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1  SUMMARY 


The  underlying  theme  of  the  PROCEED  OVERHEAD  project  was  to  investigate  the  fun¬ 
damental  limits  that  govern  the  construction  of  secure  multi-party  protocols.  The  current 
approach  to  secure  protocol  design  involves  three  steps: 

1.  devise  a  bare  protocol  that  completes  the  collaborate  task  with  no  security — e.g.,  de¬ 
sign  a  circuit  or  Turing  machine  that  computes  a  function, 

2.  transform  the  bare  protocol  into  one  that  is  secure  in  the  presence  of  honest-but-curious 
(HBC)  adversaries,  and 

3.  transform  the  HBC  protocol  into  one  that  secure  against  arbitrarily  malicious  parties. 

Over  the  5  year  project  period,  we  have  studied  the  choices  and  methods  involved  at 
each  stage  and  have  made  significant  progress  on  understanding  fundamental  overheads  in 
each  case.  These  overheads  consist  of  (a)  additional  rounds  or  exchanges  between  the  play¬ 
ers,  (b)  additional  communication  (i.e.,  longer  messages  between  players),  (c)  additional 
computation  by  all  parties,  (d)  additional  requirements  on  the  types  of  players  involved  in 
the  collaboration  (e.g.,  an  honest  majority)  needed  to  achieve  security,  and  (e)  additional 
complexity  in  concretely  implementing  the  protocol. 

Our  results  from  this  project  analyze  each  type  of  overhead  through  either  formal  analyt¬ 
ical  measurement,  characterization,  or  direct  experimental  measurement.  Furthermore,  we 
have  developed  several  systems  that  put  into  practice  state-of-the-art  techniques  for  secure 
computation  that  have  emerged  from  our  analysis.  As  an  example,  our  system  for  two-party 
secure  computation  against  malicious  adversaries  that  has  been  developed  during  PROCEED 
has  improved  the  state-of-the-art  performance  by  a  factor  of  104  and  has  increased  the  size 
of  the  functions  that  can  be  securely  computed  by  a  factor  of  106. 

The  results  of  these  efforts  appeared  in  44  published  papers,  including  the  top  theoretical 
venues  such  as  STOC  and  FOCS,  to  cryptography  flagship  conferences  including  CRYPTO 
and  Eurocrypt,  to  top  applied  venues  such  as  IEEE  Security  and  Privacy,  USENIX  Secu¬ 
rity  and  ACM  Computer  and  Communications  Security,  and  journals  such  as  JACM.  Six 
papers  were  invited  to  special  issue  on  best  papers  from  STOC,  TCC,  CRYPTO,  SCN,  and 
AsiaCrypt.  The  project  also  supported  the  development  of  open  source  code,  including  the 
Charm  library,  which  has  been  downloaded  thousands  of  times. 

Our  results  are  organized  into  a  few  broad  categories.  We  have  major  results  on  practical 
secure  two-party  computation ,  as  well  as  theoretical  characterizations  of  the  performance 
overheads  for  multi-party  secure  computation.  Our  project  has  also  studied  basic  crypto¬ 
graphic  primitives — encryption  algorithms  and  signature  schemes — that  are  used  widely  in 
all  types  of  secure  computation.  These  results  either  clarify  performance  issues  with  these 
primitives,  develop  new  techniques  for  proving  the  security  of  efficient  constructions,  or 
clarify  the  relationship  between  security  notions  for  encryption.  Finally,  we  study  other  far- 
reaching  topics  related  to  secure  computation,  such  as  program  obfuscation  (an  advanced 
technique  in  cryptography  that  could  result  in  much  simpler  and  more  secure  implementa¬ 
tions  of  secure  computation),  and  secure  computations  protocols  for  bitcoin. 
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2  INTRODUCTION 


The  US  government  and  private  industries  are  in  great  need  of  better  ways  to  secure  their 
data.  The  focus  of  this  four-university  collaborative  project  (University  of  Virginia,  Cornell, 
Indiana  University,  Johns  Hopkins  University)  was  to  investigate  sophisticated  methods  of 
cryptographically  protecting  data  with  a  focus  on  “reducing  the  overhead” — that  is  making 
the  cryptography  as  efficient  and  practical  as  possible. 

Over  the  course  of  this  multi-year  project,  substantial  progress  was  made  on  both  applied 
and  theoretical  fronts.  The  project  was  comprised  of  over  a  dozen  sub-projects,  which  ranged 
in  topic  from  secure  multi-party  computation  to  Fully  Homomorphic  Encryption  to  digital 
signatures  to  Bitcoin  and  more.  The  results  of  these  efforts  appeared  in  44  published  papers, 
including  the  top  theoretical  venues  such  as  STOC  and  FOCS,  to  cryptography  flagship  con¬ 
ferences  including  CRYPTO  and  Eurocrypt,  to  top  applied  venues  such  as  IEEE  Security  and 
Privacy,  USENIX  Security  and  ACM  Computer  and  Communications  Security,  and  journals 
such  as  JACM.  Six  papers  were  invited  to  special  issue  on  best  papers  from  STOC,  TCC, 
CRYPTO,  SCN,  and  AsiaCrypt.  The  project  also  supported  the  development  of  open  source 
code,  including  the  Charm  library,  which  has  been  downloaded  thousands  of  times. 

Brief  overview  We  have  constructed  some  of  the  world’s  fastest  and  most  practical  se¬ 
cure  two-party  computation  systems  implementing  Yao’s  Garbled  Circuit  Protocol  on  varied 
parallel  architectures,  and  under  differing  security  models.  The  parallel  architectures  varied 
from  compute-cluster  based  super  computers  in  malicious  security  models,  to  reasonably 
priced  GPU  based  parallelism  in  the  honest-but-curious  model.  In  addition,  key  supportive 
technologies  to  Yao’s  Garbled  Circuit  Protocol  implementations  have  been  designed  and  im¬ 
plemented,  such  as  a  new  effective  2-party  circuit  compiler  was  developed  that  constructed 
the  largest  circuits  known  at  the  time,  and  was  the  first  to  incorporate  a  number  of  circuit 
optimization  technologies. 

Second,  we  resolved  some  central  open  problems  in  the  theory  of  secure  computations  and 
zero-knowledge  protocols.  Most  notably,  we  demonstrated  the  first  constant-round  secure 
computation  protocols  based  on  minimal  hardness  assumptions,  the  first  black-box  secure 
computation  protocols  that  remain  secure  under  concurrent  executions ,  the  first  constant- 
round  concurrent  zero-knowledge  constructions,  and  the  first  resettably-secure  protocol  based 
on  minimal  hardness  assumptions.  We  also  provided  the  first  construction  of  program  obfus¬ 
cation  which  can  be  proven  secure  based  on  a  natural  hardness  assumptions  on  multilienar 
maps. 

Third,  this  project  explored  the  authentication  analog  of  fully  homomorphic  encryption. 
We  captured  and  strengthened  in  one  definition  several  disjoint  notions  of  computing  on 
authenticated  data  existing  in  the  literature.  We  then  provided  generic  constructions  for 
all  univariate  and  closed  predicates,  and  specific  efficient  constructions  for  a  broad  class  of 
natural  predicates  such  as  quoting,  subsets,  weighted  sums,  averages,  and  Fourier  transforms. 
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3  METHODS,  ASSUMPTIONS  AND  PROCEDURES 


We  subdivide  the  projects  that  were  worked  on  into  several  areas,  shadowing  the  concepts 
discussed  in  the  summary  and  introduction.  Within  each  area  we  discuss  the  basic  methods 
of  each  project. 

3.1  Yao’s  Garbled  Circuits 

3.1.1  Malicious  Garbled  Circuits  on  Compute  Clusters.  Yao’s  garbled  circuits  tech¬ 
nique  enables  the  creation  of  a  two-party  secure  computation  protocol.  Prior  to  the  PRO¬ 
CEED  project,  our  work  (Eurocrypt  2011)  described  a  two-party  protocol  that  is  secure  in 
the  malicious  model  based  on  this  technique.  As  a  result  of  PROCEED,  over  a  five  year  pe¬ 
riod,  we  have  discovered  several  new  techniques  that  have  lead  to  a  substantial  improvement 
in  the  area  of  two-party  secure  computation.  At  a  very  high  level,  our  protocols  can  now 
handle  very  large  instances  of  secure  computation  problems  (i.e.  we  can  securely  compute 
functions  that  require  billions  of  boolean  gates  to  represent)  at  a  speed  that  is  measured  in 
millions  of  boolean  gates  per  second. 

To  achieve  these  results,  we  have  developed  new  protocol  techniques  for  achieving  se¬ 
curity  against  malicious  adversaries  (specifically,  new  techniques  for  handling  problems  in¬ 
volving  input  consistency  between  different  instances  of  a  problem,  output  authenticity,  gar¬ 
bling  techniques,  and  methods  for  handling  a  general  class  of  “selective  failure”  attacks). 
Additionally,  we  have  focused  on  improving  the  parallel  complexity  of  secure  computation 
protocols,  and  thus  benefited  tremendously  from  the  recent  trend  in  computer  architecture  to 
add  more  “cores”  to  each  processor,  and  more  processors  to  each  computer. 

We  have  also  developed  new  systems  to  translate  high-level  C  programs  into  boolean 
circuits.  Our  PCF,  or  ’’portable  circuit  format”  compiler  can  now  handle  circuits  with  nearly 
trillions  of  gates.  In  work  prior  to  this  project  (and  even  in  our  first  version  of  our  com¬ 
piler),  methods  to  translate  programs  into  boolean  circuits  could  handle  only  very  small  toy 
examples. 

3.1.2  Semi-Honest  Garbled  Circuits  on  GPUs.  Previous  work  demonstrated  the  feasi¬ 
bility  and  practical  use  of  secure  two-party  computation  [5,  9,  15,  23].  In  this  work,  we  pre¬ 
sented  the  first  Graphical  Processing  Unit  (GPU)-optimized  implementation  of  an  optimized 
Yao’s  garbled-circuit  protocol  for  two-party  secure  computation  in  the  honest-but-curious 
and  1 -bit-leaked  malicious  models.  We  implemented  nearly  all  of  the  modern  protocol  ad¬ 
vancements,  such  as  Free-XOR,  Pipelining,  and  OT  extension.  Our  implementation  was  the 
first  allowing  entire  circuits  to  be  generated  concurrently,  and  makes  use  of  a  modification 
of  the  XOR  technique  so  that  circuit  generation  is  optimized  for  implementation  on  SIMD 
architectures  of  GPUs.  In  our  best  cases  we  generated  about  75  million  gates  per  second  and 
we  exceeded  the  state-of-the-art  performance  metrics  on  modem  CPU  systems  by  a  factor  of 
about  200,  and  GPU  systems  by  about  a  factor  of  2.3.  While  many  recent  works  on  garbled 
circuits  exploit  the  embarrassingly  parallel  nature  of  many  tasks  that  are  part  of  a  secure 
computation  protocol,  we  showed  that  there  are  still  various  forms  and  levels  of  paralleliza- 
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tion  that  may  yet  improve  the  performance  of  these  protocols.  In  particular,  we  highlight  that 
implementations  on  the  SIMD  architecture  of  modern  GPUs  require  significantly  different 
approaches  than  the  general  purpose  MIMD  architecture  of  multi-core  CPUs,  which  again 
differ  from  the  needs  of  parallelizing  on  compute  clusters.  Additionally,  modifications  to 
the  security  models  for  many  common  protocols  have  large  effects  on  reasonable  parallel 
architectures  for  implementation. 

3.2  General  Theoretical  Work 

Many  of  the  results  of  this  project  explore  theoretical  questions  concerning  secure  computa¬ 
tion.  For  these  questions,  the  method  is  to  pose  a  question  concerning  the  necessity  of  some 
aspect  of  overhead  for  secure  computation  and  mathematically  explore  whether  that  aspect 
is  essential  or  can  be  removed. 
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4  RESULTS  AND  DISCUSSION 


In  this  section,  we  highlight  the  results  from  the  main  aspects  of  our  project. 

4.1  Secure  2-party  Computation 

4.1.1  Malicious  Garbled  Circuits  on  Compute  Clusters.  Yao’s  garbled  circuits  tech¬ 
nique  enables  the  creation  of  a  two-party  secure  computation  protocol.  Prior  to  the  PRO¬ 
CEED  project,  PI  Shelat  and  Shen  (Eurocrypt  2011)  described  a  two-party  protocol  that  is 
secure  in  the  malicious  model  based  on  this  technique.  As  a  result  of  PROCEED,  over  a 
five  year  period,  we  have  discovered  several  new  techniques  that  have  lead  to  a  substantial 
improvement  in  the  area  of  two-party  secure  computation.  At  a  very  high  level,  our  pro¬ 
tocols  can  now  handle  very  large  instances  of  secure  computation  problems  (i.e.  we  can 
securely  compute  functions  that  require  billions  of  boolean  gates  to  represent)  at  a  speed  that 
is  measured  in  millions  of  boolean  gates  per  second. 

To  achieve  these  results,  we  have  developed  new  protocol  techniques  for  achieving  se¬ 
curity  against  malicious  adversaries  (specifically,  new  techniques  for  handling  problems  in¬ 
volving  input  consistency  between  different  instances  of  a  problem,  output  authenticity,  gar¬ 
bling  techniques,  and  methods  for  handling  a  general  class  of  “selective  failure”  attacks). 
Additionally,  we  have  focused  on  improving  the  parallel  complexity  of  secure  computation 
protocols,  and  thus  benefited  tremendously  from  the  recent  trend  in  computer  architecture  to 
add  more  “cores”  to  each  processor,  and  more  processors  to  each  computer. 

The  protocol  was  the  most  efficient  in  terms  o  fb  oth  a  symptotics  and  real-world  ex¬ 
ecution  times.  In  this  project,  we  have  optimized  that  protocol  and  implemented  it  on  a 
cluster  of  machines.  We  have  demonstrated  a  lOOx  factor  of  improvement,  and  continue  to 
make  adjustments  to  discover  the  true  overhead  rate  for  malicious  security.  The  table  below 
summarizes  some  of  the  performance  results.  In  order  to  run  experiments  on  large  garbled 
circuits,  we  have  built  a  compiler  that  produces  optimized  circuits  from  programs  (the  Fair- 
Play  circuit  compiler  cannot  handle  circuits  with  more  than  one  million  gates  without 
running  into  memory  problems).  In  this  case,  the  optimizations  favor  XOR  gates  over 
NAND  gates.  Our  compiler  has  produced  the  smallest  known  garbled  Yao  circuit  for  AES. 

4.1.2  Parallelism.  In  2012,  in  [KSS12]  we  illustrated  how  to  design  highly  parallelizable 
protocols  for  2-party  secure  computation  that  are  secure  in  the  malicious  model.  As  the  fol¬ 
lowing  chart  showed,  the  running  time  for  evaluating  the  AES  circuit  (in  which  one  party 
holds  a  key  k,  the  other  party  holds  an  input  x,  and  the  goal  is  to  compute  AESk(x ))  de¬ 
creases  as  expected  as  we  run  the  protocol  on  up  to  256  cores.  In  this  same  paper,  we  report 
6B  gate  circuit  evaluation  at  a  rate  of  approximately  100-120k/gates  per  second.  By  Novem¬ 
ber  2012,  we  had  improved  our  protocol  to  run  at  >  300k  gates  per  second  in  our  system.  We 
are  investigating  ways  to  remove  the  algebraic  operations  from  the  protocol;  this  will  result 
in  large  performance  improvements  when  the  circuit  has  many  inputs.  We  also  improved  our 
compiler  infrastructure  to  handle  very  large  circuits  in  a  more  scalable  way.  In  Jan’ 13,  we 
employed  the  AESNI  and  SSE2  instruction  sets  in  our  system.  While  the  former  improves 
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Table  1:  The  time  (in  seconds)  of  running  AES  circuit  with  security  parameter  k= 80  and 
s= 256.  The  number  of  nodes  represents  the  degree  of  parallelism  on  each  side.  means 
that  the  time  is  smaller  than  0.05  second  and  thus  omitted. 


core  # 

2 

4 

8 

16 

32 

64 

128 

256 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

OT 

79.1 

16.8 

39.5 

8.4 

19.8 

4.2 

9.9 

2.1 

4.9 

1.1 

2.5 

0.6 

1.3 

0.3 

0.6 

0.2 

Gen. 

19.6 

- 

9.3 

- 

4.5 

- 

2.2 

- 

1.1 

- 

0.5 

- 

0.3 

- 

0.1 

- 

Inp.  chk 

- 

0.9 

- 

0.4 

- 

0.2 

- 

0.1 

- 

- 

- 

- 

- 

- 

- 

- 

Eval. 

7.1 

16.2 

3.2 

7.6 

1.7 

3.5 

0.8 

1.7 

0.4 

0.8 

0.3 

0.4 

0.2 

0.2 

0.1 

0.1 

Inter-com 

11.8 

83.6 

5.7 

41.3 

2.5 

20.5 

1.4 

10.2 

0.6 

5.1 

0.3 

2.6 

0.1 

1.4 

0.1 

0.7 

Intra-com 

0.5 

0.5 

0.2 

0.3 

0.2 

0.2 

0.1 

0.2 

0.1 

0.1 

- 

0.1 

- 

0.1 

- 

0.1 

Total  time 

118.0 

118.1 

58.0 

58.0 

28.6 

28.6 

14.4 

14.4 

7.2 

7.2 

3.7 

3.7 

1.9 

!.9 

1.0 

1.0 

the  generation  of  the  doubly  encrypted  entries  for  garbled  truth  table,  the  latter  speeds  up 
the  bit-wise  XOR  in  a  128-bit  primitive  operation  manner.  Moreover,  we  have  designed  a 
new  generator’s  input  consistency  check  that  gets  rid  of  the  number  theoretic  assumption  and 
group  operation  entirely  (except  for  OTs). 

Reducing  hardness  assumptions  By  April  2013,  we  improved  our  protocol  so  that  it  no 
longer  relies  on  any  specific  hardness  assumptions  (our  prior  work  required  discrete  log  or 
special  types  of  proof  systems)  and  yet  has  better  performance.  We  do  this  by  describing  new 
solutions  to  the  three  main  problems  for  malicious  Yao  with  cut-and-choose.  We  solve  input 
consistency  using  a  hashing  approach,  we  solve  selective  failure  using  a  coding  approach, 
and  we  solve  two-output  authenticity  using  a  commit/hash  approach.  We  show  in  Figure  2 
the  overall  execution  time  of  our  system  securely  evaluating  circuits  EDT-40951,  RSA-2562, 
and  1024-AES128.  Overall,  our  system  is  able  to  handle  650,000+  (or  ~  200,000  non- 
XOR)  gates  per  second.  We  also  observe  that  for  all  three  circuits  that  we  evaluated,  more 
than  60%  of  the  execution  time  is  spent  on  communicating  the  huge  amount  of  data,  the 
garbled  circuits.  If  we  consider  only  the  circuit  garbling,  the  rate  that  our  system  actually 
achieves  could  be  as  high  as  1,600,000+  (or  500,000+  non-XOR)  gates  per  second,  with  the 
help  of  various  optimization  techniques,  including  SSE2  and  AESNI  instruction  sets,  and  the 
free-XOR  technique.  These  results  are  eventually  published  in  our  [SS13]  paper. 

Table  2:  The  performance  of  our  main  protocol  with  k  =  80  and  a  =  256.  All  numbers  in  “time” 
column  come  from  an  average  of  30  data  points  and  have  the  95%  confidence  interval  <  1%. 


circuit 

gates 

(non-XOR) 

time  (sec) 

comm. 

EDT-4095 

5.9B 

(2.4B) 

9,042 

18  TB 

RSA-256 

0.93B 

(0.33B) 

1,437 

3  TB 

1024- AES  128 

32M 

(9.3M) 

49 

74  GB 

'This  circuit  computes  the  edit  distance  of  two  4,095-bit  inputs. 
2This  circuit  computes  a  256-bit  modular  exponentiation. 
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Table  3:  The  95%  two-sided  confidence  intervals  for  computation  and  communication  time 
for  each  stage  in  the  1024-AES128  experiment 


Gen 

(sec) 

Eval 

(sec) 

Comm 

(MB) 

OT 

comp 

comm 

0.4±0.09% 
0.1±  1% 

0.3±0.6% 

6 

cut-& 

comp 

- 

- 

Q 

chk 

comm 

- 

- 

Inp. 

comp 

$ 

H 

-H 

oo 

o 

0.3±0.2% 

2.008 

Chk 

comm 

0.33=  1% 

0.9=1=  1% 

Evl. 

comp 

11.4=1=  0.6% 

28.0=1=0.4% 

72,271 

comm 

9.2=1=  1% 

30. 3  ±0.8% 

Total 

comp 

comm 

12.6=1=  0.3% 

9.6=1=  1% 

28.0±0.2% 

31.5±0.4% 

74,294 

In  the  fall  of  2013,  we  developed  demos  for  DARPA  based  on  this  work;  the  demos  in¬ 
volve  a  mail  regex  parser  for  checking  security  designations,  and  a  graph  intersection  demo 
to  determine  if  two  people  have  a  path  in  a  secret  graph  to  one  another.  We  have  also 
continued  to  develop  the  PCF  2.0  framework  to  address  various  bugs  and  gaps  in  the  imple¬ 
mentation  to  support  the  various  groups  (Sharemind,  Georgia  Tech)  who  also  use  the  library. 

4.1.3  Semi-Honest  Garbled  Circuits  on  GPUs.  Previous  work  demonstrated  the  fea¬ 
sibility  and  practical  use  of  secure  two-party  computation  [18,  29,  41,  64].  In  this  work 
[31],  we  presented  the  first  Graphical  Processing  Unit  (GPU)-optimized  implementation  of 
an  optimized  Yao’s  garbled-circuit  protocol  for  two-party  secure  computation  in  the  honest- 
but-curious  and  1 -bit-leaked  malicious  models.  We  implemented  nearly  all  of  the  modern 
protocol  advancements,  such  as  Free-XOR,  Pipelining,  and  OT  extension.  Our  implemen¬ 
tation  was  the  first  allowing  entire  circuits  to  be  generated  concurrently,  and  makes  use  of 
a  modification  of  the  XOR  technique  so  that  circuit  generation  is  optimized  for  implemen¬ 
tation  on  SIMD  architectures  of  GPUs.  In  our  best  cases  we  generated  about  75  million 
gates  per  second  and  we  exceeded  the  state-of-the-art  performance  metrics  on  modern  CPU 
systems  by  a  factor  of  about  200,  and  GPU  systems  by  about  a  factor  of  2.3.  While  many 
recent  works  on  garbled  circuits  exploit  the  embarrassingly  parallel  nature  of  many  tasks  that 
are  part  of  a  secure  computation  protocol,  we  showed  that  there  are  still  various  forms  and 
levels  of  parallelization  that  may  yet  improve  the  performance  of  these  protocols.  In  partic¬ 
ular,  we  highlight  that  implementations  on  the  SIMD  architecture  of  modern  GPUs  require 
significantly  different  approaches  than  the  general  purpose  MIMD  architecture  of  multi-core 
CPUs,  which  again  differ  from  the  needs  of  parallelizing  on  compute  clusters.  Addition¬ 
ally,  modifications  to  the  security  models  for  many  common  protocols  have  large  effects  on 
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reasonable  parallel  architectures  for  implementation. 

Our  system  [31]  is  currently  the  most  efficient  gate  garbler,  and  definitely  the  case  when 
one  considers  the  cost  per  gate.  Our  implementation  did  key  work  to  ensure  that  garbeling 
was  very  much  optimized  to  the  SIMD  architecture  of  the  GPU.  Full  details  are  given  in  the 
paper.  We  benchmarked  our  system  in  comparison  to  the  others  to  show  the  benefit  of  our 
SIMD  optimizations.  A  full  analysis  of  the  effectiveness  is  given  in  the  full  paper  in  the 
Appendix.  Here,  for  the  benefit  of  the  reader  we  provide  the  key  results  from  that  section. 

Most  prior  work  in  the  area  benchmarks  the  time  it  takes  to  generate  and  evaluate  vari¬ 
ous  circuits.  This  process  indirectly  benchmarks  the  number  of  gates  generated  or  evaluated 
per  second.  However,  this  is  often  run  on  systems  with  varying  numbers  of  cores,  and  to  a 
lesser  extent  varying  speeds.  We  report  results  on  the  average  number  of  gates  generated  or 
evaluated  per  second  per  core.  We  note  this  metric  seems  relatively  stable,  and  thus  we  use  it 
for  a  near  apples-to-apples  comparison.  Table  4  has  details  for  the  comparison  systems.  We 
note  that  even  though  EC2  has  multiple  GPUs,  only  one  is  used  in  the  results  presented.  EC2 
is  run  on  Amazon’s  elastic  compute  infrastructure,  and  is  running  under  a  Xen  hypervisor. 
Since  we  do  not  have  direct  access  to  the  bare  metal,  we  cannot  determine  how  much  over¬ 
head  the  Xen  hypervisor  entails,  but  Xen  project  benchmarks  suggest,  assuming  appropriate 
kernel  patches  have  been  applied,  a  0-30%  performance  decrease  [10]. 

Table  4:  Benchmark  system  descriptions.  EC2  runs  a  Xen  virtual  machine. 


System 

CPU 

Core/ 

Thrd. 

GHz 

Ram 

(GB) 

GPU 

Kre uter  et  at. 
[41] 

Xenon 

E5506 

4 

2.13 

8 

N/A 

EC2 

Xenon 

X5570 

8/16 

2.93 

24 

Tesla 

S2050 

Tie 

Xenon 

E5-2620 

12/12 

2 

64 

Tesla 

K20 

GPU 

Cores 

SMs 

GHz 

Memory 

Compute 

(GB) 

Capability 

S2050  (EC2) 

448 

14 

1.15 

2.7 

2.0 

K20  (Tie) 

2496 

13 

0.71 

4.8 

3.5 

We  ran  circuit  generation  on  the  EC2  and  Tie  systems  (cf.  Table  4).  We  first  compared 
our  results  to  those  of  Frederiksen  and  Nielsen  [18]  in  Fig.  la.  We  remind  the  reader  that  we 
compared  their  circuit  generation  times  from  experiments  where  they  have  similar,  but  not 
identical  circuits.  This  is  due  to  the  need  to  simulate  the  cut-and-choose  malicious  protocol  in 
the  other  systems,  which  we  do  not  support.  Further,  while  we  did  have  access  to  their  circuit 
file,  we  could  not  execute  it  directly  as  we  do  not  support  their  file  description  language  in 
our  system,  and  their  binary  file  format  was  not  conducive  to  easy  translation.  Thus,  we 
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show  in  Fig.  la  that  under  similar  workloads  our  scheme  outperforms  theirs  on  the  same 
hardware  using  the  metric  of  gates  generated  per  second.  Observe  that  we  generate  gates  at 
about  2.3  times  the  rate  on  the  Tie  system  compared  to  Frederiksen  and  Nielsen  on  the  EC2 
system.  Observe  that  we  generate  gates  at  about  3  times  the  rate  on  the  Tie  system  compared 
to  Frederiksen  and  Nielsen.  This  is  the  benchmark  system,  as  Frederiksen’  and  Nielsen’s 
code  is  targeted  at  compute  capability  3.X  CUDA  cards. 

As  the  number  of  cores  on  systems  can  be  highly  variable,  in  Fig.  lb  we  calculate 
the  average  rate  of  gate  generation  per  core  for  the  two  systems,  to  help  with  understanding 
performance  on  other  GPU  cards  with  varying  numbers  of  cores.  Note  that  in  the  benchmarks 
reported  in  Figs,  la  and  lb  we  have  commented  out  any  code  in  our  system  necessary  to  split 
large  circuits  into  smaller  sub-circuits  so  that  they  can  fit  onto  the  GPU,  as  Frederiksen  and 
Nielsen  have  no  such  corresponding  code  as  they  simply  assume  the  circuit  will  fit.  Thus  we 
are  not  penalized  for  computing  overhead  that  the  other  system  also  does  not  compute. 


AES  Comparison  (No  Pipelining) 


AES  Comparison  (No  Pipelining) 


Figure  1:  la)  Circuit  gate  generation  rates  of  [18]  vs.  our  technique  using  fully  parallelizable 
circuit  generation,  lb)  Gates  generation  rate  per  multi-processor  on  differing  circuit  sizes. 

Next,  we  considered  a  number  of  different  circuit  sizes  from  both  Kreuter  et  al.[37], 
and  circuits  that  we  have  constructed.  Given  our  support  of  PCF  we  can  compare  the  same 
circuits  as  are  tested  by  Kreuter  et  al.[37].  We  see  in  Fig.  2,  the  absolute  performance  of  our 
system  versus  that  of  Kreuter  et  al.  in  terms  of  Gates  per  sec,  and  then  in  Figs.  2a  and  2b 
the  relative  performance  per  core.  Note  that  performance  per  core  is  relatively  stable  across 
medium-to-large  circuit  sizes.  Recall  that  our  cores  are  substantially  more  abundant,  and 
have  lower  cost  and  energy  usage  that  those  of  Kreuter  et  al.  Using  the  metric  of  gates  per 
second  we  find  our  system,  in  the  case  of  generation,  provides  significantly  higher  generation 
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rates:  approximately  three  orders  of  magnitude.  Our  system  tops  out  at  around  75  million 
gates  per  second,  while  Kreuter  et  al  tops  out  at  0.35  million  gates  per  second.  We  note  that 
their  system  is  built  for  cluster  computing,  and  so  they  pay  a  significant  overhead  to  support 
it. 


Normalized  Gate  Generation 


Circuit  Gate  Count 


Normalized  Gate  Generation 
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Gate  Gen  Per  Core  Per  Sec  vs.  Gate  Count 


Figure  2:  Gate  Generation  Times  comparing  to  Kreuter  et  al. [37] . 


4.1.4  PCF  Compiler.  We  have  also  developed  new  systems  to  translate  high-level  C  pro¬ 
grams  into  boolean  circuits.  Our  PCF,  or  ’’portable  circuit  format”  compiler  can  now  handle 
circuits  with  nearly  trillions  of  gates.  In  work  prior  to  this  project  (and  even  in  our  first  ver¬ 
sion  of  our  compiler),  methods  to  translate  programs  into  boolean  circuits  could  handle  only 
very  small  toy  examples. 

The  results  of  our  PCFvl  compiler  were  described  in  [KMBS 13]  (USENIX  Security’  13). 
Previous  approaches  to  compiling  circuits  have  scaled  poorly  as  the  circuit  size  increases. 
Our  approach  is  based  on  online  circuit  compression  and  lazy  gate  generation.  We  imple¬ 
mented  an  optimizing  compiler  for  this  new  representation  of  circuits,  and  evaluated  the  use 
of  this  representation  in  two  secure  computation  environments.  Our  evaluation  demonstrates 
the  utility  of  this  approach,  allowing  us  to  scale  secure  computation  beyond  any  previous 
system  while  requiring  substantially  less  CPU  time  and  disk  space.  In  our  largest  test,  we 
evaluate  an  RSA-1024  signature  function  with  more  than  42  billion  gates,  that  was  generated 
and  optimized  using  our  compiler.  With  our  techniques,  the  bottleneck  in  secure  computation 
lies  with  the  cryptographic  primitives,  not  the  compilation  or  storage  of  circuits. 

Since  early  2014,  we  have  been  developing  PCF2,  which  is  an  update  to  the  original  PCF 
work  presented  at  Usenix’  13.  Improvements  include  better  language  support,  more  efficient 
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data  structures,  support  for  various  methods  to  call  special-purpose  libraries,  bindings  to 
dozens  of  languages,  and  bug  fixes  throughout  the  pipeline. 

4.1.5  Oblivious  RAM  Results.  All  known  efficient  constructions  of  generic  secure  two- 
party  protocols  require  an  oblivious  representation  of  the  function  /  to  ensure  that  the  control 
flow  of  the  algorithm  does  not  depend  on  its  input  and  therefore  leak  partial  information.  The 
standard  approach  to  creating  an  oblivious  representation  is  to  generate  a  boolean  circuit 
from  the  description  of  /.  This  strategy  is  employed  by  dozens  of  prior  works  including  all 
of  our  prior  work  in  this  project  [50,  52,  4,  28,  40,  39,  47,  65]  on  secure  computation. 

When  /  is  given  as  a  RAM  (Random  Access  Memory  model)  program,  transforming 
/  into  a  binary  circuit  may  be  problematic.  A  naive  transformation  replaces  each  indexed 
access  to  memory  with  a  scan  of  the  entire  memory  in  order  to  keep  the  index  hidden.  To 
overcome  this  issue,  Gordon  et  al  [25]  used  an  Oblivious  RAM  (ORAM)  data  structure  pro¬ 
posed  first  by  Goldreich  [20]  to  compile  RAM  programs  into  secure  computation  protocols. 

Intuitively,  ORAM  is  a  technique  to  transform  a  memory  access  (with  secret  index  i) 
into  a  sequence  of  memory  accesses  (whose  indices  are  revealed  to  the  adversary  but  appear 
independent  of  the  secret  value  i).  ORAM  techniques  have  been  widely  studied  in  other 
contexts  [24,  61,  42,  23,  16,  6,  76,  74,  22,  20,  60,  63,  75,  12,  70,  67].  However,  the  goals  of 
these  prior  works  were  (1)  reducing  the  bandwidth  overhead  between  the  client  and  server; 
(2)  reducing  the  client  storage ;  and  (3)  reducing  the  server’s  overall  memory  overhead.  Re¬ 
markably,  state  of  the  art  approaches  to  ORAM  design  limit  the  overhead  in  all  three  aspects 
to  various  combinations  of  0(logc(n))  where  c  €  {0, 1,  2, 3}. 

We  embark  on  a  comprehensive  study  of  practical  secure  computation  ORAM  tech¬ 
niques.  We  do  so  via  both  theoretical  analysis  of  several  metrics  used  to  judge  ORAMs  and 
experiments  performed  on  optimized  implementations  of  4  state-of-the-art  ORAM  schemes. 
We  report  a  new  heuristic  ORAM  design  that  outperforms  all  other  ORAMs  we  considered. 

Our  first  observation  is  that  traditional  measures  of  ORAM  schemes  do  not  properly 
indicate  the  ORAM  performance  in  secure  computation  setting.  Previously,  ORAM  was 
primarily  considered  in  storage  outsourcing  [69,  22,  68],  and  secure  processor  execution  [49] 
settings.  Thus,  ORAM  constructions  were  mainly  evaluated  by  the  bandwidth  overhead  (i.e., 
the  number  of  data  blocks  retrieved  per  memory  query). 

Since  the  client-side  computational  logic  needs  to  process  secret  values  (e.g.,  the  original 
index),  their  cost  cannot  be  ignored  as  in  tradiational  ORAMs  designed  merely  for  outsourc¬ 
ing  storage.  On  the  contrary,  the  overhead  due  to  securely  computing  the  client-side  ORAM 
logic  can  easily  dominate  the  overall  cost  in  both  bandwidth  and  CPU  cycles.  Therefore,  the 
circuit  complexity  of  the  ORAM  algorithm  plays  a  critical  role  in  evaluating  the  efficiency  of 
ORAM  schemes  used  in  secure  computation. 

We  find  that,  asymptotically  speaking,  the  Binary  Tree  ORAM  by  Shi  et  al.  [67]  performs 
the  same  as  a  naively  implemented  Path  ORAM  [70],  although  Path  ORAM  is  asymptoti¬ 
cally  faster  in  the  data  outsourcing  scenario.  In  fact,  due  to  the  circuit  size,  Path  ORAM  is 
significantly  slower  for  practical  parameter  settings.  Next,  we  derive  Path-SC  ORAM,  an 
optimized  construction  of  Path  ORAM  that  is  O(logn)  faster  than  its  naive  implementation. 
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However,  because  of  the  3  oblivious  sorts  (resulting  in  a  large  constant  factor  in  practice), 
its  performance  in  practical  parameter  settings  is  still  inferior  to  those  theoretically  slower 
schemes  such  as  Binary  Tree  ORAM  [67]  and  CLP  ORAM  [12]. 

We  then  present  SCORAM,  a  heuristic  compact  ORAM  design  optimized  for  secure  com¬ 
putation  protocols.  Our  new  design  is  almost  lOx  smaller  in  circuit  size  and  also  faster  than 
all  other  designs  we  have  tested  for  realistic  settings  (i.e.,  memory  sizes  between  4MB  and 
2GB,  constratined  by  2~80  failure  probability).  SCORAM  makes  it  feasible  to  perform  secure 
computations  on  gigabyte- sized  data  sets. 

4.2  Theory  of  Secure  Computation 

Minimal  Hardness  Assumptions  for  0(l)-round  Secure  Computation  Joint  with  Lin 
and  Venkitasubramaniam,  PI  Pass  investigated  the  minimal  hardness  assumptions  needed  for 
constant-round  secure  computation  protocols.  It  is  known  that  the  existence  of  an  “honest- 
but-curious”  secure,  so  called,  oblivious  transfer  (OT),  protocol  is  both  sufficient  and  neces¬ 
sary  for  construction  of  secure  computation  protocols.  For  constant-round  secure 
computation,  constant-round  OT  is  necessary;  the  main  open  question  is  whether  constant- 
round  OT  also  suffices.  (Our  earlier  results  show  that  constant-round  secure 
computation  exists  assuming  the  existence  of  enhanced  trapdoor  permutation;  this 
assumption  does  not  include,  e.g.,  lattice-based  assumption,  etc).  By  relying  on  the 
above-mentioned  non-malleable  commitment  scheme,  we  showed  that  indeed  constant- 
round  OT  alone  suffices  to  establish  secure  multi-party  computation  protocols  for  any 
function.  This  resolves  a  question  left  open  since  the  inception  of  secure  multi-party 
computation  in  1987. 

The  paper  appeared  in  Asiacrypt’  12  and  was  invited  to  the  special-issue  on  the  best  pa¬ 
pers  from  the  conferences. 

Blackbox  Concurrent  Secure  Computation  PI  Pass  joint  with  Huijia  Lin  presented  the 
first  black-box  construction  of  a  secure  multi-party  computation  protocol  that  satisfies  a 
meaningful  notion  of  concurrent  security  in  the  plain  model  (without  any  set-  up,  and  with¬ 
out  assuming  an  honest  majority).  Moreover,  our  protocol  relies  on  the  minimal  assumption 
of  the  existence  of  a  semi-honest  OT  protocol,  and  our  security  notion  “UC  with  super¬ 
polynomial  helpers”  (Canetti  et  al,  STOC’IO)  is  closed  under  universal  composition,  and 
implies  “super-polynomial-time  simulation”. 

The  question  of  providing  a  black-box  construction  of  a  concurrently  secure  protocol  was 
one  of  the  key  open  problems  in  our  original  proposal.  Our  construction  is  currently  still  just 
a  “feasibility”  result,  but  it  indicates  that  the  tools  for  obtaining  practical  implementations  of 
concurrently  secure  protocols  are  within  reach.  The  paper  appeared  in  CRYPTO’  12. 

Large  Scale  Secure  Computation  We  are  interested  in  secure  computation  protocols  in 
settings  where  the  number  of  parties  is  huge,  and  their  data  even  larger.  In  this  regime,  the 
efficiency  of  existing  solutions  breaks  down:  either  requiring  resources  linear  in  the  circuit 
representation  size  of  the  function,  or  requiring  parties  to  store  and  communicate  information 
on  the  order  of  all  parties’  combined  inputs. 
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Assuming  the  existence  of  a  single-use  broadcast  channel  (per  player),  we  demonstrate 
statistically  secure  n-party  computation  protocols  for  computing  (multiple)  arbitrary  dy¬ 
namic  RAM  programs  over  parties’  inputs,  handling  (1/3)  fraction  static  corruptions,  while 
preserving  up  to  polylogarithmic  factors  the  computation  and  memory  complexities  of  the 
RAM  program.  Additionally,  our  protocol  is  load  balanced  across  all  parties,  and  achieves 
polylogarithmic  communication  locality  (i.e.,  each  party  only  ever  needs  to  speak  to  poly- 
log(n)  other  parties). 

The  paper  was  just  accepted  to  CRYPTO’ 15. 

4.2.1  Non-Malleable  Commitments.  One  approach  for  acheiving  round-efficient  secure 
multi-party  computation  protocols  is  to  run  many  of  its  sub  components  in  parallel.  The 
problem  with  this  approach  is  that  the  security  of  many  standard  cryptographic  primitives 
does  not  necessarily  remain  intact  when  they  are  executed  in  parallel.  For  instance,  a 
man-in-the-middle  attacker  participating  in  two  simultaneous  executions  of  a  cryptographic 
protocol  might  use  messages  from  one  of  the  executions  in  order  to  violate  the  security  of 
the  second. 

Non-malleable  protocols  block  such  attacks.  The  original  paper  by  Dolev,  Dwork  and 
Naor  from  1990  presented  the  first  non-malleable  protocols.  Since  then,  non-malleable  prim¬ 
itives  have  been  extensively  studied  in  the  literature;  the  main  focus  of  this  study  has  been 
to  improve  the  round-complexity  of  such  protocols  (indeed,  if  we  want  to  use  non- 
malleable  protocols  to  improve  the  round-efficiency  of  secure  computation  protocols,  it  is 
essential  that  the  non-malleable  protocols  themselves  are  round-efficient). 

Constant-round  Non-malleable  Commitments  Rafael  Pass  joint  with  his  student  Huijia 
Lin  managed  to  completely  resolve  the  round-complexity  of  non-malleable  protocols,  show¬ 
ing  that  constant-round  protocols  are  possible  using  the  minimal  assumption  of  a  one-way 
function;  this  had  remained  an  open  question  since  1990  (this  question  was  also  explicitly 
mentioned  in  our  DARPA  proposal).  A  major  application  of  this  result  is  that  constant-round 
secure  multi-party  computation  protocols  for  any  function  are  possible  based  on  the 
existence  of  enhanced  trapdoor  permutations.  This  work  resulted  in  a  paper  that  is  scheduled 
to  appear  in  Journal  of  the  ACM  (the  leading  CS  journal). 

Non-interactive  Non-maleable  Commitments  PI  Pass  investigated  the  possibility  that 
non-interactive  non-malleable  commitment  is  possible.  If  such  commitments  were 
possible,  it  would  dramatically  decrease  the  round-complexity  of  secure  computations 
protocols  (our  earlier  results  have  established  that  a  constant  number  of  rounds  suffice, 
but  the  precise  constant  is  still  rather  high).  In  a  paper  appearing  in  TCC’13,  Pass 
demonstrated  that  standard  proof  techniques  cannot  be  used  to  prove  security  of  such 
commitment  schemes.  The  paper  was  invited  to  the  “10-year  anniversary  of  TCC”  special 
issue  in  computational  complexity,  and  also  invited  to  the  special-issue  of  best  paper  in 
TCC’13  in  Journal  of  Cryptology.  (A  full  version  of  the  paper  was  just  accepted  for 
publication  in  the  10-year  celebration  issue.) 

4.2.2  Zero- Knowledge. 
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Constant-round  Concurrent  Zero-knowledge  from  Falsifiable  A  ssumption  One  of  the 

main  outstanding  open  problem  in  Concurrent  Security  is  whether  constant-round  concurrent 
zero-knowledge  protocols  exists.  We  present  a  new,  but  falsifiable,  hardness 
assumption  under  which  a  constant-round  concurrent  zero-knowledge  protocol  exists. 
The  paper  was  accepted  and  presented  at  FOCS’13. 

New  Technique  for  Non-Black-Box  Simulations:  Resettable  Security  from  One-way 
Functions  The  simulation  paradigm,  introduced  by  Goldwasser,  Micali  and  Rackoff,  is  of 
fundamental  importance  to  modern  cryptography.  In  a  breakthrough  work  from  2001,  Barak 
(FOCS’Ol)  introduced  a  novel  non-black-box  simulation  technique.  This  technique  enabled 
the  construction  of  new  cryptographic  primitives,  such  as  resettably-sound  zero-knowledge 
arguments,  that  cannot  be  proven  secure  using  just  black-box  simulation  techniques.  The 
work  of  Barak  and  its  follow-ups,  however,  all  require  stronger  cryptographic  hardness  as¬ 
sumptions  than  the  minimal  assumption  of  one-way  functions:  the  work  of  Barak  requires 
the  existence  of  collision-resistant  hash  functions,  and  a  very  recent  result  by  Bitansky  and 
Paneth  (FOCS’  12)  instead  requires  the  existence  of  an  Oblivious  Transfer  protocol. 

We  show  how  to  perform  non-black-box  simulation  assuming  just  the  existence  of  one¬ 
way  functions.  In  particular,  we  demonstrate  the  existence  of  a  constant-round  resettably- 
sound  zero-knowledge  argument  based  only  on  the  existence  of  one-way  functions.  Using 
this  technique,  we  determine  necessary  and  sufficient  assumptions  for  several  other  notions 
of  resettable  security  of  zero-knowledge  proofs.  An  additional  benefit  of  our  approach  is  that 
it  seemingly  makes  practical  implementations  of  non-black-box  zero-knowledge  viable. 

The  paper  was  accepted  in  STOC’  13  and  invited  to  the  special-issue  in  Siam  Joe  on  best 
papers  from  STOC’ 13.  We  additionally  wrote  a  follow-up  paper  on  “simulatous  resettability” 
that  appeared  in  FOCS’13. 

4.3  Digital  Signatures 

We  now  discuss  functional  and  foundational  advances  in  realizing  practical  digital  signa¬ 
tures. 

4.3.1  Computing  on  Authenticated  Data.  This  project  represents  joint  work  involving 
four  PROCEED  members:  Dan  Boneh,  Susan  Hohenberger,  Abhi  Shelat  and  Brent 
Waters.  It  explores  the  authentication  analog  of  fully  homomorphic  encryption.  We 
capture  and  strengthen  in  one  definition  several  disjoint  notions  of  computing  on 
authenticated  data  existing  in  the  literature.  We  then  provide  generic  constructions  for  all 
univariate  and  closed  predicates,  and  specific  efficient  constructions  for  a  broad  class  of 
natural  predicates  such  as  quoting,  subsets,  weighted  sums,  averages,  and  Fourier 
transforms.  The  original  work  appeared  in  TCC  2012  and  a  full  version  appeared  in  the 
Journal  of  Cryptology  in  2015. 

Brent  Waters  and  Susan  Hohenberger  also  explored  expanding  this  notion  to  comput¬ 
ing  on  authenticated  graphs.  We  developed  a  candidate  approach,  which  generalizes  the 
’’untraceable  linking”  techniques  used  in  the  substring  construction  of  the  prior  TCC  paper, 
but  were  unable  to  completely  analyze  it.  That  is,  we  were  still  exploring  if  the  mechanisms 
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that  connected  two  adjoining  letters  in  a  text  document  can  be  generalized  to  connect  any  two 
nodes  in  a  graph.  This  subproject  was  downgraded  as  a  priority  when  the  breakthrough  result 
of  realizing  multilinear  maps  appeared  by  Garg,  Gentry  and  Halevi.  Armed  with  this  new 
mathematical  tool,  our  focus  shifted  to  more  foundational  authentication  problems,  which 
we  now  describe  in  Section  4.3.2. 

4.3.2  Full  Domain  Hash  from  Multilinear  Maps.  Applying  a  full  domain  hash  is  a  com¬ 
mon  technique  in  cryptography  where  a  hash  function,  modeled  as  a  random  oracle,  is  used 
to  hash  a  string  into  a  set.  Originally,  the  concept  referred  to  a  signature  scheme  where  one 
hashed  into  the  range  of  a  trapdoor  permutation  (Bellare-Rogaway  1993).  Subsequently, 
full  domain  hash  has  been  treated  as  a  more  general  concept.  Pairing-based  applications  of 
Full  Domain  Hash  include:  the  original  Boneh-Franklin  identity-based  encryption  schemes, 
short  and  aggregate  signatures,  Hierarchical  Identity-Based  Encryption,  and  decentralized 
Attribute-Based  Encryption.  Typically,  proofs  of  such  schemes  will  use  the  random  oracle 
heuristic  to  “program”  the  output  of  the  hash  function  in  a  certain  way  for  which  there  is  no 
known  standard  model  equivalent. 

Given  that  there  are  well-known  issues  with  random  oracle  instantiability  in  general  and 
problems  with  Full  Domain  Hash  in  particular,  there  has  been  a  push  to  find  standard  model 
realizations  of  these  applications. 

In  this  project  we  explore  building  constructions  with  full  domain  hash  structure,  but  with 
standard  model  proofs  that  do  not  employ  the  random  oracle  heuristic.  The  launching  point 
for  our  results  will  be  the  utilization  of  a  “leveled”  multilinear  map  setting  for  which  Garg, 
Gentry,  and  Halevi  (GGH)  gave  an  approximate  candidate.  Our  first  step  is  the  creation  of  a 
standard  model  signature  scheme  that  exhibits  the  structure  of  the  Boneh,  Lynn  and  Shacham 
signatures.  In  particular,  this  gives  us  a  signature  that  admits  unrestricted  aggregation. 

We  build  on  this  result  to  offer  an  identity-based  aggregate  signature  scheme  that  admits 
unrestricted  aggregation.  In  our  construction,  an  arbitrary-sized  set  of  signatures  on  iden¬ 
tity/message  pairs  can  be  aggregated  into  a  single  group  element,  which  authenticates  the 
entire  set.  The  identity-based  setting  has  important  advantages  over  regular  aggregate  signa¬ 
tures  in  that  it  eliminates  the  considerable  burden  of  having  to  store,  retrieve  or  verify  a  set 
of  verification  keys,  and  minimizes  the  total  cryptographic  overhead  that  must  be  attached 
to  a  set  of  signer/message  pairs.  While  identity-based  signatures  are  trivial  to  achieve,  their 
aggregate  counterparts  are  not.  To  the  best  of  our  knowledge,  no  prior  candidate  for  realiz¬ 
ing  unrestricted  identity-based  aggregate  signatures  exists  in  either  the  standard  or  random 
oracle  models. 

A  key  technical  idea  underlying  these  results  is  the  realization  of  a  hash  function  with  a 
Naor-Reingold-type  structure  that  is  publicly  computable  using  repeated  application  of  the 
multilinear  map.  We  expect  this  to  have  wider  applications.  We  present  our  results  in  a 
generic  “leveled”  multilinear  map  setting  and  then  show  how  they  can  be  translated  to  the 
GGH  graded  algebras  analogue  of  multilinear  maps. 

This  work  was  performed  by  Susan  Hohenberger,  Amit  Sahai  and  Brent  Waters  and 
accepted  to  CRYPTO  2013. 
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Next,  we  improved  our  prior  results  for  full  domain  hash  to  provide  a  method  to  instan¬ 
tiate  the  random  oracle  with  a  concrete  hash  function  in  these  applications.  This  has  been  an 
open  problem  since  random  oracles  were  proposed  by  Bellare  and  Rogaway  in  1993,  and  full 
domain  hash  applications  now  encompass  a  broader  range  of  notable  cryptographic  schemes 
including  the  Boneh-Franklin  IBE  scheme  and  Boneh-Lynn-Shacham  (BLS)  signatures.  All 
of  the  above  described  schemes  required  a  hash  function  that  had  to  be  modeled  as  a  random 
oracle  to  prove  security.  Our  work  utilizes  recent  advances  in  indistinguishability  obfusca¬ 
tion  to  construct  specific  hash  functions  for  use  in  these  schemes.  We  then  prove  security  of 
the  original  cryptosystems  when  instantiated  with  our  specific  hash  function. 

This  work  was  performed  by  Susan  Hohenberger,  Amit  Sahai  and  Brent  Waters  and 
accepted  to  Eurocrypt  2014. 

4.3.3  Universal  Aggregate  Signatures.  We  introduce  the  concept  of  universal  signature 
aggregators.  In  a  universal  signature  aggregator  system,  a  third  party,  using  a  set  of  common 
reference  parameters,  can  aggregate  a  collection  of  signatures  produced  from  any  set  of  sign¬ 
ing  algorithms  (subject  to  a  chosen  length  constraint)  into  one  short  signature  whose  length  is 
independent  of  the  number  of  signatures  aggregated.  In  prior  aggregation  works,  signatures 
can  only  be  aggregated  if  all  signers  use  the  same  signing  algorithm  (e.g.,  BLS)  and  shared 
parameters.  A  universal  aggregator  can  aggregate  across  schemes  even  in  various  algebraic 
settings  (e.g.,  BLS,  RSA,  ECDSA),  thus  creating  novel  opportunities  for  compressing  au¬ 
thentication  overhead.  It  is  especially  compelling  that  existing  public  key  infrastructures  can 
be  used  and  that  the  signers  do  not  have  to  alter  their  behavior  to  enable  aggregation  of  their 
signatures. 

We  provide  multiple  constructions  and  proofs  of  universal  signature  aggregators  based 
on  indistinguishability  obfuscation  and  other  supporting  primitives.  We  detail  our  techniques 
as  well  as  the  tradeoffs  in  features  and  security  of  our  solutions. 

This  work  was  performed  by  Susan  Hohenberger,  Venkata  Koppula  and  Brent  Waters 
and  appeared  in  Eurocrypt  2015. 

4.4  Encryption 

We  now  discuss  advances  in  security  and  efficiency  for  encryption. 

4.4.1  New  Approach  for  Chosen- Ciphertext  Security.  Chosen-ciphertext  security  is  the 
deployable  standard  for  encryption,  but  yet  can  sometimes  be  difficult  to  realize. 

In  this  project,  we  presented  a  new  approach  for  creating  chosen-ciphertext  secure  en¬ 
cryption.  The  focal  point  of  our  work  is  a  new  abstraction  that  we  call  Detectable  Chosen- 
Ciphertext  Security  (DCCA).  Intuitively,  this  notion  is  meant  to  capture  systems  that  are  not 
necessarily  chosen  ciphertext  attack  (CCA)  secure,  but  where  we  can  detect  whether  a  certain 
query  CT  can  be  useful  for  decrypting  (or  distinguishing)  a  challenge  ciphertext  CT*. 

We  show  how  to  build  chosen  ciphertext  secure  systems  from  DCCA  security.  We  mo¬ 
tivate  our  techniques  by  describing  multiple  examples  of  DCCA  systems  including  creating 
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them  from  1-bit  CCA  secure  encryption  —  capturing  the  Myers-shelat  result  (FOCS  2009). 
Our  work  identifies  DCCA  as  a  new  target  for  building  CCA  secure  systems. 

This  is  joint  work  by  Susan  Hohenberger,  Allison  Lewko  and  Brent  Waters  that  appeared 
in  Eurocrypt  2012. 

4.4.2  Results  on  Construction  of  Other  Strong  Forms  of  Encryption.  We  construct 
[56]  a  Non-Malleable  Chosen  Ciphertext  Attack  (NM-CCA1 )  encryption  scheme  from  any 
encryption  scheme  that  is  also  plaintext  aware  and  weakly  simulatable.  We  believe  this  is 
the  first  construction  of  a  NM-CCA1  scheme  that  follows  strictly  from  encryption  schemes 
with  seemingly  weaker  or  incomparable  security  definitions  to  NM-CCA1 .  Previously,  the 
statistical  Plaintext  Awareness  #1  (PA1)  notion  of  security  for  encryption  was  only  known 
to  imply  CCA1 .  Our  result  is  therefore  novel  because  unlike  the  case  of  Chosen  Plaintext 
Attack  (CPA)  and  Chosen  Chiphertext  Attack  (CCA2),  it  is  unknown  whether  a  CCA1 
scheme  can  be  transformed  into  an  NM-CCA1  scheme.  Additionally,  we  show  both  the 
Damgard  Elgamal  Scheme  (DEG)  and  the  Cramer-Shoup  Lite  Scheme  (CS-Lite)  are  weakly 
simulatable  under  the  DDH  assumption.  Since  both  are  known  to  be  statistical  Plaintext 
Aware  1  (PA1)  under  the  Diffie-He liman  Knowledge  (DHK)  assumption,  they  instantiate 
our  scheme  securely. 

Furthermore,  in  response  to  a  question  posed  by  Matsuda  and  Matsuura,  we  define 
cNM-CCAl  -security  in  which  an  NM-CCA-adversary  is  permitted  to  ask  a  c  >  1  number 
of  parallel  queries  after  receiving  the  challenge  ciphertext.  We  extend  our  construction  to 
yield  a  cNM-CCAl  scheme  for  any  constant  c.  All  of  our  constructions  are  black-box.  This 
work  was  completed  by  Mona  Sergi  (a  graduate  student  whose  PhD  was  partially  funded  by 
this  project),  abhi  shelat,  and  Steven  Myers. 

4.4.3  Chosen-Ciphertext  Security  does  not  imply  Circular  Security.  Traditional  defi¬ 
nitions  of  encryption  security  guarantee  secrecy  for  any  plaintext  that  can  be  computed  by 
an  outside  adversary.  In  some  settings,  such  as  anonymous  credential  or  disk  encryption 
systems,  this  is  not  enough,  because  these  applications  encrypt  messages  that  depend  on 
the  secret  key.  A  natural  question  to  ask  is  do  standard  definitions  capture  these  scenarios? 
One  area  of  interest  is  n-circular  security  where  the  ciphertexts  E(pk1,  sk2 ),  E(pk2:  sk3), 
... ,  E(pkn_i,  skn),  E(pkn,  ski )  must  be  indistinguishable  from  encryptions  of  zero.  Acar  et 
al.  (Eurocrypt  2010)  provided  a  CPA-secure  public  key  cryptosystem  that  is  not  2-circular 
secure  due  to  a  distinguishing  attack. 

In  this  work,  we  consider  a  natural  relaxation  of  this  definition.  Informally,  a  cryptosys¬ 
tem  is  n-weak  circular  secure  if  an  adversary  given  the  cycle  E{jpk\ ,  sk2),  E(pk2l  s/c3), . . . , 
E(pkn_ i,  skn).  E(pkn.  ski)  has  no  significant  advantage  in  the  regular  security  game,  (e.g., 
CPA  or  CCA)  where  ciphertexts  of  chosen  messages  must  be  distinguished  from  ciphertexts 
of  zero.  Since  this  definition  is  sufficient  for  some  practical  applications  and  the  Acar  et  al. 
counterexample  no  longer  applies,  the  hope  is  that  it  would  be  easier  to  realize,  or  perhaps 
even  implied  by  standard  definitions.  We  show  that  this  is  unfortunately  not  the  case:  even 
this  weaker  notion  is  not  implied  by  standard  definitions.  Specifically,  we  show: 
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•  For  symmetric  encryption,  under  the  minimal  assumption  that  one-way  functions  exist, 
n-weak  circular  (CPA)  security  is  not  implied  by  CCA  security,  for  any  n.  In  fact,  it 
is  not  even  implied  by  authenticated  encryption  security,  where  ciphertext  integrity  is 
guaranteed. 

•  For  public-key  encryption,  under  a  number-theoretic  assumption,  2-weak  circular  se¬ 
curity  is  not  implied  by  CCA  security. 

In  both  of  these  results,  which  also  apply  to  the  stronger  circular  security  definition,  we  ac¬ 
tually  show  for  the  first  time  an  attack  in  which  the  adversary  can  recover  the  secret  key 
of  an  otherwise- secure  encryption  scheme  after  an  encrypted  key  cycle  is  published.  These 
negative  results  are  an  important  step  in  answering  deep  questions  about  which  attacks  are 
prevented  by  commonly-used  definitions  and  systems  of  encryption.  They  say  to  practition¬ 
ers:  if  key  cycles  may  arise  in  your  system,  then  even  if  you  use  CCA-secure  encryption, 
your  system  may  break  catastrophically;  that  is,  a  passive  adversary  might  be  able  to  recover 
your  secret  keys. 

This  is  joint  work  with  David  Cash,  Matthew  Green  and  Susan  Hohenberger  that  ap¬ 
peared  in  PKC  2012. 

4.4.4  Online/Offline  Attribute-Based  Encryption.  Attribute-based  encryption  (ABE)  is 
a  type  of  public  key  encryption  that  allows  users  to  encrypt  and  decrypt  messages  based  on 
user  attributes.  For  instance,  one  can  encrypt  a  message  to  any  user  satisfying  the  boolean 
formula  (“crypto  conference  attendee”  AND  “PhD  student”)  OR  “IACR  member”.  One 
drawback  is  that  encryption  and  key  generation  computational  costs  scale  with  the  complex¬ 
ity  of  the  access  policy  or  number  of  attributes.  In  practice,  this  makes  encryption  and  user 
key  generation  a  possible  bottleneck  for  some  applications. 

To  address  this  problem,  we  developed  new  techniques  for  ABE  that  split  the  compu¬ 
tation  for  these  algorithms  into  two  phases:  a  preparation  phase  that  does  the  vast  majority 
of  the  work  to  encrypt  a  message  or  create  a  secret  key  before  it  knows  the  message  or  the 
attribute  list/access  control  policy  that  will  be  used  (or  even  the  size  of  the  list  or  policy).  A 
second  phase  can  then  rapidly  assemble  an  ABE  ciphertext  or  key  when  the  specifics  become 
known.  This  concept  is  sometimes  called  “online/offline”  encryption  when  only  the  message 
is  unknown  during  the  preparation  phase;  we  note  that  the  addition  of  unknown  attribute  lists 
and  access  policies  makes  ABE  significantly  more  challenging. 

One  motivating  application  for  this  technology  is  mobile  devices:  the  preparation  work 
can  be  performed  while  the  phone  is  plugged  into  a  power  source,  then  it  can  later  rapidly 
perform  ABE  operations  on  the  move  without  significantly  draining  the  battery. 

Our  performance  estimates  showed  that  over  99%  of  the  computational  work  could  be 
moved  to  the  offline  phase  in  many  scenarios. 

This  is  joint  work  with  Susan  Hohenberger  and  Brent  Waters  that  appeared  in  PKC  2014. 

4.4.5  Blackbox  proofs  of  knowledge  of  plaintext.  We  develop  [57,  56]  a  novel  proof 
of  knowledge  of  a  plaintext  protocol  and  show  how  to  use  it  in  the  construction  of  a  fully 
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black-box  multi-party  computation  protocol  with  low  communication  overhead.  We  briefly 
describe  the  motivation  behind  our  work. 

Secure  computation  with  an  honest  majority  can  be  accomplished  without  any  crypto¬ 
graphic  assumptions,  but  the  best  such  protocol  requires  the  parties  to  communicate  |  / 1  log  |  / 1  + 
d2  ■  poly(n ,  log  |/|)  bits  [15]  and  at  least  d  rounds.  Here  |/|  is  the  size  of  the  function  be¬ 
ing  computed  and  d  is  the  circuit  depth  of  /,  and  thus  the  communication  of  the  protocol 
is  super-linearly  related  to  the  number  of  gates  in  /.  Until  recently,  even  the  use  of  crypto¬ 
graphic  assumptions  for  secure  computation  required  polylog(X)  communication  overhead 
per  gate  [15]  where  A  is  a  security  parameter. 

Gentry  [19]  circumvents  per-gate  overhead  as  follows:  the  honest-but-curious  parities 
use  secure  multi-party  computation  to  generate  an  FHE  key,  each  party  encrypts  its  input, 
and  sends  the  resulting  ciphertext  and  proof  to  other  parties.  Once  all  parties  have  encryp¬ 
tions  of  everyone’s  inputs,  they  compute  the  function  of  interest  locally  using  the  evaluation 
procedure  of  the  FHE.  Finally,  to  use  the  resulting  ciphertexts  as  inputs  to  a  secure  multi¬ 
party  computation  which  computes  the  decryption  of  the  majority  input.  In  order  to  be  secure 
against  malicious  adversaries,  the  Naor  and  Nissim  compiler  [59],  which  makes  use  of  the 
PCP  theorem,  can  be  applied.  The  use  of  the  PCP  theorem  in  the  SMC  steps  makes  the 
approach  impractical,  even  when  presented  with  a  practical  FHE  scheme. 

The  motivation  behind  our  work  is  to  remove  any  use  white-box  techniques,  such  as  the 
PCP  theorem  or  generic  ZK  or  NIZK,  from  the  above  framework  for  constructing  communication- 
efficient  secure  protocols.  These  techniques  have  historically  been  inefficient.  In  other 
words,  we  seek  a  black-box  transformation  from  TFHE  to  secure  computation. 

First  Contribution  The  main  technical  hurdle  in  devising  a  black-box  transformation  from 
TFHE  to  secure  computation  is  to  implement  the  requirement  for  each  player  to  prove  that 
they  “know  the  plaintext”  corresponding  to  the  encrypted  input  that  they  have  broadcast. 

This  step  is  essential  because  it  prevents  one  player  from  copying  (or  mauling  via  the  homo¬ 
morphism)  the  input  of  a  player  who  has  acted  earlier.  To  handle  this  step,  we  show  how  to 
construct  a  two-round  black-box  proof  of  knowledge  of  an  encrypted  bit  for  any  circuit  pri¬ 
vate  FHE  scheme  using  only  the  encryption  scheme.  Since  our  protocol  is  only  two  rounds, 
it  is  not  zero-knowledge  (cf.  [21]),  but  can  provably  keep  the  encrypted  bit  hidden.  Our  POK 
requires  that  the  public-key  contain  a  labeled  encryption  of  0  and  1,  which  given  all  known 
FHE  schemes  seems  to  be  a  natural  modification.  3  For  traditional  FHE  schemes,  the  POK 
can  be  used  completely  black-box,  without  even  the  need  for  the  modification. 

The  basic  idea  of  our  proof  of  knowledge  protocol  is  to  first  modify  the  encryption 
scheme  so  that  the  message  is  encoded  using  an  error-correcting  code  (ECC)  based  veri¬ 
fiable  secret  sharing  (VSS)  scheme.  To  encrypt  a  message  we  first  generate  its  secret  shares, 
and  encrypt  them  independently  using  fresh  randomness.  A  verifier  now  requests  the  Prover 
to  reveal  the  randomness  used  to  encrypt  a  sub-threshold  number  of  the  shares.  The  verifier 

3Since  all  current  schemes  contain  bit-wise  encryptions  of  their  own  secret-keys  which  are  random  bit 
strings,  and  a  natural  extension  of  any  protocol  that  provides  encryptions  of  one’s  own  secret-key  can  be  used 
to  derive  a  labeled  encryption  of  0  and  1  which  we  describe. 
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then  does  a  consistency  check,  based  on  the  ECC  underlying  the  scheme,  to  ensure  that  the 
shares  were  encoded  properly.  In  particular,  the  error-correcting  code  we  choose  offers  a 
property  that  allows  one  to  check  whether  local  parts  of  the  codeword  are  error-free.  The 
verifier  accepts  if  everything  appears  to  be  properly  coded.  Since  the  number  of  shares  re¬ 
vealed  is  less  than  the  threshold,  it  does  not  leak  any  information  about  the  original  message. 
To  show  a  proof  of  knowledge  property,  we  argue  that  an  extractor  can  rewind  the  Prover 
and  ask  for  another  set  of  shares  to  be  opened.  With  high  probability,  this  second  transcript 
provides  enough  new  shares  to  run  the  VSS  recover  algorithm,  and  recover  the  original  mes¬ 
sage.  The  one  issue  with  this  approach  is  that  the  Prover  must  reveal  the  randomness  used  to 
encrypt  some  of  the  shares.  The  semantic  security  of  an  encryption  scheme  does  not  guaran¬ 
tee  any  security  when  these  random  bits  are  revealed — in  particular,  the  security  of  the  rest 
of  the  unopened  encryptions  are  not  guaranteed.  Instead,  we  require  the  encryption  scheme 
to  be  secure  against  a  selective  opening  attack  (SOA).  Fortunately,  a  result  of  Hemenway  et 
al.  [27]  can  be  generalized  to  show  that  any  circuit  private  homomorphic  encryption  scheme 
can  be  made  into  an  SOA-secure  one. 

We  point  out  that  our  proof  of  knowledge  requires  the  encryption  scheme  to  be  homo¬ 
morphic  and  circuit-private.  Recently,  Damgard  et  al.  [17]  demonstrates  a  three -round  £- 
protocol  for  knowledge  of  plaintext,  but  their  protocol  requires  the  underlying  encryption 
scheme  to  also  be  homomorphic  on  the  random  coins  used  to  encrypt.  Although  many  FHE 
schemes  support  this  property  on  their  random  coins,  it  is  certainly  not  specified  in  the  def¬ 
inition  of  FHE.  In  contrast,  circuit  privacy  has  been  independently  defined  and  seems  to  be 
a  naturally  weaker  property.4  Moreover,  their  scheme  requires  the  message  space  for  the 
FHE  to  be  over  Zn  for  N  related  to  the  security  parameter.  While  in  general,  single -bit  FHE 
implies  many-bit  FHE,  we  are  not  aware  of  any  such  transformation  that  also  preserves  the 
homomorphism  over  the  random  coins  as  required  by  their  protocol.  Thus,  the  requirement 
for  large  message  space  and  homomorphism  over  the  random  coins  seem  to  be  extra  as¬ 
sumption  which  our  work  can  avoid  (our  protocol  also  works  on  single-bit  FHE).  Finally,  the 
E -protocol  from  [17]  must  be  compiled  into  a  full  zero-knowledge  protocol  using  standard 
techniques  which  add  round  complexity  and/or  setup  assumptions;  we  show  that  our  two- 
round  protocol  with  its  hidden-bit  property  suffices  for  our  secure  computation  protocol. 

Second  Contribution  By  combining  our  result  with  almost  any  TFHE  scheme,  we  con¬ 
struct  a  secure  multi-party  protocol  that  avoids  both  per-gate  communication  complexity  and 
white-box  techniques  such  as  the  PCP  theorem  or  Zero-Knowledge.  The  communication 
complexity  of  our  protocol  is  0( Xc  ■  n2  )  where  A  is  a  security  parameter  and  c  is  a  small  con¬ 
stant  for  the  TFHE  scheme  and  is  thus  independent  of  |/|.  Our  black-box  transformation  is 
particularly  important  because  if  practical  FHE  (and  TFHE)  can  be  constructed,  our  transfor¬ 
mations  will  result  in  practical  SFE.  Our  work  is  in  the  standard  model  and  does  not  require 
trust  assumptions  such  as  the  common  reference  string,  a  random  oracle  or  public-key  setup. 

4Even  though  current  schemes  achieve  circuit  privacy  via  randomness  homomorphisms,  it  is  certainly  plau¬ 
sible  for  future  constructions  to  achieve  circuit  privacy  in  other  ways.  Moreover,  there  do  not  seem  to  be  any 
natural  ways  to  transform  a  circuit  private  scheme  to  one  with  a  randomness  homomorphism,  and  thus  we  feel 
it  is  a  weaker  notion. 
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Final  Contribution  For  completeness,  we  also  construct  a  threshold  fully  homomorphic 
public-key  encryption  scheme  (TFHE)  based  on  the  Approximate  GCD  problem  and  the 
fully  homomorphic  encryption  scheme  presented  by  van  Dijk  et  al.  [72],  and  our  result  was 
the  first  to  demonstrate  the  feasibility  of  directly  achieving  this  threshold  primitive  for  FHE. 
Since  our  original  eprint  submission,  [3]  and  [48]  present  more  efficient  TFHE  constructions 
based  on  LWE-style  assumptions.  The  point  of  this  construction  is  to  demonstrate  feasibility 
of  TFHE  under  different  complexity  assumptions.5 

4.4.6  Efficient  Prototyped  Bootstrapping  FHE  with  SAGE.  We  provided  several  im¬ 
plementations  of  FHE  that  incorporate  several  different  optimizations.  All  implementations 
were  done  in  SAGE[71],  which  is  an  open-source  advanced  mathematics  package  that  has  an 
incorporated  programming  language  based  on  Python.  Our  first  implementation  was  one  that 
implemented  bootstrapping  working  on  the  RLWE  based  scheme  of  Brakerski  and  Vaikun- 
tanathan  [9],  with  improvements  as  suggested  in  Lauter,  Naehrig  and  Vaikuntanathan  [58]. 
We  benchmarked  our  implementation  in  Sage  of  the  non-bootstrapping  scheme  against  the 
implementation  in  Magma  of  the  Lauter,  Naehrig  and  Vaikuntanathan  system  [58]  and  get 
slightly  faster  results.  (Note,  Lauter  et  al.  did  not  implement  bootstrapping,  so  there  is 
no  possibility  of  providing  a  comparison  here).  This  suggests  that  there  is  no  preference 
in  choosing  the  Magma  implementation  system  which  is  costly  and  proprietary,  over  SAGE. 
The  second  implementation  was  Bakerski’s  new  algorithm,  We  did  not  implement  bootstrap¬ 
ping,  but  did  implement  more  advanced  error  handling  mechanisms,  specifically  the  modular 
reduction  technique. 

The  SAGE  system,  while  excellent  for  prototyping  code  was  too  inefficient  to  handle 
large  realistic  security  parameters.  Therefore,  we  looked  into  the  possibility  of  augmenting 
the  SAGE  system  with  a  backend  that  could  handle  polynomial  algebra  on  the  GPU.  We  were 
successfully  in  writing  small  programs  that  access  GPGPU  through  SAGE,  going  through 
pycuda.  However,  after  some  experimentation  and  implementation  of  basic  mathematics 
on  the  GPU,  we  realized  that  the  architecture  was  not  promising.  The  reason  was  that  the 
bus  is  too  slow  to  have  individual  polynomial  multiplication  and  addition  operations  pushed 
across  it,  to  have  them  performed  on  the  GPU,  but  this  is  the  only  method  that  SAGE  seems 
to  support  the  outsourcing  of  such  operations.  Therefore,  while  we  believe  there  is  much 
promise  in  using  the  GPU  to  perform  FHE  operations,  accessing  it  through  SAGE  is  not  a 
promising  approach. 

4.4.7  Tamper-resilient  Cryptography. 

On  the  Impossibility  of  Tamper-resilient  Cryptography  We  initiate  a  study  of  the  secu¬ 
rity  of  cryptographic  primitives  in  the  presence  of  efficient  tampering  attacks  to  the  random¬ 
ness  of  honest  parties.  More  precisely,  we  consider  p-tampering  attackers  that  may  tamper 

5We  note  that  historically,  threshold  encryption  has  been  presented  where  the  key-generation  algorithm 
and  decryption  algorithms  are  single  algorithms,  or  they  are  multi-party  protocols.  We  present  multi-party 
protocols. 
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with  each  bit  of  the  honest  parties’  random  tape  with  probability  p,  but  have  to  do  so  in  an 
’’online”  fashion.  We  present  both  positive  and  negative  results: 

•  Any  secure  encryption  scheme,  bit  commitment  scheme,  or  zero-  knowledge  protocol 
can  be  broken  with  probability  p  by  a  tampering  attacker.  The  core  of  this  result  is 
a  new  Fourier  analytic  technique  for  biasing  the  output  of  bounded-value  functions, 
which  may  be  of  independent  interest  (and  provides  an  alternative,  and  in  our  eyes 
simpler,  proof  of  the  classic  Santha-Vazirani  theorem). 

•  Assuming  the  existence  of  one-way  functions,  cryptographic  primitives  such  as  sig¬ 
natures,  identification  protocols  can  be  made  resilient  to  p- tampering  attacks  for  any 
p  =  1  /n“,  where  a  >  0  and  n  is  the  security  parameter. 

The  paper  is  appeared  in  CRYPTO  ’14  and  was  invited  to  the  special  issues  of  the  best  papers 
in  the  conference. 

4.5  New  Software  Tools 

In  this  section,  we  describe  open  source  software  that  was  used  by  or  partially  developed  with 
the  support  of  this  DARPA  funding.  This  work  formed  the  basis  for  a  2013  PhD  dissertation 
for  JHU  graduate  student  Joseph  Ayo  Akinyele,  although  he  was  not  funded  on  this  grant. 

4.5.1  Charm:  A  Toolkit  for  Rapid  Prototyping  of  Cryptographic  Systems.  Matt  Green 
led  the  development  of  Charm,  an  extensible  framework  designed  for  rapid  prototyping 
of  cryptographic  systems  that  utilize  the  latest  advances  in  cryptography,  such  as  fully- 
homomorphic  encryption  and  SFE,  as  well  as  the  traditional  cryptographic  functionalities. 
Charm  is  designed  to  minimize  code  complexity,  promote  code  re-use,  and  to  automate  inter¬ 
operability,  while  not  compromising  on  efficiency.  It  was  first  publicly  presented  in  NDSS 
2012.  The  work  to  build  Charm  was  not  part  of  PROCEED,  but  Charm  was  an  available 
foundation  for  some  of  the  implementation  tasks  we  proposed.  The  Charm  team  interacted 
during  the  project  with  Galois  and  UVA  on  making  this  code  available  and  easy  to  use  by 
the  PROCEED  team.  It  was  also  used  for  the  development  of  further  tools  as  noted  in  Sec¬ 
tion  4.5.2.  A  dedicated  website  for  Charm  was  launched  at 

http  ://w  w  w.charm-crypto  .com/ 

According  to  Github  records,  the  library  has  been  downloaded  thousands  of  times  world¬ 
wide. 

The  library  continues  to  be  actively  maintained  and  a  paper  on  it  was  published  with 
the  following  information:  Joseph  A.  Akinyele,  Christina  Garman,  Ian  Miers,  Matthew 
W.  Pagano,  Michael  Rushanan,  Matthew  Green,  Aviel  D.  Rubin:  Charm:  a  framework  for 
rapidly  prototyping  cryptosystems.  J.  Cryptographic  Engineering  3(2):  111-128  (2013). 
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4.5.2  The  AutoTools  Suite.  Cryptographic  design  tasks  are  primarily  performed  by  hand 
today.  Shifting  more  of  this  burden  to  computers  could  make  the  design  process  faster,  more 
accurate  and  less  expensive.  In  this  subproject,  we  investigated  tools  for  programmatically 
altering  existing  cryptographic  constructions  to  reflect  particular  design  goals.  Our  tech¬ 
niques  enhance  both  security  and  efficiency  with  the  assistance  of  advanced  tools  including 
Satisfiability  Modulo  Theories  (SMT)  solvers.  A  dedicated  website  for  these  automation 
tools  was  launched  at 

https://github.com/JHUISI/auto-tools 
Specifically,  we  developed  the  following  suite  of  tools: 

AutoBatch  AutoBatch  is  an  automated  tool  for  generating  batch  verification  code  in  either 
Python  or  C++  from  a  high  level  representation  of  a  signature  scheme.  AutoBatch 
outputs  both  software  and,  for  transparency,  a  LaTeX  file  describing  the  batching  al¬ 
gorithm  and  arguing  that  it  preserves  the  unforgeability  of  the  original  scheme. 

We  tested  AutoBatch  on  over  a  dozen  pairing-based  schemes  to  demonstrate  that  a 
computer  could  find  competitive  batching  solutions  in  a  reasonable  amount  of  time.  In 
particular,  it  found  an  algorithm  that  is  faster  than  a  batching  algorithm  from  Eurocrypt 
2010.  Another  novel  contribution  is  that  it  handles  cross-scheme  batching,  where  it 
searches  for  a  common  algebraic  structure  between  two  distinct  schemes  and  attempts 
to  batch  them  together. 

We  also  published  a  journal  version  that  expanded  on  the  ACM  CCS  2012  original 
work  in  a  number  of  ways.  We  added  a  new  loop-unrolling  technique  and  showed  that 
it  helps  cut  the  batch  verification  cost  of  one  scheme  by  roughly  half.  We  described  our 
pruning  and  search  algorithms  in  greater  detail,  including  pseudocode  and  diagrams. 
All  experiments  were  also  re-run  using  the  RELIC  pairing  library.  We  compared  those 
results  to  our  earlier  results  using  the  MIRACL  library,  and  discuss  why  RELIC  out¬ 
performs  MIRACL  in  all  but  two  cases.  Automated  proofs  of  several  new  batching 
algorithms  are  also  included. 

AutoGroup  AutoGroup  converts  a  pairing-based  encryption  or  signature  scheme  written 
in  (simple)  symmetric  group  notation  into  a  specific  instantiation  in  the  more  effi¬ 
cient,  asymmetric  setting.  Some  existing  symmetric  schemes  have  hundreds  of  possi¬ 
ble  asymmetric  translations,  and  this  tool  allows  the  user  to  optimize  the  construction 
according  to  a  variety  of  metrics,  such  as  ciphertext  size,  key  size  or  computation  time. 

AutoStrong  The  AutoStrong  tool  focuses  on  the  security  of  digital  signature  schemes  by 
automatically  converting  an  existentially  unforgeable  signature  scheme  into  a  strongly 
unforgeable  one.  The  main  technical  challenge  here  is  to  automate  the  “partitioned” 
check,  which  allows  a  highly-efficient  transformation. 

CloudSource  CloudSource  is  an  automated  tool  for  developing  “outsourcing-ready”  de¬ 
cryption  of  cryptographic  schemes.  CloudSource  is  designed  to  programmatically  an¬ 
alyze  existing  pairing-based  encryption  schemes,  and  to  derive  new  algorithms  that 
allow  users  to  outsource  portions  of  the  decryption  routine  to  an  untrusted  server. 
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The  CloudSource  tool  addresses  a  growing  need,  as  we  increasingly  deploy  cryptog¬ 
raphy  in  environments  where  users  employ  limited  mobile  devices  and  yet  have  ready 
access  to  cloud-based  computing  resources.  The  techniques  we  propose  form  part  of  a 
growing  line  of  work  aimed  towards  the  automated  analysis  and  engineering  of  cryp¬ 
tographic  protocols,  and  will  help  to  reduce  the  need  for  manual  optimization  of  these 
constructions. 

Our  experiments  demonstrate  that  these  design  tasks  studied  can  be  performed  automat¬ 
ically  in  (usually)  a  matter  of  seconds. 

This  work  includes  collaborations  by  Susan  Hohenberger,  Matthew  Green,  Joseph  Ayo 
Akinyele,  Matthew  Pagano,  and  Avi  Rubin.  Multiple  papers  appeared  in  ACM  CCS  and  the 
Journal  of  Computer  Security. 

4.6  Protocols  for  Bitcoin 

Bitcoin  is  the  first  e-cash  system  to  see  widespread  adoption.  While  Bitcoin  offers  the 
potential  for  new  types  of  financial  interaction,  it  has  significant  limitations  regarding  pri¬ 
vacy.  Specifically,  because  the  Bitcoin  transaction  log  is  completely  public,  users’  privacy 
is  protected  only  through  the  use  of  pseudonyms.  In  this  project,  we  propose  Zerocoin,  a 
cryptographic  extension  to  Bitcoin  that  augments  the  protocol  to  allow  for  fully  anonymous 
currency  transactions.  Our  system  uses  standard  cryptographic  assumptions  and  does  not 
introduce  new  trusted  parties  or  otherwise  change  the  security  model  of  Bitcoin.  We  detail 
Zerocoin’s  cryptographic  construction,  its  integration  into  Bitcoin,  and  examine  its  perfor¬ 
mance  both  in  terms  of  computation  and  impact  on  the  Bitcoin  protocol.  This  work  involved 
Ian  Miers,  Christina  Garman,  Matthew  Green  and  Avi  Rubin,  and  appeared  in  IEEE  Security 
and  Privacy  2013. 

Although  payments  are  conducted  between  pseudonyms,  Bitcoin  cannot  offer  strong  pri¬ 
vacy  guarantees:  payment  transactions  are  recorded  in  a  public  decentralized  ledger,  from 
which  much  information  can  be  deduced.  Zerocoin  (Miers  et  al.,  IEEE  S&P  2013)  tackles 
some  of  these  privacy  issues  by  unlinking  transactions  from  the  payments  origin.  Yet  it  still 
reveals  payment  destinations  and  amounts,  and  is  limited  in  functionality.  In  this  project,  we 
construct  a  full-fledged  ledger-based  digital  currency  with  strong  privacy  guarantees.  Our 
results  leverage  recent  advances  in  zero-knowledge  Succinct  Non-interactive  ARguments  of 
Knowledge  (zk-SNARKs).  We  formulate  and  construct  decentralized  anonymous  payment 
schemes  (DAP  schemes).  A  DAP  scheme  lets  users  pay  each  other  directly  and  privately:  the 
corresponding  transaction  hides  the  payments  origin,  destination,  and  amount.  We  provide 
formal  definitions  and  proofs  of  the  constructions  security.  We  then  build  Zerocash,  a  prac¬ 
tical  instantiation  of  our  DAP  scheme  construction.  In  Zerocash,  transactions  are  less  than  1 
kB  and  take  under  6  ms  to  verify  orders  of  magnitude  more  efficient  than  the  less-anonymous 
Zerocoin  and  competitive  with  plain  Bitcoin.  This  work  involved  an  MIT-JHU  collaboration, 
including  Eli  Ben-Sasson,  Alessandro  Chiesa,  Christina  Garman,  Matthew  Green,  Ian  Miers, 
Eran  Tromer  and  Madars  Virza,  and  appeared  in  IEEE  Security  and  Privacy  2014. 
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4.7  Program  Obfuscation 


Program  obfuscation  serves  to  ’’scramble”  a  computer  program,  hiding  its  implementation 
details  while  preserving  its  functionality.  Unfortunately,  the  ’’dream”  notion  of  security, 
guaranteeing  that  obfuscated  code  does  not  reveal  information  beyond  black-box  access  to 
the  original  program,  has  historically  run  into  strong  impossibility  results,  and  is  known  to 
be  impossible  to  achieve  for  general  programs. 

Recently,  the  first  plausible  candidate  of  general-purpose  obfuscation  was  presented 
(Garg  et  al  FOCS  2013)  for  a  relaxed  notion  of  security,  known  as  indistinguishability  ob¬ 
fuscation,  which  requires  only  that  obfuscations  of  functionally  equivalent  programs  are  in¬ 
distinguishable. 

We  initiated  the  study  of  the  stronger  notion  of  extractability  or  ’’differing-inputs”  obfus¬ 
cation:  An  extractability  obfuscator  for  a  class  of  algorithms  M  guarantees  that  if  an  efficient 
attacker  A  can  distinguish  between  obfuscations  of  two  algorithms  M\,M2  €  M,  then  A 
can  efficiently  recover  (given  M\  and  M2)  an  input  on  which  Mi  and  M2  provide  different 
outputs  (Barak  et  al  JACM  2012).  We  demonstrate  that  extractability  obfuscation  provides 
several  new  applications,  including  obfuscation  of  Turing  machines,  indistinguishability- 
secure  functional  encryption  for  an  unbounded  number  of  key  queries  and  unbounded  mes¬ 
sage  spaces,  and  a  new  notion  of  functional  witness  encryption.  We  also  explore  the  relation 
between  extractability  obfuscation  and  other  cryptographic  notions  and  show  that  in  special 
cases,  extractability  obfuscation  is  in  fact  implied  by  indistinguishability  obfuscation.  This 
paper  was  accepted  to  TCC’  14,  and  has  since  been  quite  influential. 

In  a  different  vein,  we  investigated  constructions  of  obfuscations  that  can  provably  be 
based  on  some  cryptographic  hardness  assumptions.  This  was  a  wide-open  problem.  In  our 
work,  we  stipulated  new  hardness  assumptions  for  multilinear  maps  and  provided  the  first 
provably-secure  construction  of  obfuscation  based  on  a  succint  hardness  assumption.  The 
paper  appeared  in  CRYPTO  ’14. 

In  an  orthogonal  approach  we  investigate  whether  obfuscation  implies  other 
crypto-graphic  hardness  assumption.  We  show  that  indistinguishability  obfuscation  plus  a 

slight  variant  of  the  assumption  that  NP  (jL  /i/5/5  implies  the  existence  of  one-way  functions. 
This  result  appeared  in  FOCS’14. 


4.7.1  Understanding  Secure  Computation  in  the  Context  of  Complex  Systems.  In 

some  secure  computation  schemes,  such  as  bitcoin,  there  is  the  need  for  all  parties  to  en¬ 
gage  in  the  system  and  trust  it  for  it  to  be  of  use  and  produce  value.  Other  large  scale  secure 
computation  schemes  share  this  property.  In  [30],  we  consider  how  complex  systems  effect 
security  in  a  number  of  settings  producing  value  (e.g.,  SMC)  and  harm.  We  consider  ways 
this  can  be  taxonamized  and  studied. 
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5  CONCLUSIONS 


This  project  resulted  in  several  high-quality  publications  that  appeared  at  top  venues,  in 
3  high-quality  implementations  of  secure  computation  protocols  and  the  tools  needed  to 
construct  such  protocols,  and  in  several  software  artifacts  that  were  demonstrated  to  DARPA 
officials  during  the  demonstration  days  held  annually  throughout  the  performance  period. 

Two-party  Secure  Computation  In  the  project  area  of  secure  two-party  computation, 
published  papers  include  [73,  26,  31,  36,  66,  38].  These  papers  correspond  to  a  number 
of  high-performance  implementations  of  Yao’s  Garbled  Circuit  protocols,  and  related  ma¬ 
chinery.  In  [31]  there  was  a  SIMD  implementation  of  Yao’s  circuits  implemented  on 
GPGPU  architectures  that  showed  that  even  in  the  honest-but-curious  model,  the  protocol 
could  be  made  so  computationally  efficient  as  to  have  the  communication  overhead 
dominate  the  computation. 

Zero-Knowledge  Our  progress  on  Interactive  Proofs  and  Zero-knowledge  can  be  found 
in  [44,  35,  54,  34,  32,  13,  62,  33,  14].  Most  notable,  we  presented  the  first  concurrent 
zero-knowledge  protocol,  new  parallel  repetition  theorems,  an  our  journal  paper  on  non¬ 
malleability  (which  appeared  in  JACM)  gives  the  first  constant-round  non-malleable  com¬ 
mitment  and  zero-knowledge  protocols  based  on  one-way  functions. 

Encryption  and  Authentication  In  the  area  of  encryption  and  authentication  research, 
published  papers  include  [2,  57,  1].  Understanding  security  requirements  for  encryption 
schemes  and  their  relative  power  is  essential  for  understanding  the  effectiveness  of  crypto¬ 
graphic  primitives  used  in  different  settings.  In  [55,  56]  we  show  the  first  construction  to 
achieve  more  than  CCA1  security  from  a  primitive  that  has  only  a  weaker  form  of  plaintext 
awareness.  We  initiated  the  study  of ’’randomness-dependent”  encryption  schemes  in  [5].  We 
present  several  new  lower  bounds  on  the  efficiency  of  cryptographic  primitives  in  [53,  51]. 

Multi-Party  Computation  In  the  project  we  developed  a  protocol  that  introduced  the  first 
threshold  decryption  scheme  for  a  leveled  fully  homomorphic  encryption  scheme  [57]  and 
showed  how  to  use  it  to  achieve  secure  multi-party  computation  which  asymptotically 
met  known  lower  bounds.  The  SMC  scheme  itself  was  black-box  and  only  relied  on 
threshold  FHE  as  a  building  block.  More  of  our  work  on  Secure  Computation  can  be  found 
in  [8,  11,  45,  43];  most  notably,  we  gave  the  first  black-box  constructions  of  concurrently 
secure  protocols. 

Obfuscation  Our  work  on  Obfuscation  can  be  found  in  [46,  7];  most  notably,  we  gave  the 
first  applications  of  differing-input  obfuscation,  and  provided  new  constructions  of  indistin- 
guishability  obfuscation. 
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Complex  Systems  We  did  some  work  [30]  in  the  direction  of  considering  how  to  con¬ 
struct  a  taxonomy  of  complex  systems  as  they  relate  to  secure  computing  and  networking 
systems.  Understanding  how  large  systems  can  become  secure  and  trusted  or  insecure,  due 
to  individual  actors.  Large  SMC  systems  such  as  crypto-currencies  rely  on  such  properties. 
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Abstract 

We  present  a  constant-round  concurrent  zero-knowledge  protocol  for  IMP.  Our  protocol 
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1  Introduction 


Zero-knowledge  (2 1C)  interactive  proofs  [?]  are  paradoxical  constructs  that  allow  one  player  (called 
the  Prover)  to  convince  another  player  (called  the  Verifier)  of  the  validity  of  a  mathematical  state¬ 
ment  x  G  L,  while  providing  zero  additional  knowledge  to  the  Verifier.  Beyond  being  fascinating 
in  their  own  right,  ZfC  proofs  have  numerous  cryptographic  applications  and  are  one  of  the  most 
fundamental  cryptographic  building  blocks. 

The  notion  of  concurrent  zero  knowledge,  first  introduced  and  achieved  in  the  paper  by  Dwork, 
Naor  and  Sahai  [?],  considers  the  execution  of  zero- knowledge  proofs  in  an  asynchronous  and 
concurrent  setting.  More  precisely,  we  consider  a  single  adversary  mounting  a  coordinated  attack 
by  acting  as  a  verifier  in  many  concurrent  executions  (called  sessions).  Concurrent  ZfC  proofs  are 
significantly  harder  to  construct  and  analyze.  Since  the  original  protocol  by  Dwork,  Naor  and  Sahai 
(which  relied  on  so  called  “timing  assumptions”),  various  other  concurrent  ZfC  protocols  have  been 
obtained  based  on  different  set-up  assumptions  (e.g.,  [?,  ?,  ?,  ?,  ?,  ?]),  or  in  alternative  models 
(e.g.,  super-polynomial-time  simulation  [?,  ?]). 

In  the  standard  model,  without  set-up  assumptions  (the  focus  of  our  work,)  Canetti,  Kilian, 
Petrank  and  Rosen  [?]  (building  on  earlier  works  by  [?,  ?])  show  that  concurrent  ZfC  proofs  for  non¬ 
trivial  languages,  with  “black-box”  simulators,  require  at  least  D(logn)  number  of  communication 
rounds.  Richardson  and  Kilian  [?]  constructed  the  first  concurrent  ZfC  argument  in  the  standard 
model  without  any  extra  set-up  assumptions.  Their  protocol,  which  uses  a  black-box  simulator, 
requires  0(ne )  number  of  rounds.  The  round-complexity  was  later  improved  in  the  work  of  Kilian 
and  Petrank  (KP)  [?]  to  0(log2  n)  round.  More  recent  work  by  Prabhakaran,  Rosen  and  Sahai 
[?]  improves  the  analysis  of  the  KP  simulator,  achieving  an  essentially  optimal,  w.r.t.  black-box 
simulation,  round-complexity  of  O(logn);  see  also  [?]  for  an  (arguably)  simplified  and  generalized 
analysis. 

The  central  open  problem  in  the  area  is  whether  a  constant-round  concurrent  ZfC  protocol  (for 
a  non-trivial  language)  can  be  obtained.  Note  that  it  could  very  well  be  the  case  that  all  “clas¬ 
sic”  zero-knowledge  protocols  already  are  concurrent  zero-knowledge;  thus,  simply  assuming  that 
those  protocols  are  concurrent  zero-knowledge  yields  an  assumption  under  which  constant-round 
concurrent  zero-knowledge  (trivially)  exists — in  essence,  we  are  assuming  that  for  every  attacker 
a  simulator  exists.  Furthermore,  as  shown  in  [?]  (and  informally  discussed  in  [?])  under  various 
“extractability”  assumptions  of  the  knowledge-of-exponent  type  [?,  ?,  ?],  constant-round  concur¬ 
rent  zero-knowledge  is  easy  to  construct.  But  such  extractability  assumptions  also  simply  assume 
that  for  every  attacker,  a  simulator  (in  essence,  “the  extractor”  guaranteed  by  the  extractability 
assumption)  exists.  In  particular,  an  explicit  construction  of  the  concurrent  zero-knowledge  simula¬ 
tor  is  not  provided — it  is  simply  assumed  that  one  exists.  For  some  applications  of  zero-knowledge 
such  as  deniability  (see  e.g.,  [?,  ?]),  having  an  explicit  simulator  is  crucial.  Rather,  we  are  here 
concerned  with  the  question  of  whether  constant-round  concurrent  zero-knowledge,  with  an  explicit 
simulator  exits. 

1.1  Towards  Constant-round  Concurrent  Zero-Knowledge 

Recently,  the  authors  [?]  provided  a  first  construction  a  constant-round  concurrent  zero- knowledge 
protocol  with  an  explicit  simulator,  based  on  a  new  cryptographic  hardness  assumption — the  exis¬ 
tence  of  so-called  P -certificates,  roughly  speaking,  succint  non-interactive  arguments  for  languages 
in  P.  An  issue  with  their  protocol,  however,  is  that  soundness  only  holds  for  uniform  polynomial- 
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time  attackers  (as  opposed  to  non-uniform  ones).1  Additionally,  whereas  the  existence  P-certihcates 
is  a  falsifiable  assumption  [?,  ?]  it  is  unclear  whether  the  existence  of  P-certihcates  itself  can  be 
based  on  some  more  natural  hardness  assumption. 

A  very  recent  elegant  work  by  Pandey,  Prabhakaran  and  Sahai  [?]  takes  a  different  approach  and 
instead  demonstrates  the  existence  of  constant-round  concurrent  zero-knowledge  protocol  with  an 
explicit  simulator  based  on  the  existence  of  differing-input  obfuscation  (diO)  for  (restricted  classes 
of)  P /poly  [?,  ?,  ?].  Whereas  the  assumption  that  a  particular  scheme  is  a  diO  is  an  “extractability” 
assumption  (similar  in  flavor  to  knowledge-of-exponent,  type  [?,  ?,  ?]  assumptions),  the  intruiging 
part  of  the  scheme  of  Pandey  et  al  [?]  is  that  the  extractability  assumption  is  only  used  to  prove 
soundness  of  the  protocol;  concurrent  zero-knowledgde  is  proved  in  the  “standard”  model,  through 
providing  an  explicit  simulator.  Nevertheless,  diO  is  a  strong  and  subtle  assumption — indeed,  as 
shown  by  recent  work,  unless  we  restricting  the  class  of  programs  for  which  diO  should  hold,  we 
may  end  up  with  a  notion  that  is  unsatishable  [?,  ?,  ?]).  Furthermore,  there  are  currently  no 
known  approaches  for  basing  diO  on  more  “natural”  (or  in  fact  any )  hardness  (as  opposed  to 
extractability)  assumption. 

1.2  Our  Results 

In  this  paper,  we  combine  the  above-mentioned  two  approaches.  Very  roughly  speaking,  we  will  use 
obfuscation  to  obtain  a  a  variant  of  the  notion  of  a  P-certificate,  and  we  next  show  that  this  variant 
still  suffices  to  obtain  constant-round  concurrent  zero-knowledge  (where  the  soundness  conditions 
holds  also  against  non-uniform  PPT  attackers).  More  importantly,  rather  than  using  diO,  we 
are  able  to  use  indistinguishability  obfuscation  (iO)  [?,  ?].  Following  the  groundbreaking  work  of 
Garg  et  al  [?],  there  are  now  several  candidate  constructions  of  iO  that  can  be  based  on  hardness 
assumptions  on  (approximate)  multilinear  maps  [?,  ?]. 

Theorem.  Assume  the  existence  of  indistinguishability  obfuscation  for  P / poly  (with  slightly  super¬ 
polynomial  security),  one-way  permutations  and  collision-resistant  hashfunction.  Then  there  exists 
a  constant-round  concurrent  zero -knowledge  argument  for  NP. 

In  more  details,  our  approach  proceeds  in  the  following  steps: 

•  We  first  observe  that  a  warm-up  case  considered  in  [?] — which  shows  the  existence  of  constant- 
round  concurrent  zero- knowledge  based  on,  so-called,  unique  I* -certificates  (that  is,  P-certificates 
for  which  there  exists  at  most  one  accepting  certificate  for  each  statement)  directly  generalizes 
also  to  unique  P-certificates  in  the  Common  Random  String  model  (a.k.a.  the  Uniform  Ran¬ 
dom  String  model  (URS))  satisfying  an  adaptive  soundness  property  (where  the  statement 
to  be  proved  can  be  selected  after  the  URS). 

•  We  next  show  that  by  appropriately  modifying  the  protocol,  we  can  handle  also  unique  P- 
certificates  in  the  URS  model  satisfying  even  just  a  “static”  soundness  condition  (where  the 
statement  needs  to  be  selected  before  the  URS  is  picked),  and  additionally  also  unique  P- 
certificates  (with  static  soundness)  in  the  Common  Reference  String  (CRS)  model,  where 
the  reference  string  no  longer  is  required  to  be  uniform.  Unique  P-certificates  in  the  CRS 
model  can  be  constructed  based  on  the  existence  of  diO  for  P /poly  [?],  and  as  such  this 
preliminary  step  already  implies  the  result  of  [?]  in  a  modular  way  (but  with  worse  concrete 
round  complexity). 

1  Or  holds  against  non-uniform  attackers  under  significantly  stronger,  and  no  longer  falsifiable,  assumptions. 
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•  We  next  consider  a  more  relaxed  variant  of  unique  P-certificates  in  the  CRS  model  -which 
we  refer  to  as  delegetable  unique  P-certificates — where  the  CRS  is  allowed  to  be  statement 
dependent  but  only  a  “small”  (in  particular,  independent  of  the  statement  length)  part  of  the 
CRS  generation  requires  using  secret  coins.  By  relying  on  iO  for  P /poly,  we  next  show  that 
the  protocol  can  be  generalized  to  work  also  with  such  delegetable  unique  P-certificates. 

•  We  finally  leverage  recent  results  on  delegation  of  computation  based  on  iO  from  [?,  ?,  ?] 
and  show  that  the  beautiful  protocol  of  Koppula,  Lewko  and  Waters  [?]  can  be  modified  into 
a  delegetable  uniqe  P-certificate. 

1.3  Outline  of  Our  Techniques 

We  here  provide  a  detailed  outline  of  our  techniques.  As  mentioned,  our  construction  heavily  relies 
on  a  “warm-up”  case  of  the  construction  of  [?],  which  we  start  by  recalling  (closely  following  the 
description  in  [?]).  The  starting  point  of  the  construction  of  [?]  is  the  construction  is  Barak’s  [?] 
non-black-box  zero- knowledge  argument  for  NP.  We  start  by  very  briefly  recalling  the  ideas  behind 
his  protocol  (following  a  slight  variant  of  this  protocol  due  to  [?]). 

Barak’s  protocol  Roughly  speaking,  on  common  input  ln  and  x  £  {0,  l}poly(n),  the  Prover  P 
and  Verifier  V,  proceed  in  two  stages.  In  Stage  1,  P  starts  by  sending  a  computationally-binding 
commitment  c  £  {0,  l}n  to  0n;  V  next  sends  a  “challenge”  r  £  {0,  l}2n.  In  Stage  2,  P  shows  (using 
a  witness  indistinguishable  argument  of  knowledge)  that  either  x  is  true,  or  there  exists  a  “short” 
string  a  £  {0,  l}n  such  that  c  is  a  commitment  to  a  program  M  such  that  M(a)  =  r.2 

Soundness  follows  from  the  fact  that  even  if  a  malicious  prover  P*  tries  to  commit  to  some 
program  M  (instead  of  committing  to  CP),  with  high  probability,  the  string  r  sent  by  V  will 
be  different  from  M(a)  for  every  string  a  £  {0,  l}n.  To  prove  ZK,  consider  the  non-black-box 
simulator  S  that  commits  to  the  code  of  the  malicious  verifier  V*;  note  that  by  definition  it 
thus  holds  that  Af(c)  =  r,  and  the  simulator  can  use  a  =  c  as  a  “fake”  witness  in  the  final 
proof.  To  formalize  this  approach,  the  witness  indistinguishable  argument  in  Stage  2  must  actually 
be  a  witness  indistinguishable  universal  argument  (WIUA)  [?,  ?]  since  the  statement  that  c  is  a 
commitment  to  a  program  M  of  arbitrary  polynomial-size,  and  that  M(c)  =  r  within  some  arbitrary 
polynomial  time,  is  not  in  NP. 

Now,  let  us  consider  concurrent  composition.  That  is,  we  need  to  simulate  the  view  of  a  verifier 
that  starts  m  =  poly{n )  concurrent  executions  of  the  protocol.  The  above  simulator  no  longer 
works  in  this  setting:  the  problem  is  that  the  verifier’s  code  is  now  a  function  of  all  the  prover 
messages  sent  in  different  executions.  (Note  that  if  we  increase  the  length  of  r  we  can  handle  a 
bounded  number  of  concurrent  executions,  by  simply  letting  a  include  all  these  messages). 

So,  if  the  simulator  could  commit  not  only  to  the  code  of  V*,  but  also  to  a  program  M  that 
generates  all  other  prover  messages,  then  we  would  seemingly  be  done.  And  at  first  sight,  this 
doesn’t  seem  impossible:  since  the  simulator  S  is  actually  the  one  generating  all  the  prover  messages, 
why  don’t  we  just  let  M  be  an  appropriate  combination  of  S  and  V*1  This  idea  can  indeed  be 
implemented  [?,  ?],  but  there  is  a  serious  issue:  if  the  verifier  “nests”  its  concurrent  executions,  the 
running-time  of  the  simulation  quickly  blows  up  exponentially — for  instance,  if  we  have  three  nested 
sessions,  to  simulate  session  3  the  simulator  needs  to  generate  a  WIUA  regarding  the  computation 
needed  to  generate  a  WIUA  for  session  2  which  in  turn  is  regarding  the  generation  of  the  WIUA  of 

2We  require  that  C  is  a  commitment  scheme  allowing  the  committer  to  commit  to  an  arbitrarily  long  string 
m  £  {0, 1}*.  Any  commitment  scheme  for  fixed-length  messages  can  easily  be  modified  to  handle  arbitrarily  long 
messages  by  asking  the  committer  to  first  hash  down  m  using  a  collision-resistant  hash  function  h  chosen  by  the 
receiver,  and  next  commit  to  h(m). 
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session  1  (so  even  if  there  is  just  a  constant  overhead  in  generating  a  WIU  A,  we  can  handle  at  most 
logn  nested  sessions). 

Unique  P-certificates  to  The  Rescue:  The  “Warm-Up”  Case  from  [?]  As  shown  in  [?],  the 
blow-up  in  the  running-time  can  be  prevented  using  Unique  P-certificates.  Roughly  speaking,  we 
say  that  ( P ,  V )  is  a  P -certificate  system  if  ( P ,  V)  is  a  non-interactive  proof  system  (i.e.,  the  prover 
send  a  single  message  to  the  verifier,  who  either  accepts  or  rejects)  allowing  an  efficient  prover  to 
convince  the  verifier  of  the  validity  of  any  deterministic  polynomial-time  computation  M( x)  =  y 
using  a  “certificate”  of  some  fixed  polynomial  length  (independent  of  the  size  and  the  running-time 
of  M )  whose  validity  the  verifier  can  check  in  some  fixed  polynomial  time  (independent  of  the 
running-time  of  M).  The  P-certificate  system  is  unique  if  there  exists  at  most  one  accepted  proof 
for  any  statement. 

The  protocol  proceeds  just  as  Barak’s  protocol  except  that  Stage  2  is  modified  as  follows:  instead 
of  having  P  prove  (using  a  WIU  A)  that  either  x  is  true,  or  there  exists  a  “short”  string  a  G  {0,  l}2n 
such  that  c  is  a  commitment  to  a  program  M  such  that  M(a)  =  r,  we  now  ask  P  to  use  a  WIU  A 
to  prove  that  either  x  is  true,  or 

•  commitment  consistency:  c  is  a  commitment  to  a  program  Mi,  and 

—  input  certification:  there  exists  a  vector  A  =  ((1, 7Ti),  (2, 7^), . . .)  and  a  vector  of 
messages  rh  such  that  7 q  certifies  that  M\  (A<y)  outputs  rrij  in  its  j’th  communication 
round,  where  A<j  =  ((1, 7Ti), . . . ,  (j  —  1, 7Tj_i)),  and 

—  prediction  correctness:  there  exists  a  P-certificate  it  of  length  n  demonstrating  that 
Mi  (A)  =  r. 

Soundness  of  the  modified  protocol,  roughly  speaking,  follows  since  by  the  unique  certificate  prop¬ 
erty,  for  every  program  M\  it  inductively  follows  that  for  every  j,  mj  is  uniquely  defined,  and  thus 
also  the  unique  (accepting)  certificate  ttj  certifying  Mi(A<j)  =  rrij ;  it  follows  that  M\  determines  a 
unique  vector  A  that  passes  the  input  certification  conditions,  and  thus  there  exists  a  single  r  that 
make  M\  also  pass  the  prediction  correctness  conditions.  Note  that  we  here  inherently  rely  on  the 
fact  that  the  P-certificate  is  unique  to  argue  that  the  sequence  A  is  uniquely  defined.  (Technically, 
we  here  need  to  rely  on  a  P-certificate  that  is  sound  for  slightly  super-polynomial-time  as  there  is 
no  a-priori  polynomial  bound  on  the  running-time  of  Mi,  nor  the  length  of  A.) 

To  prove  zero-knowledge,  roughly  speaking,  our  simulator  will  attempt  to  commit  to  its  own 
code  in  a  way  that  prevents  a  blow-up  in  the  running-time.  Recall  that  the  main  reason  that  we  had 
a  blow-up  in  the  running-time  of  the  simulator  was  that  the  generation  of  the  WIU  A  is  expensive. 
Observe  that  in  the  new  protocol,  the  only  expensive  part  of  the  generation  of  the  WIU  A  is  the 
generation  of  the  P-certificates  7r;  the  rest  of  the  computation  has  a-priori  bounded  complexity 
(depending  only  on  the  size  and  running-time  of  V*).  To  take  advantage  of  this  observation,  we 
thus  have  the  simulator  only  commit  to  a  program  that  generates  prover  messages  (in  identically 
the  same  way  as  the  actual  simulator),  but  getting  certificates  7 f  as  input. 

In  more  detail,  to  describe  the  actual  simulator  S,  let  us  first  describe  two  “helper”  simulators 
S\ ,  S2  ■  Si  is  an  interactive  machine  that  simulates  prover  messages  in  a  “right”  interaction  with 
V*.  Additionally,  5)  is  expecting  some  “external”  messages  on  the  “left” — looking  forward,  these 
“left”  messages  will  later  be  certificates  provided  by  S'2.  See  Figure  1  for  an  illustration  of  the 
communication  patterns  between  5j ,  S2  and  V* . 

S 1  proceeds  as  follows  in  the  right  interaction.  In  Stage  1  of  every  session  i,  Si  first  commits  to 
a  machine  Si(j',  r)  that  emulates  an  interaction  between  Si  and  V*,  feeding  Si  input  r  as  messages 
on  the  left,  and  finally  S)  outputs  the  verifier  message  in  the  jn th  communication  round  in  the 
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Figure  1:  Simulation  using  P-certificates. 


right  interaction  with  V* .  (Formalizing  what  it  means  for  S'!  to  commit  to  S 1  is  not  entirely  trivial 
since  the  definition  of  Si  depends  on  S\ ;  we  refer  the  reader  to  the  formal  proof  for  a  description  of 
how  this  circularity  is  broken.3 4 5  Si  next  simulates  Stage  2  by  checking  if  it  has  received  a  message 
(j,  71  j )  in  the  left  interaction,  where  j  is  the  communication  round  (in  the  right  interaction  with 
V*)  where  the  verifier  sends  its  random  challenge  and  expects  to  receive  the  first  message  of  Stage 
2;  if  so,  it  uses  Mi  =  S 1  (and  the  randomness  it  used  to  commit  to  it),  j  and  a  being  the  list  of 
messages  received  by  Si  in  the  left  interaction,  as  a  ’’fake”  witness  to  complete  Stage  2. 

The  job  of  S2  is  to  provide  P-certificates  ttj  for  Si  allowing  Si  to  complete  its  simulation.  S2 
emulates  the  interaction  between  Si  and  V*,  and  additionally,  at  each  communication  round  j,  S2 
feeds  Si  a  message  (j,  ttj)  where  ttj  is  a  P-certificate  showing  that  Si  (j,  o~<J)  =  rj,  where  a is  the 
list  of  messages  already  generated  by  S2,  and  rj  is  the  verifier  message  in  the  j’th  communication 
round.  Finally,  S2  outputs  its  view  of  the  full  interaction. 

The  actual  simulator  S  just  runs  S2  and  recovers  from  the  view  of  S2  the  view  of  V*  and  outputs 
it.  Note  that  since  Si  has  polynomial  running-time,  generating  each  certificate  about  Si  (which  is 
just  about  an  interaction  between  Si  and  V*)  also  takes  polynomial  time.  As  such  S2  can  also  be 
implemented  in  polynomial  time  and  thus  also  S. 

Finally,  indistinguishability  of  this  simulation,  roughly  speaking,  follow  from  the  hiding  prop¬ 
erty  of  the  commitment  in  Stage  1,  and  the  WI  property  of  the  WIUA  in  Stage  2.  (There  is 
another  circularity  issue  that  arises  in  formalizing  this — as  Si  in  essence  needs  to  commit  to  its 
own  randomness — but  it  can  be  dealt  with  as  shown  in  [?];  we  here  omit  the  details  as  they  are  not 
important  for  our  modifications  to  the  protocol.) 

Generalizing  to  Unique  P-certificates  in  CRS  model  The  key  technical  contribution  in  [?] 
was  to  generalize  the  above  approach  to  deal  also  with  “non-unique”  P-certificates.  Here  we  instead 
aim  to  generalize  the  above  approach  to  work  with  P-certificates  in  the  CRS  model,  but  still  relying 
on  the  uniqueness  property. 

Let  us  first  note  that  if  we  had  access  to  unique  P-certificate  in  the  URS  (i.e. ,  the  uniform 
reference  string)  model  satisfying  an  adaptive  soundness  property  (where  the  statement  to  be 
proved  can  be  selected  after  the  URS,  then  above-mentioned  protocol  directly  generelized  to  work 
with  them  (as  opposed  to  using  unique  P-certificates  in  the  “plain”  model)  by  simply  having  the 
Verifier  send  the  URS  along  with  its  first  message  of  the  protocol.1 

We  next  note  that  the  protocol  can  be  further  generalized  to  handle  also  unique  P-certificates 
in  the  URS  model  satisfying  even  just  a  static  soundness  condition  (where  the  statement  needs  to 

3Roughly  speaking,  we  let  Si  take  the  description  of  a  machine  M  as  input,  and  we  then  run  Si  on  input  M  =  Si. 

4To  make  this  work,  we  need  to  rely  on  P-certificates  in  the  URS  model  with  perfect  completeness. 
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be  selected  before  the  URS  is  picked)  by  proceeding  as  follows: 


•  We  add  a  Stage  1.5  to  the  protocol  where  the  Prover  is  asked  to  provide  a  commitment  C2 
to  0"  and  then  asked  to  provide  a  WIUARG  that  either  x  G  L  or  C2  is  a  commitment  to  a 
“well-formed”  statement  (but  not  that  the  statement  is  true)  for  the  P-certificate  in  use  in 
Stage  2. 

•  Stage  2  of  the  protocol  is  then  modified  to  first  have  the  Verifier  send  the  URS  for  the  P- 
certificate,  and  then  requiring  that  the  prover  uses  a  P-certificate  for  the  statement  committed 
to  in  C2  •  In  other  words,  we  require  the  Prover  to  commit  in  advance,  and  prove  knowledge 
of,  the  statement  to  be  used  in  the  P-certificate  and  thus  static  soundness  suffices. 

Additionally,  this  approach  generalizes  also  to  deal  with  unique  P-certificates  in  the  Common 
Reference  String  (CRS)  model  (where  the  reference  string  no  longer  needs  to  be  uniform),  by 
having  the  Verifier  provide  a  zero-knowledge  proof  that  the  CRS  was  well-formed.5 

Generalizing  to  Delegetable  P-certificates  The  notion  of  a  P-certificate  in  the  CRS  model 
requires  that  the  same  CRS  can  be  used  to  prove  any  statement  q  of  any  (polynomially-related) 
length.  We  will  now  consider  a  weaker  notion  of  a  P-certificate  in  the  CRS  model,  where  the 
CRS  is  “statement-dependent” — that  is,  the  CRS  is  generated  as  a  function  of  the  statement  q 
to  be  proved — in  essence,  such  P-certificates  can  be  viewed  as  specific  instances  of  a  two-round, 
delegation  protocol.  But  whereas  the  CRS  may  depend  on  the  statement,  we  still  restrict  it  in 
several  important  ways: 

•  As  before,  the  length  of  the  CRS  is  “short”  (independent  of  the  length  of  the  statement  q). 

•  Additionally,  only  a  “small”  part  of  the  generation  procedure  relies  on  secret  coins.  More 
precisely,  the  CRS  generation  procedure  proceeds  in  three  steps:  1)  first,  secret  coins  are  used 
to  generate  a  public  parameter  PP  and  a  secret  parameter  K  (this  is  done  independently 
of  the  statement  g),  2)  next,  only  PP  is  used  to  deterministically  process  the  statement  q 
into  a  “short”  digest  d  (independent  of  the  length  of  q),  and  3)  the  digest  d  and  the  secret 
parameter  K  is  efficiently  processed  to  finally  generate  the  CRS  (independent  of  the  length 
of  q).  To  emphasize,  only  step  2  requires  work  that  is  proportional  to  the  length  of  q,  but 
this  work  only  requires  public  information. 

We  now  generalize  the  above  approach  to  also  work  with  delegetable  unique  P-certificates. 

•  Instead  of  having  the  Verifier  send  the  CRS  in  the  clear  (which  it  cannot  compute  as  it  does 
not  know  the  statement  q  on  which  it  will  be  run),  it  simply  runs  part  1  of  the  CRS  generation 
procedure  to  generate  PP  and  K  and  sends  just  the  public-parameter  PP  to  the  Prover. 

•  The  Prover  is  then  asked  to  provide  a  third  commitment  C3  to  0n  and  provide  a  WIUARG  that 
either  x  G  L  or  C3  is  a  correctly  computed  digest  d  (w.r.t.,  PP)  to  the  statement  q  committed 
to  in  C2 •  (In  essence,  the  Verifier  is  delegating  the  computation  of  d  to  the  Prover.) 

•  Next,  the  Verifier  sends  an  indistinguishability  obfuscation  II  =  iO(II)  of  a  program  II  that 
on  input  a  decommitment  ( d',r ')  to  C3  processes  d'  and  K  into  a  CRS  p  and  outputs  it. 
(The  reason  that  the  Verifier  cannot  generate  p  in  the  clear  is  that  digest  d  cannot  be  sent 
to  the  Verifier  in  the  clear;  recall  that  the  honest  prover  will  never  compute  any  such  digest, 

5Again,  we  here  rely  on  P-certificates  in  the  CRS  model  with  perfect  completeness. 
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it  is  meant  to  commit  to  0n  and  prove  that  x  £  L.)  Additionally,  the  verifier  gives  a  zero- 
knowledge  proof  that  the  obfuscation  is  correctly  computed  (and  using  the  same  random  coins 
that  were  used  to  generate  PP). 

•  Then,  the  Prover  provides  a  commitment  C4  to  0”  and  provides  a  WI  proof  of  knowledge  that 
x  £  L  or  C4  is  a  commitment  to  a  CRS  p  computed  by  applying  the  obfuscated  code  II  to  a 
proper  decommitment  of  C3. 

•  Finally,  in  Stage  2  of  the  protocol,  we  require  the  Prover  to  provide  P-certificates  w.r.t  to  the 
CRS  p  commited  to  in  C4. 

Note  that  if  C3  is  perfectly  binding,  then  by  iO  security  of  the  obfuscation,  we  can  replace  II  with 
a  program  that  has  the  CRS  p  hardcoded  and  does  not  depend  on  K,  and  this  suffices  for  arguing 
that  soundness  of  the  protocol  still  holds.  On  the  other  hand,  the  simulation  can  proceed  just  as 
before  except  that  now  it  uses  the  obfuscated  code  II  to  generate  the  CRS  p  and  commit  to  it  in 
c4. 

Realizing  Delegetable  Unique  P-Certificates  We  finally  leverage  recent  results  on  delegation 
of  computation  based  on  iO  for  circuits  from  [?,  ?,  ?]  and  show  that  the  beautiful  protocol  of 
Koppula,  Lewko  and  Waters  [?]  can  be  massaged  (and  slightly  modified)  into  a  delegetable  uniqe 
P-certificate. 

Let  is  point  out  that,  just  as  [?],  our  protocol  requires  the  use  of  P-certificates  that  satisfy  a 
slightly  strong  soundness  condition — namely,  we  require  soundness  to  hold  against  circuits  of  size 
T(-)  where  T(-)  is  some  “nice”  (slightly)  super-polynomial  function  (e.g.,  T(n)  =  nlogloglogn).  To 
acheive  such  (delegetable)  P-certificates,  we  thus  need  to  rely  on  iO  for  P /poly  secure  against 
T(-)-size  circuits. 

2  Introduction 

3  Preliminaries 

4  P-certificates 

We  consider  the  following  canonical  languages  for  P:  for  every  constant  c  £  N,  let  Lc  =  {(M,  x ,  y)  : 

M{x)  =  y  within  \x\c  steps}.  Let  Tm(x)  denotes  the  running  time  of  M  on  input  x. 

Definition  1  (Two-Message  P-certificate).  A  tuple  of  probabilistic  interactive  Turing  machines, 

(Gen,  Pcerti  Vcert),  is  a  (Two-Message)  P-certificate  system  if  there  exist  polynomials  Iqrs>  In,  and 
the  following  holds: 

Syntax  and  Efficiency:  For  every  c  6  N,  every  q  =  (M,  x,  y )  £  Lc,  and  every  k  £  N,  the 
verification  of  the  statement  proceed  as  follows: 

CRS  Generation:  CRS  e-  Gen(lfc,  c,  q),  where  Gen  runs  in  time  poly(/r,  \q\). 

PROOF  Generation:  7 r  <—  Pcert(lfc,c,  g,  CRS),  where  Pcert  runs  in  timepoly(k,  |x|,min(TA/(x),  |x|c)) 
with  Tm{x)  <  |x|c  the  running  time  of  M  on  input  x.  The  length  of  the  proof  7r  is 
bounded  by  ln(k). 

Proof  Verification:  b  =  Vcert(lfc,  CRS,  n),  where  Vcert  runs  in  time  poly(fc,  | CRS | ) . 
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(Perfect)  Completeness:  For  every  c,d  E  N,  there  exists  a  negligible  function  p,  such  that  for 
every  k  E  N  and  every  q  =  (M,x,y)  E  Lc  such  that  |g|  <  kd,  the  probability  that  in  the  above 
execution  Vcert  outputs  1  is  1. 


Definition  2  (Selective  Strong  Soundness  of  P-certificate).  We  say  that  a  P -certificate  system 
(Gen,  Pcert^Vcert)  is  ( selectively )  strong  sound  if  the  following  holds: 


•  Strong  Soundness:  There  exists  some  “nice”  super-polynomial  function 6  T{k)  E  kP^  and 
some  “nice”  super- constant  function7 8  C(-)  E  w(l)  such  that  for  every  probabilistic  algorithm 
P*  with  running-time  bounded  by  T(-),  there  exists  a  negligible  function  p,  such  that,  for 
every  k  E  N,  c  <  C(k), 


Pr 


(9. st) 

CRS 


7T 


P*{lk,c) 
Gen(lfc,  c,  q) 
P*( st,  CRS) 


Vcert(lfc,CRS,7 r) 


1  A  q  fL  Lc 


<  p(k) 


Definition  3  (Uniqueness  of  P-certificate).  We  say  that  a  P-certificate  system  (Gen,  Pcert)  Vcert)  is 
unique  if  for  every  k  E  N,  every  string  CRS  E  {0, 1}*,  there  exists  at  most  one  string  ir  E  {0, 1}*, 
such  that  Vcert(lfc,  CRS,  7r)  =  1. 

Rachel: 

[This  is  a  very  strong  uniqueness  requirement,  in  particular,  any  CRS  string  (even  ones  that  are  not  in 
the  support  of  Gen)  has  at  most  one  matching  proof.] 

Delegatable  CRS  Generation 


Definition  4  (Delegatable  CRS  Generation).  We  say  that  a  (two-message)  P-certificate  (Gen,  Pcert5  Vcert) 
has  delegatable  CRS  generation  if  the  CRS  generation  algorithm  Gen  consists  of  three  subroutines 
(Setup,  PreGen,  CRSGen),  and  there  are  polynomials  Id  and  lK,  such  that,  the  following  holds: 

Delegatable  CRS  Generation:  Gen(lfc,c,  q)  proceeds  in  the  following  three  steps: 


1.  Generate  parameters:  ( PP,K )  t—  Setup(l  ,c),  where  Setup  runs  in  time  poly (k).  We 
call  PP  the  public  parameter  and  K  the  key. 

2.  (Public)  statement  processing:  d  E-  PreGen  (PP,  q),  where  PreGen  runs  in  time  poly  (A;,  \q\), 
and  the  length  of  d  is  bounded  by  ld{k).  We  call  d  the  digest  of  the  statemenet. 

3.  (Private)  CRS  generation:  k  <—  CRSGen (PP,  K,  d),  where  CRSGen  runs  in  time  poly(fc), 
and  the  length  of  n  is  bounded  by  lK(k). 


Finally,  Gen  outputs  CRS  =  (PP,k). 


The  reason  that  we  say  such  a  CRS  generation  procedure  is  delegatable  is  because  the  only  part 
of  computation  that  depends  on  the  statemenet  is  the  statemenet  processing  step;  all  other  steps 
runs  in  time  a  fixed  polynomial  in  the  security  parameter.  However,  the  statemenet  processing 
step  depends  only  on  the  public  parameter  and  the  statemenet;  hence  to  ensure  soundness,  one 
only  needs  to  ensure  the  correctness  of  this  computation,  without  ensuring  the  “secrecy”  of  the 
computation.  Therefore,  we  also  call  this  step  “public”  statement  processing. 

6 For  instance,  T{n)  =  nlos 108  ^ ‘og  n . 

7For  instance,  C(k)  =  log  log  log  n. 
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4.1  Instantation  of  P-certificates  with  Delegatable  CRS  Generation 

Our  instantiation  relies  on  the  “message  hiding  encoding”  introduced  in  the  recent  work  by  Koppula, 
Lewko  and  Waters  [?],  as  a  step  towards  constructing  (succint)  indistinguishability  obfuscation  for 
Turing  machines.  Roughly  speaking,  a  message  hiding  encoding  scheme  proceeds  as  follows:  Given 
any  message  msg  (usually  generated  at  random  in  applications),  it  transforms  a  Turing  machine 
computation,  M  on  input  x  (with  time  bound  T),  into  an  encoding  enc,  which  when  decoded  yields 
msg  if  M(x )  =  1  (in  T  steps)  and  T  otherwise;  on  the  other  hand,  the  security  of  the  message 
hiding  encoding  guarantees  that  the  encoding  enc  for  a  non-accepting  computation  (M,  x)  hides 
the  message  msg.  Below,  we  recall  their  definition:  Let  denote  the  Turing  machine  that 

runs  M ( x )  for  T  steps  and  outputs  1  if  the  computation  accepts  and  T  otherwise. 

Definition  1  (Message  Hiding  Encoding  [?]).  A  message  hiding  encoding  scheme  MHE  consists  of 
two  PPT  algorithms  (MHE. enc,  MHE. dec)  satisfying  the  following  properties 

Syntax  and  Efficiency:  For  any  Turing  machine  M ,  input  inp  €  {0, 1}*,  message  msg  G  {0, 1}*, 
time  bound  TgFf,  and  security  parameter  fceN, 

1.  Encoding:  The  encoding  algorithm  MHE.enc(lfc,  M,  T,  inp,  msg)  outputs  an  encoding  enc, 
in  time  poly(fc,  \M\,  |inp|,  |msg|,  logT)  (independent  of  the  running  time  of  the  comptua- 
tion.) 

2.  Decoding:  The  decoding  algorithm  MHE.dec(lfc,  M,  inp,  T,  enc)  outputs  a  message  msg  or 
_L,  in  time  poly(fe,  \M\,  |inp|,logT, mm(TM(x),T)),  where  Tm{x)  is  the  running  time  of 
M  on  input  x. 

Correctness:  For  any  Turing  machine  M ,  input  inp  G  {0, 1}*,  message  msg  G  {0, 1}*,  time  bound 
T  G  N,  and  security  parameter  k  G  N,  */n  I,  (; x )  =  1,  then 

MHE.dec(lfc,  M,  inp,  T,  MHE.enc(l^:,  M,  T,  inp,  msg))  =  msg 

Definition  2  (Message  Hiding  Property).  A  message  hiding  encoding  scheme  MHE  is  secure  if  for 
every  PPT  adversary  A*,  and  polynomial  T,  there  is  a  neligible  function  e,  such  that,  for  every 

security  parameter  k  G  N,  every  messages  msg0,  msg1  G  {0,  \}k ,  M  of  description  size  at  most  k, 

time  bound  T  <  p{k),  and  input  inp  G  {0,  \\P^k\  such  that,  n^(inp)  =  0,  it  holds  that, 

^  ^ —  {0, 1}  |msg0|  =  | msg!  |  =  k 

Pr  (st,  msg0,  msgl,  M,T,  inp)  -G-  A*(\k)  :  A  T  <  T(k)  <1/2  +  e(k) 

enc  f-  MHE.enc(lfe,  M,  T,  inp,  msgfe)  ^  ^  (st,enc)  =  b 

Furthermore,  MHE  is  super-polynomially  secure  if  there  exists  a  super-polynomial  functions  H, 
such  that  the  above  condition  holds  for  every  T' -time  adversary  and  function  T'. 

The  message  hiding  encoding  is  similar  to  and  can  be  viewed  as  a  weakening  of  randomized 
encoding  [?]  in  the  following  sense:  The  encoding  enc  for  M,  x  with  message  msg,  can  also  be  viewed 
as  an  encoding  for  the  augmented  Turing  machine  M(x,  msg)  that  outputs  msg  if  M (x)  =  1  and 
T  otherwise;  while  randomized  encoding  guarantees  the  privacy  of  the  whole  input  (x,  msg),  the 
message  hiding  encoding  only  guarantees  privacy  of  a  part  of  the  input  msg. 

In  [?],  a  construction  of  a  message  hiding  encoding  is  provied  assuming  the  existence  of  indis- 
tinguishability  obfuscation  for  circuits  and  one-way  function. 

Approved  for  Public  Release;  Distribution  Unlimited. 

9 

47 


Theorem  1.  Assume  the  existence  of  an  indistinguishability  obfusction  for  circuits,  an  injective 
PRG  and  an  IND-CPA  secure  public-key  encryption  scheme  (that  are  super-polynomially  secure), 
there  is  a  message  hiding  encoding  scheme  (that  is  super-polynomially  secure). 

P-certificates  from  Message  Hiding  Encoding:  In  is  known  that  randomized  encoding  (and 
its  slightly  enhanced  variant  of  garbling  schemes)  can  be  used  to  ensure  the  correctness  of  a  com¬ 
putation,  as  explored  in  many  previous  works,  for  example  in  [?,  ?]  and  formalized  in  [?].  In  fact, 
for  ensuring  correctness,  it  suffices  to  use  a  “message  hiding  encoding”  as  observed  in  [?].  Here, 
the  message  msg  can  be  viewed  as  the  correctness  proof,  and  the  message  hiding  property  ensures 
that  a  prover  can  only  obtain  msg  if  the  underlying  computation  is  accepting,  which  implies  cornp- 
tuational  soundness.  This  natually  suggests  a  two  message  proof  system  for  P :  Let  Ver(c,  q)  for 
q  =  ( M,x,y )  be  the  universal  verification  algorithm  that  verifies  if  M(x)  =  y  in  \x\c  steps;  it 
outputs  1  if  so  and  0  otherwise;  it  is  easy  to  see  that  the  run  time  of  Ver  is  bounded  by  a\x\c  with 
a  universal  constant  a. 

CRS  Generation  Gen(lfc,c,  q):  Sample  n  A  {0,  l}fc  at  random.  Compute  the  message  hiding 
encoding  enc  -o-  MHE.enc(lfc,M  =  Ver,  T  =  a|x|c,  inp  =  q,  msg  =  7 r),  with  7r  as  the  message. 
Additionally  compute  y  =  /( 7r)  using  a  injective  one-way  function  /.  Outputs  CRS  string 
CRS  =  (enc,  y ). 

Proof  Generation  Pcert(lfc,  c,  q,  CRS):  Parse  CRS  =  (enc,y).  Decode  z  =  MHE.dec(lfc,  Ver,  \q\c,  q,  enc). 
If  f(z)  =  y ,  output  proof  7 r  =  z;  otherwise,  output  _L. 

Proof  Verification  Vcert(lfc,  CRS,  7t):  Parse  CRS  =  (enc,  y).  Accept  if  /( 7r)  =  y ,  and  reject 
otherwise. 

Efficiency:  The  proof  verification  algorithm  Vcert  runs  in  strict  polynomial  time.  The  complexity 
of  the  CRS  and  proof  generation  is  determined  by  the  complexity  of  the  encoding  and  decoding  algo¬ 
rithm  of  the  message  hiding  encoding  scheme:  It  follows  from  the  the  efficiency  of  M PIE. enc  that  Gen 
runs  in  time  poly(fc,  |Ver|,  |q|,  1 7r| ,  log(a|x|c))  =  poly(/c,  \q\),  and  from  the  efficiency  of  MEIE.dec  that 
P Cert  runs  in  time  poly(fc,  |Ver|,  |g|,  |7r|,  log(|g|c),  min(t*,  a|x|c))  =  poly(/c,  |g|,min(f*,  |x|c)),  where  t* 
is  the  running  time  of  M  on  input  x.  Moreover,  the  length  of  the  proof  is  exactly  1 7r|  =  k.  In 
summary,  the  above  system  satisfies  the  efficiency  requirment  of  P-certificates. 

Strong  Soundness:  It  follows  directly  from  standard  techniques  that  the  message  hiding  property 
of  MHE  implies  that  for  any  constant  c,  the  above  system  is  secure  against  any  PPT  cheating  prover 
trying  to  prove  a  statically  choosen  false  statement  q  w.r.t.  language  Lc.  This  is  because,  for  a 
false  statement,  the  computation  Ver(c,  q)  is  not  accepting.  Thus,  it  follows  form  the  message 
hiding  property  of  MHE  that,  the  honest  encoding  enc  of  Ver  with  input  (c,  q)  and  message  7r  is 
indistinguishable  from  an  encoding  enc7  of  Ver,  (c,  q)  and  a  different  message,  say,  0n.  Therefore,  if 
a  cheating  prover  can  produce  a  valid  proof  for  q  when  receiving  an  honest  CRS  =  (enc,  f(ir))  with 
polynomial  probability,  it  can  still  produce  a  valid  proof  when  receiving  CRS7  =  (enc7,  /( 7r)).  Since 
a  valid  proof  is  7r,  the  cheating  prover  violates  the  one-wayness  of  /.  Thus  soundness  holds. 

To  obtain  strong  soundness,  we  rely  on  complexity  leveling.  Assume  that  MHE  and  the  injective 
one-way  function  is  super-polynomially  secure  w.r.t.  to  a  super-polynomial  function  E  There  must 
exist  another  super-polynomial  function  E  and  a  super-constant  function  f}' ,  such  that,  E(/c )&  ^  < 
r (k)  (for  example,  let  E  be  equal  to  2EDlogfc  for  (5(k)  =  tu(l);  set  (5’{k )  =  /^(/c)1/2  and  E (k)  = 

2^  (fc)i°gfcj_  ]q  follows  from  the  same  argument  that  the  above  argument  system  is  sound  against  all 
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r'-time  cheating  provers  who  chooses  false  statement  q  w.r.t.  any  langauge  Lc  for  c  <  This 

implies  that  the  system  is  strong  sound. 

Uniqueness:  For  any  CRS  string  CRS(enc,  y),  it  follows  from  the  injectiveness  of  the  one-way 
function  /,  that  there  is  at  most  one  string  ir,  such  that,  Ver(lfc,  CRS,7t)  =  1,  that  is,  f(ir)  =  y. 

Summarizing,  we  have, 

Theorem  2.  Assume  the  existence  of  a  message  hiding  encoding  scheme  and  an  injective  one-way 
function  (that  are  both  super-polynomially  secure),  there  is  a  (two-message)  P -cetificate  system  with 
(strong)  soundness  and  uniqueness. 

Delegatable  CRS  Generation.  The  message  hiding  encoding  scheme  of  [?]  has  certain  special 
structure,  such  that,  the  resulting  construction  of  P-certihcates  directly  have  delegatable  CRS 
generation.  The  special  property  is  that  their  encoding  algorithm  can  be  divided  into  three  steps 
matching  exactly  the  three  steps  in  delegatable  CRS  generation: 

•  (i)  First,  it  generates  certain  public  parameters  and  a  key,  depending  only  on  the  security 
parameter  k  and  the  time  bound  T.  (Namely,  this  step  runs  their  Setup-Acc  and  Steup-ltr 
algorithms;  let  PP  denote  the  output  of  these  two  algorithms  and  K  is  a  randomly  sampled 
puncturable  PRF  key). 

•  (ii)  then,  the  input  of  the  comptuation  x  is  processed  using  the  security  parameter  and  public 
parameters  to  produce  a  digest  of  the  input.  (Namely,  this  step  runs  their  Write-Store,  Prep- 
Write,  and  Update  algorithms  iteratively  with  the  input  x  and  the  public  parameters  PP, 
to  compute  a  digest  w  of  the  input.  Note  that  their  input  processing  step  also  produces  a 
processed  input  denoted  as  store,  which  in  an  overly  simplified  view,  is  similar  to  a  Merkle 
Hash  tree  built  with  leaves  x8;  and  store  is  also  a  part  of  the  encoding.  However,  we  notice 
that  the  rest  of  the  encoding  does  not  depend  on  store,  and  since  it  can  be  re-computed  by 
the  decoder  given  x  and  the  public  parameter,  it  can  hence  be  omited  from  the  encoding.) 

•  (iii)  finally,  the  encoding  is  produced  depending  only  on  the  security  parameter,  the  digest  of 
the  input,  the  public  parameter,  and  the  key.  (Namely,  this  step  runs  the  Setup-Spl,  Sign-Spl 
using  the  PRF  key  K  and  the  digest  w,  and  then  obufscates  using  10  a  program  that  depends 
on  the  TM  M,  the  time  bound  T,  the  public  pararameter  PP  and  K .) 

These  three  steps  for  generating  an  encoding  corresponds  exactly  to  the  Setup,  PreGen  and  CRSGen 
algorithms  in  a  delegatable  CRS  generation,  with  the  CRSGen  additionally  computes  the  image 
y  =  /( 7r).  Thus,  combining  Theorem  2  with  the  construction  of  message  hiding  encoding  of  [?], 
and  noticing  the  special  structure  of  its  encoding  algorithm,  we  have, 

Corollary  1.  Assume  the  existence  of  an  indistinguishability  obfusction  for  circuits,  an  injective 
PRG  and  an  IND-CPA  secure  public-key  encryption  scheme  (that  are  all  super-polynomially  secure), 
there  is  a  (two-message)  P-cetificate  system  with  (strong)  soundness,  uniqueness,  and  delegatable 
CRS  generation. 

5  Our  Protocol 

We  proceed  to  describe  formally  our  protocol,  ( P ,  V).  The  protocol  relies  on  the  following  primitives: 

8The  actual  computation  of  store  is  much  more  complicated.  In  an  over-simplified  view,  it  is  similar  to  a  Merkle 
hash  tree  computed  using  a  specially  crafted  hash  function  implemented  using  IO. 
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•  A  non-interactive  perfectly  binding  commitment  scheme  com.  We  assume  without  loss  of 
generality  that  com  only  needs  n  bits  of  randomness  to  commit  to  any  n-bit  string,  (as  it  can 
always  expand  these  n  bits  into  a  longer  sequence  using  a  PRG). 

•  A  strong  (two-message)  P-certificate  system  (Gen,  Pcert,  Vcert)  with  delegatable  CRS  gener¬ 
ation  Gen  =  (Setup,  PreGen,  CRSGen).  The  strong  soundness  property  is  associated  with 
parameter  T(-)  and  C'(-),  where  T(-)  is  a  “nice”  super-polynomial  function  and  C(-)  is  a 
“nice”  super-constant  function.  The  uniqueness  property  ensures  that  for  every  string  CRS, 
there  exists  at  most  one  proof  7 r  that  is  accepted  by  Vcert(lfc,  CRS,7t)  =  1.  This  allows  us  to 
define  the  following  deterministic  oracle  Oycert,  which  will  be  used  in  the  CZK  protocol  later. 


O 


n 

V  cert 


(CRS) 


7T  If  there  exists  uniques  s.t.  Vcert(ln,  CRS,  7r)  =  1 
_L  otherwise 


We  call  Oycert  the  P-certificate  oracle.  Additionally,  we  consider  a  universal  emulator 
Emulator”  that  on  input  ( P,x,0 )  emulates  the  execution  of  a  deterministic  oracle  machine 
P  on  input  x  with  oracle  Oycert  as  follows:  It  parses  O  as  an  array;  to  answer  the  ?'th  query 
CRS.;  from  P,  it  checks  whether  O;  is  the  right  answer  from  this  CRS  (i.e.,  Vcert(ln,  CRS;,  O;) 
=  1);  if  so,  it  returns  O;  to  P;  otherwise,  it  aborts  and  outputs  _L.  Finally,  the  emulator 
outputs  the  output  of  P. 

For  simplicty,  we  assume  that  the  lengths  of  the  CRS,  the  proof  7r,  and  the  digest  of  statement 
d  are  all  bounded  by  n,  the  security  parameter.  This  is  without  loss  of  generality,  and  can  be 
achieved  by  scaling  down  the  security  parameter. 

•  A  family  of  hash  functions  {Pn}„ :  to  simplify  the  exposition,  we  here  assume  that  both  com 
and  {'Hn}n  are  collision  resistant  against  circuits  of  size  T'(-),  where  T'(-)  is  “nice”  super¬ 
polynomial  function.  As  in  [?],  this  assumption  can  be  weakened  to  just  collision  resistance 
against  polynomial-size  circuits  by  modifying  the  protocol  to  use  a  “good”  error-correcting 
code  ECC  (i.e.,  with  constant  distance  and  with  polynomial-time  encoding  and  decoding),  and 
replace  commitments  com(/i(-))  with  com(/i(ECC(-))). 

•  An  indistinguishability  obfuscator  iO  for  circuits. 

•  A  constant-round  WIUA  argument  system,  a  constant-round  WZSSV  proof  system,  and  a 
constant-round  ZfC  argument  system. 

Let  us  now  turn  to  specifying  the  protocol  ( P ,  V).  The  protocol  makes  use  of  three  parameters: 
m(-)  is  a  polynomial  that  upper  bounds  the  number  of  concurrent  sessions;  T(-)  is  a  “nice”  super¬ 
polynomial  function  such  that  T(n),Tr (n)  £  r(n)“’^1\  and  D(-)  is  a  “nice”  super-constant  function 
such  that  D(n )  <  C(n).  Let  m  =  m{n ),  T  =  T(n)  and  D  =  D{n).  In  the  description  below,  when 
discussing  P-certificates,  we  always  consider  the  language  Lp.  For  simplicity,  below  we  do  not 
explicitly  discuss  about  the  length  of  the  random  strings  used  by  various  algorithms. 

The  prover  P  and  the  verifier  V ,  on  common  input  1”  and  x  and  private  input  a  witness  w  to 
P,  proceed  as  follow: 

Phase  1— Program  Slot:  P  and  V  exchanges  the  following  three  messages. 

(a)  V  chooses  a  randomly  sampled  hash  function  h  T~Ln. 

(b)  P  sends  a  commitment  c  to  0”  using  com,  and  random  coins  p\ . 
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(c)  V  replies  with  a  random  “challenge”  r  of  length  3 mn. 

We  call  (c,  r)  the  program-slot. 

Note:  In  the  simulation,  the  simulator  commits  to  a  program  S±. 

Phase  2 — Commit  to  Statement:  P  and  V  exchanges  the  following  messages. 

(a)  P  sends  a  commitment  c 2  to  0”  using  com,  and  random  coins  p-2. 

(b)  P  gives  a  WIUA  argument  of  the  statement  that  either  x  G  L  OR  there  exists  S\  G 
{0,  l}r("\  j  G  [m],  s  G  {0,  1}”,  7r  G  {0,  1}”,  <7  G  {0,  l}r(”\  p,  p2  such  that, 

Knowledge  of  Statement:  c2  =  com (h(q)]  /u),  where  q  G  {0,  l}3r. 

Correctness  of  Statement:  The  statement  q  satisfy  the  following  properties: 

•  Use  OF  Emulator:  q  can  be  parsed  into  ( Emulator”,  (Si ,  (ln,  j,  s),  a),  r). 

•  Program  Consistency:  c  =  com(h(Si);  p). 

If  the  argument  is  not  accepting,  V  aborts. 

Note:  By  definition  of  the  emulator  Emulator”,  on  input  (S\,(ln,j,s),a),  it  will  emulate 
the  execution  of  the  deterministic  oracle  machine  S(ln,j,s)  with  oracle  Oycert  using  answers 
stored  in  array  a. 

The  purpose  of  this  Phase  is  twofold:  First,  it  enforces  a  cheating  prover  to  commit  to  the 
“ trapdoor ”  statement  before  the  CRS  of  the  P -certificate  is  generated,  and  hence  the  soundness 
of  the  protocol  only  relies  on  the  selective  soundness  of  the  P -certificate.  Second,  it  checks 
whether  the  “trapdoor”  statement  has  the  right  structure,  in  particular,  the  statement  is  about 
whether  S^Vcert(ln,j,s)  =  r  with  a  containing  all  the  correct  oracle  answers  (as  enforeced 
by  Emulator”,).  In  the  simulation,  the  simulator  commits  to  the  “ trapdoor ”  statement,  q  = 
(Emulator”,  (Si,  (1  ”,  j,  s ),  a),  r),  here. 

Phase  3 — Delegate  Public  Statement  Processing:  V  delegates  the  public  statement  process¬ 
ing  to  P: 

(a)  V  generates  (PP,K)  =  Setup(l”,  D;  psetup)  using  random  coins  tcrs,  and  sends  PP. 

(b)  P  sends  a  commitment  C3  to  0”  using  com,  and  random  coins  p^. 

(c)  P  gives  a  WIUA  argument  of  the  statement  that  either  x  G  L  OR  there  exists,  d  G  {0, 1}”, 
q  G  {0,  l}3r,  pPreGen,  P2,  P3,  Such  that, 

Statement  Consistency:  C2  =  com(h(q);  p2). 

Digest  Consistency:  C3  =  com(d;  pfi). 

Correctness  of  Digest:  d  =  PreGen(PP,  q;  ppreGen)- 
If  the  argument  is  not  accepting,  V  aborts. 

Note:  The  purpose  of  this  Phase  is  to  allow  the  verifier  to  delegate  the  computation  of  the 
digest  of  the  statement  to  P.  In  simulation,  the  simualtor  will  compute,  commit  to  and  prove 
correctness  of  d  =  PreGen(PP,  g;  ppreGen)-  V  cannot  compute  d  itself,  since  (1)  it  does  not 
know  the  “trapdoor”  statement  q  and  (2)  the  computation  takes  poly(n,  |g|),  which  is  too 
expensive  for  the  verifier. 

Phase  4 — Delegate  Private  CRS  Generation:  V  delegates  the  private  CRS  generation  to  P: 
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(a)  V  sends  the  indistinguishability  obfuscation  A  £-  iO( P)  of  program  P  =  pn>c3TR^,PcRSGen 
with  C4,  K ,  and  a  random  string  pcRSGen  hardwired  in.  P  on  input  (d! ,  p')  checks  whether 
C3  =  com(d/,  p')  and  outputs  k  =  CRSGen (PP,  K ,  d;  pcRSGen)  if  it  is  the  case,  and  _L  oth¬ 
erwise.  The  functionality  of  P  is  described  formally  in  Figure  2. 


Circuit  P  =  pra>c3.pp.*:.PcRSGen;  Qn  jnput  (d' ,  p')  where  d!  £  {0, 1}"  and  p'  £  {0, 1}”,  does: 

(a)  Check  if  C3  =  com(d';  p')\  if  not,  output  J_. 

(b)  Otherwise  output  k  =  CRSGen(PP,  K ,  d'\  pcRSGen)- 

Circuit  Q  =  Q”’C3’K:  On  input  ( d'  ,p ')  where  d!  £  {0, 1}"  and  p'  £  {0,  l}n,  does: 

(a)  Check  if  c3  =  com (d'\ p');  if  not,  output  _L. 

(b)  Otherwise  output  k. 

The  above  circuits  are  padded  to  their  maximum  size. 


Figure  2:  Circuits  used  in  the  construction  and  proof  of  CZK  protocol  (P,  V) 

(b)  V  gives  a  ZK.  argument  of  the  statement  that  there  exists  K  £  {0,  l}n,  psetup>  AcRSGem 
PiO,  such  that, 

Correctness  of  Public  Parameter:  ( PP,K )  =  Setup(ln,  D;  psetup)- 
Correctness  of  Obfuscation:  A  =  iO(PC3,PP’K,PCRSGen-,  pio) 

If  the  argument  is  not  accepting,  P  aborts. 

(c)  P  sends  commitment  C4  of  0™  using  com  and  random  coins  p±. 

(d)  P  gives  a  W1SSV  proof  of  the  statement  that  either  x  £  L  OR  there  exists  CRS  G 
{0,  l}n,  d’  £  {0,  l}n,  p',  p^,  such  that, 

CRS  Consistency:  C4  =  com(CRS;  p^). 

Correctness  of  CRS:  CRS  =  (PP,  n)  and  k  =  P (d',p'). 

If  the  proof  is  not  accepting,  V  aborts. 

Note:  The  purpose  of  this  Phase  is  to  allow  the  verifier  to  delegate  the  computation  of 
CRS  to  P.  In  simulation,  the  simualtor  will  compute,  commit  to,  and  prove  correctness  of 
CRS  =  ( PP,k ),  with  k  =  P(d,  P3).  V  cannot  compute  k  itself,  even  though  the  computation 
takes  only  polynomial  time  in  n,  since  d  cannot  he  revealed  to  V  in  order  to  ensure  the 
indistinguishability  of  the  simulation.  On  the  other  hand,  to  ensure  the  “ privacy  ”  of  the  CRS 
computation,  V  delegates  this  computation  via  obfuscation. 

Phase  5 — Final  Proof:  P  gives  the  final  proof: 

(a)  P  gives  a  W1SSV  proof  of  the  statement  that  either  x  £  L  OR  there  exists  it  £  {0,  l}n, 
CRS  £  {0,  l}n,  P4,  such  that, 

CRS  Consistency:  C4  =  com(CRS;  pfi), 

Proof  Verification:  n  verifies  w.r.t.  CRS,  Vcert(ln,  CRS,7r)  =  1. 

V  accepts  if  the  proof  is  accepting. 
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Note:  In  the  simulation,  the  simulator  will  compute  the  proof  n  Pcert(l>  D,  q,  CRS),  and 
succeed  in  the  final  proof  by  using  ir  and  CRS,p4  generated  in  the  last  phase  as  “trapdoor” 
witness. 

Theorem  3.  The  above  protocol  (P,  V)  is  a  concurrent  ZK,  argument  system  for  NP. 

The  completeness  of  the  protocol  follows  from  the  completeness  of  the  WIUA  argument  of 
knowledge,  WISSV,  and  the  ZKL  argument.  Below,  we  prove  first  the  concurrent  zero  knowlege 
property  and  then  the  soundness  of  the  protocol. 

5.1  Proof  of  Concurrent  Zero-Knowledge 

The  goal  of  our  simulator  is  to  try  to  “commit  to  its  own  code”  and  prove  about  its  own  execution 
using  P-certihcates  in  a  way  that  prevents  a  blow-up  in  the  running-time.  Note  that  the  only 
expensive  part  of  this  process  is  the  generation  of  the  P-certificates  if;  the  rest  of  the  computa¬ 
tion  has  a-priori  bounded  complexity  (depending  only  on  the  size  and  running-time  of  V*).  To 
take  advantage  of  this  observation,  we  thus  have  the  simulator  only  commit  to  an  oracle  program 
that  generates  prover  messages  (in  identically  the  same  way  as  the  actual  simulator),  but  getting 
certificates  if  from  the  P-certificate  oracle  Oycert- 

In  more  detail,  to  describe  the  actual  simulator  S,  let  us  first  describe  two  “helper”  simulators 
Si ,  S2 .  Roughly  speaking,  Si  is  an  interactive  machine  that  simulates  prover  messages  in  a  “right” 
interaction  with  V*.  Additionally,  Si  excepts  to  have  access  to  oracle  Oycert  on  the  “left”,  in 
particular,  at  any  point,  it  can  send  a  CRS  string  CRS  and  gets  back  the  ir  =  Oycert( CRS)  the 
unique  accepting  certificate  w.r.t.  this  CRS  (or  _L,  if  such  a  certificate  does  not  exist);  the  oracle 
will  be  simulated  by  S'2,  who  provides  these  “left”  certificates. 

Let  us  turn  to  a  formal  description  of  the  Si  and  S'2.  To  simplifiy  the  exposition,  we  assume 
w.l.o.g  that  V*  has  its  non-uniform  advice  z  hard-coded,  and  is  deterministic  (as  it  can  always  get 
its  random  tape  as  non-uniform  advice). 

On  a  high-level,  S'i(ln,  x,  M,  s,  I)  acts  as  a  prover  in  a  “right”  interaction,  communicating  with 
a  concurrent  verifier  V* ,  while  accessing  oracle  on  the  “left”.  (The  input  x  is  the  statement  to  be 
proved,  the  input  M  will  later  be  instantiated  with  the  code  of  Si,  and  the  input  (s,£)  is  used  to 
generate  the  randomness  for  Si;  s  is  the  seed  for  the  forward  secure  pseudorandom  generator  g, 
and  £  is  the  number  of  n-bit  long  blocks  to  be  generated  using  g.)  A  communication  round  in  the 
“right”  interaction  with  V*  refers  to  a  verifier  message  (sent  by  V*)  followed  by  a  prover  message 
(sent  by  Si). 

Procedure  of  simulator  Si  :  Let  us  now  specify  how  S\  generates  prover  messages  in  its  “right” 
interaction  with  V*.  SfVcert(ln,x,M,s,£)  acts  as  follows: 

Generate  Randomness:  Upon  invocation,  Si  generates  its  “random-tape”  by  expanding  the  seed 
s;  more  specifically,  let  (s£,  S£- 1, . . .  si),  (qe,  qe~i,  ■  ■  ■ ,  qi)  be  the  output  of  g(s,£).  We  assume 
without  loss  of  generality  that  Si  only  needs  n  bits  of  randomness  to  generate  any  prover 
message  (it  can  always  expand  these  n  bits  into  a  longer  sequence  using  a  PRG);  in  order  to 
generate  its  jth  prover  message,  it  uses  qj  as  randomness. 

Simulate  Phase  1 — “Commit  to  its  own  code”:  Upon  receiving  a  hash  function  hi  in  session 
i  during  the  jth  communication  round,  Si  provides  a  commitment  Ci  to  (the  hash  of)  the  deter¬ 
ministic  oracle  machine  Si(ln,  a,  s')  =  wrap(M(ln,x,M,s',a),  V*,a),  where  wrap(A,B,a) 
is  the  program  that  lets  A  communicate  with  B  for  a  rounds,  while  allowing  A  to  access 
oracle  Oycert ,  and  finally  outputting  B’s  message  in  the  jth  communication  round. 
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Note:  That  is,  Si(ln,  a,  s',  r)  emulates  a  rounds  of  an  execution  between  Si  and  V*  where 
Si  expands  out  the  seed  s'  into  a  blocks  of  randomness  and  additionally  have  access  to  Oycert- 

Simulate  Phase  2 — “Commit  to  the  trapdoor  statement”:  Upon  receiving  a  challenge  rl 
in  session  i  during  the  jth  communication  round,  Si  needs  to  commit  to  the  “trapdoor” 
statement  it  will  later  prove  in  the  final  proof.  To  do  so,  it  prepares  statement  qi  = 
(Emulator",  (5i,  (ln,j,  Sj),  Tj_i),  r*),  where  Tj-i  is  the  list  of  oracle  answers  received  by  Si 
in  the  first  j  —  1  communication  rounds. 

Note:  That  is,  the  “ trapdoor ”  statement  is  that  the  execution  of  Si(ln,  j,  sj),  emualted  by 
Emulator”,  outputs  r,  when  its  kth  oracle  queries  is  answered  using  additionally,  the 

validity  of  each  answer  is  checked  by  ”  (i.e.,  the  answer  must  be  an  accepting  proof  w.r.t.  the 
query  CRS  string). 

By  constrution  of  Si,  this  means  after  j  communication  rounds  between  Si  and  V* ,  where 
Si  uses  randomness  expanded  out  from  Sj,  and  oracle  answers  Tj-i,  V*  outputs  rj  in  the  jth 
communication  round.  Note  that  since  we  only  require  Si  to  generate  the  jth  verifier  message, 
giving  him  the  seed  ( Sj,j )  as  input  suffices  to  generate  all  prover  messages  in  rounds  j'  <  j. 
It  follows  from  the  consistency  requirement  of  the  forward  secure  PRG  that  Si  using  ( Sj,j ) 
as  seed  will  generate  the  exact  same  random  sequence  for  the  j  —  1  first  blocks  as  if  running 
Si  using  (s,  T)  as  seed.  Therefore,  the  “ trapdoor ”  statement  holds. 

In  later  communication  rounds,  when  Si  receives  a  message  from  V*  belonging  to  the  WIUA 
in  Phase  2  of  session  i,  Si  proves  honestly  that  it  knows  the  statement  q,  it  is  committing 
to  in  session  i,  and  the  statement  is  correctly  formated  and  consistent  with  the  program  Si 
committed  to  in  Phase  1  of  session  i. 

Simulate  Phase  3 —  “Process  the  trapdoor  statement”:  Upon  receiving  a  public  parame¬ 
ter  PPi  in  session  i  during  the  jth  communication  round,  Si  needs  to  commit  to  the  digest  di  of 
the  “trapdoor”  statement  qi  of  session  i.  To  do  so,  it  computes  honestly  di  4-  PreGen (PPi,  qi) 
and  commits  to  di  using  com,  and  randomness  pi . 

In  later  communication  rounds,  when  Si  receives  a  message  from  V*  belonging  to  the  WIUA 
in  Phase  3  of  session  i,  Si  proves  honestly  that  it  knows  di  committed  to  in  Phase  3  of  session 
i  and  it  is  computed  correctly  w.r.t.  PPi  and  a  statement  qi  committed  to  in  Phase  2  of 
session  i. 

Simulate  Phase  4 —  “Compute  the  CRS”:  Upon  receiving  an  obfuscated  program  Aj,  Si  acts 
as  an  honest  verifier  of  the  ZKL  argument  to  verify  that  PPi  and  Aj  in  session  i  are  correctly 
generated.  Upon  recieving  the  last  message  of  the  ZK  argument,  in  the  jth  communication 
round,  Si  needs  to  commit  to  the  CRSj  of  session  i.  To  do  so,  it  computes  Ki  =  A i(di,pi).  If 
the  output  is  _L,  Si  aborts.  Otherwise,  it  commits  to  CRSj  =  ( PPi,Ki )  using  com. 

In  later  communication  rounds,  when  Si  receives  a  message  from  V*  belonging  to  the  WISSV 
in  Phase  4  of  session  i,  Si  proves  honestly  that  it  knows  Ki  committed  to  in  Phase  4  of  session 
i  and  it  is  computed  correctly  w.r.t.  Aj  and  a  digest  di  committed  to  in  Phase  3  of  session  i. 

Simulate  Phase  5 —  “Prove  the  trapdoor  statement  using  P-certificate” :  Upon  receiving 
the  last  message  from  V*  in  Phase  4  of  session  i,  during  the  jth  communication  round,  Si 
needs  to  prove  in  the  WISSV  proof  that  there  is  a  P-certificate  that  verifies  the  validity  of 
the  “trapdoor”  statement  qi  w.r.t.  the  CRS  string  CRSj  committed  to  in  Phase  4  of  session  i. 
To  do  so,  it  sends  query  CRSj  to  its  oracle  Oycert ,  and  obtains  answer  7Tj.  It  aborts  if  7Tj  =  _L. 
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Otherwise,  Si  provides  an  honest  W1SSV  that  Vcert(ln,  CRS;,  7T;)  =  1  w.r.t.  CRS;  which  is 
the  committed  value  in  Phase  4  of  session  i. 

Procedure  of  simulator  S2 :  S2(ln,x,  M,  s,£)  internally  emulates  £  messages  of  an  execution 
between  Si(l”,  x,  M,  s ,  £)  and  V* ,  and  simulates  the  oracle  Oycert.  for  Si.  In  a  communication  round 
j  when  Si  sends  an  oracle  query  CRS,  for  a  session  i,  S2  generates  a  certificate  7 r,  of  the  statement 
qi  =  (Emulator”,  (5i,  (1”,/,  Sj/),  r^/)  w.r.t.  CRS;,  that  is,  7 t,  -o-  Pcert(l”,  D,  qi,  CRS*)  (where 

j'  is  the  round  in  which  the  challenge  r,  is  sent  by  V*,  g;  and  CRS*  are  generated  by  Si  (emulated 
internally  by  S2)  in  Phase  2  and  4  of  session  i).  S2  checks  if  indeed  Vcert(l”,  CRS,;,  7T;)  =  1,  it 
outputs  fail  if  this  is  not  the  case,  and  otherwise,  feeds  7 r,  to  Si.  Finally,  S2  outputs  its  view  (which 
in  particular,  contains  the  view  of  V*)  at  the  end  of  the  execution. 

Procedure  of  the  final  simulator  S:  The  final  simulator  5(1”,  x)  simply  runs  Sb(l”,  x,  Si,  s,T(n+ 
|a;|)),  where  s  is  a  uniformly  random  string  of  length  n  and  T(n  +  |x|)  is  a  polynomial  upper-bound 
on  the  number  of  messages  sent  by  V*  given  the  common  input  1”,  x,  and  extracts  out  and  outputs, 
the  view  of  V*  from  the  output  of  Sb-  (In  case  that  Sb  outputs  fail,  S  outputs  fail  as  well.) 

Running-time  of  S.  Let  us  first  argue  that  Si  runs  in  polynomial  time. 

1.  In  Phase  1,  it  only  takes  5)  polynomial-time  to  generate  the  commitments  (since  V*  has  a 
polynomial-length  description,  and  thus  also  the  code  of  Si). 

2.  In  Phase  2,  it  also  only  takes  Si  polynomial  time  to  commit  to  the  statements  qi  (since 
Emulator”,  (1  n,j,Sj),  and  r  have  fixed  polynomial  lengths,  and  Si  and  Tj-i  have  polynomial 
length  description,  depending  on  the  size  of  V*).  Furthermore,  the  witnesses  of  the  WIUA  in 
Phase  2  has  polynomial  length;  by  the  relative  prover  efficiency  condition  of  the  WIUA,  each 
such  proof  only  requires  some  fixed  polynomial-time. 

3.  In  Phase  3,  processing  the  statements  g;  takes  time  polynomial  in  the  length  of  the  statement 
and  n,  which  is  polynomial.  Furthermore,  committing  to  the  outputs  d;  and  proving  about 
their  correctness  using  WIUA  also  takes  only  polynomial  time  (by  the  relative  prover  efficiency 
of  WIUA). 

4.  In  Phase  4,  since  the  CRS  generation  is  very  efficient,  taking  time  polynomial  in  only  the 
security  parameter,  Si  completes  all  Phase  4  in  polynomial  time. 

5.  In  Phase  5,  the  simulator  proves  about  the  verification  of  a  P-certificate  w.r.t.  to  a  CRS  string 
committed  to  in  Phase  4.  Since  both  steps  takes  time  poly(n),  Si  completes  all  Phase  5  in 
polynomial  time. 

Overall,  the  whole  execution  of  Si  takes  some  fixed  polynomial  time  (in  the  length  of  V*  and  thus 
also  in  the  length  of  x.)  It  directly  follows  that  also  Si’s  running-time  is  polynomially  bounded. 

Finally,  since  S2  is  simply  providing  certificates  about  the  execution  of  Si,  it  follows  by  the 
relative  prover  efficiency  condition  of  P-certfficates,  that  S2  runs  in  polynomial  time,  and  thus  also 
S. 

Indistinguishability  of  the  simulation  Fix  any  cheating  verifier  V* ,  we  first  argue  that  during 
the  execution  of  S  for  simulating  the  view  of  V* ,  the  probability  that  S2  (and  hence  S)  outputs  fail 
is  negligible.  By  construction,  S2  outputs  fail  when  for  some  session  i,  the  proof  7 r;  that  it  constructs 
honestly  using  Pcert  does  not  verify  w.r.t.  the  CRS,:  that  Si  comptues.  It  follows  from  the  soundness 
of  the  ZKL  argument  in  Phase  4  of  session  i  that,  with  overwhelming  probability,  V*  in  session 
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i  computes  (. PP,K )  A  Setup(ln,Z?)  and  the  obfuscation  A  A  iO( P)  of  P  =  P"'c3>pp>A>PcRSGen 
correctly  w.r.t.  some  random  strings  psetup  and  pto-  In  this  case,  since  S\  evalutes  PreGen,  commits 
to  the  produced  digest  di,  and  evalutes  A*  honestly,  it  follows  from  the  perfect  correctness  of  the 
indistinguishability  obfuscator,  the  perfect  completeness  of  the  P-certificate  system,  and  the  perfect 
binding  property  of  com  that  as  long  as  %  is  a  true  statement,  S2  would  generate  an  accepting 
proof  for  it  w.r.t.  CRS;.  By  construction,  qt  is  a  true  statement.  Therefore,  the  probability  that  S2 
outputs  fail  is  neligible. 

Below  we  argue  about  the  indistinguishability  of  the  simulation  conditioning  on  that  S2  does 
not  output  fail.  Assume  that  there  exists  a  cheating  verifier  V* ,  a  distinguisher  D  and  a  polynomial 
p  such  that  the  real  view  and  the  simulated  view  of  V*  can  be  distinguished  by  D  with  probability 
for  infinitely  many  n.  More  formally,  for  infinitely  many  n  E  N ,  x  E  Ln{0,  l}Poly(n);  w  g  R^(x) 

and  z  E  {0,  l}Poly(Tl))  it  holds  that 

|Pr[£>(Viewv.  (P(w),  V*(z))  (ln,  x))  =  1]  -  Pr [D(S(ln,x,z))  =  1]|  >  (1) 

p[n) 

Consider  such  n,  x,  z  (and  assume  that  z  is  hard-coded  into  the  description  of  V*),  and  consider 
T  =  T(n+\x\)  hybrid  experiments  (recall  that  T(n+\x\)  is  the  maximum  number  of  communication 
rounds  given  common  input  ln,x). 

•  In  hybrid  Hj,  the  first  j  communication  rounds  are  simulated  exactly  as  by  S  (using  pseudo- 
randomness),  but  all  later  communication  round  j'  >  j  are  generated  honestly  using  true 
randomness  q'j  being  uniformly  distributed  in  {0,  l}n.  More  precisely,  every  prover  commit¬ 
ment  sent  after  round  j  is  a  commitment  to  0n  (i.e. ,  Step  1- (b) ,  2- (a),  3-(b)  and  4- (c) ) ;  every 
WIUA  argument  (i.e.,  Step  2-(b),  3-(c))  and  every  WXSSV  proof  (i.e.,  Step  4-(d),  5- (a))  that 
start  after  round  j  uses  the  true  witness  w  instead  of  “fake”  witnesses  that  S  uses;  however, 
every  WIUA  argument  and  WISSV  proof  that  start  at  or  before  round  j  are  still  proven 
using  (appropriate)  “fake”  witnesses  as  S  does;  importantly,  all  prover  messages  generated 
after  round  j  uses  truely  random  coins. 

It  follows  by  Equation  1  and  a  hybrid  argument  that  there  exist  some  j  and  a  polynomial  p"  such 
that  D  distinguishes  Hj  and  Hj+ \  with  probability  p/pn^  ■  Now,  consider  another  hybrid  experiment 

Hj  that  proceeds  just  at  HJ+\ ,  but  where  true  randomness  is  used  in  communication  round  j  +  1 
(but  still  committing  to  the  the  same  values  as  S  does  and  using  “fake”  witness  as  S  does).  It  follows 
by  the  forward  security  of  the  PRG  g  that  the  outputs  of  Hj+\  and  Hj  are  indistinguishable — the 
reason  we  need  forward  security  is  that  to  emulate  communication  rounds  j'  <  j,  the  seeds  Sj>  may 
need  to  be  known  (as  they  are  part  of  the  “trapdoor”  statements).  Indistinguishability  of  Hj  and 
Hj  follows  directly  by  either  the  hiding  property  of  the  commitment  scheme  (if  in  the  j  +  1  round, 
the  prover  message  is  a  commitment),  or  the  witness  indistinguishability  property  of  the  WIUA  or 
W1SSV  (if  in  this  round,  the  prover  message  is  a  message  of  WIUA  or  WZSSV).  It  thus  leads  to 
a  contradiction  and  completes  the  proof  of  the  indistinguishability  of  the  simulation. 

5.2  Proof  of  Soundness 
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Abstract.  We  present  the  first  efficient  (i.e.,  polylogarithmic  overhead) 
method  for  securely  and  privately  processing  large  data  sets  over  mul¬ 
tiple  parties  with  parallel,  distributed  algorithms.  More  specifically,  we 
demonstrate  load-balanced,  statistically  secure  computation  protocols 
for  computing  Parallel  RAM  (PRAM)  programs,  handling  (1/3  —  e)  frac¬ 
tion  malicious  players,  while  preserving  up  to  polylogarithmic  factors  the 
computation,  parallel  time,  and  memory  complexities  of  the  PRAM  pro¬ 
gram,  aside  from  a  one-time  execution  of  a  broadcast  protocol  per  party. 
Additionally,  our  protocol  has  polylog  communication  locality — that  is, 
each  of  the  n  parties  speaks  only  with  polylog(n)  other  parties. 


1  Introduction 

Large  data  sets,  such  as  medical  data,  genetic  data,  transaction  data,  the 
web  and  web  access  logs,  and  network  traffic  data,  are  now  in  abundance. 

Much  of  the  data  is  stored  or  made  accessible  in  a  distributed  fashion, 
having  necessitated  the  development  of  efficient  distributed  protocols 
that  compute  over  such  data.  In  particular,  novel  programming  models 
for  processing  large  data  sets  with  parallel,  distributed  algorithms,  such 
as  MapReduce  (and  its  implementation  Hadoop)  are  emerging  as  crucial 
tools  for  leveraging  this  data  in  important  ways. 

But  these  methods  require  that  the  data  itself  is  revealed  to  the  partic¬ 
ipating  servers  performing  the  computation — and  thus  blatantly  violate 
the  privacy  of  potentially  sensitive  data.  As  a  consequence,  such  methods 

*  The  research  of  the  first  author  has  received  funding  from  the  European  Union’s 
Tenth  Framework  Programme  (FP10/  2010-2016)  under  grant  agreement  no.  259426 
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cannot  be  used  in  many  critical  applications  (e.g.,  discovery  of  causes  or 
treatments  of  diseases  using  genetic  or  medical  data). 

In  contrast,  methods  such  as  secure  multi-party  computation  (MPC), 
introduced  in  the  seminal  works  of  Yao  [Yao86]  and  Goldreich,  Micali 
and  Wigderson  [GMW87],  enable  securely  and  privately  performing  any 
computation  on  individuals  private  inputs  (assuming  some  fraction  of  the 
parties  are  honest).  However,  despite  great  progress  in  developing  these 
techniques,  there  are  no  MPC  protocols  whose  efficiency  and  communi¬ 
cation  requirements  scale  to  the  modern  regime  of  large-scale  distributed, 
parallel  data  processing. 

We  are  concerned  with  merging  these  two  approaches.  In  particular, 

We  seek  MPC  protocols  that  efficiently  (technically,  with 

poly  logarithmic  overhead)  enable  secure  and  private  processing  of  large 
data  sets  with  parallel,  distributed  algorithms. 

Explicitly,  in  this  large-scale  regime,  the  following  properties  are  paramount: 

1.  Exploiting  Random  Access.  Computations  on  large  data  sets  are  fre¬ 
quently  “lightweight” :  accessing  a  small  number  of  dynamically  cho¬ 
sen  data  items,  relying  on  conditional  branching,  and/or  maintaining 
small  memory.  This  means  that  converting  a  program  first  into  a  cir¬ 
cuit  to  enable  its  secure  computation,  which  immediately  obliterates 
these  gains,  will  not  be  a  feasible  option. 

2.  Exploiting  Parallelism.  In  fact,  as  mentioned,  to  effectively  solve 
large-scale  problems,  modern  programming  models  heavily  leverage 
parallelism.  The  notion  of  a  Parallel  RAM  (PRAM)  better  captures 
such  computing  models.  In  the  PRAM  model  of  computation,  several 
(polynomially  many)  CPUs  run  simultaneously,  potentially  commu¬ 
nicating  with  one  another,  while  accessing  the  same  shared  external 
memory.  We  consider  a  PRAM  model  with  a  variable  number  of 
CPUs  but  with  a  fixed  activation  structure  (i.e.,  what  processors  are 
activated  at  which  time  steps  is  fixed).  Note  that  such  a  model  simul¬ 
taneously  captures  RAMs  (a  single  CPU)  and  circuits  (the  circuit 
topology  dictates  the  CPU  activation  structure). 

3.  Exploiting  Plurality  of  Users.  In  the  setting  of  MPC  we  would  like 
to  leverage  not  only  parallelism  within  a  single  party  (i.e.,  if  a  party 
has  multiple  CPUs  that  may  run  in  parallel),  but  also  that  we  have 
a  large  number  of  parties  that  can  run  in  parallel.  So,  if  we  we  have 
n  parties,  each  with  k  processors,  we  ideally  would  like  to  securely 
compute  PRAMs  that  use  nk  CPUs  (as  opposed  to  just  k  CPUs). 

Additionally,  the  following  desiderata  are  often  of  importance: 

3.  Load  balancing.  When  the  data  set  contains  tens  or  hundreds  of 
thousands  of  users’  data,  it  is  often  unreasonable  to  assume  that 
any  single  user  can  provide  memory,  computation,  or  communication 
resources  on  the  order  of  the  data  of  all  users.  Rather,  we  would  like 
to  balance  the  load  across  nodes. 

4.  Communication  Locality.  In  many  cases,  establishing  a  secure  com¬ 
munication  channel  with  a  large  number  of  distinct  parties  may  be 
costly,  and  thus  we  would  like  to  minimize  the  locality  of  communi¬ 
cation  [BGT13]:  that  is,  the  number  of  total  parties  that  each  party 
must  send  and  receive  message  to  during  the  course  of  the  protocol. 
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To  date,  no  existing  work  addresses  secure  computation  of  Parallel  RAM 
programs.  Indeed,  nearly  all  results  in  MPC  require  a  circuit  model  for 
the  function  being  evaluated  (including  the  line  of  work  on  scalable 
MPC  [DI06,DIK+08,DKMS12,ZMS14]),  and  thus  inherit  resource  re¬ 
quirements  that  are  linear  in  the  circuit  size.  Even  for  (sequential)  RAM, 
the  only  known  protocols  either  only  handle  two  parties  [OS97,GKK+ll,L013,GGH+13], 
or  in  the  context  of  multi-party  computation  require  all  parties  to  store 
all  inputs  [DMN11],  rendering  the  protocol  useless  in  a  large-scale  setting 
(even  forgetting  about  computation  load  balancing  and  locality). 

1.1  Our  Results 

We  present  a  statistically  secure  MPC  for  (any  sequence  of)  PRAMs 
handling  (1/3  —  e)  fraction  static  corruptions  in  a  synchronous  communi¬ 
cation  network,  with  secure  point-to-point  channels.  In  addition,  our  pro¬ 
tocol  is  strongly  load  balanced  and  communication  local  (i.e. ,  polylog(n) 
locality).  We  state  our  theorem  assuming  each  party  itself  is  a  fc-processor 
PRAM,  for  parameter  k. 

Theorem  1  (Informal  —  Main  Theorem).  For  any  constant  e  >  0 
and  polynomial  parallelism  parameter  k  =  k(n),  there  exists  an  n-party 
statistically  secure  (with  error  negligible  in  n)  protocol  for  computing 
any  adaptively  chosen  sequence  of  PRAM  programs  IT j  with  fixed  CPU 
activation  structures  (and  that  may  have  bounded  shared  state),  han¬ 
dling  (1/3  —  e)  fraction  static  corruptions  with  the  following  complexi¬ 
ties,  where  each  party  is  a  k-processor  PRAM  (and  where  \x\,  \y\  denote 
per-party  input  and  output  size,4  space(TZ),  comp(77),  and  tim e(77)  de¬ 
note  the  worst-case  space,  computation,  and  (parallel)  runtime  of  II ,  and 
CPUs(II)  denotes  the  number  of  CPUs  of  II): 

—  Computation  per  party,  per  II j :  0(comp(77j)/n  +  | y\) . 

—  Time  steps,  per  Ilj:  O  ^time(TTj)  •  max  {l,  CP^^J7-)  . 

—  Memory  per  party:  O  (|x|  +  \y\  +  maxj)-!  space(JT,)/n) . 

—  Communication  Locality:  0(1). 
given  a  one-time  preprocessing  phase  with  complexity: 

—  Computation  per  party:  0(\x\),  plus  single  broadcast  of  0(1)  bits. 

—  Time  steps:  O  ^max  { 1,  -^r}^  ■ 

Additionally,  our  protocol  achieves  a  strong  “online”  load-balancing  guar¬ 
antee:  at  all  times  during  the  protocol,  all  parties’  communication  and 
computation  loads  vary  by  at  most  a  constant  multiplicative  factor  (up 
to  a  polylog(n)  additive  term). 

Remark  1  (Round  complexity) .  As  is  the  case  with  all  general  MPC  pro¬ 
tocols  in  the  information-theoretic  setting  to  date,  the  round  complexity 
of  our  protocol  corresponds  directly  with  the  time  complexity  (as  when 
restricted  to  circuits,  parallel  complexity  corresponds  to  circuit  depth). 

That  is,  for  each  evaluated  PRAM  program  Ilj,  the  protocol  runs  in 
0(time(77j))  sequential  communication  rounds  to  securely  evaluate  Ilj. 

4  For  simplicity  of  exposition,  we  assume  all  parties  have  the  same  input  size  and 
receive  the  same  output. 
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Remark  2  (On  the  achieved  parameters).  Note  that  in  terms  of  mem¬ 
ory,  each  party  only  stores  her  input,  output,  and  her  “fair”  share  of 
the  required  space  complexity,  up  to  polylogarithmic  factors.  In  terms  of 
computation  (up  to  polylogarithmic  factors),  each  party  does  her  “fair” 
share  of  the  computation,  receives  her  outputs,  and  in  addition  is  re¬ 
quired  to  read  her  entire  input  at  an  initial  preprocessing  stage  (even 
though  the  computations  may  only  involve  a  subset  of  the  input  bits; 
this  additional  overhead  of  “touching”  the  whole  input  once  is  neces¬ 
sary  to  achieve  security).5  Finally,  the  time  complexity  corresponds  to 
the  parallel  complexity  of  the  PRAM  being  computed,  as  long  as  the 
combined  number  of  available  processors  nk  from  all  parties  matches  or 
exceeds  the  number  of  required  parallel  processes  of  the  program  (and 
degrades  with  the  corresponding  deficit). 

Remark  3  (Instantiating  the  single-use  broadcast).  The  broadcast  chan¬ 
nel  can  be  instantiated  either  by  the  0(y/n)-locality  broadcast  proto¬ 
col  of  King  et  al.  [KSSV06],  or  the  polylog (n)-average  locality  protocol 
of  [BSGH13]  at  the  expense  of  a  cost  of  a  one-time  per-party  compu¬ 
tational  cost  of  O(\A0>  or  average  cost  of  polylog(n),  respectively.  We 
separate  the  broadcast  cost  from  our  protocol  complexity  measures  to 
emphasize  that  any  (existing  or  future)  broadcast  protocol  can  be  di¬ 
rectly  plugged  in,  yielding  associated  desirable  properties.6 

1.2  Construction  Overview 

Our  starting  point  is  an  Oblivious  PRAM  ( OPRAM)  compiler  [BCP14b,G096], 
a  tool  that  compiles  any  PRAM  program  into  one  whose  memory  access 
patterns  are  independent  of  the  data  (i.e.,  “oblivious”).  Such  a  compiler 
(with  polylogarithmic  overhead)  was  recently  attained  by  [BCP14b]. 

Indeed,  it  is  no  surprise  that  such  a  tool  will  be  useful  toward  our  goal. 

It  has  been  demonstrated  in  the  sequential  setting  that  Oblivious  (se¬ 
quential)  RAM  (ORAM)  compilers  can  be  used  to  builds  secure  2-party 
protocols  for  RAM  programs  [0S97,GKK+11,L013,GGH+13].  Taking 
a  similar  approach,  building  upon  the  OPRAM  compiler  of  [BCP14b] 
directly  yields  2-party  protocols  for  PRAMs. 

However,  OPRAM  on  its  own  does  not  directly  provide  a  solution  for 
multi- party  computation  (when  there  are  many  parties).  While  this  ap¬ 
proach  gives  protocols  whose  complexities  scale  well  with  the  RAM  (or 

5  For  general  secure  computation,  and  even  if  we  restrict  to  functionalities  that  only 
access  a  few  parties’  inputs,  and  only  a  few  bits  of  their  data,  essentially  all  parties 
must  perform  computation  at  least  J?(|x|).  To  see  this,  consider  secure  computation 
of  a  “multi-party  Private  Information  Retrieval  (PIR)”  functionality:  each  party 
i  >  1  has  as  input  some  “big  data”  and  party  1  has  as  input  a  party  index  i 
and  an  index  j  into  their  data  Xi.  The  functionality  returns  Xi\j]  (i.e.,  the  j’th  bit 
of  party  i’s  data)  to  party  1  and  nothing  to  everyone  else.  We  claim  that  each  party 
i  >  1  must  access  every  bit  of  x,;.  if  not,  it  learns  that  that  particular  bit  of  its  data 
was  not  requested,  which  it  cannot  learn  in  an  ideal  execution  of  the  functionality. 

6  For  instance,  it  remains  open  to  achieve  statistically  secure  broadcast  with  worst-case 
polylog(n)  locality. 
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PRAM)  complexity  of  the  programs,  the  complexities  grow  poorly  with 
the  number  of  parties.  Indeed,  the  only  current  technique  for  securely 
evaluating  a  RAM  program  on  multiple  parties’  inputs  [DMN11]  is  for 
all  parties  to  hold  secret  shares  of  all  parties’  inputs,  and  then  jointly 
execute  (using  standard  MPC  for  circuits)  the  trusted  CPU  instructions 
of  the  ORAM-compiled  version  of  the  program.  This  means  each  party 
must  communicate  and  maintain  information  of  size  equivalent  to  all 
parties  ’  inputs,  and  everyone  must  talk  to  everyone  else  for  every  time 
step  of  the  RAM  program  evaluation. 

One  may  attempt  to  improve  the  situation  by  first  electing  a  small 
polylog(n)-size  representative  committee  of  parties,  and  then  only  per¬ 
forming  the  above  steps  within  this  committee.  This  approach  drops  the 
total  communication  and  computation  of  the  protocol  to  reasonable  lev¬ 
els.  However,  this  approach  does  not  save  the  subset  of  elected  parties 
from  carrying  the  burden  of  the  entire  computation.  In  particular,  each 
elected  party  must  memory  storage  equal  to  the  size  of  all  parties’  inputs 
combined ,  making  the  protocol  unusable  for  “large-scale”  computation. 

In  this  paper,  we  provide  a  new  approach  for  dealing  with  this  issue. 

We  show  how  to  use  an  OPRAM  in  a  way  that  achieves  balancing  of 
memory,  computation,  and  communication  across  all  parties. 

Our  MPC  construction  proceeds  in  the  following  steps: 

1.  From  OPRAM  to  MPC.  Given  an  OPRAM,  we  begin  by  consid¬ 
ering  MPC  in  a  “benign”  adversarial  setting,  which  we  refer  to  as 
oblivious  multi-party  computation,  where  all  parties  are  assumed  to 
be  honest,  and  we  only  require  that  an  external  attacker  that  views 
communication  and  activation  (including  memory  and  computation 
usages)  patterns  does  not  learn  anything  about  the  inputs.  We  show: 

(a)  OPRAM  yields  efficient  memory-balanced  oblivious  MPC  for  PRAM. 

(b)  Using  committee  election  techniques  (a  la  [KLST11,DKMS12,BGT13]), 
any  oblivious  multi-party  computation  can  be  compiled  into  a 
standard  secure  MPC  with  only  polylog  overhead  (and  a  one¬ 
time  use  of  a  broadcast  channel  per  party). 

2.  Load  Balancing  &  Communication  Locality.  We  next  show 
semi-generic  compilers  for  “nice”  (formally  defined)  oblivious  multi¬ 
party  protocols,  each  introducing  only  polylog(n)  overhead: 

(a)  From  any  “nice”  protocol  to  one  whose  computation  and  com¬ 
munication  are  load-balanced. 

(b)  From  any  “nice”  protocol  to  one  that  is  both  load-balanced  and 
communication  local  (i.e. ,  polylog(n)  locality). 

Our  final  result  is  obtained  by  combining  the  above  steps  and  observ¬ 
ing  that  Step  1(b)  preserves  load-balancing  and  communication  locality 
(and  thus  can  be  applied  after  Step  2).  Let  us  mention  that  just  Step  1 
(together  with  existing  construction  of  ORAMs)  already  yields  the  first 
MPC  protocol  for  (sequential)  RAM  programs  in  which  no  party  must 
store  all  parties’  inputs.  Additionally,  just  Step  1  (together  with  the 
OPRAM  construction  of  [BCP14b])  yields  the  first  MPC  for  PRAMs. 

We  now  expand  upon  each  of  these  steps. 
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MPC  from  OPRAM  Recall  that  our  construction  proceeds  via  an 
intermediate  notion  of  oblivious  security,  in  which  we  do  not  require  secu¬ 
rity  against  corrupted  parties,  but  rather  against  an  external  adversary 
who  sees  the  activation  patterns  (i.e.,  accessed  memory  addresses  and 
computation  times)  and  communication  patterns  (i.e.,  sender/receiver 
ids  and  message  lengths)  of  parties  throughout  the  protocol. 

Oblivious  MPC  from  OPRAM.  At  a  high  level,  our  protocol  will  emu¬ 
late  a  distributed  OPRAM'  structure,  where  the  CPUs  and  memory  cells 
in  the  OPRAM  are  each  associated  with  parties.  (Recall  that  we  need 
only  achieve  “oblivious”  security,  and  thus  can  trust  individual  parties 
with  these  tasks).  The  “CPU”  parties  will  control  the  evaluation  flow  of 
the  (OPRAM-compiled)  program,  communicating  with  the  parties  em¬ 
ulating  the  role  of  the  appropriate  memory  cells  for  each  address  to  be 
accessed  in  the  (OPRAM-compiled)  database. 

The  distributed  OPRAM  structure  will  enable  us  to  evenly  spread  the 
memory  burden  across  parties,  incurring  only  polylog(n)  overhead  in  to¬ 
tal  memory  and  computation,  and  while  guaranteeing  that  the  com¬ 
munication  patterns  between  committees  (corresponding  to  data  access 
patterns)  do  not  reveal  information  on  the  underlying  secret  values. 

This  framework  shares  a  similar  flavor  to  the  protocols  of  [DKMS12,BGJK12], 
which  assign  committees  to  each  of  the  gates  of  a  circuit  being  evaluated, 
and  to  [BGT13],  which  uses  CPU  and  input  committees  to  direct  pro¬ 
gram  execution  and  distributedly  store  parties’  inputs.  The  distributed 
OPRAM  idea  improves  and  conceptually  simplifies  the  input  storage 
handling  of  Boyle  et  al.  [BGT13],  in  which  n  committees  holding  the 
n  parties’  inputs  execute  a  distributed  “oblivious  input  shuffling”  pro¬ 
cedure  to  break  the  link  between  which  committees  are  communicating 
and  which  inputs  are  being  accessed  in  the  computation. 

Compiling  from  “Oblivious”  Security  to  Malicious  Security.  We 
next  present  a  general  compiler  taking  an  oblivious  protocol  to  one 
that  is  secure  against  (1/3  —  e)n  statically  corrupted  malicious  parties. 

(This  step  can  be  viewed  as  a  refinement  and  formalization  of  ideas 
from  [KLST11,DKMS12,BGT13].)  We  ensure  the  compiler  tightly  pre¬ 
serves  the  computation,  memory,  load-balancing,  and  communication  lo¬ 
cality  of  the  original  protocol,  up  to  polylog(n)  factors  (modulo  a  one¬ 
time  broadcast  per  party).  This  enables  us  to  apply  the  transformation 
to  any  of  the  oblivious  protocols  resulting  from  the  intermediate  steps  in 
our  progression. 

At  a  high  level,  the  compiler  takes  the  following  form:  (1)  First,  the 
parties  collectively  elect  a  large  number  of  “good”  committees,  each  of 
size  polylog(n),  where  “good”  means  each  committee  is  composed  of  at 
least  2/3  honest  parties,  and  that  parties  are  spread  roughly  evenly  across 
committees.  (2)  Each  party  will  verifiably  secret  share  his  input  among 
the  corresponding  committee  Ci.  (3)  From  this  point  on,  the  role  of  each 
party  Pi  in  the  original  protocol  will  be  emulated  by  the  corresponding 

'  We  remark  that  the  term  “distributed  ORAM”  was  used  with  a  different  meaning 
in  [LO!3],  in  regard  to  an  ORAM  that  was  split  across  two  users. 
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committee  C;.  That  is,  each  local  F\  computation  will  be  executed  via  a 
small-scale  MPC  among  C;,  and  each  communication  from  Pi  to  Pj  will 
be  performed  via  an  MPC  among  committees  C;  and  Cj. 

The  primary  challenge  in  this  step  is  how  to  elect  such  committees  while 
incurring  only  polylog(n)  locality  and  computation  per  party.  To  do  so, 
we  build  atop  the  “almost-everywhere”  scalable  committee  election  pro¬ 
tocol  of  King  et  al.  [KSSV06]  to  elect  a  single  good  committee,  and 
then  show  that  one  may  use  a  polylog(n)-wise  independent  function  fam¬ 
ily  {Fs}ses  to  elect  the  remaining  committees  with  small  description 
size  (in  the  fashion  of  [KLST11,BGT13],  for  the  case  of  combinatorial 
samplers  and  computational  pseudorandom  functions),  with  committee 
i  defined  as  Ci  :=  Fs(i)  for  fixed  random  seed  s. 

We  remark  that,  aside  from  the  one-time  broadcast,  this  compiler  pre¬ 
serves  load  balancing  and  polylog(n)  locality.  Indeed,  load  balancing  is 
maintained  since  the  committee  setup  procedure  is  computationally  inex¬ 
pensive,  and  each  party  appears  in  roughly  the  same  number  of  “worker” 
committees.  The  locality  of  the  resulting  protocol  increases  by  an  addi¬ 
tive  polylog(n)  for  the  committee  setup,  and  a  multiplicative  polylog(n) 
term  since  all  communications  are  now  performed  among  polylog(n)-size 
committees  instead  of  individual  parties. 


Load  Balancing  Distributed  Protocols 

Load-balancing  (Without  Locality).  We  now  show  how  to  modify  our 
protocol  such  that  the  total  computational  complexity  and  memory  bal¬ 
ancing  are  preserved,  while  additionally  achieving  a  strong  computation 
load  balancing  property — with  high  probability,  at  all  times  throughout 
the  protocol  execution,  every  party  performs  close  to  1/n  fraction  of  cur¬ 
rent  total  work,  up  to  an  additive  polylog(n)  amount  of  work.  This  will 
hold  simultaneously  for  both  computation  and  communication.8 
We  present  and  analyze  our  load-balancing  solution  in  the  intermedi¬ 
ate  oblivious  MPC  security  setting  (recall  that  one  can  then  apply  the 
compiler  from  Step  2(b)  above  to  obtain  malicious  MPC  with  analogous 
load-balancing).  Let  us  mention  that  there  is  a  huge  literature  on  “load- 
balanced  distributed  computation”  (e.g.,  [ACMR95,MPS02,MR98,AAK08]): 

As  far  as  we  can  tell,  our  setting  differs  from  the  typical  studied  scenarios 
in  that  we  must  load  balance  an  underlying  distributed  protocol,  as  op¬ 
posed  to  a  collection  of  independent  “non-communicating  jobs”.  Indeed, 
the  main  challenge  in  our  setting  is  to  deal  with  the  fact  that  “jobs” 
talk  to  one  another,  and  this  communication  must  remain  efficient  also 
be  made  load  balanced.  Furthermore,  we  seek  a  load-balanced  solution 
with  communication  locality. 

We  consider  a  large  class  of  arbitrary  (potentially  load-unbalanced  and 
large-locality)  distributed  protocols  77,  where  we  view  each  party  in  this 
underlying  protocol  as  a  “job” .  Our  goal  is  to  load-balance  77  by  passing 

Note  that  while  our  current  protocol  is  memory  balanced,  it  is  currently  rather 
imbalanced  in  computation:  e.g.,  the  parties  emulating  OPRAM  CPUs  are  required 
to  perform  computation  that  is  proportional  to  the  whole  PRAM  computation. 
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“jobs”  between  “workers”  (which  will  be  the  actual  parties  in  the  new 
protocols).  More  precisely,  we  start  off  with  any  protocol  II  that  satisfies 
the  following  (natural)  “nice”  properties: 

—  Each  “job”  has  polylog(n)  size  state; 

—  In  each  round,  each  “job”  performs  at  most  polylog(n)  computation 
and  communication; 

—  In  each  round,  each  “job”  communicates  (either  sending  or  receiving 
a  message)  to  at  most  one  other  “job” . 

It  can  be  verified  that  these  properties  hold  for  our  oblivious  MPC  for 
PRAM  protocol. 

Our  load-balanced  version  of  such  a  protocol  first  randomly9  efficiently 
assigns  “workers”  (i.e.,  parties)  to  “jobs”.  Next,  whenever  a  worker  W 
has  performed  “enough”  work  for  a  particular  job  J,  it  randomly  selects 
a  replacement  worker  W'  and  passes  the  job  over  to  it  (that  is,  it  passes 
over  the  state  of  the  job  J — which  is  “small”  by  assumption).  The  key 
obstacle  in  our  setting  is  that  the  job  J  may  later  communicate  with 
many  other  jobs,  and  all  the  workers  responsible  for  those  jobs  need 
to  be  informed  of  the  switch  (and  in  particular,  who  the  new  worker 
responsible  for  the  job  J  is).  Since  the  number  of  jobs  is  l?(n),  workers 
cannot  afford  to  store  a  complete  directory  of  which  worker  is  currently 
responsible  for  each  job. 

We  overcome  this  obstacle  by  first  modifying  IT  to  ensure  that  it  has 
small  locality — this  enables  each  job  to  only  maintain  a  short  list  of  the 
workers  currently  responsible  for  the  “neighboring”  jobs.  We  achieve  this 
locality  by  requiring  that  parties  (i.e.,  jobs)  in  the  original  protocol  IT 
route  their  messages  along  the  hypercube.  Now,  whenever  a  worker  W 
for  a  job  J  is  being  replaced  by  some  worker  W' ,  W  informs  all  J’s 
neighboring  jobs  (i.e.,  the  workers  responsible  for  them)  of  this  change. 

We  use  the  Valiant-Brebner  [VB81]  routing  procedure  to  implement  the 
hypercube  routing  because  it  ensures  a  desirable  “low-congestion  prop¬ 
erty,”  which  in  our  setting  translates  to  ensuring  that  the  overhead  of 
routing  is  not  too  high  for  any  individual  worker. 

The  above  description  has  not  yet  mentioned  what  it  means  for  a  worker 
to  have  done  “enough”  work  for  a  job  J.  Each  round  a  job  is  active  (i.e., 
performing  some  computation),  its  “cost”  increases  by  1  — we  refer  to 
this  as  an  emulation  cost.  Additionally,  each  time  a  worker  W  is  switched 
out  from  a  job  J,  then  J’s  and  each  of  J’s  neighboring  jobs’  costs  are 
increased  by  1  -we  refer  to  this  as  a  switch  cost.  Finally,  once  a  job’s 
(total)  cost  has  reached  a  particular  threshold  r,  its  cost  is  reset  to  1 
and  the  worker  responsible  for  the  job  is  switched  out.  The  threshold  r 
is  set  to  2  log  M  +  1  where  M  is  the  number  of  jobs. 

We  show:  (1)  This  switching  does  not  introduce  too  much  overhead.  We, 
in  fact,  show  that  the  total  induced  switching  cost  is  bounded  above 
by  the  emulation  cost.  (2)  The  resulting  total  work  is  load  balanced 
across  workers — we  show  this  by  first  demonstrating  that  the  protocol  is 
load-balanced  in  expectation,  and  then  using  concentration  to  argue  our 
stronger  online  load-balancing  property. 

9  In  the  actual  analysis,  we  show  that  it  also  suffices  to  use  polylog(n)-wise  independent 
randomness  to  pick  this  and  subsequent  assignments. 
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Finally,  note  that  although  communication  between  jobs  is  being  routed 
through  the  hypercube,  and  thus  the  job  communication  protocol  has 
small  locality,  the  final  load-balanced  protocol,  being  run  by  workers, 
does  not  have  small  locality.  This  is  because  workers  are  assigned  the 
role  of  many  different  jobs  over  time,  and  may  possibly  speak  to  a  new 
set  of  neighbors  for  each  position.  (Indeed,  over  time,  each  worker  will 
eventually  need  to  speak  to  every  other  worker).  We  next  show  how  to 
modify  this  protocol  to  achieve  locality,  while  preserving  load-balancing. 


Achieving  Both  Load- Balancing  and  Locality.  In  our  final  step,  we 
show  how  to  modify  the  above-mentioned  protocol  to  also  achieve  local¬ 
ity.  We  modify  the  protocol  to  also  let  workers  route  messages  through 
a  low-degree  network  (on  top  of  the  routing  in  the  previous  step).  This 
immediately  ensures  locality.  But,  we  must  be  careful  to  ensure  that  the 
additional  message  passing  does  not  break  load-balancing. 

A  natural  idea  is  to  again  simply  pass  messages  between  workers  along  a 
low-degree  hypercube  network  via  Valiant-Brcbner  (VB)  routing  [VB81]. 
Indeed,  the  low-congestion  property  will  ensure  (as  before)  that  routing 
does  not  incur  too  large  an  overhead  for  each  worker. 

However,  when  analyzing  the  overall  load  balance  (for  workers),  we  see 
an  inherent  distinction  between  this  case  and  the  previous.  Previously, 
the  nodes  of  the  hypercube  corresponded  to  jobs,  each  emulated  by  work¬ 
ers  who  swap  in  and  out  over  time.  When  the  underlying  jobs  protocol 
required  job  s  to  send  a  message  to  job  t,  the  resulting  message  routing 
induced  a  cost  along  a  path  of  neighboring  jobs  (that  is,  the  workers 
emulating  them),  independent  of  which  workers  are  currently  emulating 
them.  This  independence,  together  with  the  fact  that  a  worker  passes  his 
job  after  performing  “enough”  work  for  it,  enabled  us  to  obtain  concen¬ 
tration  bounds  on  overall  load  balancing  over  the  random  assignment  of 
workers  to  jobs. 

Now,  the  nodes  correspond  directly  to  workers.  When  the  underlying 
jobs  protocol  requires  a  message  transferred  from  job  s  to  job  t,  routing 
along  the  workers’  graph  must  traverse  a  path  from  the  worker  currently 
emulating  job  s  to  the  worker  currently  emulating  job  t.,  removing  the 
crucial  independence  property  from  above.  Even  worse,  workers  along 
the  routing  path  can  now  incur  costs  even  if  they  are  not  assigned  to  any 
job.  In  this  case,  it  is  not  even  clear  that  job  passing  in  of  itself  will  be 
sufficient  to  ensure  balancing. 

To  get  around  these  issues,  we  add  an  extra  step  in  the  VB  routing 
procedure  (itself  inspired  by  [VB81])  to  break  potential  bad  correlations. 
The  idea  is  as  follows:  To  route  from  the  worker  Ws  emulating  job  s  to 
the  worker  Wt  emulating  job  t,  we  first  route  (as  usual)  from  Ws  to  a 
random  worker  Wu,  and  then  from  Wu  to  Wt;  i.e.,  travel  from  Ws  to 
Wt  by  “walking  into  the  woods”  and  back.  We  may  now  partition  the 
cost  of  routing  into  these  two  sub-parts,  each  associated  with  a  single 
active  job  (s  or  t).  Now,  although  workers  along  the  worker-routing  path 
will  still  incur  costs  from  this  routing  (even  though  their  jobs  may  be 
completely  unrelated),  the  distribution  of  these  costs  on  workers  depends 
only  on  the  identity  of  the  initiating  worker  (Ws  or  Wt).  We  may  thus 
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generalize  the  previous  analysis  to  argue  that  if  the  expectation  of  work 
is  load-balanced,  then  it  still  has  concentration  in  this  case. 

For  a  modular  analysis,  we  formalize  the  required  properties  of  the  un¬ 
derlying  communication  network  and  routing  algorithm  (to  be  used  for 
the  s-to-u  and  it-to -t  routing)  as  a  local  load-balanced  routing  network, 
and  show  that  the  hypercube  network  together  with  VB  routing  satisfies 
these  conditions. 

1.3  Discussion  and  Future  Work 

With  the  explosive  growth  of  data  made  available  in  a  distributed  fash¬ 
ion,  and  the  growth  of  efficient  parallel,  distributed  algorithms  (such  as 
those  enabled  by  MapReduce)  to  compute  on  this  data,  ensuring  privacy 
and  security  in  such  large-scale  parallel  settings  is  of  fundamental  im¬ 
portance.  We  have  taken  the  first  steps  in  addressing  this  problem  by 
presenting  the  first  protocols  for  secure  multi-party  computation,  that 
with  only  polylogarithmic  overhead,  enable  evaluating  PRAM  programs 
on  a  (large)  number  of  parties’  inputs.  Our  work  leaves  open  several 
interesting  open  problems: 

Honest  Majority.  We  have  assumed  that  2/3  of  the  players  are  honest. 

In  the  absence  of  a  broadcast  channel,10  it  is  known  that  this  is 
optimal.  But  if  we  assume  the  existence  of  a  broadcast  channel,  it 
may  suffice  to  assume  1/2  fraction  honest  players. 

Asynchrony.  Our  protocol  assumes  a  synchronous  communication  net¬ 
work.  We  leave  open  the  handling  of  asynchronous  communication. 

Trading  efficiency  for  security.  An  interesting  avenue  to  pursue  are 
various  tradeoffs  between  boosted  efficiency  and  partial  sacrifices  in 
security.  For  example,  in  some  settings,  it  is  not  detrimental  to  leak 
which  parties’  inputs  were  used  within  the  computation;  in  such 
scenarios,  one  could  then  hope  to  remove  the  one-time  €)(n\x\)  in¬ 
put  preprocessing  cost.  Similarly,  it  may  be  acceptable  to  reveal  the 
input-specific  resources  (runtime,  space)  required  by  the  program 
on  parties  inputs;  in  such  cases,  we  may  modify  the  protocol  to  take 
only  input-specific  runtime  and  use  input-specific  memory. 

In  this  work  we  focus  only  on  achieving  standard  “full”  security. 

However,  we  remark  that  our  protocol  can  serve  as  a  solid  basis 
for  achieving  such  tradeoffs  (e.g.,  a  straightforward  tweak  to  our 
protocol  results  in  input-specific  resource  use). 

Communication  complexity.  As  with  all  existing  generic  multi-party 
computation  protocols  in  the  information-theoretic  setting,  the  com¬ 
munication  complexity  of  our  protocol  is  equal  to  its  computation 
complexity.  In  contrast,  in  the  computational  setting  (based  on  cryp¬ 
tographic  assumptions),  protocols  with  communication  complexity 
below  the  complexity  of  the  evaluated  function  have  been  constructed 

by  relying  on  fully  homomorphic  encryption  (FHE)  [Gen09]  (e.g.,  [Gen09,AJLA+12,MSS13]). 
We  leave  as  an  interesting  open  question  whether  FHE-style  tech¬ 
niques  can  be  applied  also  to  our  protocol  to  improve  the  communi¬ 
cation  complexity,  based  on  computational  assumptions. 

While  the  statement  of  our  result  makes  use  of  a  broadcast  channel,  as  we  mention, 
this  channel  can  also  be  instantiated  with  known  protocols. 
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1.4  Overview  of  the  Paper 

Section  2  contains  preliminaries.  In  Section  3  we  provide  our  ultimate 
theorem,  and  the  sequence  of  intermediate  notions  and  theorems  which 
combine  to  yield  this  final  result.  We  refer  the  reader  to  the  full  version 
of  this  work  [BCP14a]  for  a  complete  descriptions  and  proofs. 


2  Preliminaries 

2.1  Multi-party  Computation  (MPC) 

Protocol  Syntax.  We  model  parties  as  (parallel)  RAM  machines.  An 
n-party  protocol  $  is  described  as  a  collection  of  n  (parallel)  R  AM  pro¬ 
grams  (Pi);e[n],  to  be  executed  by  the  respective  parties,  containing  ad¬ 
ditional  special  communication  instructions  Comm(i,  msg),  indicating  for 
the  executing  party  to  send  message  msg  to  party  i. 

The  per-party  space,  computation,  and  time  complexities  of  the  proto¬ 
col  d?  =  (-Pi)ig [n]  are  defined  directly  with  respect  to  the  corresponding 
party’s  PRAM  program  Pi,  where  each  Comm  is  charged  as  a  single 
computation  time  step.  (See  Section  2.2  for  a  definition  of  CPUs(P), 
space(P),  comp(P),  time(P)  for  PRAM  P).  The  analogous  total  proto¬ 
col  complexities  are  defined  as  expected:  Namely,  space(^)  and  comp($) 
are  the  sums,  space(<7)  =  £)ie[n]  space(P),  comp(^)  =  JAg[n]  comp(P), 
and  time(^)  is  the  maximum,  time(^)  =  maxi6[„]  time(P;). 

MPC  Security.  We  consider  the  standard  notion  of  (statistical)  MPC 
security.  We  refer  the  reader  to  e.g.  [BGW88]  for  more  a  more  complete 
description  of  MPC  security  within  this  setting. 

2.2  Parallel  RAM  (PRAM)  Programs 

A  Concurrent  Read  Concurrent  Write  (CRCW)  m-processor  parallel 
random-access  machine  (PRAM)  with  memory  size  n  consists  of  num¬ 
bered  processors  CPUi, . . . ,  CPUm,  each  with  local  memory  registers  of 
size  logn,  which  operate  synchronously  in  parallel  and  can  make  access 
to  shared  “external”  memory  of  size  n. 

A  PR  AM  program  77  (given  m,  n,  and  some  input  x  stored  in  shared 
memory)  provides  CPU-specific  execution  instructions,  which  can  access 
the  shared  data  via  commands  Access(r,  v),  where  r  £  [n]  is  an  index  to 
a  memory  location,  and  v  is  a  word  (of  size  logn)  or  _L.  Each  Access(r,  v ) 
instruction  is  executed  as: 

1.  Read  from  shared  memory  cell  address  r;  denote  value  by  Void- 

2.  Write  value  v  ^  1  to  address  r  (if  v  =s  _L,  then  take  no  action). 

3.  Return  v0id . 

In  the  case  that  two  or  more  processors  simultaneously  initiate  Access(r,  Vi) 
with  the  same  address  r,  then  all  requesting  processors  receive  the  previ¬ 
ously  existing  memory  value  Void,  and  the  memory  is  rewritten  with  the 
value  Vi  corresponding  to  the  lowest-numbered  CPU  i  for  which  Vi  _L. 
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We  more  generally  support  PRAM  programs  with  a  dynamic  number 
of  processors  (i.e.,  rm  processors  required  for  each  time  step  i  of  the 
computation),  as  long  as  this  sequence  of  processor  numbers  mi,  m2, . . . 
is  fixed,  public,  information.  The  complexity  of  our  OPRAM  solution  will 
scale  with  the  number  of  required  processors  in  each  round,  instead  of 
the  maximum  number  of  required  processors. 

We  consider  the  following  worst-case  metrics  of  a  PRAM  (over  all  inputs): 

—  CPUs(II):  number  of  parallel  processors  required  by  77. 

—  space(77):  largest  database  address  accessed  by  77. 

—  time(77):  maximum  number  of  time  steps  taken  by  any  processor  to 
evaluate  77  (where  each  Access  is  charged  as  a  single  step).11 

—  comp(77):  the  total  sum  of  all  computation  steps  of  active  CPUs 
evaluating  77  (which,  for  programs  with  fixed  activation  schedules 
as  we  consider,  is  a  fixed  value). 


3  Local,  Load-Balanced  MPC  for  PRAM 

Ultimately,  we  construct  a  protocol  that  securely  realizes  the  ideal  func¬ 
tionality  Tprams  (Figure  1)  for  evaluating  a  sequence  of  PRAM  programs 
(with  bounded  state  maintained  between  program)  on  parties’  fixed  in¬ 
puts.  For  simplicity  of  exposition,  we  assume  each  party  has  equal  input 
size  and  receives  the  same  output.  We  further  assume  the  total  remnant 
state  from  one  program  execution  to  the  next  is  bounded  in  size  by  the 
combined  input  size  of  all  parties.12 

Theorem  2  (Main  Theorem).  For  any  constant  e  >  0  and  polyno¬ 
mial  parallelism  parameter  k  =  k(n),  there  exists  an  n-party  statisti¬ 
cally  secure  (with  error  negligible  inn)  protocol  realizing  the  functionality 
Arams,  handling  (1/3  —  e)  fraction  static  corruptions  with  the  following 
complexities,  where  each  party  is  a  k-processor  PRAM  (and  where  |*|,  |i/| 
denote  per-party  input  and  output  size,  space(77),  comp(77),  and  time(77) 
denote  the  worst-case  space,  computation,  and  (parallel)  runtime  of  77, 
and  CPUs(II)  denotes  the  number  of  CPUs  of  77 ): 

—  Computation  per  party,  per  77 j:  0(comp(77j)/n  +  |y|). 

—  Time  steps,  per  Tlj-.  O  ^time(77j)  •  max  {l,  CPl^n'>  . 

—  Memory  per  party:  O  ( | m|  +  \y\  +  max^/.,  space(77j)/n) . 

—  Communication  Locality:  0(1). 
given  a  one-time  preprocessing  phase  with  complexity: 

—  Computation  per  party:  0(\x\),  plus  single  broadcast  o/0(l)  bits. 

—  Time  steps:  O  ^max  {l, If!})  • 

11  We  remark  that  the  PRAM  time  complexity  of  any  function  /  is  bounded  above 
by  its  circuit  depth  complexity  (where  the  PRAM  complexity  of  /  is  defined  as  the 
minimal  value  of  time(77)  of  any  PRAM  77  which  evaluates  /). 

12  To  support  larger  shared  state  size  spaceRemnant,  the  memory  requirements  of  the 
protocol  must  grow  with  an  extra  additive  0(spaceRemnant). 
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Ideal  Functionality  J-prams: 

•Fprams  running  with  parties  P\, . . . ,  Pn  and  an  adversary  proceeds  as  follows.  The 
functionality  maintains  longterm  storage  of  parties’  inputs  {*i}i6 \n]  (each  of  equal  size 
|a;|),  per-CPU  state  information  state,,  and  remnant  memory  dataRemnant  of  total  size 
spaceRemnant  £  0(n  ■  |*|)  transferred  from  computation  to  computation. 

—  Initialize  dataRemnant  t—  0  and  state,  t—  0  for  each  processor  i  £  [m]. 

—  Input  Submission:  Upon  receiving  an  input  (commit,  sid,  input,  xf)  from  party  Pi, 
record  the  value  Xi  as  the  input  of  Pi. 

—  Computation:  Upon  receiving  a  tuple  (compute,  sid,  II,  space,  time)  consist¬ 
ing  of  an  m-processor  PRAM  program  77,  a  space  bound  space,  and 
a  time  bound  time,  execute  77  as  (output,  statei, ...,  statem,  dataRemnant)  t— 
77(*i,  ...,*„,  statei, ...,  statem,  dataRemnant)  with  the  current  value  of  state;  for 
each  CPU  i  £  [m].  Send  output  to  all  parties. 

Fig.  1  :  The  ideal  functionality  -Fprams,  corresponding  to  secure  computation  of 
a  sequence  of  adaptively  chosen  PRAMs  on  parties’  inputs. 


Additionally,  the  protocol  achieves  polylog(n)  communication  locality, 
and  a  strong  “online”  load-balancing  guarantee: 

Online  Load  Balancing:  For  every  constant  5  >  0,  with  all  but  negligi¬ 
ble  probability  in  n,  the  following  holds  at  all  times  during  the  protocol: 
Let  cc  and  cc(Wj)  denote  the  total  communication  complexity  and  com¬ 
munication  complexity  of  party  Pj ,  comp  and  comp(Pj)  denote  the  total 
computation  complexity  and  computation  complexity  of  party  Pj,  we  have 


(!-<*) 

n 


cc  —  polylog(n)  <  cc(Pj)  < 


(l+j) 

n 


cc  +  polylog(n) 


(!-<*) 

n 


comp  —  polylog(n)  <  comp  (Pj)  < 


(i  +  *) 

n 


comp  +  polylog(n). 


3.1  Proof  of  Main  Theorem 

At  a  very  high  level,  the  proof  takes  three  steps:  We  first  obtain  MPC 
realizing  J-prams  with  a  weaker  notion  of  oblivious  security.  We  then  show 
how  to  attain  communication  locality  and  load  balancing,  while  preserv¬ 
ing  oblivious  security.  (This  combines  two  steps  described  within  the 
introduction).  Finally,  we  convert  the  obliviously  secure  protocol  to  one 
secure  in  the  malicious  setting.  We  now  proceed  to  describe  these  steps 
in  greater  technical  detail. 

Step  1:  Oblivious-Secure  MPC  for  PRAM.  Intuitively,  an  adversary 
in  the  oblivious  model  is  not  allowed  to  corrupt  any  parties,  and  instead 
is  restricted  to  seeing  the  “externally  measurable”  properties  of  the  pro¬ 
tocol  (e.g.,  party  response  times,  communication  patterns,  etc). 

Definition  1  (Oblivious  secure  MPC).  Secure  realization  of  a  func¬ 
tionality  F  by  a  protocol  in  the  oblivious  model  is  defined  by  the  following 
real-ideal  world  scenario: 
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Ideal  World:  Same  as  standard  MPC  without  corrupted  parties.  That 
is,  the  adversary  learns  only  public  outputs  of  the  functionality  F 
evaluated  on  honest-party  inputs. 

Real  World:  Instead  of  corrupting  parties,  viewing  their  states,  and  con¬ 
trolling  their  actions  (as  in  the  standard  malicious  adversarial  set¬ 
ting),  the  adversary  is  now  limited  as  an  external  observer,  and  is 
given  access  only  to  the  following  information: 

—  Activation  Patterns:  Complete  list  of  tuples  of  the  form 

•  (timestep,  party-id,  compute-time):  Specifying  all  local  com¬ 
putation  times  of  parties. 

•  (timestep,  party-id,  local-mem-addr):  Specifying  all  memory  ac¬ 
cess  patterns  of  parties. 

—  Communication  Patterns:  Complete  list  of  tuples  of  the  form 

•  (timestep,  sndr-id,  rcvr-id,  msg-len):  Specifying  all  sender-receiver 
pairs,  in  addition  to  the  corresponding  communicated  mes¬ 
sage  bit-length. 

The  output  of  the  real-world  experiment  consists  of  the  outputs  of 
the  (honest)  parties,  in  addition  to  an  arbitrary  PPT  function  of  the 
adversary’s  view  at  the  conclusion  of  the  protocol. 

(Statistical)  Security:  For  every  PPT  adversary  A  in  the  real-world  ex¬ 
ecution,  there  exists  a  PPT  ideal-world  adversary  S  for  which  for  ev- 
ery  environment  Z,  we  have  outputRea,(l  ,  *4,  Z)  =  output|dea|(l  ,  S,  Z). 

Toward  our  result,  it  will  be  advantageous  to  think  of  computations  as 
composed  of  several  sub-parts,  or  “jobs,”  that  each  maintain  and  com¬ 
pute  on  small  polylogarithmic-size  state  (Note  that  this  is  natural  in  the 
PRAM  setting,  where  each  CPU  has  polylogarithmic-size  local  memory). 
Later,  to  achieve  load  balancing,  jobs  will  be  assigned  to  and  passed 
around  between  “workers,  ”  so  that  each  worker  roughly  performs  the 
same  amount  of  work.  (The  small  state  requirement  per  job  will  guaran¬ 
tee  that  “job  passing”  is  not  too  expensive).  Then,  to  obtain  malicious 
security,  each  worker  will  ultimately  be  emulated  by  a  committee  of  par¬ 
ties  via  small-scale  MPCs;  because  of  the  polynomial  overhead  in  the 
underlying  MPC  protocol,  it  will  be  important  that  this  is  only  done  for 
computations  of  polylog(n)  size  on  polylog(n)-size  memory. 

We  now  define  the  notion  of  a  protocol  in  the  jobs  model. 

Definition  2  (Jobs  Model).  Let  n  be  a  security  parameter.  A  jobs 
protocol  consists  of  a  poly (n)-size  set  Jobs  of  agents  (called  jobs),  and 
a  distributed  protocol  description  IIj,  instructing  each  job  to  perform 
local  computations  and  to  communicate  over  a  synchronized  network  (via 
point-to-point  communication),  with  the  following  properties: 

—  Bounded  memory:  each  job’s  space  complexity  is  w  £  polylog(n). 

—  Bounded  per-round  computation  and  communication:  the  computa¬ 
tion  and  communication  complexity  of  each  job  at  each  round  is  upper 
bounded  by  w  G  polylog(n). 

A  job  is  active  in  a  round  if  it  performs  computation  within  this  round. 

A  jobs  protocol  is  further  said  to  have  injective  communication  if  the 
following  property  is  satisfied: 

—  Injective  communication:  each  round,  a  set  of  jobs  are  activated,  and 
each  sends  a  single  polylog(n) -sized  message  to  a  distinct  job. 
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By  convention,  we  assume  the  first  m\„  jobs  of  a  jobs  protocol  are  input 
jobs,  the  last  ma „t  are  output  jobs,  and  the  remaining  jobs  are  helper 
jobs.  Each  input  job  J;  holds  a  single-word  input  Xi  £  {0, 1}W  (for 
w  £  polylog(n));  output  and  helper  jobs  have  no  input.  We  then  have  a 
canonical  correspondence  between  functionalities  in  the  standard  n-party 
setting  and  the  equivalent  functionalities  in  the  Worker-Jobs  Model: 

—  Functionality  F:  In  the  n-party  setting.  Accepts  inputs  Xi  from  each 
party  Pi,  evaluates  y  <—  F(x i|  ■  ■  ■  ||®n),  outputs  the  resulting  value 
y  to  all  parties  Pi. 

—  Functionality  ,7rJobs:  In  the  Jobs  Model.  Accepts  (short)  inputs  xxu 
from  each  Input  Job,  evaluates  y  ■£-  F(a:i||  •  •  •  \\xt),  and  distributes 
the  resulting  value  y  (in  short  pieces)  to  the  Output  Jobs. 

We  may  analogously  define  oblivious  security  of  a  jobs  protocol  (where 
jobs  are  honest  and  the  adversary  sees  only  “externally  measurable” 
properties  of  the  protocol,  as  in  Definition  1).  Within  the  jobs  model, 
we  thus  wish  to  securely  realize  the  functionality  J>ramsi  equivalent  to 
•Fprams  with  the  above  syntactic  change.  Note  that  in  the  regime  of  obliv¬ 
ious  security,  a  jobs  protocol  yields  a  memory-balanced  protocol  in  the 
standard  n-party  model,  by  simply  assigning  jobs  to  the  n  parties  evenly. 

Theorem  3.  There  exists  an  oblivious-secure  protocol  in  the  Jobs  Model 
realizing  the  functionality  ^prams  for  securely  computing  a  sequence  of  N 
adaptively  chosen  PRAM  programs  Ilj,  with  the  following  complexities 
(where  n  ■  \x\,  \y\  denote  the  total  input  and  output  size,  and  space(77), 
comp,  and  time(77)  denote  the  worst-case  space,  computation,  and  (par¬ 
allel)  runtime  of  77  over  all  inputs): 

—  Number  of  jobs:  O  (n  •  |*|  +  \y\  +  maxjgjjv]  space(IIj)) . 

—  Computation  complexity,  per  Ilj:  0(comp(I7j)) . 

—  Time  steps,  per  Ilj :  O  (time(ZZ),)). 

—  The  number  of  active  jobs  in  each  round  is  0(max.,grjv]  CPU  s(IIj)). 
given  a  one-time  preprocessing  phase  with  complexity 

—  Computation  complexity:  0(n  •  |*|). 

—  Time  steps:  0(1). 

Further,  the  protocol  has  injective  communication;  in  each  round,  each 
activated  job  sends  a  single  polylog (n)-size  message  to  a  distinct  job. 

Recall  within  the  Jobs  Model  each  job  is  limited  to  maintaining  state  of 
size  polylog(n);  thus  the  memory  requirement  of  the  above  protocol  is 

Ol  n  ■  \x\  +  \y\  +  max  space(/U) ) , 

V  je[N]  / 

based  on  the  number  of  required  jobs. 

Idea  of  proof.  The  result  builds  upon  the  existence  of  an  Oblivious  PRAM 
compiler  with  polylog(n)  time  and  space  overhead  that  is  collision-free 
(i.e.,  where  no  two  CPUs  must  access  the  same  memory  address  in 
the  same  timestep),  which  is  guaranteed  to  exist  unconditionally  based 
on  [BCP14b].  In  addition  to  the  standard  Input  and  Output  jobs,  our 
protocol  will  have  one  Helper  job  for  each  of  the  CPUs  and  each  memory 
cell  in  the  database  of  the  OPRAM-compiled  program.  The  CPU  jobs 
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store  the  local  state  and  perform  the  computations  of  their  corresponding 
CPU.  In  each  round  that  the  ith  CPU’s  instructions  dictate  a  memory 
access  at  location  addr^,  the  CPU  job  i  will  communicate  with  the 
Memory  job  addr^  to  perform  the  access.  (Thus,  in  each  round,  at  most 
2  •  CPUs(OPRAM(II))  jobs  are  active,  where  OPRAM(TT)  denotes  the 
OPRAM-compilation  of  17).  Activation  and  communication  patterns  in 
the  resulting  protocol  are  simulatable  directly  by  the  OPRAM  security. 

The  preprocessing  phase  of  the  protocol  corresponds  to  inserting  all  in¬ 
puts  into  the  OPR  AM-protected  database  in  parallel  (i.e.,  emulating  the 
OPR  AM-compiled  input  insertion  program  that  simply  inserts  each  in¬ 
put  Xi  into  address  i  of  the  database). 

Step  2:  Locality  and  Load  Balancing.  This  step  attains  polylog(n) 
communication  locality ,13  and  computation  load  balancing  from  any  jobs 
protocol  IIj  with  injective  communication.  We  do  so  by  emulating  II j  by 
a  fixed  set  of  parties  (which  we  sometimes  refer  to  as  “workers”),  where 
each  worker  is  assigned  several  jobs,  and  will  pass  jobs  to  other  workers 
once  he  has  performed  a  certain  amount  of  work.  This  yields  a  standard 
Wparty  protocol  with  a  special  decomposable  state  structure:  i.e.,  parties’ 
memory  can  be  decomposed  into  separate  polylog(n)-size  memory  blocks, 
which  are  only  ever  computed  on  independently  or  in  pairs,  in  steps  of 
polylog(n)  computation  per  round.  This  is  because  parties’  computation 
is  limited  to  individual  jobs  to  which  it  was  assigned.14 

Definition  3  (Decomposable  State).  An  N -party  protocol  II  is  said 
to  have  decomposable  state  if  for  every  party  P,  the  local  memory  mem  of 
P  can  be  decomposed  into  polylog (n)-size  blocks  mem  =  (memi,  mem2, . . . ,  memm) 
such  that:  In  each  round  of  77 ,  the  (parallel)  local  computation  performed 
by  party  P  is  described  as  a  list  {( i,j ,  /i,y)}(j,y)e/  for  some  I  C  [m]  x  [m], 
such  that  each  fij  has  complexity  polylog(n).  For  each  ( i,j )  £  I,  party 
P  executes  (mem;,  memy)  /ij(mem,-,  memy).15  By  convention,  received 
communication  messages  are  stored  in  local  memory. 

We  achieve  the  following  “fully  load-balanced”  properties.  Note  that  the 
first  two  properties  correspond  directly  to  our  final  load-balancing  goal. 

The  final  property  will  be  used  to  ensure  that  no  individual  worker  is 
ever  assigned  drastically  more  than  the  expected  number  of  simultaneous 
parallel  computation  tasks;  this  is  important  since  workers  will  eventually 
be  emulated  by  (technically,  committees  of)  parties,  who  themselves  may 
have  bounded  parallelism  capability  (i.e.,  small  number  of  CPUs). 

Definition  4  (Fully  Load  Balanced).  An  N -party  protocol  II  is  said 
to  be  fully  load  balanced  with  respect  to  security  parameter  n  if  the  fol¬ 
lowing  properties  hold: 

13  Recall  a  protocol  has  (communication)  locality  l(n)  if  during  the  course  of  the  pro¬ 
tocol  every  party  communicates  with  at  most  £(n)  other  parties. 

14  Looking  ahead,  pairwise  computation  will  be  used  when  emulating  job-to-job  com¬ 
munication,  and  will  be  sufficient  when  the  original  jobs  protocol  has  injective  com¬ 
munication,  so  that  each  job  communicates  with  at  most  one  other  job  per  round. 

15  With  some  canonical  resolution  for  write  conflicts.  (In  our  constructions,  the  sets 
(i,j)  will  be  disjoint). 


Approved  for  Public  Release;  Distribution  Unlimited. 


72 


Multi-party  Computation  for  (Parallel)  RAM  Programs 


17 


—  Memory  load  balancing:  Let  space(TT)  denote  the  total  space  complex¬ 
ity  of  protocol  LI.  For  every  constant  5  >  0,  with  all  but  negligible 
probability  in  n,  every  party  Pj  has  space  complexity 


spac e(Pj)  < 


(1+j) 

TV 


space(TT)  +  polylog(n). 


—  Online  computation/ communication  load  balancing:  For  every  con¬ 
stant  5  >  0,  with  all  but  negligible  probability  in  n,  the  following  holds 
at  all  times  during  the  protocol:  Let  cc  and  cc (Pj)  denote  the  total 
communication  complexity  and  communication  complexity  of  party 
Pj,  comp  and  comp(Pj)  denote  the  total  computation  complexity  and 
computation  complexity  of  party  Pj,  we  have 


(1-*) 

TV 


cc  —  polylog(n)  <  cc  (Pj)  < 


(!-<*) 

TV 


comp  —  polylog(n)  <  comp(Pj)  < 


(1  +  *) 

TV 

(1  +  5) 


TV 


cc  +  polylog(n) 
comp  +  polylog(n). 


—  Per-round  per-party  efficiency:16  Let  A  be  an  upper  bound  on  the 
number  of  active  jobs  at  each  round  in  77 j.  With  all  but  negligible 
probability  in  n,  the  per-round  per-party  computation  complexity  is 
upper  bounded  by  0(1  +  (A/TV)). 


Theorem  4.  Let  77 j  be  an  M-job  protocol  with  computation  complex¬ 
ity  comp  and  injective  communication,  realizing  functionality  JrJobs .  Then 
there  exists  a  fully  load-balanced  (Definition  4)  0(n) -party  protocol  77w 
with  decomposable  states  (Definition  3)  that  realizes  T  with  total  compu¬ 
tation  O(comp),  space  complexity  O(M),  and  polylog(n)  locality.  If  II j 
satisfies  oblivious  security,  so  does  LI\v- 

Idea  of  proof.  Recall  that  in  our  construction  of  77yy  (in  the  introduc¬ 
tion),  at  any  point  of  the  protocol  execution,  each  job  is  assigned  to 
a  random  worker1'  and  is  stored  in  at  most  2  workers.  This  is  suffi¬ 
cient  to  imply  memory  load  balancing  by  standard  concentration  and 
union  bounds.  Online  computation/communication  load  balancing  fol¬ 
lows  by  observing  that  (i)  the  job-passing  pattern  is  independent  of  the 
worker-job  assignment,  and  (ii)  jobs  are  passed  frequently  enough  before 
accumulating  large  cost.  This  allows  us  to  think  of  the  execution  as  par¬ 
titioned  into  “job  chunks”  each  of  which  is  assigned  to  a  random  worker, 
thus  amenable  to  concentration  bounds.  The  last  load-balanced  property 
follows  again  by  the  fact  that  each  job  is  independently  assigned  to  a  ran¬ 
dom  worker  and  that  each  job  only  performs  polylog(n)  amount  of  work 
per  round.  To  obtain  locality,  we  consider  a  fixed  low-degree  communica¬ 
tion  network  between  workers,  and  pass  messages  using  a  load-balanced 

16  We  note  that  the  last  two  properties  are  related  but  incomparable.  The  online  load 
balancing  property  focuses  on  accumulated  work,  whereas  the  per-round  per-party 
efficiency  concerns  upper  bounds  on  per-round  work,  which  is  used  to  bound  the 
required  amount  of  parallelism  to  execute  the  protocol  with  efficient  parallel  time. 

17  Technically,  the  initial  job-worker  assignment  is  only  A'-wise  independent  for  A  = 
log3  n.  Nevertheless,  this  is  sufficient  for  concentration  bounds  to  go  through. 
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routing  algorithm.  Load  balancing  of  this  modified  scheme  follows  by 
similar,  but  more  delicate  analysis. 

The  resulting  protocol  has  decomposable  state,  since  parties’  memory  and 
computation  are  completely  local  to  individual  jobs,  or  pairs  of  jobs  in 
the  case  of  emulating  job-to-job  communication  (since  the  starting  jobs 
protocol  has  injective  communication). 

Step  3:  From  Oblivious  to  Malicious  Security.  Finally,  we  present  a 
general  transformation  that  produces  an  n-party  MPC  protocol  securely 
realizing  a  functionality  T  against  (1/3— e)n  static  corruptions,  given  any 
(9(n)-party  protocol  with  decomposable  states  (see  Definition  3)  realizing 
the  corresponding  jobs-model  functionality  .Pot,s  with  only  oblivious  se¬ 
curity.  This  step  can  be  viewed  as  a  refinement  and  formalization  of  ideas 
from'  [KLST11,DKMS12,BGT13]. 

Theorem  5  (From  Oblivious  Security  to  Malicious  Security). 

Suppose  there  exists  an  N  £  &{n-po\y\og(n))-party  oblivious  protocol  with 
decomposable  state,  realizing  functionality  iFiobs  in  space,  computation, 
and  (parallel)  time  complexity  space,  comp,  time.  Then  for  any  constant 
e  >  0  there  exists  an  n-party  MPC  protocol  (with  error  negligible  inn) 
securely  realizing  the  corresponding  functionality  T  against  (1/3  —  e)n 
static  corruptions,  with  the  following  complexities  (where  each  party  is 
a  PRAM  with  possibly  many  processors),  given  a  one-time  preprocessing 
phase  with  a  single  broadcast  o/0(l)  bits  per  party: 

—  Per-party  memory:  0(space/n). 

—  Total  computation:  O(comp). 

—  Time  complexity:  O(time). 

In  addition,  if  the  original  protocol  has  0(1)  locality  and  is  fully  load- 
balanced  (i.e.,  satisfying  all  properties  of  Definition  4),  then  the  resulting 
protocol  additionally  possesses  the  following  properties: 

—  Communication  locality  0(1). 

—  Online  computation  load  balancing,  as  in  Definition  4(c)- 
—  Time  complexity  O  (time  -  maxjl,  /^})  when  each  party  is  limited 
to  being  a  k-processor  PRAM,  where  A  denotes  the  maximum  per- 
round  per-party  computation  complexity  of  any  party  in  the  original 
oblivious-secure  protocol.18 

Idea  of  Proof.  The  compiler  takes  the  following  form:  (1)  First,  par¬ 
ties  collectively  elect  a  large  number  of  “good”  committees,  each  of  size 
polylog(n),  where  “good”  means  each  committee  is  composed  of  at  least 
2/3  honest  parties,  and  that  parties  are  spread  roughly  evenly  across 
committees.  The  one-time  broadcast  is  used  to  reach  full  agreement  on 
the  first  committee.  (2)  Each  party  verifiably  secret  shares  his  input 
among  the  corresponding  committee  Ci.  (3)  From  this  point  on,  the  role 
of  each  party  Pi  in  the  original  protocol  will  be  emulated  by  the  corre¬ 
sponding  committee  Ci  via  small-scale  MPCs.  Since  committees  are  only 

In  particular,  for  our  MPC  for  PRAMs  protocol  formed  by  combining  Steps  1  and  2, 
the  parameter  A  will  correspond  to  the  number  of  CPUs  required  in  the  evaluated 
PRAM  77,  with  polylog  overhead. 
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size  polylog(n),  the  memory,  computation,  and  time  complexity  over¬ 
head  is  small.  Since  parties  are  spread  across  committees,  the  protocol 
remains  load  balanced.  Finally,  by  using  a  perfectly  secure  underlying 
MPC  protocol  (such  as  [BGW88]),  the  only  information  revealed  corre¬ 
sponds  directly  to  the  “observable”  properties  (communication  patterns, 
etc.),  thus  reducing  directly  to  oblivious  security  (as  per  Definition  1). 
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Abstract 

Assuming  the  existence  of  iO  for  P/poly  and  one-way  functions,  we  show  how  to  succinctly 
garble  bounded-space  computations  (BSC)  M :  the  size  of  the  garbled  program  (as  well  as  the 
time  needed  to  generate  the  garbling)  only  depends  on  the  size  and  space  (including  the  input 
and  output)  complexity  of  M,  but  not  its  running  time.  The  key  conceptual  insight  behind 
this  construction  is  a  method  for  using  iO  to  “compress”  a  computation  that  can  be  performed 
piecemeal,  without  revealing  anything  about  it. 

As  corollaries  of  our  succinct  garbling  scheme,  we  demonstrate  the  following: 

•  functional  encryption  for  BSC  from  iO  for  P/poly  and  one-way  functions; 

•  reusable  succinct  garbling  schemes  for  BSC  from  iO  for  P/poly  and  one-way  functions; 

•  succinct  iO  for  BSC  from  sub-exponentially-secure  iO  for  P/poly  and  sub-exponentially 
secure  one-way  functions; 

•  (Perfect  NIZK)  SNARGS  for  bounded  space  and  witness  NP  from  sub-exponentially-secure 
iO  for  P/poly  and  sub-exponentially-secure  one-way  functions. 

Previously  such  primitives  were  only  know  to  exists  based  on  “knowledge-based”  assumptions 
(such  as  SNARKs  and/or  differing-input  obfuscation). 

We  finally  demonstrate  the  first  (non-succinct)  iO  for  RAM  programs  (with  bounded  in¬ 
put  and  output  lengths)  with  only  poly-logarithmic  overhead  based  on  the  existence  of  sub- 
exponentially-secure  iO  for  P/poly  and  sub-exponentially-secure  one-way  functions. 
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1  Introduction 


Since  the  seminal  work  of  Yao  [Yao86]  in  the  1980s,  garbled  circuits  and  more  generally  garbled 
programs  (such  as  e.g.,  garbled  RAMs  [L013])  have  been  extensively  studied.  A  garbling  scheme 
consists  of  three  procedures:  a)  program  garbling  method,  b)  an  input  encoding  method,  and  c)  an 
evaluation  procedure.  Given  a  program  II,  the  garbling  method  produces  a  “garbled”  version  II  of 
II  as  well  as  some  key  key.  Next,  given  the  key  key  and  some  input  x,  the  input  encoding  method 
produces  an  encoding  x  of  x;  this  encoding  method  is  “efficient”-  the  time  needed  to  encode  x 
(and  as  a  consequence  also  the  length  of  x)  does  does  not  depend  on  the  complexity  of  II.  Finally, 
given  a  garbled  program  II  and  an  encoded  input  x,  the  evaluation  procedure  evaluates  II(.t); 
additionally,  given  only  the  encoded  program  and  inputs,  II,  x,  an  attacker  cannot  learn  more  than 
just  n(x).  As  a  direct  application,  a  garbling  scheme  enables  a  client  to,  in  an  “off-line”  stage, 
garble  a  program  II,  and  next  provide  the  garbled  program  II  to  a  server.  Later,  in  an  on-line  stage, 
when  the  input  x  on  which  the  client  wants  to  evaluate  II  becomes  known,  it  can  efficiently  and 
without  revealing  neither  II  nor  x  ask  the  server  to  evaluate  II  simply  by  sending  it  the  encoding  x 
of  x — in  essence,  garbling  schemes  provide  a  method  for  privately  delegating  computation  (with  an 
expensive  off-line  stage).  Furthermore,  on  top  of  this  direct  application  of  garbling  schemes,  they 
have  found  numerous  other  applications  (e.g.,  secure  two-party  computation  [Yao86],  multi-party 
computations  [BMR90],  reusable  delegation  of  computation  [GGP10],  and  so  on  and  so  forth.) 

But  a  major  deficiency  of  the  all  known  garbling  schemes  (both  of  circuit  and  RAM  garbling 
schemes)  is  that  the  size  of  the  garbled  program  II  (and  thus  also  the  time  needed  to  generate  it) 
grows  linearly  with  (and  in  particular  is  lower-bounded  by)  the  circuit-size/time-complexity  of  the 
underlying  program  II.  Thus,  even  if  get  a  succinct  description  of  II  (e.g.,  as  a  Turing-machine  or 
RAM  program),  the  size  of  II  will  be  proportional  to  the  running-time  of  II. 

1.1  Succinct  Garbling  Schemes 

In  this  work  we  study  succinct  garbling  schemes  where  the  size,  as  well  as  the  time  required  to 
generate,  the  garbled  program  II  only  grows  logarithmically  with  the  running-time  of  the  under¬ 
lying  program  II  (but  polynomially  in  the  size  of  it).  We  provide  constructions  of  such  succinct 
garbling  schemes  for  general  classes  of  computation  (assuming  the  existence  of  indistinguishability 
obfuscators  [BGI+01,  GGH+13b]  for  appropriate  classes  of  computation),  and  next  demonstrate 
several  new  applications  of  succinct  garbling  schemes. 

As  an  initial  observation,  we  show  that  assuming  the  existence  of  “succinct”  iO  for  some  “nice” 
class  C  of  computations  [BGI+01,  BCP14,  ABG+13],  there  exists  succinct  garbling  the  same  class, 
with  the  same  complexity. 

Theorem  1  (Initial  observations — Informally  stated).  Assume  the  existence  of  succinct  indistin¬ 
guishability  obfuscators  for  a  “nice”  class  of  computations  C  and  one-way  function.  Then,  there 
exists  a  succinct  garbling  scheme  for  C.  (In  particular,  the  size  of  the  garbled  program  depends 
polynomially  on  the  size  of  the  program,  the  length  of  the  input  and  outputs  of  the  program,  but 
only  poly-logarithmically  on  its  running-time  and  space.) 

Roughly  speaking,  the  garbling  of  a  program  II  is  an  obfuscation  a  slightly  modified  program 
U'key  that  takes  as  input  an  authenticated  encrypted  input,  decrypts  and  verifies  the  authenticity  of 
the  input  (w.r.t  the  key  key )  and  if  it  the  input  is  valid  simply  runs  II  on  this  input;  the  encoding 
of  an  input  is  simply  an  authenticated  encryption  of  the  input.1 

lrThe  overview  oversimplies.  To  prove  this  construction  secure  assuming  only  that  the  underlying  obfuscation 
satisfies  iO  we  need  to  rely  on  a  particular  method  for  authenticated  encryption. 
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Let  us  remark  here  that  the  reason  the  above-mentioned  construction  is  succinct  is  that  we 
rely  on  the  succinctness  of  the  underlying  iO  (as  e.g.,  in  the  definition  of  iO  for  Turing  machine 
[BGI+01,  BCP14,  ABG+13].)  As  such  it  provides  little  into  into  how  to  achieve  succinctness  “frorn- 
scratch”.  Additionally,  to  date,  the  only  constructions  of  succinct  iO  for  Turing  machines  rely 
on  “knowledge-based”  assumptions — more  specifically,  the  existence  of  differing-input  obfuscation 
[BGI+01,  BCP14,  ABG+13].  Rather,  we  are  here  interested  in  basing  succinct  garbling  schemes 
on  some  hardness  assumption.  (As  we  shall  see  shortly,  doing  this  will  also  provide  insight  into 
constructions  of  succinct  iO  for  Turing  machines  based  on  some  hardness  assumption.) 

Our  main  result  shows  how  to  obtain  succinct  garbling  schemes  relying  only  on  (non-succinct) 
iO  for  circuits -  by  now  there  are  several  constructions  of  iO  [GGH+13b,  PST14,  GLSW14]  for 
P/poly  based  on  specific  hardness  assumptions  regarding  graded  encodings  [GGH13a],  and  some 
of  them  are  even  falsifiable  [PST14,  GLSW14],  Our  succinct  garbling  construction  from  iO  for 
P/poly,  however,  only  works  for  any  a-priori  bounded-space  computation — in  other  words,  the  size 
of  the  garbled  circuit  depends  polynomially  on  the  space  complexity  of  the  computation,  but  is 
independent  of  its  running-time. 

Theorem  2  (Main  Theorem — Informally  stated).  Assume  the  existence  of  indistinguishability  ob- 
fuscators  for  P/poly  and  one-way  functions.  Then,  for  every  polynomial  p,  there  exists  a  succinct 
garbling  scheme  for  all  polynomial-time  programs  II  with  space- complexity  p(-) .  (In  particular,  the 
size  of  the  garbled  program  depends  polynomially  on  the  size  of  II,  the  length  of  the  input  and  output 
of  II  and  the  ,  and  the  space  complexity  s(-),  but  only  logarithmically  on  Id’s  running-time.) 

The  key  conceptual  insight  behind  our  construction  is  a  method  for  using  iO  to  “compress”  a 
computation  that  can  be  performed  piecemeal,  without  revealing  anything  about  it.  More  precisely, 
in  a  first  step,  we  show  how  to  obtain  a  “non-succinct”  garbling  of  bounded-space  Turing  machines, 
and  next,  in  a  second  step,  we  show  how  to  use  iO  to  compress  this  non-succinct  garbling  into  a 
succinct  one.  (We  believe  that  this  compression  technique  may  be  of  independent  interest.) 

Next,  we  use  this  main  theorem  to  enable,  among  other  things,  bounded  space  (polynomial¬ 
time)  computations  in  the  context  of  a)  functional  encryption  (FE),  b)  resusable  succinct  garbling 
schemes,  c)  iO,  and  d)  succinct  non-interactive  arguments  (SNARGs),  assuming  iO  for  P/poly 
and  one-way  function  (for  some  of  these  results  with  sub  exponential  security);  prior  to  this  paper, 
these  primitives  could  only  be  constructed  based  on  “knowledge-based”  assumptions  [GKP+13a, 
BCP14,  ABG+13]  or  in  the  Random  Oracle  model  [MicOO]. 

1.2  Succinct  Garbling  Schemes  for  Bounded-Space  Computations 

We  turn  to  providing  an  overview  of  our  construction  of  succinct  garbling  schemes  for  bounded 
space  Turing  machines.  Our  construction  proceeds  in  two  steps:  we  first  construct  a  non-succinct 
garbling  scheme,  with  the  property  that  the  garbled  program  consists  of  many  “small  pieces”  that 
can  be  independently  generated.  Next,  in  a  second  step,  we  use  indistinguishability  obfuscation 
to  “compress”  the  size  of  the  garbled  program,  by  releasing  an  obfuscated  program  that  takes  an 
index  as  input  and  generates  the  “piece”  corresponding  to  that  index.  As  a  result,  the  final  garbled 
program  (namely  the  obfuscated  program)  is  small  and  can  be  efficiently  computed,  and  it  is  only 
at  the  evaluation  time  that  the  underlying  non-succinct  garbled  program  gets  “decompressed”  (by 
running  the  obfuscated  program  on  all  possible  indexes  to  recover  it). 
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A  Non-succinct  Garbling  Scheme:  Construction  Overview  Let  us  first  outline  a  non 
succinct  garbling  scheme  for  Turing  machines2  based  on  any  one-way  function.  Note  that  a  “trivial” 
approach  for  achieving  this  is  to  simply  transform  any  polynomial-time  Turing  machine  into  a 
polynomial-size  circuits  and  then  garble  the  circuit.  While  our  construction  in  essence  relies  on  this 
principle,  we  provide  a  construction  that  uses  as  a  black-box  a  garbling  scheme  for  “small”  fixed¬ 
sized  circuits  (and  thus  this  construction  may  be  of  independent  interest).  More  precisely,  we  will 
rely  on  the  existence  of  a  garbling  scheme  for  circuits  (as  in  [Yao86])  satisfying  an  additional  useful 
property:  the  key  key  can  be  generated  independently  of  the  circuit  to  be  garbled  (more  precisely, 
we  now  have  a  key  generation  algorithm  Gen  that  outputs  the  key  key,  next,  both  the  encoding 
and  garbling  methods  receive  this  key  as  input);  furthermore,  we  additionally  require  that  encoded 
inputs  can  be  simulated  without  knowledge  of  the  circuit  to  be  garbled.  We  refer  to  such  schemes 
as  garbling  schemes  with  independent  key  generation  and  note  that  Yao’s  original  scheme  (which 
can  be  based  on  one-way  functions)  satisfies  this  property.  Our  non-succinct  garbling  scheme  now 
proceeds  as  follows  for  a  Turing  machine  II  with  bounded  space  complexity  s(-)  and  running-time 
T(-)  and  inputs  of  length  n.  We  construct  a  “chain”  of  T(n)  garbled  circuits  that  evaluate  II 
step  by  step.  More  precisely,  we  first  generate  keys  key\ , . . . ,  keyT(n)  f°r  the  T(n)  garbled  circuits. 
The  ith  garbled  circuit  (which  is  computed  using  key  keyf)  takes  as  input  some  state  of  II  and 
computes  the  next  state  (ie.,  the  state  after  one  computation  step);  if  the  next  state  is  a  final  state, 
it  outputs  the  outputs  generated  by  II,  otherwise  its  outputs  an  encoding  of  this  new  state  using 
key  keyi+\.  (Note  that  after  T(n)  steps  we  are  guaranteed  to  get  to  a  final  state  and  thus  this 
process  is  well-defined.) 

The  input  encoding  method  simply  encodes  the  initial  state  of  II  with  input  x  using  the  key\, 
and  to  evaluate  the  garbled  program  we  simply  sequentially  evaluate  each  garbled  circuit,  using 
the  encodings  generated  in  the  previous  one  as  inputs  to  the  next  one,  and  finally  outputting  the 
output  generated. 

A  Non-succinct  Garbling  Scheme:  Proof  Overview  To  show  that  this  construction  is  a 
secure  (non-succinct)  garbling  scheme  we  need  to  exhibit  a  simulator  that  given  just  the  output 
y  =  II(x)  of  the  program  II  on  input  x  and  the  number  of  steps  t*  taken  by  II(x)  can  simulate  the 
encoded  input  and  program.  (The  reason  we  provide  the  simulation  with  the  number  of  steps  t*  is 
that  we  desire  a  garbling  scheme  with  a  “per- instance  efficiency” — that  is,  the  evaluation  time  is 
polynomial  in  the  actual  running-time  t*  and  not  just  the  worst-case  running-time.  To  achieve  such 
“per-instance  efficiency”  requires  leaking  the  running-time,  which  is  why  the  simulator  gets  access 
to  it.)  Towards  this,  we  start  by  simulating  the  t*th  garbled  circuit  with  the  output  being  set  to  y, 
this  simulation  generates  an  encoded  input  conf;*_i  and  a  garbled  program  lit*  (if  the  simulation 
is  valid,  conft*_i  is  supposed  to  be  an  encoding  of  the  configuration  conff  of  the  TM  after  t  steps 
of  computation).  We  then  iteratively  in  descending  order  simulate  the  ith  (i  <  t*)  garbled  circuits 
II;  with  the  output  being  set  to  conf;+i  generated  in  the  previously  simulated  garbled  circuit.  We 
finally  simulate  the  remaining  i  >  t*  garbled  circuits  II;  with  the  output  being  set  to  some  arbitrary 
output  in  the  range  of  the  circuit  (e.g.,  simply  y),  and  release  confi  and  (IIi, . . .  nT(-n\).  (Note  that 
the  fact  that  we  simulate  the  zth  (i  >  t*)  garbled  circuit  with  the  output  being  set  to  some  arbitrary 
value  is  fine  since  encoded  inputs  to  those  circuits  are  not  released.) 

To  prove  indistinguishability  of  this  simulation,  we  consider  a  sequence  of  hybrid  experiments 

2The  choice  of  a  Turing  machine  as  the  model  of  computation  is  arbitrary  and  the  solution  work  no  matter  what 
the  model  of  bounded-space  computation  (e.g.,  Turing  machine,  RAM,  PRAM  etc)  as  long  as  a  computation  can  be 
decomposed  into  a  sequence  of  sequential  computation  steps  operating  on  the  memory. 
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Hq,  ,  HTtn),  where  in  Hj  the  first  j  garbled  circuits  are  simulated,  and  the  remaining  T(n)  —  j 
garbled  circuits  are  honestly  generated.  To  “stitch  together”  the  simulated  circuits  with  the  honestly 
generated  ones,  the  jth  garbled  circuit  is  simulated  using  as  output,  an  honest  encoding  confj  of 
the  actual  configuration  confj  of  the  TM  after  t  steps.  It  follows  from  the  security  of  the  garbling 
scheme  (and  the  fact  that  a  only  single  encoded  input  is  released  for  circuit  j  +  1)  that  hybrids 
Hj  and  Hj+ 1  are  indistinguishable  and  thus  also  Ho  (i.e.,  the  real  experiment)  and  Hx(n)  (he.,  the 
simulation) . 

Let  us  finally  remark  a  useful  property  of  the  above-mentioned  simulation.  Due  to  the  fact 
that  we  rely  on  a  garbling  scheme  with  independent  key  generation,  each  garbled  circuit  can  in  fact 
be  independently  simulated -  recall  that  the  independent  key  generation  property  guarantees  that 
encoded  inputs  can  be  simulated  without  knowledge  of  the  circuit  to  be  computed  and  thus  all 
simulated  encoded  inputs  confi, . . .  confy(n)  can  be  generated  in  an  initial  step.  Next,  the  garbled 
circuits  can  simulated  in  any  order. 

The  Succinct  Garbling  Scheme:  Construction  Overview  Let  us  now  turn  to  making  this 
garbling  scheme  succinct.  The  key  idea  is  to,  instead  of  releasing  the  actual  garbled  circuits,  release 
an  obfuscation  of  the  randomized  program  that  generates  the  garbled  circuits.  More  precisely,  we 
release  an  indistinguishability  obfuscation  of  a  program  rP,s,s  (t)  where  x  €  {0,  l}n  is  an  input  to 
n,  t  G  [T(n)j  is  a  “time-step”  of  II  and  s  is  the  seed  for  a  PRF  F:  rF,,s’s  (t)  generates  and  outputs 
the  fth  garbled  circuit  in  the  non-succinct  garbling  of  II  using  pseudo-random  coins  generated  by 
the  PRF  with  seed  s  and  s'.  More  specifically,  it  uses  F (s,t)  and  F(s,  t  +  1)  as  randomness  to 
generate  keyt  and  keyt+i  (recall  that  the  functionality  of  the  fth  garbled  circuit  may  depend  on 
keyt+i),  and  uses  F(s',t)  as  randomness  for  generating  the  tth  garbled  circuit. 

Now,  the  new  succinct  garbled  program  is  the  obfuscated  program  A  G-  iO(Ylx,s's'),  and  the 
encoding  x  of  x  remains  the  same  as  before,  except  that  now  generated  using  pseudo-random  coins 
F(s,  1).  Given  such  a  garbled  pair  A  and  x,  one  can  compute  the  output  by  first  generating  the 
entire  non-succinct  garbled  program  by  computing  A  on  every  time  step  t,  and  evaluating  the 
non-succinct  garbling  with  x. 

The  Succinct  Garbling  Scheme:  Proof  Overview  Given  that  the  new  succinct  garbled 
program  A  produces  “pieces”  of  the  non-succinct  garbled  program,  the  natural  idea  for  simulating 
the  succinct  garbled  program  is  to  obfuscate  a  program  that  produces  “pieces”  of  the  simulated 
non-succinct  garbled  program.  The  above-mentioned  “independent  simulation”  property  of  the 
non-succinct  garbled  program  enable  exactly  this. 

More  precisely,  given  an  output  y  and  the  running-time  t*  of  II(x),  the  simulator  outputs  the 
obfuscation  A  of  a  program  Hy’*  ,s’s  that  on  input  t: 

•  outputs  the  simulation  of  the  tth  garbled  circuit  (as  described  in  the  simulation  of  the  non¬ 
sucking  garbling  scheme,  and  using  y  as  the  output  of  the  whole  program)  using  F(s,t)  and 
F(s,  t  +  1)  as  randomness  to  generate  conft  and  confi+i,  and  F(s',  t)  as  randomness  to  generate 
the  simulated  garbled  circuit; 

The  encoding  of  input  x  is  simulated  as  the  non-succinct  garbling  scheme  does,  but  using  pseudo¬ 
random  coins  F(s,  1).  (Note  that  we  here  strongly  rely  on  the  independent  simulation  property  of 
the  non-succinct  garbled  program  constructed  above,  which  in  turn  relies  on  the  independent  key 
generation  property  of  the  underlying  garbled  circuit.) 

It  is  not  hard  to  see  that  this  simulation  works  if  the  obfuscation  is  virtually  black-box  secure, 
as  the  entire  truth  tables  of  the  two  programs  LP’5’5  and  Tly,t  ,s,s  are  indistinguishable  when  the 
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hardwired  PRF  keys  s,  s'  are  chosen  at  random.  Our  goal,  however,  is  to  show  that  assuming 
indistinguishability  obfuscation  suffices.  Towards  doing  this,  as  above,  we  consider  a  sequence  of 
hybrid  experiments  H'0, ... ,  ^T(n)  obfuscates  a  sequence  of  programs  that  “morph”  gradually 

from  II  to  fl.  In  particular,  the  program  obfuscated  in  H’-  produces  a  non-succinct  hybrid 

garbled  program  as  in  hybrid  Hj  in  the  proof  of  the  non-succinct  garbling  scheme,  except  that 
pseudo-random  coins  generated  using  seeds  s,  s'  are  used  instead  of  truly  random  coins.  (More 
specifically,  for  the  first  j  inputs,  II  j  produces  simulated  garbled  circuits  (as  in  Hj),  and  for  the 
rest  inputs,  it  produces  honestly  generated  garbled  circuits.) 

To  prove  indistinguishability  of  any  two  consecutive  hybrids  H'-  and  ,  we  finally  rely  on 
the  punctured  program  technique  of  Sahai  and  Waters  [SW14],  to  replace  pseudo-random  coins 
F(s,  j  +  1),  F (s' ,j  +  1)  for  generating  the  j  +  1th  simulated  garbled  circuit  with  truly  random  coins, 
and  can  then  rely  on  the  indistinguishability  of  the  simulation  of  the  j  +  1th  garbled  circuit  to 
conclude  the  indistinguishability  of  neighboring  hybrids. 

A  note  on  the  efficiency  of  the  Garbling  Scheme  Note  that  the  time  (and  size)  of  the  garbled 
program  depends  polynomially  on  the  space  bound  and  the  length  of  the  inputs  and  outputs  and 
only  poly-logarithmically  in  the  upper  bound  on  the  running-time  of  the  program.  The  evaluation 
time,  on  the  other  hand,  is  linear  in  the  time  complexity  of  the  program  II  -no  matter  what  model 
of  computation  we  rely  on  ( e.g .,  TM,  RAM,  or  PRAM),  and  again  polynomial  in  the  space  and 
input / output  lengths . 

1.3  Applications  of  (Succinct)  Garbling  Schemes 

We  now  turn  to  presenting  applications  of  garbling  schemes.  While  our  focus  here  is  applications  of 
succinct  garbling  schemes,  as  we  shall  explain  shortly,  our  results  are  general  and  lead  to  interesting 
corollaries  also  when  relying  on  non  succinct  schemes. 

Application  1:  Succinct  Randomized  Encoding  Recall  that  a  randomized  encoding  [IK02, 
AIK04]  is  a  method  to,  given  an  input  x  and  a  function  /,  (randomly)  encode  f(x )  in  a  way  that 
leaks  nothing  beyond  just  f(x).  As  is  well  known,  garbling  schemes  imply  randomized  encoding: 
the  randomized  encoding  of  f,x  is  simply  the  garbling  of  /  and  the  encoding  of  x.  Whereas  previous 
works  on  randomized  encoding  have  focused  on  encoding  methods  that  can  be  performed  by  low- 
depth  computations  [AIK04],  when  relying  on  succinct  garbling  schemes,  we  obtain  a  new  type  of  a 
succinct  randomized  encoding  where  the  encoding  can  be  produced  much  more  efficiently  than  com¬ 
puting  / — in  particular,  the  time  needed  to  produce  the  encoding  only  grows  poly-logarithmically 
with  the  time-complexity  of  /.  We  next  show  how  such  succinct  randomized  encodings  are  useful 
for  applications.  For  notational  convenience,  we  describe  these  applications  using  garbling  scheme, 
but  it  should  be  appreciated  that  for  these  application  succinct  randomized  encodings  actually 
suffice. 

Applications  2:  FE,  reusable  garbling  schemes,  secure  computations  We  observe  that  in 
contexts  such  as  secure  computation  [GMW87]  and  functional  encryption  [SW05,  O’NIO,  BSW12], 
to  evaluate  a  function  /  on  an  input  x,  it  suffices  to  evaluate  the  randomized  function  that  com¬ 
putes  a  garbled  program  of  /  and  an  encoding  of  the  input  (recall  that  by  the  security  of  the 
garbling  scheme  this  reveal  no  more  than  the  output  of  the  function).3  Thus,  by  plugging- in 

3That  is,  we  are  computing  a  randomized  encoding  of  /( x). 
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our  construction  of  succinct  garbling  schemes  for  bounded-space  computations  (BSC)  into  ear¬ 
lier  constructions  of  secure  computation  or  randomized  functional  encryption  [GJKS]4,  we  directly 
obtain,  assuming  iO  for  P/poly  and  one-way  functions,  a  randomized  functional  encryption  for 
BSC,  and  secure  computation  protocols  for  bounded-space  programs,  where  the  communication 
complexity  is  grows  logarithmically  with  the  the  running-time  of  the  program  to  be  evaluated. 
We  additionally  observe  that  by  combing  our  construction  of  functional  encryption  for  BSC  with 
previous  results  [CIJ+13,  GKP+13b]-—  [CIJ+13]  showed  that  function  encryption  schemes  with 
indistinguishability-based  security  implies  ones  with  simulation-based  security,  which  further  im¬ 
plies  reusable  garbling  schemes  by  [GKP+13b] — directly  yields  a  construction  of  reusable  succinct 
garbling  schemes  for  BSC  from  iO  for  P/poly  and  one-way  functions.  Summarizing, 

Theorem  3  (Informally  stated).  Assume  the  existence  of  indistinguishability  obfuscators  for  P / poly 
and  one-way  function.  Then,  for  every  polynomial  p,  the  exists  secure  constructions  of  the  following 
primitives  which  handle  computations  all  polynomial-time  computations  with  space-complexity  s(-): 

•  reusable  succinct  garbling; 

•  functional  encryption  where  the  size  of  the  secret  key  for  a  function  is  independent  of  its 
running  time; 

•  secure  computation  where  the  communication  complexity  of  the  protocol  is  independent  of  the 
running-time  of  the  program. 

Let  us  mentioned  that  prior  to  this  paper,  the  second  of  these  primitives  could  only  be  con¬ 
structed  based  on  “knowledge-based”  assumptions  (such  as  SNARKs  and  extractable  witness  en¬ 
cryption  [GKP+13a]  or  differing-input  obfuscation  [BCP14,  ABG+13]),  and  the  third  one  based  on 
incomparable  assumptions  (namely,  FHE — it  is  unknown  whether  iO  and  one-way  functions  imply 
FHE). 

Applications  3:  Succinct  iO  and  SNARGs  Recall  that  in  Theorem  1  we  demonstrated  how 
to  use  succinct  iO  to  get  succinct  garbling  schemes — in  fact,  the  construction  works  for  any  “nice” . 
We  now  show  a  converse  of  this  result:  assuming  sub-exponentially-secure  iO  for  P/poly,  the 
existence  of  a  sub-exponentially-secure  succinct  garbling  scheme  for  a  “nice”  ’5  class  of  algorithms 
yields  an  iO  for  the  same  class  of  algorithms  with  the  same  complexity.  We  first  observe  that  if 
we  had  an  appropriate  notion  of  iO  for  randomized  functionalities,  then  we  could  rely  on  the  same 
argument  as  in  the  context  of  secure  computation  and  functional  encryption — instead  of  evaluating 
a  function  /,  simply  compute  the  randomized  functionality  that  computes  the  garbled  version  of 
/  and  the  encoded  input.  We  observe  that  a  notion  recently  considered  by  Canetti,  Lin,  Tessaro 
and  Vaikuntanathan  [CLTV14]  (which  can  be  achieved  based  on  sub-exponentially-secure  iO  and 
one-way  functions)  suffices  for  our  purposes  as  long  as  the  garbling  scheme  is  sub-exponentially 
secure. 

Combined  with  Theorem  2,  this  yields  succinct  iO  for  BSC  from  sub-exponentially-secure  iO 
for  P/poly  and  sub-exponentially  secure  one-way  functions.  Plugging  in  this  result  into  the  Per¬ 
fect  NIZK  construction  of  Sahai- Waters  [SW14]  directly  yields  a  construction  of  (Perfect  NIZK) 

4The  reason  we  need  randomized  functional  encryption  is  to  be  able  to  compute  the  randomized  garbling  function. 

5Here  by  “nice”,  we  mean  that  C  (1)  contains  algorithms  with  a-priori  polynomially-bounded  input  and  output 
lengths,  (2)  is  closed  under  composition  with  polynomial-sized  circuits,  and  (3)  algorithms  contained  in  C\  is  also 
contained  in  Cy,  with  X'  >  X.  The  last  requirement  is  a  technicality  in  order  to  enable  applying  a  cryptographic 
algorithm  on  an  algorithm  from  C\  with  a  bigger  security  parameter  A'. 
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SNARGS  for  bounded-space  NP  from  sub-exponentially-secure  iO  for  P/poly  and  sub-exponentially- 
secure  one-way  functions.  Summarizing, 

Theorem  4  (Informally  state).  Assume  the  existence  of  sub-exponentially-secure  indistinguisha- 
bility  obfuscators  for  P/poly  and  sub-exponentially-secure  one-way  function.  Then,  for  every  poly¬ 
nomial  p,  there  exists 

•  iO  for  all  polynomial-time  computations  with  space- complexity  s-); 

•  (Perfect  NIZK)  SNARGS  (with  adaptive  soundness f  for  all  languages  in  NP  that  can  be 
decided  by  a  non- deterministic  polynomial-time  Turing  machines  with  space- complexity  s(-). 

These  primitives  were  only  know  to  exists  based  on  “knowledge-based”  assumptions  [BCP14, 
ABG+13,  BP13]  or  in  the  Random  Oracle  Model  [MicOO]. 

Application  4:  iO  for  RAM  with  poly-logarithmic  overhead  We  finally  observe  that  the 
above  observation  that  in  the  context  of  iO  it  suffices  to  evaluate  the  garbling  of  the  function  instead 
of  directly  evaluating  the  functions  is  useful  also  if  relying  on  non-succinct  garbling  schemes.  In 
particular,  by  relying  on  the  garbled  RAM  constructions  of  [L013,  GHL+14]  we  directly  obtain  as 
a  corollary, 

•  iO  for  RAM  programs  with  bounded  input  and  output  lengths,  where  the  size  of  the  obfus¬ 
cated  program  only  grows  quasi-linearly  with  the  RAM  complexity  of  the  program,  assuming 
iO  for  P/poly  and  one-way  functions,  both  with  sub-exponential  security. 

There  is  one  subtle  detail  that  needs  to  be  dealt  with  to  obtain  the  above  corollary.  If  simply 
relying  on  any  iO  in  the  above  construction,  then  the  use  of  this  underlying  primitive  could  blow¬ 
up  the  running-time.  (If  we  rely  on  an  iO  for  circuits  with  quasi-linear  overhead  then  we  are  fine, 
but  this  seems  to  require  stronger  assumptions.)  Rather,  we  rely  on  an  observation  from  Gentry, 
Halevi,  Raykova  and  Wichs  [GHRW14]:  the  garbled  RAM  constructions  of  [L013,  GHL+14]  satisfy 
a  nice  “bit-wise  compactness”  property,  where  each  bit  of  the  garbled  circuit  can  be  independently 
generated  by  a  “small”  circuit  of  size  depending  quasi-linearly  in  the  input  and  output  lengths 
and  only  poly- logarithmically  in  the  running  time.7  Thus,  (inspired  by  [GHRW14],)  instead  of 
obfuscating  the  program  that  generates  the  whole  garbled  circuit  in  one  shot,  we  simply  obfuscate 
many  “small”  programs,  each  of  which  generates  one  bit  of  the  garbled  circuit.  (Note  that  the 
resulting  iO  is  not  succinct:  the  size  of  the  obfucated  program  depends  on  the  size  of  the  garbled 
RAM). 

Let  us  remark  that  a  similar  construction  was  recently  provided  in  [GHRW14];  the  difference 
between  our  construction  and  theirs  is  that  they  propose  to  obfuscate  only  a  single  “small”  program 
that  will  generate  all  bits  in  the  garbled  RAM,  whereas  our  iO  consists  of  the  obfuscation  of  many 
“small”  programs,  each  of  which  generates  only  a  single  bit  in  the  garbled  RAM.  But,  the  authors 
of  [GHRW14]  simply  conjecture  the  security  of  their  construction;  in  contrast,  we  prove  it  secure 
assuming  that  the  underlying  obfuscator  satisfies  sub-exponentially  secure  iO. 

6The  Perfect  NIZK  construction  of  [SW14]  only  satisfies  non-adaptive  soundness.  But  by  a  standard  complexity 
leveraging  trick,  it  can  be  made  to  satisfy  adaptive  soundness.  Since  we  anyway  assume  sub-exponential  security  of 
the  iO  this  comes  at  no  cost  for  us. 

7More  precisely,  the  size  of  the  small  circuit  is  0(|-R|  +  n  +  m )  x  poly(A, logT),  where  R  is  the  RAM  machine 
under  consideration,  n  and  m  are  its  input  and  output  lengths,  and  T  is  its  running  time. 
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2  Preliminaries 


Let  M  denote  the  set  of  positive  integers,  and  [n]  denote  the  set  {1,2 , . . .  ,n}.  We  denote  by  PPT 
probabilistic  polynomial  time  Turing  machines.  The  term  negligible  is  used  for  denoting  functions 
that  are  (asymptotically)  smaller  than  one  over  any  polynomial.  More  precisely,  a  function  u(-) 
from  non- negative  integers  to  reals  is  called  negligible  if  for  every  constant  c  >  0  and  all  sufficiently 
large  n,  it  holds  that  v(n)  <  n~c. 

2.1  Models  of  Computation 

In  this  work  we  will  consider  different  models  of  computation.  Below  we  define  formally  different 
classes  of  algorithms;  we  will  start  by  defining  classes  of  deterministic  algorithms  of  fixed  polynomial 
size,  and  then  move  to  define  classes  of  randomized  algorithms  and  classes  of  algorithms  of  arbitrary 
polynomial  size. 

Classes  of  deterministic  algorithms  of  fixed  polynomial  size. 

Polynomial-time  Circuits.  For  every  polynomial  D ,  the  class  CIR[Z)]  =  {Ca}  of  include  all 
deterministic  circuits  of  size  at  most  D{ A). 

NC1  Circuits.  For  every  constant  c  and  polynomial  D ,  the  class  NCc[D]  =  {Ca}  of  polynomial¬ 
sized  circuits  of  depth  clog  A  include  all  deterministic  circuits  of  size  D( A)  and  depth  at  most 
clog  A. 

Exponential-time  Turing  Machines.  We  consider  a  canonical  representation  of  Turing  ma¬ 
chines  M  =  {M' ,n,m,  S,T)  with  \n\  =  \m\  =  |S|  =  \T\  =  A  and  n,m  <  S  <  T;  M  takes 
input  x  of  length  n,  and  runs  M'(x )  using  S  space  for  at  most  T  steps,  and  finally  out¬ 
puts  the  first  m  bits  of  the  output  of  M' .  (If  M'{x )  does  not  halt  in  time  T  or  requires 
more  than  S  space,  M  outputs  _L.)  In  other  words,  given  the  description  M  of  a  Turing 
machine  in  this  representation,  one  can  efficiently  read  off  its  bound  parameters  denoted  as 
(. M.n,M.m,M.S,M.T ). 

Now  we  define  the  class  of  exponential  time  Turing  machines.  For  every  polynomial  D ,  the 
class  TM[D]  =  {Ma}  includes  all  deterministic  Turing  machines  II m  containing  the  canonical 
representation  of  a  Turing  machine  M  of  size  D( A);  II m(xR)  takes  input  x  and  t  of  length 
M.n  and  A  respectively,  and  runs  M(x )  for  t  steps,  and  finally  outputs  what  M  returns. 

Remark:  Note  that  machine  t)  on  any  input  terminates  in  t  <  2A,  and  hence  its 

output  is  well-defined.  Furthermore,  for  any  two  Turing  machines  M\  and  M-2,  they  have 
the  same  functionality  if  and  only  if  they  produce  identical  outputs  and  run  for  the  same 
number  of  steps  for  every  input  x.  This  property  is  utilized  when  defining  and  constructing 
indistinguishability  obfuscation  for  Turing  machines,  as  in  previous  work  [BCP14], 

Exponential-time  RAM  Machines.  We  consider  a  canonical  representation  of  RAM  machines 
R  =  (R' ,  n,  m,  S,  T )  identical  to  the  canonical  representation  of  Turing  machines  above. 

For  every  polynomial  D ,  the  class  RAM[H]  =  {^-a}  of  polynomial-sized  RAM  machines 
include  all  deterministic  RAM  machines  11^,  defined  as  II m  above  for  Turning  machines, 
except  that  the  Turing  machine  M  is  replace  with  a  RAM  machine  R. 
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Classes  of  randomized  algorithms:  The  above  defined  classes  contain  only  deterministic  al¬ 
gorithms.  We  define  analogously  these  classes  for  their  corresponding  randomized  algorithms.  Let 
X[D\  be  any  class  defined  above,  we  denote  by  rA[D]  the  corresponding  class  of  randomized  algo¬ 
rithms.  For  example  rCIR[D]  denote  all  randomized  circuits  of  size  D( A),  and  rTM[D]  denote  all 
randomized  turning  machine  of  size  D{ A). 

Classes  of  (arbitrary)  polynomial-sized  algorithms:  The  above  defined  classes  consist  of 
algorithms  of  a  fixed  polynomial  D  description  size.  We  define  corresponding  classes  of  arbitrary 
polynomial  size.  Let  X[D ]  be  any  class  defined  above,  we  simply  denote  by  X  =  Upoiy dX[D]  the 
corresponding  class  of  algorithms  of  arbitrary  polynomial  size.  For  instance,  CIR  and  rCIR  denotes 
all  deterministic  and  randomized  polynomial-sized  circuits,  and  TM  denotes  all  polynomial-sized 
Turing  machines. 

In  the  rest  of  the  paper,  when  we  write  a  family  of  algorithms  {AL\}  £  X,  we  mean  {AL\}  £ 
X[D\  for  some  polynomial  D.  This  means,  the  size  of  the  family  of  algorithms  is  bounded  by 
some  polynomial.  Below,  for  convenience  of  notation,  when  X  is  a  class  of  algorithms  of  arbitrary 
polynomial  size,  we  write  AL  £  X\  as  a  short  hand  for  {AL\}  £  {X\}. 

Classes  of  well-formed  algorithms:  In  the  rest  of  the  preliminary,  we  define  various  crypto¬ 
graphic  primitives.  In  order  to  avoid  repeating  the  definitions  for  different  classes  of  machines,  we 
provide  definitions  for  general  classes  of  algorithms  {AC\\  that  can  be  instantiated  with  specific 
classes  defined  above.  In  particular,  we  will  work  with  classes  of  algorithms  that  are  well-formed, 
satisfying  the  following  properties: 

1.  For  every  AL  £  AC\,  and  input  x,  AL  on  input  x  terminates  in  2A  steps.  Note  that  this  also 
implies  that  AL  has  bounded  input  and  output  lengths. 

2.  the  size  of  every  ensemble  of  algorithms  {AL\}  £  {AC\}  is  bounded  by  some  polynomial  D 
in  A,  and 

3.  given  the  description  of  an  algorithm  AL  £  AC\,  one  can  efficiently  read  off  the  bound 
parameters  AL.n ,  AL.m ,  AL.S,  AL.T. 

All  above  defined  algorithm  classes  are  well- formed.  Below,  we  denote  by  Tal(x)  the  running  time 
of  AL  on  input  x,  and  Tal  the  worst  case  running  time  of  AL.  Note  that  well-formed  algorithm 
classes  are  not  necessarily  efficient;  for  instance  the  class  of  polynomial-sized  Turing  machines  TM 
contain  Turing  machines  that  run  for  exponential  time.  In  order  to  define  cryptographic  primitives 
for  only  polynomial-time  algorithms,  we  will  use  the  notation  ALG7  =  {A£y }  to  denote  the  class 
of  algorithms  in  ALG  =  {AC\\  that  run  in  time  T( A)  (in  particular,  these  with  AL\.T  <  T( A)). 

In  the  rest  of  the  paper,  all  algorithm  classes  are  well- formed. 

2.2  Garbling  Scheme 

Definition  1  (Garbling  Scheme).  A  Garbling  scheme  QS  for  a  class  of  (well-formed)  determinis¬ 
tic  algorithms  {A£a}apn  consists  of  algorithms  QS  =  (Garb,  Encode,  Eval)  satisfying  the  following 
properties: 

Syntax:  For  every  A  £  N,  AL  £  AC \  and  input  x, 

•  Garb  is  probabilistic  and  on  input  (l'\  AL)  outputs  a  pair  {AL,  key).8 

s(Note  that  as  the  algorithm  class  is  well-formed,  Garb  implicitly  has  all  bound  parameters  of  AL. 
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•  Encode  is  deterministic  and  on  input  (key,  x)  outputs  x. 

•  Eval  is  deterministic  and  on  input  ( AL,x )  produced  by  Garb,  Encode  outputs  y. 

Correctness:  For  every  polynomial  T  and  every  family  of  algorithms  {AL\}  £  and  se¬ 

quence  of  inputs  {xa},  There  exists  a  negligible  function  p,  such  that,  for  every  A  £  N, 
AL  =  AL\,  x  =  x\, 

Pr[(AL,  key)  •£-  Garb(lA,  AL),  x  •£-  Encode(key,  x)  :  Eval(AL,  x)  7^  AL{x)}  <  p(X) 

Definition  2  (Security  of  a  Garrbling  Scheme).  We  say  that  a  Garbling  scheme  QS  for  a  class  of 
deterministic  algorithms  {ACaIasn  secure  If  the  following  holds. 

Security:  There  exists  a  uniform  machine  Sim,  such  that,  for  every  non-uniform  PPT  distinguisher 
V,  every  polynomial  T' ,  every  sequence  of  algorithms  {AL\}  £  {AL  a  },  and  sequence  of  inputs 
{xx}  where  x\  £  {0,  \}AL*-n ,  there  exists  a  negligible  function  p,  such  that,  for  every  A  £  N, 
AL  =  AL\,  x  =  x\  the  following  holds: 

Pr[(AL,  key)  •£-  Garb(lA,  AL),  x  •£-  Encode(key,  x)  :  V(AL,x)  =  1] 

-Pv[(AL,x)  ^  S\m{lx,lW,fAL\,(n,m,S,T),TAL(x),AL(x))  :  V{AL,x)  =  1]  <  p{\) 

where  (n,m,  S,T)  =  (AL.n,  AL.m,  AL.S,  AL.T)  and  Sim  runs  in  time  poly(A,  T'(A)).  More¬ 
over,  p  is  called  the  distinguishing  gap 

Furthermore,  we  say  that  QS  is  (5-indistinguishable  if  the  above  security  condition  holds  with  a 
distinguishing  gap  p  bounded  by  6.  Especially,  QS  is  sub-exponentially  indistinguishable  if  p( A) 
is  bounded  by  2^  for  a  constant  e. 

We  note  that  the  sub-exponentially  indistinguishability  defined  above  is  weaker  than  usual  sub¬ 
exponential  hardness  assumptions  in  that  the  distinguishing  gap  only  need  to  be  small  for  PPT 
distinguisher,  rather  than  sub-exponential  time  distinguishes. 

We  remark  that  in  the  above  definition,  simulator  Sim  receives  many  inputs,  meaning  that,  a 
garbled  pair  AL,x  reveals  nothing  but  the  following:  The  output  AL(x),  instance  running  time 
Tal(x),  input  length  |x|  and  machine  size  \AL\,  together  with  various  parameters  (n,m,  S,T)  of 
AL.  We  note  that  the  leakage  of  the  instance  running  time  is  necessary  in  order  to  achieve  instance- 
based  efficiency  (see  efficiency  guarantees  below).  The  leakage  of  \AL\  can  be  avoided  by  padding 
machines  if  an  upper  bound  on  their  size  is  known.  The  leakage  of  parameters  (n,  m ,  S,  T )  can  be 
avoided  by  setting  them  to  2A;  see  Remark  1  for  more  details.  In  particular,  when  the  algorithms 
are  circuits,  inputs  to  the  simulation  algorithm  can  be  simplified  to  (1A,  llxl,  1^1,  AL(x)),  since  all 
bound  parameters  n,  m,  S,  T  can  be  set  to  2A. 

Efficiency  Guarantees,  we  proceed  to  describe  the  efficiency  requirements  for  garbling  schemes. 
When  considering  only  circuit  classes,  all  algorithms  Garb,  Encode,  Eval  should  be  polynomial  time 
machines,  that  is,  the  complexity  of  Garb,  Eval  scales  with  the  size  of  the  circuit  |C|,  and  that  of 
Encode  with  the  input  length  |a:|.  However,  when  considering  general  algorithm  classes,  since  the 
description  size  \AL\  could  be  much  smaller  than  the  running  time  AL.T ,  or  even  other  parameters 
AL.S,  AL.n,  AL.m,  there  could  be  different  variants  of  efficiency  guarantees,  depending  on  what 
parameters  the  complexity  of  the  algorithms  depends  on.  Below  we  define  different  variants. 
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Definition  3  (Different  Levels  of  Efficiency  of  Garbling  Schemes).  We  say  that  a  garbling  scheme 
QS  for  a  class  of  deterministic  algorithms  {ATaIasn  has  succinctness  or  I/O  /  space  /  time- 
dependent  complexity  if  the  following  holds. 

Optimal  efficiency:  There  exists  universal  polynomials  PGarb>PEncode>PEvab  such  that,  for  every 
A  G  N,  AL  G  AC  a  and  input  x  G  {0,  \fAL-n) 

•  (A,  key)  G-  Garb(lA,  AL)  runs  in  time  PGarbl'V  \AL\,  AL.m)/ 

•  x  =  Encode(key,  x)  runs  in  time  PEncode(-V  \x\,AL.m),  and 

•  y  =  Eval(AL,x)  runs  in  time  PEvai(A,  |AL|,  \x\,AL.m)  xTal(x),  with  overwhelming  prob¬ 
ability  over  the  random  coins  of  Garb.  We  note  that  Eval  has  instance-based  efficiency. 

I/O-dependent  complexity:  The  above  efficiency  conditions  hold  with  PGarbiPEncodeiA’Evai  taking 
AL.n  as  additional  parameters. 

Space-dependent  complexity:  The  above  efficiency  conditions  hold  with  pGarb)PEncode)PEvai  tak¬ 
ing  AL.S  as  an  additional  parameter. 

Linear-time-dependent  complexity:  The  above  efficiency  conditions  hold  with  PGarb>PEncode 
taking  AL.T  as  an  additional  parameter  and  depending  (quasi-) linearly  in  AL.T,  and  the 
running  time  of  Eval  is  bounded  by  PEvai(A, \AL\,  \x\)AL.T. 

Furthermore,  we  say  that  the  garbling  scheme  QS  has  succinct  input  encodings  if  the  encoding 
algorithm  Encode(key,  x)  runs  in  time  PEncode(l'\  M)- 

We  say  that  a  garbling  scheme  is  “succinct”  if  its  complexity  depends  only  poly-logarithmically 
on  the  time  bound.  Thus  a  scheme  with  space-dependent  complexity  is  succinct  for  a  class  of 
algorithms  whose  space  usage  is  bounded  by  a  fixed  polynomial. 

On  the  dependency  on  the  length  of  the  output.  Note  that  in  the  optimal  efficiency  defined  above, 
the  complexity  of  the  algorithms  depends  on  the  length  of  their  respective  inputs  and  the  bound  on 
their  output  lengths  AL.m.  We  argue  that  this  is  necessary.  This  is  because  that  the  garbling  of 
an  algorithm  AL  together  with  an  encoding  of  an  input  x  encodes  the  output  AL(x),  while  leaking 
nothing  beyond  AL(x).  ( AL,x  is  a  randomized  encoding  of  AL,x.)  Then,  assuming  the  existence 
of  pseudorandom  generators  G ,  the  total  size  of  the  garbled  function  G  and  encoded  input  x  must 
be  at  least  the  length  of  the  output  of  the  function.  Otherwise,  the  simulator  can  “compress” 
random  strings  with  overwhelming  probability,  which  is  a  contradiction.  Therefore,  we  allow  the 
complexity  of  the  algorithms  to  depend  on  the  length  of  the  output  in  optimal  efficiency. 

Garbling  Schemes  for  Specific  Algorithm  Classes.  Next  we  instantiate  the  above  definition 
of  garbling  scheme  for  general  algorithm  classed  with  concrete  classes. 

Definition  4  (Garbling  Scheme  for  Polynomial-sized  Circuits).  A  triplet  of  algorithms  f?5ciR  = 
(GarbQR,  EncodeciR,  EvalciR)  is  a  garbling  scheme  (with  linear- time- dependent  complexity)  for  poly¬ 
nomial  sized  circuits  if  it  is  a  garbling  scheme  for  class  CIR  (with  linear-time- dependent  complexity). 

We  note  that  in  the  case  of  circuits,  succinctness  means  the  complexity  scales  polynomially  in 
\C\,  whereas  linear-time-dependency  means  the  complexity  scales  linearly  with  \C\. 

®Note  that  the  running  time  of  Garb  and  similarly  other  algorithms  that  takes  AL  as  an  input,  implicitly  depends 
logarithmically  on  the  time  bound  of  AL,  as  its  description  contains  the  time  bound  AL.T. 
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Definition  5  (Garbling  Schemes  for  Polynomial  Time  Turing  Machines).  A  triplet  (/5tm  = 
(GarbjM^  Encodeyivn  Evaljivi)  of  algorithms  is  a  garbling  scheme  with  optimal  efficiency  or  I/O- 
/  space-  /  linear-time- dependent  complexity  (and  succinct  input  encodings)  for  Turing  machines,  if 
it  is  a  garbling  scheme  for  class  TM  ,  with  the  same  level  of  efficiency. 

Different  efficiency  requirements  impose  qualitatively  different  restrictions.  In  this  work,  we 
will  construct  a  garbling  scheme  for  Turing  machines  with  space-dependent  complexity  assuming 
indistinguishability  obfuscation  for  circuits.  The  construction  of  garbling  scheme  from  iO  for  Turing 
machines,  sketched  in  the  introduction,  has  I/O-dependent  complexity.  On  the  other  hand,  we  show 
that  a  scheme  with  is  impossible;  in  particular,  the  complexity  of  the  scheme  must  scale  with  the 
bound  on  the  output  length. 

Definition  6  (Garbling  Schemes  for  Polynomial  Time  RAM  Machines).  A  triplet  £/5ram  = 
(GarbRAM,  EncodeRAivn  EvalRAM)  of  algorithms  is  a  garbling  scheme  for  polynomial-time  RAM  ma¬ 
chines  with  optimal  efficiency  or  I/O-  /  space-  /  linear-time-  dependent- complexity,  ( and  succinct 
input  encodings),  if  it  is  a  garbling  scheme  for  class  RAM,  with  the  same  level  of  efficiency. 

Recently,  the  works  by  [L013,  GHL+14]  give  construction  of  a  garbling  scheme  for  RAM  ma¬ 
chines  with  linear-time-dependent  complexity  and  succinct  input  encodings,  assuming  only  one-way 
functions. 

Garbled  Circuits  with  Independent  Key  Generation.  In  this  work,  we  will  make  use  of 
a  garbling  scheme  for  circuits  with  a  special  structural  property.  In  Definition  4,  the  key  key 
for  garbling  inputs  is  generated  depending  on  the  circuit  (by  Garb(lA,  C));  the  special  property  of 
a  circuit  garbling  scheme  is  that  the  key  can  be  generated  depending  only  on  the  length  of  the 
input  llxl  and  the  security  parameter,  which  implies  that  the  garbled  inputs  x  can  also  be  generated 
depending  only  on  the  plain  input  x  and  the  security  parameter  A,  independently  of  the  circuit — we 
call  this  independent  key  generation. 

Definition  7  (Garbling  Scheme  for  Circuits  with  Independent  Key  Generation).  A  Garbling 
scheme  QS  =  (Garb,  Encode,  Eval)  for  a  deterministic  circuit  class  {CaIasN  has  independent  key 
generation  if  the  following  holds:  For  every  A  £  N,  and  every  C  G  C\, 

•  The  algorithm  Garb  on  input  (1A,  C)  invokes  firsfkey  -4-  Gen(lA,  l^l)  and  then  C  A  Gb(key,  C), 
where  Gen  and  Gb  are  all  PPT  algorithms. 

•  The  security  condition  holds  w.r.t.  a  simulator  Sim  that  on  input  (1A,  l^l,  1^1,  Tc(x),  C(x)) 
invokes  first  (x,  st)  A  Sim-Gen(lA,  l^l)  and  then  C  A  Sim-Gb((lA,  llxl, \\c\  C(x),  st),  where 
Sim-Gen  and  Sim-Gb  are  all  uniform  PPT  algorithms. 

It  is  easy  to  check  that  many  known  circuit  garbling  schemes,  in  particular  the  construction  by 
Yao  [Yao86],  has  independent  key  generation. 

Proposition  1.  Assume  the  existence  of  one-way  functions  that  are  hard  to  invert  in  T  time.  Then, 
there  exists  a  garbling  scheme  I/5cir  for  polynomial-sized  circuits  with  independent  key  generation 
that  is  r~£ -indistinguishable  for  some  constant  e  G  (0, 1). 
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2.3  Indistinguishability  Obfuscation 

We  recall  the  definition  of  indistinguishability  obfuscation,  adapting  to  arbitrary  classes  of  algo¬ 
rithms.  As  before,  we  first  define  the  syntax,  correctness  and  security  of  iO,  and  then  discuss  about 
different  efficiency  guarantees. 

Definition  8  (Indistinguishability  Obfuscator  ( iO )).  A  uniform  machine  iO  is  a  indistinguisha¬ 
bility  obfuscator  for  a  class  of  deterministic  algorithms  {ACaIasN’  */  ^e  following  conditions  are 
satisfied: 

Correctness:  For  all  security  parameters  A  £  N,  for  all  AL  £  AC\,  for  all  input  x,  we  have  that 

Pr [AU  <-  iO(lx,AL)  :  AL' {x)  =  AL(x)\  =  1 

Security:  For  every  polynomial  T,  every  non-uniform  PPT  samplable  distribution  V  over  the  sup¬ 
port  {AC\  x  AC^  x  {0,  l}poIy(A)  7  and  adversary  A,  there  is  a  negligible  function  p,  such 
that,  for  sufficiently  large  A  £  N,  if 

Pr[(ALi,  AL2,  z)  •£-  V(lx)  :  Vx,  ALi(x)  =  AL2(x),  TAL,{x)  =  TAL(x), 

(\AL\,  AL.n,  AL.m,  AL.S,  AL.T)  =  (\AL'\,AL'.n,AL'.m,AL'.S,AL'.T)}  >  1  -  p(X) 

Then, 

Pr[(AL1,AL2,z)^V{lx)  :  A(iO(lx,  Ah),  z)\ 
-Pi-[(AL1,AL2,z)^V(1x)  :  A(iO(lx,  AL2),  z)\  |  <  p(X) 

where  p  is  called  the  distinguishing  gap  for  V  and  A. 

Furthermore,  we  say  that  iO  is  ^-indistinguishable  if  the  above  security  condition  holds  with  a 
distinguishing  gap  p  bounded  by  5.  Especially,  iO  is  sub-exponentially  indistinguishable  if  p( A) 
is  bounded  by  2~x~  for  a  constant  e. 

Note  that  in  the  security  guarantee  above,  the  distribution  V  samples  algorithms  AL\,  AL2  that 
has  the  same  functionality,  and  matching  bound  parameters.  This  means,  an  obfuscated  machine 
“reveals”  the  functionality  (as  desired)  and  these  bound  parameters.  We  remark  that  the  leakage 
of  the  latter  is  without  loss  of  generality:  In  the  case  of  circuits,  all  bound  parameters  are  set  to  2X. 
In  the  case  of  other  algorithm  classes,  say  Turing  and  RAM  machines.  If  an  iO  scheme  ensures  that 
one  parameter,  say  AL.S ,  is  not  revealed,  one  can  simply  consider  a  representation  that  always 
sets  that  parameter  to  2^;  then  security  definition  automatically  ensures  privacy  of  that  parameter. 
See  Remark  1  for  more  details. 

Definition  9  (Different  Levels  of  Efficiency  of  IO).  We  say  that  an  indistinguishability  obfuscator 
iO  of  a  class  of  algorithms  {AC\}  has  optimal  efficiency,  if  there  is  a  universal  polynomial  p  such 
that  for  every  A  £  N,  and  every  AL  £  AC\,  iO(lx,  AL)  runs  in  time  p(  A,  |AL|). 

Additionally,  we  say  that  iO  has  input-  /  space-  /  linear-time-  dependent  complexity,  if 
iO(lx,  AL)  runs  in  time  poly(A,  \AL\,  AL.n)  /  poly  (A,  \AL\,  AL.S)  /  poly(A,  |AL|)AL.T. 

We  note  that  unlike  the  case  of  garbling  schemes,  the  optimal  efficiency  of  an  iO  scheme  does 
not  need  to  depend  on  the  length  of  the  output.  Loosely  speaking,  the  stems  from  the  fact  that 
indistinguishability-based  security  does  not  require  “programing”  outputs,  which  is  the  case  in 
simulation-based  security  for  garbling. 
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iO  for  Specific  Algorithm  Classes.  We  recall  the  definition  of  iO  for  polynomial-sized  circuits, 
NC1  [BGI+01];  and  give  definitions  of  iO  for  polynomial  time  Turing  machines  [BCP14]  and  RAM 
machines  with  different  efficiency  guarantees. 

Definition  10  (Indistinguishability  Obfuscator  for  Poly-sized  Circuits  and  NC1).  A  uniform  PPT 
machine  iC>ciR(-,-)  an  indistinguishability  obfuscator  for  polynomial-sized  circuits  if  it  is  an  in¬ 
distinguishability  obfuscator  for  CIR  with  optimal  efficiency. 

A  uniform  PPT  machine  iONCi  (•,  •,  •)  is  an  indistinguishability  obfuscator  for  NC1  circuits  if 
for  all  constants  c  G  A f,  iONCi  (c,  •,  •)  is  an  indistinguishability  obfuscator  for  NCc  with  optimal 
efficiency. 

Definition  11  (IO  for  Turing  Machines).  A  uniform  machine  iOju(--,-)  is  a  indistinguishability 
obfuscator  for  polynomial-time  Turing  machines,  with  optimal  efficiency  or  input-  /  space- dependent 
complexity,  if  it  is  an  indistinguishability  obfuscator  for  the  class  TM  with  the  same  efficiency. 

Recently,  the  works  by  [BCP14,  ABG+13]  give  constructions  of  iO  for  Turing  machines10 
with  input-dependent  complexity  assuming  FHE,  differing-input  obfuscation  for  circuits,  and  P- 
certificates  [CLP  13];  furthermore,  the  dependency  on  input  lengths  can  be  removed — leading  to  a 
scheme  with  optimal  efficiency — if  assuming  SNARK  instead  of  P-certificates. 

Definition  12  (iO  for  RAM  Machines).  A  uniform  machine  iOj^/\{-,  •)  is  a  indistinguishability 
obfuscator  for  polynomial-time  Turing  machines,  with  optimal  efficiency  or  linear- time- dependent 
complexity,  if  it  is  an  indistinguishability  obfuscator  for  the  class  RAM  with  the  same  efficiency. 

Remark  1  (Explicit  v.s.  Implicit  Bound  Parameters).  In  the  above  definitions  of  Garbling  Scheme 
and  iO  for  general  algorithms,  we  considered  a  canonical  representation  of  algorithms  AL  that 
gives  information  of  various  bound  parameters  of  the  algorithm,  specifically,  the  size  \AL\,  bound 
on  input  and  output  lengths  AL.n ,  AL.m,  space  complexity  AL.S,  and  time  complexity  AL.T .  This 
representation  allows  us  to  define,  in  a  unified  way,  different  garbling  and  iO  schemes  that  depend 
on  different  subsets  of  parameters.  For  instance, 

•  The  Garbling  and  iO  schemes  for  TM  that  we  construct  in  Section  3  and  6  (from  iO  and  sub- 
exp  iO  for  circuits  respectively)  has  complexity  poly(|AL|,  AL. S,  log(AL.T)) .  (In  particular, 
the  size  of  the  garbled  TM  and  obfuscated  TM  is  of  this  order.) 

•  The  garbling  scheme  for  TM  constructed  (from  iO  for  TM)  sketched  in  the  introduction  has 
complexity  poly(|  AL|,  AL.n ,  AL.m,  log  (AL.T)). 

•  The  garbling  scheme  for  RAM  from  one-way  functions  by  [L013,  GHL+  If]  has  complexity 
scales  polynomially  in  (\AL\,  AL.n,  AL.m)  and  quasi-linearly  in  AL.T.  This  construction 
leads  to  an  iO  for  RAM  (from  sub- exp  iO  for  circuits)  of  the  same  complexity  in  6. 

By  using  the  canonical  representation,  our  general  definition  allows  the  garbling  or  iO  scheme 
to  depend  on  any  subset  of  parameters  flexibly.  Naturally,  if  a  scheme  depends  on  a  subset  of  param¬ 
eters,  the  resulting  garbled  or  obfuscated  machines  may  “leak”  these  parameters  (in  the  above  three 
examples  above,  the  size  of  the  garbled  or  obfuscated  machines  leaks  the  parameters  they  depend  on); 
thus,  the  security  definitions  must  reflect  this  “ leakage  ”  correspondingly.  The  general  security  defi¬ 
nitions  2  and  8  captures  this  by  allowing  leakage  of  all  parameters  \AL\,  AL.n,  AL.m,  AL.S,  AL.T . 

10Their  works  actually  realize  the  stronger  notion  of  differing-input,  or  extractability,  obfuscation  for  Turing  ma¬ 
chines 
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However,  this  seems  to  “overshoot”,  as  if  a  specific  scheme  does  not  depend  on  a  particular  param¬ 
eter  (e.g.  AL.S),  then  this  parameter  should  be  kept  private.  This  can  be  easily  achieved,  by  simply 
considering  an  algorithm  representation  that  always  set  that  parameter  to  2X  (e.g.  AL.S  =  2X). 

2.4  Puncturable  Pseudo-Random  Functions 

We  recall  the  definition  of  puncturable  pseudo-random  functions  (PRF)  from  [SW14].  Since  in  this 
work,  we  only  uses  puncturing  at  one  point,  the  definition  below  is  restricted  to  puncturing  only 
at  one  point  instead  of  at  a  polynomially  many  points. 

Definition  (Puncturable  PRFs).  A  puncturable  family  of  PRFs  is  given  by  a  triple  of  uniform  PPT 
machines  (PRF-Gen,  PRF-Punc,  F),  and  a  pair  of  computable  functions  n(-)  and  m(-),  satisfying  the 
following  conditions: 

Correctness.  For  all  outputs  K  o/PRF-Gen(lA),  allpointsi  £  {0,  l}n(A\  andK(-i)  =  PRF-Punc(it,  i), 
we  have  that  F (K(—i),x)  =  F (K,x)  for  all  x  fii. 

Pseudorandom  at  punctured  point.  For  every  PPT  adversary  (A\,A2),  there  is  a  negligible 
function  /./,  such  that  in  an  experiment  where  Mi(lA)  outputs  a  point  i  £  {0,  l}n(A)  and  a  state 
a,  K  £-  PRF-Gen(lA)  and  K(i )  =  PRF-Punc(iG,  i),  the  following  holds 

\Pv[A2(a,K(i),i,F(K,i))  =  l}-Pv[A2(a,K(i),i,Um{x))  =  1] |  <  A) 

where  fi  is  called  the  distinguishing  gap  for  (Mi,  M2). 

Furthermore,  we  say  that  the  puncturable  PRF  is  ^-indistinguishable  if  the  above  pseudorandom 
property  holds  with  a  distinguishing  gap  bounded  by  5.  Especially,  the  puncturable  PRF  is  sub- 
exponentially  indistinguishable  if  /i(A)  is  bounded  by  2~x e  for  a  constant  e. 

As  observed  by  [BW13,  BGI14,  KPTZ13],  the  GGM  tree-based  construction  of  PRFs  [GGM86] 
from  pseudorandom  generators  (PRGs)  yields  puncturable  PRFs.  Furthermore,  it  is  easy  to  see 
that  if  the  PRG  underlying  the  GGM  construction  is  sub-exponentially  hard  (and  this  can  in  turn  be 
built  from  sub-exponentially  hard  OWFs),  then  the  resulting  puncturable  PRF  is  sub-exponentially 
pseudo-random. 

3  A  Succinct  Garbling  Scheme  for  BSTM 

In  this  section,  we  construct  a  garbling  scheme  for  the  class  of  Turing  machines  TM  with  space- 
dependent  complexity.  Thus  when  the  space  complexity  of  the  TM  is  bounded,  it  yields  a  succinct 
scheme.  We  will  see  in  the  next  section  that  our  construction  for  Turing  machines  directly  applies 
to  general  bounded  space  computation. 

Theorem  5.  Assuming  the  existence  of  10  for  circuits  and  one-way  functions.  There  exists  a 
garbling  scheme  for  TM  with  space- dependent  complexity. 

Towards  this,  we  proceed  in  two  steps:  In  the  first  step,  we  construct  a  non-succinct  garbling 
scheme  for  TM,  which  satisfies  the  correctness  and  security  requirements  of  Definition  1  and  2, 
except  that  the  garbling  and  evaluation  algorithms  can  run  in  time  polynomial  in  both  the  time 
and  space  complexity,  M.T  and  M.S,  of  the  garbled  Turing  machine  M  (as  well  as  the  simulation 
algorithm);  the  produced  garbled  Turing  machine  is  of  size  in  the  same  order.  In  the  second  step, 
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we  show  how  to  reduce  the  complexity  to  depend  only  on  the  space  complexity  M.S,  leading  to  a 
garbling  scheme  with  space-dependent  complexity.  Since  in  this  section,  only  the  space  and  time 
bound  parameters  matter,  we  will  simply  write  S  and  T  as  M.S  and  M.T ,  and  we  use  the  notion 
D  to  represent  the  description  size  of  M. 

3.1  A  Non-Succinct  Garbling  Scheme 

Overview.  The  execution  of  a  Turing  machine  M  consists  of  a  sequence  of  steps,  where  each  step 
t  depends  on  the  description  of  the  machine  M  and  its  current  configuration  conf^,  and  produces 
the  next  configuration  confj+i.  In  the  Turing  machine  model,  each  step  takes  constant  time, 
independent  of  the  size  of  the  Turing  machine  and  its  configuration.  However,  each  step  can  be 
implemented  using  a  circuit  Next15"5  that  on  input  (M,  conft)  with  \M\  <  D,  |  confj  |  <  S,  outputs 
the  next  configuration  confj+i — we  call  this  circuit  the  “universal  next-step  circuit”.  The  size  of 
the  circuit  is  a  fixed  polynomial  pNext  in  the  size  of  the  machine  and  the  configuration,  that  is, 
PNext{D,  S).  The  whole  execution  of  M (x)  can  be  carried  out  by  performing  at  most  T  evaluations 
of  NextD’5(M,  •),  producing  a  chain  of  configurations  denoted  by, 

CONFIG(M,  x)  =  (T*,  confi,  •  •  •  ,  conf-r, conf^+i),  where  T*  =  Tm(x),  confi  is  the  ini¬ 
tial  configuration  with  input  x  {confi,  •  •  •  ,  conf^-i,  conf^*}  are  the  sequence  of  con¬ 
figurations  until  M{x )  halts  (confi  is  the  configuration  before  the  tth  step  starts),  and 
{confj’*,  •  •  •  ,  conbr+i}  are  simply  set  to  the  output  y  =  M(x). 

We  note  that  the  initial  configuration  confi  can  be  derived  efficiently  from  x,  conf^* 
is  called  the  final  configuration,  which  can  be  efficiently  recognized  and  from  which  an 
output  y  can  be  extracted  efficiently. 

When  succinctness  is  not  required,  the  natural  idea  to  garble  a  T-step  Turing  machine  compu¬ 
tation  of  M(x)  is  to  produce  a  chain  of  T  garbled  circuits  (Ci,  •  •  •  ,  C t),  for  evaluating  the  next 
step  circuit  Next13’5  (Af,  •)  for  M.  The  tth  circuit  C t  is  designated  to  compute  from  the  tth  configu¬ 
ration  confj  (as  input)  to  the  next  confi+i;  if  the  produced  conft+i  is  a  final  configuration,  then  it 
simply  outputs  the  output  y:  otherwise,  to  enable  the  evaluation  of  the  next  garbled  circuit  Ci+i, 
it  translates  confi+i  into  the  corresponding  garbled  inputs  conft_|_i  for  Ci+i  —we  call  C i  the  fth 
step-circuit.  Then  evaluation  propagates  and  the  intermediate  configurations  of  the  execution  of 
M  on  x  is  implicitly  computed  one  by  one,  until  it  reaches  the  final  configuration,  in  which  case, 
an  output  is  produced  explicitly  (without  translating  into  the  garbled  inputs  of  the  next  garbled 
circuit).  Since  each  computation  step  is  garbled,  and  all  intermediate  configurations,  except  from 
the  final  output  y,  are  “encrypted”  as  garbled  inputs,  the  entire  chain  of  garbled  circuits  can  be 
simulated  given  only  the  output  y. 

Finally,  we  note  that  each  step-circuit  C t  evaluates  NextD,s  (Mt  •)  and  has  the  capability  of 
garbling  an  input  for  the  next  garbled  circuit  Cp,  this  can  only  be  achieved  if  the  circuit  garbling 
scheme  has  independent  key  generation,  which  ensures  that  the  input  garbling  can  be  done  inde¬ 
pendently  of  the  circuit  garbling,  and  only  takes  time  polynomial  in  the  length  of  the  input  (rather 
than,  in  the  size  of  the  circuit). 

Our  Non-Succinct  Garbling  Scheme.  We  now  describe  formally  our  non-succinct  garbling 
scheme  QSns  =  (Garbns,  Encoderas,  Evalns).  We  rely  on  a  garbling  scheme  for  polynomial-sized 
circuits  with  independent  key  generation. 
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•  Let  t/5ciR  =  (GarbciR,  EncodeciR,  EvalciR)  be  a  garbling  scheme  for  polynomial-sized  circuits, 
and  SimciR  the  simulation  algorithm.  We  require  £?5cir  to  have  independent  key  generation, 
that  is,  GarbciR  =  (GenciR,  GbciR),  and  SimciR  =  (Sim-GenciR,  Sim-GbciR)  as  described  in 
Definition  7. 

Let  Next'0"9  be  the  universal  next  step  circuit  for  machine  of  size  at  most  D  and  space  complexity 
at  most  5;  it  has  a  fixed  polynomial  size  pNext(D,  S )  and  can  be  generated  efficiently  given  D  and 
S.  For  every  A  and  M  6  TM^,  our  scheme  proceeds  as  follows: 

The  garbling  algorithm  Garbns(lA,  M): 

Let  S  =  M.S,  T  =  M.T  and  D  =  \M\. 

Sample  2 T  sufficiently  long  random  strings  a\ ,at  and  /3i ,  -  -  - /?*;  produce  a  chain  of  T 
garbled  circuits  using  GarbciR  by  running  the  following  program  for  every  t  G  [T], 

Program  PA’5’M(t  ;  (at,at+i,  fit))  ■ 

1.  Generate  the  key  keyt+1  for  the  next  garbled  circuit: 

If  t  <  T,  compute  the  key  for  the  t  +  1th  garbled  circuit  keyt+1  =  GenciR(lA,  l,s;cq+i) 
using  randomness  cq+i-  (Note  that  key^.  is  generated  for  inputs  of  length  S .) 

2.  Prepare  the  step-circuit  Ct: 

Stept  on  a  5-bit  input  confi  (i)  compute  conft+i  =  Next°'5(M,  conf*);  (ii)  if  conft+i 
is  a  final  configuration,  simply  outputs  the  output  y  contained  in  it11;  (iii)  otherwise, 
translate  conft+i  to  the  garbled  inputs  of  the  t  +  1th  garbled  circuit,  by  computing 
confi+i  =  EncodeC|R  (keym,  confm). 

3.  Garble  the  step-circuit  Ct: 

Compute  the  key  using  randomness  at,  keyt  =  GenciR(lA,  Is;  at),  and  garble  Ct  using 
randomness  fdt,  Ct  =  GbC|R(keyt,  Cf;  j3t), 

4.  Output  C t- 

Generate  key  as  follows:  Compute  the  key  for  the  first  garbled  circuit  using  randomness  Q| , 
keyx  =  GenCiR(lA,  l5;ai);  set  key  =  keyx  ||15. 

Finally,  output  M  =  (Ci,  •  •  •  ,  Ct),  key. 

The  encoding  algorithm  Encodens(key,  x):  Let  confi  G  {0,  l}5  be  the  initial  configuration  of 
M  with  input  x;  compute  x  =  confi  =  EncodeciR(keyl5 confi). 

The  evaluation  algorithm  Eval  ns(M,x):  Evaluate  the  chain  of  garbled  circuits  Af  =  (Ci,--  -  ,  Ct) 
in  sequence  in  T  iterations:  In  iteration  t,  compute  z  =  EvalciR(Ct,  conft);  if  z  is  the  garbled 
inputs  confi+i  for  the  next  garbled  circuit  Ct+i,  proceed  to  the  next  iteration;  otherwise, 
terminate  and  output  y  =  z. 

Next,  we  proceed  to  show  that  QSns  is  a  non-succinct  garbling  scheme  for  TM. 

Efficiency.  We  summarize  the  complexity  of  different  algorithms  of  the  non-succinct  scheme. 

It  is  easy  to  see  that  for  any  Turing  machine  M  with  D  =  \M\,  S  =  M.S  and  T  =  M.T,  the 
garbling  algorithm  Garbns  runs  in  time  poly(A,  D,  5)  x  T,  and  produces  a  garbling  machine  of  size 
in  the  same  order.  Thus  the  garbling  scheme  is  non-succinct.  On  the  other  hand,  the  encoding 
and  evaluation  algorithms  Encoderas  and  Evalns  are  all  deterministic  polynomial  time  algorithms. 
Finally,  the  simulation  run  in  time  poly(A,  D,S)  x  T  as  the  garbling  algorithm. 

11Pad  y  with  0  if  it  is  not  long  enough 
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Correctness.  We  show  that  for  every  polynomial  T' ,  every  sequence  of  algorithms  {M  =  M\}  £ 
{TM^  },  and  sequence  of  inputs  {x  =  x\}  where  x\  £  {0,  l}M'n,  there  exists  a  negligible  function 
H,  such  that, 

Pr[(key,  M)  A  Garbns(l\  M),  x  =  Encodens(key,  x)  :  Eval ns(M,x)  /  M(x)\  <  /x( A) 

Let  CONFIG(M,  x)  =  (T*,  confi,  •  •  •  ,  confer,  conf t+i)  be  the  sequence  of  configurations  gener¬ 
ated  in  the  computation  of  M(x),  where  T  <  T'( A).  It  follows  from  the  correctness  of  the  circuit 
garbling  scheme  GarbciR  that  with  overwhelming  probability  (over  the  randomness  of  Garbns),  the 
following  is  true:  (1)  for  every  t  <  T* ,  the  garbled  circuit  C t,  if  given  the  garbled  input  conft  cor¬ 
responding  to  confj,  computes  the  correct  garbled  inputs  confi+i  corresponding  to  conff+i,  and  (2) 
for  t  =  T*,  the  garbled  circuit  C t*,  if  given  the  garbled  input  confer* -i  corresponding  to  confr*_i, 
produces  the  correct  output  y.  (Note  that  the  evaluation  procedure  terminates  after  T*  iterations 
and  circuits  C*  for  t  >  T*  are  never  evaluated).  Then  since  the  garbled  input  x  equals  to  the 
garbled  initial  configuration  confi,  by  conditions  (1)  and  (2),  the  evaluation  procedure  produces 
the  correct  output  with  overwhelming  probability. 

Security.  Fix  any  polynomial  T1 ,  any  sequence  of  algorithms  {M  =  M\\  £  {TM^  },  and  any 
sequence  of  inputs  {x  =  .ta}  where  x\  £  {0,  l)Mn.  Towards  showing  the  security  of  QSns ,  we 
construct  a  simulation  algorithm  Simns,  and  show  that  the  following  two  ensembles  are  indistin¬ 
guishable:  For  convenience  of  notation,  we  suppress  the  appearance  of  M.n  and  M.m  as  input  to 
Sim. 

|realns(lA,  M,  x)|  =  |(M,  key)  A  Garbns(lA,  M),  x  =  Encodens(key,  x)  :  (M,f)j  (1) 

|simuns(lA,  M,  x)|  =  {(M,x)^S\mns(lx,lW,lm,S,T,TM(x),M(x))  :  (M,x)}^  (2) 

Below  we  describe  the  simulation  algorithm.  Observe  that  the  garbled  machine  M  consists  of  T 
garbled  circuits  (Ci,  •  •  •  ,  Ct)  and  the  garbled  input  x  is  simply  the  garbled  input  of  the  initial  con¬ 
figuration  confo  (corresponding  to  x)  for  the  first  garbled  circuit  Ci.  Naturally,  to  simulate  them, 
the  algorithm  Simn,s  needs  to  utilize  the  simulation  algorithm  SimciR  =  (Sim-GenciR.  Sim-GbciR)  of 
the  circuit  garbling  scheme,  which  requires  knowing  the  output  of  each  garbled  circuit.  In  a  real 
evaluation  with  M,  x,  the  output  of  the  (T*)th  garbled  circuit  is  y  =  M(x),  the  output  of  the 
garbled  circuits  t  <  T*  is  the  garbled  input  conft+i  for  next  garbled  circuit  t  +  1,  and  the  garbled 
circuits  t  >  T*  are  not  evaluated,  but  for  which  y  is  a  valid  output.  Thus,  in  the  simulation,  garbled 
circuits  t  =  T* ,  •  •  •  ,  T  can  be  simulated  using  output  y.  whereas  garbled  circuits  t  =  1,  •  •  ■  ,  T*  —  1 
will  be  simulated  using  the  simulated  garbled  inputs  for  circuit  t  +  1 .  More  precisely, 

The  simulation  algorithm  Simns(lA,  l^l,  llMl ,S,T,T*  =  T]\i(x),y  =  M(x )): 

Sample  2 T  sufficiently  long  random  strings  a i,--  -  ,Pt-  Simulate  the  chain  of 

garbled  circuits  by  running  the  following  program  for  every  t  £  [T], 

Program  QA’S’lMl’T*’3/(t  ;  (at,at+i,  fit))  ■ 

1.  Prepare  the  output  outt  for  the  tth  simulated  circuit  Ct: 

If  t  >  T* .  outt  =  y-  Otherwise,  if  t  <  T*^ set  the  output  as  the  garbled  input  for 
the  next  garbled  circuits,  that  is,  outt  =  conft+i  computed  from  (conft+i,  stt+i)  = 
Sim-GenciR(lA,  Is  ;  at+i)  using  randomness  att+ 1- 
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2.  Simulate  the  tth  step-circuit  C t.: 

Given  the  output  outt ,  simulate  the  tth  garbled  circuit  Ct  by  computing  first  (conft,  stt)  = 
Sim-GenciR(lA,  l5  ;  at)  and  then  Ct  =  Sim-GbciR(lA,  1  ,  l9,  outt,  stt  ;  /3t),  using  random¬ 
ness  at,  fit  where  q  =  q( A,  S)  is  the  size  of  the  circuit  Ct. 

3.  Output  C t- 

Simulate  the  garbled  input  x  by  computing  again  (confi,sti)  =  Sim-GenciR(lA,  l5  ;  a\)  using 
randomness  a\ ,  and  setting  x  =  confi. 

Finally,  output  (M  =  (Ci,  •  •  •  ,  C t),x). 

Towards  showing  the  indistinguishability  between  honestly  generated  garbling  (M,  x)  and  the 
simulation  (M,x),  we  will  consider  a  sequence  of  hybrids  hyb°s,  •  •  •  ,  hyb^,  where  hyb°s  samples 
(M,x)  honestly,  while  hyb^s  generates  the  simulated  garbling  (M,x).  In  every  intermediate  hybrid 
hyb7s,  a  hybrid  simulator  HSim7,,  is  invoked,  producing  a  pair  (M1,x1)  .  At  a  high-level,  the  7th 
hybrid  simulator  on  input  (1A,M,  x)  simulate  the  first  7  —  1  garbled  circuits  using  the  program 
Q,  generates  the  last  T  —  7  garbled  circuits  honestly  using  the  program  P,  and  simulates  the  7th 
garbled  circuits  using  the  program  R  described  below,  which  “stitches”  together  the  first  7  —  1 
simulated  circuits  with  the  last  T  —  7  honest  circuits  into  a  chain  that  evaluates  to  the  correct 
output.  More  precisely,  we  will  denote  by 

COMBINE[(Pi,  Si),  •,  (P(,  5^)]  a  merged  circuit  that  on  input  x  in  the  domain  X,  com¬ 
putes  Pj(x )  if  x  &  Sj,  where  Si,  -  ■  ■  ,Sf  is  a  partition  of  the  domain  X. 

The  hybrid  simulation  algorithm  HSim7g(lA,  M,  x)  for  7  =  0,  •  •  •  ,  T: 

Compute  T*  =  Tm(x )  and  y  =  M(x),  and  the  intermediate  configuration  conf7+i  as  defined 
by  CONFIG (M,x). 

Sample  2 T  sufficiently  long  random  strings  {at,  Pt}te[T]-  Simulate  the  chain  of  garbled  circuits 
by  running  the  following  program  for  every  f  £  [ T ],  which  combines  programs  P,  Q  and  R 
as  below. 

Program  M7  =  COMBINE  [(Q,  [7  -  1]),  (R,{7»,  (P,  [7  +  1, 2”])]  (t  ;  (at,at+i,  (3t))  : 

•  If  t  <  7  —  1,  compute  Ct  =  QA-7IMI -T*’y(t  ;  (at,  at+\,  fit))',  output  Ct. 

•  If  t  >  7  +  1,  compute  Ct  =  P X’S’M(t  ;  (at,at+i,f3t))',  output  Ct. 

•  If  t  =  7,  compute  Ct  =  RA>5'confT-+i  (^  j  (a7,  a7+i,  j3^))  define  as  follow: 

1 .  Prepare  the  output  out 7  of  the  simulated  jth  circuit  Ct : 

Set  the  output  out7  to  y  if  conf7+i  is  a  final  configuration.  Otherwise,  the  output 
should  be  the  garbled  input  corresponding  to  conf7+i  for  the  next  garbled  circuit; 
since  the  7  +  1th  circuit  is  generated  honestly,  we  compute  out 7  =  conf7+i  by 
first  computing  key7+1  =  GenciR(lA,  l5  ;  a7+i),  and  then  encoding  conf7+i  = 
EncodeGR(key7+1,conf7+1). 

(Note  that  the  difference  between  program  Q  and  R  is  that  the  former  prepares  the 
output  out7  using  simulated  garbled  input  confj+i,  whereas  the  latter  using  honestly 
generated  garbled  input  conf7+i.) 

2.  Simulate  the  7th  circuit  Ct: 

Given  the  output  ouf7,  simulate  the  7th  garbled  circuit  C7  by  computing  (conf7,  st7)  = 
Sim-GenciR(lA,  Is  ;  a7)  and  C t  =  Sim-GbciR(lA,  l5,  l9,  out7,  st7  ;  /07),  where  q  = 
q( A,  S )  is  the  size  of  the  circuit  Ct. 
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If  7  >  0,  simulate  the  garbled  input  x7  as  Simns  does.  Otherwise,  if  7  =  0,  generate  the 
garbled  input  xq  honestly  as  in  Garbns  and  Encode,^. 

Finally,  output  (M7  =  (Ci,  •  •  •  ,  C7,  C7+iCt),  cc7). 

We  overload  notation  hyb^s(lA,  M,  x)  as  the  output  distribution  of  the  hybrid  simulator  HSim)(s. 
By  construction,  in  HSim^s,  when  7  =  0,  M°  =  P  and  the  garbled  input  xq  is  generated  honestly; 
thus,  {hyb^s(lA,  M,  x)}  =  {realns(lA,  M,  x)}  (where  realns  is  the  distribution  of  honestly  generated 
garbling;  see  equation  (1));  furthermore,  when  7  =  T,  M°  =  Q  and  the  garbled  input  x7  is  simu¬ 
lated;  thus  {hyb^s(lA,  M,  x)}  =  |simuns(lA,  M,  x)}  (where  simuns  is  the  distribution  of  simulated 
garbling;  see  equation  (2)).  Thus  to  show  the  indistinguishability  between  {realns(lA,  M,  x)}  and 
{simuns(lA,  Af,  a;)},  it  suffices  to  show  the  following  claim: 

Claim  1.  For  every  7  G  N,  the  following  holds 

(1  \M,x)}a 

Proof.  Fix  a  7  G  N,  a  sufficiently  large  A  6  N,  an  M  =  M\  and  ax  =  x\.  The  only  difference 
between  the  garbling  (M7_  1,  x7_i)  sampled  by  hyb((“1(lA,  M,  x)  and  the  garbling  (M7,  x7)  sampled 
by  hyb^s(lA,  M,  x)  is  the  following:  Let  conf7  be  the  intermediate  configuration  at  the  beginning 
of  step  7. 

•  In  hyb^”1,  the  7th  garbled  circuit  C7  is  generated  honestly  using  program  P.  The  circuit 
C7  (as  described  in  algorithm  Garbns)  is  the  composition  of  the  circuit  NextA,s(Af,  •)  and  the 
encoding  algorithm  EncodeciR(key7+1,  ■),  where  key7+1  =  GenciR(lA,  Is;  a7+i)  is  generated 
honestly. 

Furthermore,  the  first  7  —  1  garbled  circuits  are  simulated  using  R  and  Q.  The  simulation  of 
the  first  7  —  1  circuits  as  well  as  the  generation  of  the  garbled  input  x1  depends  potentially  on 
the  garbled  input  conf7  corresponding  to  conf7  for  C7  (when  conf7  is  not  a  final  configuration; 
see  Step  1  in  R). 

In  other  words,  the  output  of  hyb^”1  can  be  generated  by  the  following  alternative  sampling 
algorithm: 

—  Generate  garbled  circuits  7  + 1 ,  •  •  •  ,  T  honestly  using  program  P ;  prepare  the  7th  circuit 
C7  using  key7+1. 

—  Receive  externally  honest  garbling  (C7,conf7)  of  (C7,conf7). 

—  Simulate  the  first  7  —  1  circuits  using  R  and  Q,  with  conf7  hardwired  in  R. 

•  In  hyb^s,  the  7th  garbled  circuit  C7  is  simulated  using  program  R;  the  output  oitt7  used  for 
simulation  is  set  to  either  y  (if  conf7+i  is  a  final  configuration)  or  the  honestly  generated 
gabled  input  conf7+i.  In  other  words,  ont7  =  C7(conf7),  where  C7  is  prepared  in  the  same 
way  as  above. 

Furthermore,  the  previous  7  —  1  garbled  circuits  are  also  simulated  using  program  Q.  Their 
simulation  as  well  as  the  generation  of  the  garbled  input  x7+i  depends  potentially  on  the 
corresponding  simulated  garbled  input  conf7  of  C7. 

In  other  words,  the  output  of  hyb^s  can  be  generated  by  the  same  alternative  sampling 
algorithm  above,  except  that  the  second  step  is  modified  to: 
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—  Receive  externally  simulated  garbling  (C7,conf7)  generated  using  output  C7(conf7). 


Then  it  follows  from  the  security  of  the  circuit  garbling  scheme  f/5ciR  that  the  distributions  of 
(C7,conf7)  and  (C7,conf7)  received  externally  by  the  alternative  sampling  algorithm  above  are 
computationally  indistinguishable,  and  thus  the  distributions  of  outputs  of  hyb))”1  and  hyb^s,  which 
can  be  efficiently  constructed  from  them,  are  also  indistinguishable  □ 

Finally,  by  the  above  claim,  it  follows  from  a  hybrid  argument  over  7,  that  {realns(lA,  M,  x)} 
and  {simur)S(lA,  M,  x)}  are  indistinguishable;  Hence,  QSns  is  a  secure  garbling  scheme  for  TM. 

3.2  A  Garbling  Scheme  for  TM  with  Space-dependent  Complexity 

In  this  section,  we  construct  a  garbling  scheme  QS  =  (Garb,  Encode,  Eval)  for  TM  with  space- 
dependent  complexity.  This  scheme  will  rely  on  the  non-succinct  garbling  scheme  QSns  =  (Garbns, 
Encodens,  Evalns)  in  a  non-black-box,  but  largely  modular,  way. 

Overview.  The  garbling  scheme  QSns  described  in  the  previous  section  is  non-succinct  because 
its  garbling  algorithm  Garbns  runs  in  time  proportional  to  the  time-bound  T  (and  generates  a 
garbling  of  size  proportional  to  T.)  Our  first  observation  is  that  the  “bulk”  of  the  computation  of 
Garbns  is  evaluating  the  same  randomized  program  P(-)  for  T  times  with  coordinated  random  coins , 
to  create  a  chain  of  garbled  circuits: 

M  =  (Ci,  •  •  •  ,  Ct),  Ct  =  P (i;  at,  at+i,/3t) 

The  complexity  of  each  garbled  circuit  depends  only  on  the  size  of  M  and  its  space  complexity 
S,  that  is,  poly  (D,S)  (independent  of  T ).  Our  main  idea  towards  constructing  a  garbling  scheme 
QS  with  space-dependent  complexity  is  to  defer  the  T  executions  of  P,  from  garbling  time  (that 
is,  in  Garb),  to  evaluation  time  (that  is,  in  Eval),  by  using  an  indistinguishability  obfuscator  iO 
for  circuits.  More  specifically,  instead  of  computing  the  chain  of  garbled  circuits  M  directly,  the 
new  garbling  algorithm  Garb  generates  an  obfuscation  of  the  program  P,  that  is  P  =  iO( P),  and 
use  that  as  the  new  garbled  machine;  (since  P  has  size  poly (D,S),  the  obfuscation  is  “succinct” 
and  so  is  the  new  garbling  algorithm).  The  procedure  for  creating  garbled  inputs  x  remains  the 
same  as  in  the  non-succinct  scheme  QSns.  Then,  on  input  (P,x),  the  new  evaluation  algorithm 
Eval  first  generates  the  chain  of  garbled  circuits  M  =  (Ci,  •  •  •  ,  Ct)  by  evaluating  P  on  inputs  from 
1,  ■  ■  •  T;  once  the  chain  M  of  garbled  circuits  is  generated,  the  output  can  be  computed  by  evaluating 
Evalns(M,  x)  as  in  the  non-succinct  scheme  QSns.  (Note  that  to  make  sure  that  evaluation  algorithm 
has  instance-based  efficiency,  the  algorithm  Eval  actually  generates  and  evaluates  Ct’s  one  by  one, 
and  terminates  as  soon  as  an  output  is  produced.) 

To  make  the  above  high-level  idea  go  through,  a  few  details  need  to  be  taken  care  of.  First, 
the  program  P  is  randomized,  whereas  indistinguishability  obfuscators  only  handles  deterministic 
circuits.  This  issue  is  resolved  by  obfuscating,  instead,  a  wrapper  program  P (t)  that  runs  P (t)  with 
pseudo-random  coins  generated  using  a  PRF  on  input  t.  In  fact,  the  use  of  pseudo-random  coins 
also  allows  coordinating  the  random  coins  used  in  different  invocations  of  P  on  different  inputs, 
so  that  they  will  produce  coherent  garbled  circuits  that  can  be  run  together.  The  second  question 
is  how  to  simulate  the  new  garbled  machine  P  iO( P).  In  the  non-succinct  scheme  the  chain 
M  of  garbled  circuits  is  simulated  by  running  the  program  Q  for  T  times  (again  with  coordinated 
random  coins), 

M  =  (Ci,  •  •  •  ,  Ct)  Ct  =  Q(f;  ay,  cq+i,  fit) 
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Naturally,  in  the  succinct  scheme,  the  simulation  creates  Q  <—  iO(Q)  (where  Q  is  the  de-randomized 
version  for  Q,  as  P  is  for  P).  By  the  pseudo-randomness  of  PRF  and  the  security  of  garbled 
circuits,  we  have  that  the  truth  tables  M  and  M  of  P  and  Q  are  indistinguishable;  but  this  does 
not  directly  imply  that  their  obfuscations  are  indistinguishable.  We  bridge  the  gap  by  considering 
the  obfuscation  of  a  sequence  of  hybrid  programs  (as  in  the  security  proof  of  the  non-succinct 
garbling  scheme). 

V7  G  [0,  T  +  1],  ivr  =  COMBINE  [(Q,  [7-1]),  (R,  {7}),  (P,  [7  +  1,  T])],  M7  A  iC>(M7) 

The  sequence  of  hybrid  programs  “morphs”  gradually  from  program  P  =  M°  to  program  Q  = 
Mt+1;  since  every  pair  of  subsequent  programs  M7  1 ,  M7  differs  only  at  two  inputs  (7  —  1  and  7) 
with  indistinguishable  outputs,  we  can  use  standard  techniques  such  as  puncturing  and  programing 
to  show  that  their  obfuscations  are  indistinguishable,  and  hence  so  are  P  and  Q. 

Our  Succinct  Garbling  Scheme.  We  now  describe  the  formal  construction,  which  relies  on  the 
following  building  blocks. 

•  A  garbling  scheme  for  polynomial-sized  circuits,  with  independent  key  generation:  f?5ciR  = 
(GarbciR,  EncodeciR,  EvalciR),  where  GarbciR  =  (GenciR,  GbciR)  and  its  the  simulation  algo¬ 
rithm  is  SimciR  =  (Sim-GenciR,  Sim-GbciR). 

•  An  indistinguishability  obfuscator  iO cir(-,  •)  for  polynomial-sized  circuits. 

•  A  puncturable  PRF  (PRF-Gen,  PRF-Punc,  F)  with  input  length  n( A)  and  output  length  m{ A), 
where  n( A)  can  be  set  to  any  super-logarithmic  function  n( A)  =  cu(logA),  and  m  is  a  suffi¬ 
ciently  large  polynomial  in  A. 

For  every  A  and  M  G  TM^,  the  garbling  scheme  QS  proceeds  as  follows: 

Circuit  P  =  P \,S,M,Ka,Kfj .  Qn  jnpU^  1  g  Joes: 

Generates  pseudo-random  strings  at  =  F (Ka,t),  at+ 1  =  F (Ka,t  +  1)  and  /3t  =  F(Kp,t); 
Compute  Ct  =  P  X’S’M(t  ;  (at,at+i,  (3t))  and  output  Cf. 

Circuit  Q  =  QA,S'>IMI.T  ,y,Ka,KB;  Qn  jnpU^  f  g  [X1] ,  does: 

Generate  pseudo-random  strings  at  =  F(AA,f),  cct+i  =  F (Ka,t+  1)  and  /3 1  =  F (Kp,t); 
Compute  Ct  =  QaA,|at| .  (at,  at+\,  Pt))  and  output  Ct. 

The  circuits  in  Figure  1,  2  and  3  are  padded  to  their  maximum  size. 

Figure  1:  Circuits  used  in  the  construction  and  simulation  of  QS 

The  garbling  algorithm  Garb(lA,M): 

1.  Sample  PRF  keys:  Ka  A  PRF-Gen(lA)  and  Kp  A  PRF-Gen(lA). 

2.  Obfuscate  the  circuit  P: 

Obfuscate  the  circuit  P (t)  =  F‘X'S,M,Ka,KP  (t)  as  described  in  Figure  1,  which  is  essentially 
a  wrapper  program  that  evaluates  P  on  t  using  pseudo-random  coins  generated  using 
Ka  and  Kp  as  described  above.  Obtain  P  e-  iO(lA,P). 

Approved  for  Public  Release;  Distribution  Unlimited. 

22 

99 


3.  Generate  the  key  for  garbling  input: 

Compute  key  in  the  same  way  as  the  garbling  scheme  Garbns  does,  but  using  pseudo¬ 
random  coins  generated  using  Ka.  That  is,  Compute  the  key  for  the  first  garbled  circuit 
using  randomness  a\  =  F (Ka,  1),  keyx  =  GenciR(lA,  l^ai);  set  key  =  keyx  Hi5. 

4.  Finally,  output  (P,  key). 

The  encoding  algorithm  Encode(key,  x):  Compute  x  =  Encodens(key,  x). 

The  evaluation  algorithm  Eval(P, x):  Generate  and  evaluate  the  garbled  circuits  in  the  non- 
succinct  garbling  M  one  by  one;  terminate  as  soon  as  an  output  is  produced.  More  precisely, 
evaluation  proceeds  in  T  iterations  as  follows: 

At  the  beginning  of  iteration  t  £  [T],  previous  t  —  1  garbled  circuits  has  been  generated  and 
evaluated,  producing  garbled  input  conR  (confi  =  x).  Then,  compute  C t  =  P(t)*,  evaluate 
z  =  EvalciR(Ct,  conft);  if  z  is  a  valid  output,  terminate  and  output  y  =  z\  otherwise,  proceed 
to  the  next  iteration  t  +  1  with  conff+i  =  z. 

Next,  we  proceed  to  show  that  QS  is  a  garbling  scheme  for  TM  with  space-dependent  complexity. 

Correctness.  Fix  any  machine  M  £  TM  and  input  x.  Recall  that  the  garbling  algorithm  Garb 
generates  a  pair  (P,  key);  the  latter  is  later  used  by  the  encoding  algorithm  Encode  to  obtain 
garbled  input  x,  while  the  former  is  later  used  by  the  evaluation  algorithm  Eva  I  to  create  the  non- 
succinct  garbling  M  =  { Cf  =  P(t)}terTi;  the  non-succinct  garbling  M  is  then  evaluated  with  x  using 
algorithm  Evalns.  The  distribution  of  the  garbled  input  and  the  non-succinct  garbling  recovered  by 
Eva  I  is  as  follows: 

T>i  =  j(P, key)  <£-  Garb(lA, M)  :  =  Encode(key, x),  M=  jct  =  P(f)j  )} 

It  follows  from  the  construction  of  Garb,  Encode  and  the  correctness  of  the  indistinguishability 
obfuscator  that  the  above  distribution  V\  is  identical  to  the  distribution  V 2  of  a  garbled  pair 
( M',x ')  generated  by  the  algorithms  Garbns,  Encodens  of  the  non-succinct  scheme,  using  pseudo¬ 
random  coins ,  formalized  below. 


V2  =  [Ka,Kp  A  PRF-Gen(lA),  Vf  £  [T],  at  =  F fo  =  F (Kfi,t)  : 

(x'  =  Encodens(key/  =  GenCiR(l\  l5;ai),  x),  M'  =  |ct  =  P(t;  at,  at+1,  Pt)}  )  } 

By  the  pseudo-randomness  of  PRF,  distribution  V2  is  computationally  indistinguishable  from  the 
garbled  pair  generated  by  Garbns,  Encoderas,  using  truly  random  coins. 

X>3  =  |(M",key")  A  Garbns(lA,  M)  :  (x"  =  Encoden.s(key",x-),  M"^j  | 

The  correctness  of  the  non-succinct  garbling  scheme  QSns  guarantees  that  with  overwhelming 
probability,  evaluating  M"  with  x"  produces  the  correct  output  y  =  M(x );  furthermore,  the  correct 
output  y  is  produced  after  evaluating  only  the  first  T*  =  Tm(x)  garbled  circuits.  Thus,  it  follows 
from  the  indistinguishability  between  T>  1  and  T> 3  that,  when  evaluating  a  garbled  pair  (Af ,  x) 
sampled  from  V\,  the  correct  output  y  is  also  produced  after  evaluating  the  first  T*  garbled  circuits. 
Given  that  T>\  is  exactly  the  distribution  of  the  non-succinct  garbled  pairs  generated  in  Eva  I,  we 
have  that  correctness  holds. 
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Efficiency.  We  show  that  the  garbling  scheme  QS  has  space-dependent  complexity. 

•  The  garbling  algorithm  Garb(lA,M)  runs  in  time  poly(A,  \M\,S).  This  is  because  Garb  pro¬ 
duces  an  obfuscation  of  the  program  P  (a  de-randomized  version  of  P )  which  garbles  cir¬ 
cuits  C t  using  pseudo-random  coins  for  every  input  t  £  [T],  Since  the  program  Ct  has  size 
q  =  poly(A,  \M\,S)  as  analyzed  in  the  non-succinct  garbling  scheme,  so  does  P  and  P  (note 
that  the  input  range  T  of  these  two  programs  are  contained  as  part  of  the  description  of 
M,  and  hence  \M\  >  logT).  Therefore,  Garb  takes  time  poly(A,  |M|,  S)  to  produced  the 
obfuscation  of  P.  Additionally,  notice  that  Garb  generates  the  key  as  the  algorithm  Garbns 
does,  which  in  turn  runs  GarbciR(lA,  l5)  and  takes  time  poly(A,  S ).  Overall,  Garb  runs  in  time 
poly(A,  \M\,S)  as  claimed. 

•  Encode  run  in  time  the  same  as  the  Encodens  algorithm  which  is  poly(A,  \M\,S). 

•  The  evaluation  algorithm  Eval  on  input  (P,  x)  produced  by  (P,  key)  A  Garb(lA,  Is)  and 
x  =  Encode(key,  x)  runs  in  time  poly(A,  \M\,  S)  x  T* ,  T*  =  Tm{x),  with  overwhelming 
probability. 

It  follows  from  the  analysis  of  correctness  of  QS  that  with  overwhelming  probability  over  the 
coins  of  Garb,  the  non-succinct  garbling  M  defined  by  P  satisfies  that  when  evaluated  with 
x ,  the  correct  output  is  produced  after  T*  iterations.  Since  Eval  does  not  compute  the  entire 
non-succinct  garbling  M  in  one  shot,  but  rather,  generates  and  evaluates  the  garbled  circuits 
in  M  one  by  one.  Thus  it  terminates  after  producing  and  evaluating  T*  garbled  circuits. 
Since  the  generation  and  evaluation  of  each  garbled  circuit  takes  poly  (A,  \M\,  S )  time,  overall 
Eval  runs  in  time  Tqq(x)  x  poly(A,  \M\,S)  as  claimed. 

Security.  Fix  any  polynomial  T' ,  any  sequence  of  algorithms  {M  =  M\}  6  {TM^  },  and  any 
sequence  of  inputs  {x  =  xq}  where  x\  €  {0,  l}M'n.  Towards  showing  the  security  of  QS,  we 
construct  a  simulator  Sim,  satisfying  that  the  following  two  ensembles  are  indistinguishable  in  A: 

|real(lA,  M,  x)j  =  j(P,  key)  A  Garb(lA,  M),  x  =  Encode(key,  x)  :  (P,x)j  (3) 

|simu(lA,  M,  x)|  =  {(Q,x)  ASim(lA,lNllMl,5,T,TM(x),M(x))  :  (Q,x)}a  (4) 

As  discussed  in  the  overview,  the  simulation  will  obfuscate  the  program  Q  used  for  simulating 
the  non-succinct  garbled  machine  M  =  (Ci,  •  •  •  ,  C^).  More  precisely, 

The  simulation  algorithm  Sim(lA,  l^l,  ilMl ,  s,  T,  T*  =  Tm{x),  y  =  M(x)): 

1.  Sample  PRF  keys:  Ka  A  PRF-Gen(lA)  and  Kg  A  PRF-Gen(lA). 

2.  Obfuscate  the  circuit  Q: 

Obfuscate  the  circuit  Q(t)  =  QX’S,\M\,T*,y,Ka,Kp^  ag  c|escri|,ed  in  Figure  1,  which  is 
essentially  a  wrapper  program  that  evaluates  Q  on  t,  using  pseudo-random  coins  {at,  Pt} 
generated  by  evaluating  F  on  keys  Ka  and  Kg  and  inputs  t  E  [Tj.  Obtain  Q  ?'0(1  ,Q). 

3.  Simulate  the  garbled  input: 

Simulate  the  garbled  input  x  in  the  same  way  as  simulator  Simns  does,  but  using  pseudo¬ 
random  coins.  That  is,  compute  (confi,sti)  =  Sim-GenciR(lA,  Is  ;  aq),  where  aq  = 
F (Ka,  1);  set  x  =  confi. 
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4.  Finally,  output  (Q,  x). 

The  simulator  Sim(lA,  l^l,  \\M\,  S,  T,  T* ,  y  =  M(x))  runs  in  time  poly(A,  \M\,  S).  This  follows 
because  the  simulator  simulates  the  garbled  Turing  machine  by  obfuscating  the  program  Q.  As  the 
program  Q  simply  runs  Q  using  pseudo-random  coins,  its  size  is  poly  (A,  \M\,  S );  thus  obfuscation 
takes  time  in  the  same  order.  On  the  other  hand,  Sim  simulates  the  garbled  input  x  as  the  simulator 
Simns  does,  which  simply  invokes  SimciR(lA,  l5)  of  the  circuit  garbling  scheme,  which  takes  time 
poly(A,  S).  Therefore,  overall  the  simulation  takes  time  poly  (A,  \M\,S)  as  claimed. 

Towards  showing  the  indistinguishability  between  honestly  generated  garbling  (P,  x)  <—  real(l  ,  M ,  x) 
and  the  simulation  (Q,x)  P-  simu(lA,  M,  x)  (see  equation  (3)  and  (4)  for  formal  definition  of  real 
and  simu),  we  will  consider  a  sequence  of  hybrids  hyb°,  •  •  •  ,  hyb7  ,  where  the  output  distribution  of 
hyb°  is  identical  to  real,  while  that  of  hyb7  is  identical  to  simu.  In  every  intermediate  hybrid  hyb7,  a 
hybrid  simulator  HSirrT  is  invoked,  producing  a  pair  (M  ,  a;7),  where  M7  is  the  obfuscation  of  (the 
de-randomized  wrapper  of)  a  merged  program  M7  that  produces  a  hybrid  chain  of  garbled  circuit 
as  in  the  security  proof  of  the  non-succinct  garbling  scheme,  where  the  first  7  garbled  circuits  are 
simulated  and  the  rest  are  generated  honestly.  More  precisely, 

The  hybrid  simulation  algorithm  HSim7(lA,  M,  x)  for  7  =  0, • •  •  ,T: 

Compute  T*  =  Tm{x)  and  y  =  M(x),  and  the  intermediate  configuration  conf7+i  as  defined 
by  CONFIG (M,x). 

1.  Sample  PRF  keys:  Ka  A  PRF-Gen(lA)  and  Kp  A  PRF-Gen(lA). 

2.  Obfuscate  the  circuit  M7: 

Obfuscate  the  circuit  M7(f)  =  (M7 ) A>s> A7T*  :2/,c°nf7+ 1  ,Ka ,Kg  (^)  ag  described  in  Figure  1, 
which  is  essentially  a  wrapper  program  that  evaluates  the  combined  program 

M7  =  COMBINE  [(Q,  [7  -  1]),  (R,  {7}),  (P,  [7  +  1,  T])]  (t  ;  (at,  at+i,  ft)), 

using  pseudo-random  coins  {at,  Pt}  generated  using  Ka  and  Kp.  Obtain  M7  A  iO(  1A,  M7). 

3.  Simulate  the  garbled  input: 

If  7  >  0,  simulate  the  garbled  input  x1  in  the  same  way  as  in  Sim.  Otherwise,  if  7  =  0, 
generate  xP  honestly,  using  Garb  and  Encode. 

4.  Finally,  output  (M7, a:7). 


Circuit  M7  =  (M7)A’S.MT*,y,conf,+1,KQ)^;  Qn  input  f  e  [T])  does: 

Generate  pseudo-random  strings  at  =  F (Ka,t),  at+\  =  F (Ka,t+  1)  and  ftt  =  F (Kp,t); 
Compute  Ct  =  M7(t  ;  {at,at+i,  St))  and  output  C(,  where  M7  is: 

(M7)A,sr,M,r*lW, confix  =  COMBINE  [(Q,  [7  -  1]),  (R,  {7}),  (P,  [7  +  1,  T})]  (t ;  (at,  at+1,/3t)) 
The  circuits  in  Figure  1,  2  and  3  are  padded  to  their  maximum  size. 


Figure  2:  Circuits  used  in  the  security  analysis  of  QS 
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We  describe  circuits  M7  to  Mg.  They  all  have  parameters  A,  S,  M,  T* ,  y,  conf7+i  hardwired  in; 
for  simplicity,  we  suppress  these  parameters  in  the  superscript. 

Circuit  M^  =  (M2)x“(7+1)’X^7+1)’a7+1’^'T+1:  On  input  t  £  [T],  does: 

If  t  ^  7,  generate  pseudo-random  string  at+i  =  F(Xa(7  +  1),  t  +  1). 

If  t  ^  7  +  1,  generate  pseudo-random  strings  at+\  =  F(ATa(7  + 1), t)  and  f3t  = 
F(A>(7+  l),t). 

Proceed  as  M7  does  using  random  coins  at,at+i ,/?*. 

Circuit  M7  =  (M2)x“(7+1)’^(7+1)’a7+i’^+«* 

Identical  to  (M]')fi'‘‘^+1'’R'(J^+1'’V1’,3i+1,  with  a^+1,^+1  sampled  at  random. 

Circuit  Mg  =  (M])lf“(7+1)',fi!(i+1)>61+ii<:onf7+ii  On  input  t  £  [T],  does: 

If  t  =  7  +  1,  output  C7+i. 

If  t  =  7,  set  out7  using  conf7+i  as  in  Step  1  of  program  R;  simulate  and  output  C7  as  in 
Step  2  of  R. 

Otherwise,  compute  as  M^  does  using  the  punctured  keys  Ka(j  +  1),  AT^y  +  1). 

Circuit  M]  =  (M2)x“(7+1)’-ff'3(7+1)’e^+1’c°"f^+1: 

Identical  to  (M2)Xa^7+1^‘R',3^7+1-)’^7+1’confn'+1 ,  with  simulated  garbling  pair  C7+i,  conf7+i. 

Circuit  M^  =  (M2)x“(7+1)’^(7+1)’a7+i^+i:  On  input  t  £  [T],  does: 

If  t  =  7  +  1,  compute  C7+i  using  program  R  with  randomness  a7+2,  P'-y+i- 

If  t  =  7,  compute  C7  using  program  Q,  which  internally  computes  conf7+1  for  setting  the 
output  ouf7  using  randomness 

Otherwise,  compute  as  M^  does  using  the  punctured  keys  ATQ(y  +  1),  A^y  +  1). 

Circuit  M^  =  (M 7)^a(7+i)>^(7+i),«7+i  A+i: 

Identical  to  (M2)k“(7+1)’^(7+1)’“7+1’^+S  with  a7+i  =  F(ATa,y+l),  p1+1  =  F(iC/3, 7+  1) 

The  circuits  in  Figure  1,  2  and  3  are  padded  to  their  maximum  size. 

Figure  3:  Circuits  used  in  the  security  analysis  of  QS ,  continued 

We  overload  the  notation  hyb7(lA,  M,  x)  as  the  output  distribution  of  the  7th  hybrid.  By 
construction,  when  7  =  0,  M°  =  P  and  the  garbled  input  x°  is  generated  honestly;  thus, 
{hyb°(lA,  M,  x)}  =  {real(lA,  M,  x)};  furthermore,  when  7  =  T,  Mr  =  Q  and  the  garbled  in¬ 
put  xT  is  simulated;  thus  { hyb7  (1  A,M,  x)}  =  {simu(lA,  M,  x)}.  Therefore,  to  show  the  security  of 
QS,  it  boils  down  to  proving  the  following  claim: 

Claim  2.  For  every  7  >  0,  the  following  holds 

jhyb7(lA,M,x)}^  «  jhyb7+1(lA,M,x)}^ 

Proof.  Fix  a  7  £  N,  a  sufficiently  large  A  £  N,  an  M  =  M\  and  a  x  =  x\.  Note  that  the  only 
difference  between  (M7,x7)  +-  hyb7  and  (M7+1,a:7+1)  +-  hyb7+1  is  the  following: 

•  For  every  7,  the  underlying  obfuscated  programs  M7,M7+1  differ  on  their  implementation  for 
at  most  two  inputs,  namely  7, 7  +  1,  and, 
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•  when  7  =  0,  the  garbled  input  x°  is  generated  honestly  in  hyb°,  whereas  x 1  is  simulated  in 
hyb1. 

To  show  the  indistinguishability  of  the  two  hybrids,  we  consider  a  sequence  of  sub-hybrids  from 
Hq  =  hyb7  to  H7  =  hyb7+1.  Below  we  describe  these  hybrids  Hq,---H7,  and  argue  that  the 
output  distributions  of  any  two  subsequent  hybrids  are  indistinguishable.  We  denote  by 
the  garbled  pair  produced  in  hybrid  IT  for  i  =  0,  •  •  •  ,  7.  For  convenience,  below  we  suppress  the 
superscript  7,  and  simply  use  notations  H,  =  H7,  Mj  =  M7,  Mj  =  Mj  and  27  =  xj. 

Hybrid  H  1:  Generate  a  garbled  pair  (Mi,  27)  by  running  a  simulation  procedure  that  proceeds 
identically  to  HSim7,  except  from  the  following  modifications: 

•  In  the  first  step,  puncture  the  two  PRF  keys  I\a ,  Kp  at  input  7  +  1,  and  obtain  Ka{ 7  +  1)  = 
PRF-Punc(/ia>  7  +  1)  and  Kp( 7  T  1)  =  PRF-Punc(A"/3, 7  +  1).  Furthermore,  compute 
a7+i  =  F(AQ,7  +  1)  and  /37+i  =  F(I<p,'y  +  1). 

•  In  the  second  step,  obfuscate  a  circuit  Mi  slightly  modified  from  M7:  Instead  of  having 
the  full  PRF  keys  Kai  Kp  hardwired  in,  Mi  has  the  punctured  keys  Ka{ 7  +  1),  Kp(j  +  1) 
and  the  PRF  values  a7+i,  /37+i  hardwired  in;  Mi  proceeds  identically  to  Mi,  except  that 
it  uses  the  punctured  PRF  keys  to  generate  pseudo-random  coins  corresponding  to  input 
t  /  7  +  1  and  directly  use  a7+i,  /37+i  as  the  coins  for  input  t  =  7  +  1.  See  Figure  1  for 
a  description  of  Mi  =  M]\ 

By  construction,  Hi  only  differs  from  hyb7  at  which  underlying  program  is  obfuscated,  and 
program  Mi  has  the  same  functionality  as  M7.  Thus  it  follows  from  the  security  of  indistin¬ 
guishability  obfuscator  iO  that,  the  obfuscated  programs  M7  and  Mi  are  indistinguishable. 
(Furthermore,  the  garbled  inputs  x7  and  27  in  these  two  hybrids  are  generated  in  the  same 
way.)  Thus,  we  have  that  the  output  (Mi,  27)  of  Hi  is  indistinguishable  from  the  output 
(M7,x7)  of  hyb7.  That  is, 

{hyb7(l\M,x)}A  «  {h0(1\M,x)}a 

Hybrid  H  2'  Generate  a  garbled  pair  (M2,  £2)  by  running  the  same  simulation  procedure  as  in 
Hi  except  from  the  following  modifications:  Instead  of  using  pseudo-random  coins  a7+i  and 
/37+i,  hybrid  H2  samples  two  sufficiently  long  truly  random  string  a'1+l , /3^+1  {0,  l}P°h(A) 

and  replace  a1+\,  f31+\  with  these  truly  random  strings.  More  specifically,  H2  obfuscates  a 
program  M2  that  is  identical  to  Mi,  but  with  (Ka( 7  +  1),  Kp(py  +  1),  cc7+i,  ^7+i)  hardwired 
in;  furthermore,  if  7  =  0,  a\  (as  opposed  to  a\  )  is  used  to  generate  the  garbled  input  x'2.  Since 
only  the  punctured  keys  Ka (7  +  1),  Kp  (7  +  1)  are  used  in  the  whole  simulation  procedure,  it 
follows  from  the  pseudo-randomness  of  the  punctured  PRF  that  the  output  (M2, 27)  of  H2  is 
indistinguishable  from  that  (M127)  of  hybi-  That  is, 

{Hi(1a,M,x)}a^{h2(1A,M,x)}a 

Hybrid  H3:  Generate  a  garbled  pair  (M3,  X3)  by  running  the  same  simulation  procedure  as  in  Ho 
with  the  following  modifications: 

•  Observe  that  in  program  M2,  aiy+1,/3'7+1  are  used  in  the  evaluation  of  at  most  two  inputs, 

7  and  7  +  I: 
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For  input  7  +  1,  program  P  is  invoked  with  input  7+I  and  randomness  a7+1,  a7+ 2,  /37+1, 
in  which  a  circuit  C7+i  is  prepared  depending  on  a7+ 2,  and  then  obfuscated  by  com¬ 
puting 


key7+1  =  GenCiR(lA,  lS;a7+1)  C7+i  =  GbGR(key7+1,  C7+i;  /3'7+1) 


If  7  >  0,  for  input  7  ,  program  R  is  invoked  with  input  7  and  randomness  a7,  a'  +1,/37,  in 

which  a  garbled  circuit  C7  is  simulated;  the  output  out7  used  for  the  simulation  depends 
potentially  on  an  honest  garbling  of  conf7+i,  that  is, 


conf7+i  =  EncodeciR  (GenCiR(l  ,  1 


,  s.  /  \ 

1  *^7+1/5 


Using  out7,  C7  is  simulating  using  randomness  a7,/37. 

First  modification:  Hybrid  H3  receives  externally  the  above  pair  C7+i .  conf7+i .  In¬ 
stead  of  obfuscating  M2  (which  computes  C7+i, conf7+i  internally),  H3  obfuscates  M3 
that  has  C7+i,  conf7+i  directly  hardwired  in  (as  well  as  Ka (7  +  1),  Kp (7  +  1)).  M3  on 
input  7  +  I,  directly  outputs  conf7+i;  on  input  7,  it  uses  conf7+i  to  compute  C7;  on  all 
other  inputs,  it  proceeds  identically  as  M2.  (See  Figure  1  for  a  description  of  M3.)  It  is 
easy  to  see  that  when  the  correct  values  C7+i,conf7+i  are  hardwired,  the  program  M3 
has  the  same  functionality  as  M2. 

•  In  H 2,  if  7  =  0,  a'x  is  used  for  garbling  the  input, 

key 3  =  GenCiR(lA,  Is; ay)  confi  =  EncodeaR(key1,  confi) 


where  confi  is  the  initial  state  corresponding  to  x. 

Second  modification:  Instead,  if  7  =  0,  hybrid  H3  receives  confi  externally,  and 
directly  outputs  it  as  the  garbled  inputs  X3  =  confi. 

When  H3  receives  the  correct  values  of  (conf7+i,  C7+i)  externally,  it  follows  from  the  security 
of  iO  that  the  output  distribution  of  H3  is  indistinguishable  from  that  of  H2.  That  is, 

{h2(1A,M,x)}a«{h3(1A,M,x)}a 


Hybrid  H4:  Generate  a  garbled  pair  (M4,  £4)  by  running  the  same  procedure  as  in  H3,  except  that 
H4  receives  externally  a  simulated  pair  (conf7+i,  C7+i)  produced  as  follows: 

(conf7+i,st7+i)  =  Sim-GenCiR(lA,  l's;a7+i)  (5) 

C7+i  =  Sim-GbciR  ^1A,  l5,  l9,  out7+i,  st7+i;  /?7+1^  (6) 

where  out7+\  is  set  to  be  the  output  of  circuit  C7+i  on  input  conf 7+ 1 .  Thus,  it  follows  from 
the  security  of  the  circuit  garbling  scheme  ^<Scir  that  the  simulated  pair  (conf7+i,  C7+i)  that 
hybrid  H4  receives  externally  is  indistinguishable  to  the  honest  pair  (conf7+i,  C7+i)  that  H3 
receives  externally.  Since  these  two  hybrids  only  differ  in  which  pair  they  receive  externally, 
it  follows  that: 

{h3(1a,M,x)}a«  {h4(1a,M,x)}a 
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Hybrid  H5:  Generate  a  garbled  pair  (MsjXs)  by  running  the  same  procedure  as  in  H4,  except 
that  instead  of  receiving  (conf7+i,  C7+i)  externally,  it  computes  them  internally  using  truly 
random  coins  q:{/+1,  More  precisely, 

•  It  obfuscate  a  program  M5  that  have  Ka (7  +  1),  Kg (7  +  1),  «7+1,  /37+1  hardwired  in: 

On  input  7+1,  it  computes  C7+i  using  the  program  R  with  randomness  a7+1,  a7+ 2,  /?7+1 
(which  computes  C7+i  as  described  in  equations  (5)  and  (6)). 

On  input  7,  it  computes  C7  using  the  program  Q  with  randomness  a7,  a7+2>  Ay  (which 
computes  internally  conf7+i  as  described  in  equation  (5)). 

On  other  inputs  t  /  7,7  +  1,  it  computes  as  M4  does. 

•  If  7  =  0,  a\  is  used  for  computing  confi  as  described  in  equation  (5),  and  then  output 
X4  =  confi. 

It  follows  from  the  fact  that  M5  computes  (conf7+i,  C7+i)  correctly  internally,  it  has  the 
same  functionality  as  M4;  thus,  the  obfuscation  of  these  two  programs  are  indistinguishable. 
Combined  with  the  fact  that  the  distribution  of  the  garbled  inputs  X4  is  identical  to  X3,  we 
have  that 

{h4(1\M,x)}a«  {h5(1A,M,x)}a 

Hybrid  Fig:  Generate  a  garbled  pair  (Mg,  xg)  by  running  the  same  procedure  as  in  H5,  except  that 
instead  of  using  truly  random  coins  a7+1,  /37+1,  use  pseudo-random  coins  a7+i  =  F (Ka,  7  +  1) 
and  j31+\  =  F(Kg,'y  +  1).  In  particular,  Fig  obfuscates  a  program  Mg  that  is  identical  to  M5 
except  that  Ka{ 7  +  1),  Kg(^  +  1),  cc7+i,  /37+i  are  hardwired  in,  and  if  7  =  0,  a\  is  used  to 
generate  the  garbled  input  xg.  It  follows  from  the  pseudo-randomness  of  the  punctured  PRF 
that: 

{h6(1a,M,x)}^  {h5(1a,M,x)}a 

Hybrid  H7:  Generate  a  garbled  pair  (M7,xy)  by  running  the  hybrid  simulator  HSim7+1.  Note 
that  the  only  difference  between  HSim7+1  and  the  simulation  procedure  in  Hg  is  that  instead 
of  obfuscating  Mg  that  has  tuple  (Ka( 7  +  1),  Kg( 7  +  1),  a7+i,  /37+i)  hardwired  in,  HSim7+1 
obfuscates  M7+1  that  has  the  full  PRF  keys  Ka,Kg  hardwired  in  and  evaluates  a7+ i,/37+i 
internally. 

Since  M7+1  and  Mg  has  the  same  functionality,  it  follows  from  the  security  of  iO  that 

{h6(1a,M,x)}a^  {h5(1A,M,x)}a 

Finally,  by  a  hybrid  argument,  we  conclude  the  claim.  □ 

Given  the  above  claim,  by  a  hybrid  argument  over  7,  we  have  that  { rea I ( 1 A ,  M ,  x)}  and  {simu(lA,  M,  x)} 

are  indistinguishable;  Hence,  QS  is  a  secure  garbling  scheme  for  TM. 
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4  Succinct  Garbling  of  Bounded  Space  Computation 


In  the  section,  we  observe  that  our  approach  for  constructing  a  succinct  garbling  scheme  for  bounded 
space  TM  in  the  previous  two  sections  applies  generally  to  any  bounded  space  computation  (e.g., 
bounded-space  RAM).  This  immediately  yields  a  garbling  scheme  for  any  model  of  computation 
with  space-dependent  complexity. 

Theorem  6.  Assuming  the  existence  of  10  for  circuits  and  one-way  functions.  There  exists  a 
garbling  scheme  for  any  abstract  model  of  sequential  computation,  such  as  TM  and  RAM,  with 
space- dependent  complexity. 

A  Garbing  Scheme  for  Any  Bounded  Space  Computation:  Given  an  underlying  circuit 
garbling  scheme  QS  =  (Garb,  Encode,  Eval)  with  independent  key  generation,  to  construct  a  garbling 
scheme  QSA  for  {AC\},  proceed  in  the  following  two  steps: 

Step  1:  Construct  a  non-succinct  garbling  scheme:  Observe  that  the  computation  of  a  ma¬ 
chine  AL  of  AL.T  steps  can  be  divided  into  AL.T  1-step  “ blocks ”  that  transforms  the  current 
configuration  to  the  next;  therefore,  to  garble  AL,  it  suffices  to  produce  a  sequence  of  “ gar¬ 
bled  blocks”,  one  for  each  1-step  block.  The  actual  programs  being  garbled  is  an  “augmented 
block”,  whose  execution  consists  of  a  1-step  block  followed  by  the  encoding  algorithm  of  QS 
that  encodes  the  output  configuration  for  the  next  garbled  block  (when  an  output  is  produced, 
it  is  output  directly  without  encoding).  The  final  garbling  then  consists  of  a  sequence  of  T 
garbled  blocks. 

Step  2:  Compress  the  size  using  IO:  As  before,  we  then  use  iO  to  “compress”  the  size  of  the 
non-succinct  garbling  constructed  in  the  first  step,  by  giving  the  obfuscation  of  the  algorithm 
that  on  input  t,  runs  Garb  to  garble  the  tth  augmented  block,  producing  the  tth  garbled  block. 
The  obfuscated  program  is  the  succinct  garbled  program. 

The  efficiency  and  security  analysis  remains  the  same  as  before.  This  concludes  Theorem  6. 

4.1  Improved  Construction  and  Analysis 

Notice  that  our  construction  of  QSA  uses  the  underlying  circuit  garbling  scheme  QS  in  a  black-box 
way.  In  fact,  the  scheme  does  not  even  require  the  underlying  garbling  scheme  to  be  for  circuits — 
any  garbling  scheme  for  any  class  of  algorithms  that  is  “complete” ,  in  particular  can  be  used  to 
implement  the  augmented  blocks  suffices.  Below  we  show  that  by  plugging  in  the  one-time  garbled 
RAM  of  [L013,  GHL+14],  and  modifying  the  construction  of  Theorem  6  slightly,  we  can  improve 
the  efficiency  of  QSA  when  the  algorithm  class  is  RAM.  More  precisely,  we  show  the  following 
theorem. 

Theorem  7.  Assuming  the  existence  of  10  for  circuits  and  one-way  functions.  There  exists  a 
garbling  scheme  QSRAM  for  RAM  with  linear -space-dependent  complexity.  Furthermore,  for  any 
RAM  machine  R  and  input  x,  such  that  T*  =  Tr(x),  evaluation  of  a  garbled  pair  (R,x)  produced 
by  the  scheme  takes  time  T*  x  poly  (A,  \R\). 

Towards  this,  we  will  rely  on  a  RAM  garbling  scheme  that  has  independent  key  generation  and 
linear-time  dependent  complexity,  and  moreover,  is  parallel  computable  as  defined  below. 
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Parallel  Computability:  We  say  that  a  randomized  algorithm  y  =  P(x;r )  with  K- bit  outputs 
is  £-time  parallel  computable,  if  there  is  a  set  of  f-size  circuits  {pi\i&K,  such  that,  for  every  A,  x, 
and  r, 

Vi  =  Pi  0[p;])  and  y  =  yi\\y2\\  ■  •  * J| Vk 

where  each  P[(x[Pi\)  accesses  (a  few  bits  of)  the  shared  random  tape  r  and  depends  on  a  fixed 
subset  Pj  of  bits  of  x,  producing  an  output  bit  yi.  The  running  time  of  the  algorithm  is  bounded 
by  K  •  t.  The  following  fact  will  be  instrumental  later. 

Fact  1:  The  composition  of  two  parallel  computable  algorithms  P  and  Q  is  also  parallel  computable. 

More  precisely,  given  two  randomized  algorithms  y  =  P(x;  r )  and  z  =  Q(y,  r')  that  are  respectively 
t-tiine  and  t'-time  parallel  computable  by  {P[  (x[P  i])}  and  {Q\  (y[Qi])}ie[ftr'])  their  composition 

R{x\r,r>)  =  Q{P{x\r)\r')  is  (t  ■  t')-time  parallel  computable,  by  {R\'r  (x’[Rj])}ie[A'']  defined  as, 

Vi  =  p7  (®[Ri])  =  Qi  (ph7[pii]),  ■  ■  ■  .-F£(&[Pii]))>  wliere  Q*  =  {*1,  •  ■  ■  ,tj}  and  Rj  =  q  P, 

A  Parallel  Computable  Garbling  Scheme  pQS:  Towards  obtaining  Theorem  7,  we  rely  on  a 
parallel  computable  garbling  scheme  pQS  =  (pGarb,  pEncode,  pEval)  with  the  following  properties. 

We  remark  all  these  properties  are  satisfied  by  the  construction  of  [L013,  GHL+14].  Let  R  be  a 
RAM  machine  with  parameters  n,  m,  S,  T. 

Independent  key  generation.  pQS  has  independent  key  generation  as  defined  in  Definition  7 
with  a  slight  strengthening.  We  repeat  the  definition  and  highlight  the  strengthening. 

•  The  garbling  algorithm  pGarb  consists  of: 

(key,  R)  7  pGarb(lA,  R)  :  key  7  pGen(lA),  R  A  pGb(key,  R) 

Strengthening:  Different  from  Definition  7,  the  PPT  key  generation  algorithm  pGen 
depends  only  on  the  security  parameter  1A  and  not  on  the  length  of  the  input  llxL  As 
a  result,  the  length  of  key  produced  is  bounded  by  poly(A). 

•  The  simulation  procedure  pSim  consists  of12: 

(R,  x)  7  pSim(lA,  (\R\,\x\,n,m,  S,  T),R(x))  : 

(. x ,  st)  A  pSim-Gen(lA,  |x|),  R  7  pSim-Gb(lA,  (\R\,\x\,n,m,  S,T),  R(x),  st) 

Rachel: 

[change  the  definition  of  independent  key  generation  to  not  depend  on  input  length,  and  change  the 
interfact  of  simulation  Sim(lA,  (|i?|,  \x\,n,m,  S,T),Tr(x),  R(x)).  Change  the  running  time  of  Sim  to 
depend  on  T.\ 

Linear  complexity.  The  complexity  of  algorithms  in  the  the  garbling  scheme  is: 

•  The  garbling  algorithm  pGarb(lA,R)  and  evaluation  algorithm  pEval(R,  x)  run  in  time 
poly(A)  x  |R|  x  T13,  which  also  bounds  the  size  of  the  the  garbled  program  R. 

12Note  that  the  simulation  procedure  described  below  does  not  receive  the  instance  running  time  Tr(x).  This  is 
because,  as  seen  shortly,  the  complexity  of  this  RAM  garbling  scheme  is  linear  in  the  time  complexity  of  the  RAM 
machine  being  garbled,  and  thus  does  not  have  instance  based  efficiency. 

13In  [L013,  GHL+14],  the  overhead  of  garbling  is  poly(A)  x  |i?|  x  polylog(n),  where  n  is  the  size  of  the  persisitent 
memory  data.  Since  in  this  work  we  do  not  consider  RAM  machine  with  persistent  memory  data,  we  ignore  this 
term. 
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•  The  input  encoding  algorithm  x  <—  pEncode(key,  x )  runs  in  time  linear  in  the  length  of 
the  input  poly(A)|x|,  which  also  bounds  the  size  <&x  of  the  garbled  input  x. 

Parallel  Computability.  The  following  algorithms  are  parallel  computable: 

•  The  garbling  algorithms  pGb  and  the  simulation  procedure  pSim-Gb  are  poly(A)|i2|-time 
parallel  computable,  and 

•  the  encoding  algorithm  pEncode  and  the  input  simulation  procedure  pSim-Gen  are  poly(A)- 
time  parallel  computable. 

More  Efficient  Garbling  Scheme  for  Boundes  Space  RAM:  We  now  use  a  parallel  com¬ 
putable  garbling  scheme  pQS  =  (pGarb,pEncode,pEval)  with  the  above  properties  to  construct  a 
more  efficient  garbling  scheme  QS  for  bounded  space  RAM  that  has  (1)  linear-space  dependent 
complexity  and  (2)  produces  garbled  RAM  with  poly(A,  \R\)  overhead  (that  is,  evaluation  of  R,  x 
takes  poly(A,  \R\)Tr(x)  steps).  In  comparison,  the  previous  general  construction  has  polynomial 
space  dependent  complexity  and  poly(A,  |i?|,5)  overhead. 

Towards  this,  we  plug  in  the  parallel  computable  garbling  scheme  pQS  with  simulation  pSim 
into  our  general  construction  with  the  following  modifications. 

Modification  to  Step  1:  As  before,  the  first  step  is  constructing  a  non-succinct  garbling  scheme, 
by  dividing  a  RAM  computation  into  small  blocks  and  garbling  all  of  them  using  pQS . 

The  only,  and  key,  difference  is,  instead  of  dividing  a  T  step  RAM  computation  into  T  1-step 
“blocks”,  dividing  it  into  \T/S ]  5-step  “blocks”.  As  before,  each  block  is  then  augmented 
with  the  encoding  algorithms  pEncode(key,  •)  for  garbling  the  output  configuration;  and  each 
augmented  block  is  garbled  using  pGarb,  producing  garbled  blocks. 

Efficiency.  We  now  analyze  various  efficiency  parameters. 

•  Each  augmented  block,  say  the  fth,  is  a  RAM  consisting  of  5  steps  of  computation  of  R 
followed  by  Encode(keyt+1,  -)14 — denote  this  program  as  B(t,  R,  keyt+1,  •).  Since  keyt+1 
has  size  poly  (A),  we  have, 

size  of  B  =  T  =  \R\  +  poly(A),  run-time  of  B  =  poly(A)5 

•  By  the  efficiency  of  pGarb,  each  garbled  block  has  size 

<3?  =  poly(A)(size  of  £>) (run-time  of  B)  =  poly(A)|i?|5 

•  Overall,  there  are  [~T/5~|  blocks,  resulting  in  a  non-succinct  garbled  RAM  R  of  size 

\R\  =  \T/S]  x<&  =  poly(A)|R|T 

•  We  note  that  for  any  input  x  of  instance  complexity  T*\  the  output  R(x)  is  produced 
after  evaluating  |"T*/5]  garbled  blocks,  taking  poly(A)|i?|T*  steps. 

14It  also  has  the  additional  logic  for  deciding  whether  the  output  configuration  is  a  final  configuration,  and  returns 
the  output  if  so. 
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Modification  to  Step  2:  As  before,  the  second  step  is  using  obfuscation  to  “compress”  the  size 
of  the  non-succinct  garbling  scheme  constructed  in  Step  1.  However,  if  directly  obfuscate  the 
program  that  generates  each  of  \T / S']  garbled  blocks  completely,  it  leads  to  an  obfuscated 
program  of  size  at  least  poly(A,  <f>)  =  poly(A,  |i?|,  S).  In  this  case,  the  complexity  of  the  new 
garbling  scheme  is  not  linear  in  S ,  and  the  overhead  of  the  produced  garbled  RAM  is  at  least 
poly(A,|R|,S). 

Better  efficiency:  Instead  of  obfuscating  the  program  that  generates  a  whole  garbled  block, 
we  rely  on  the  parallel  computability  of  pQS  to  obfuscate  the  decomposed  small  circuits  that 
generates  individual  bits  of  each  garbled  block.  More  precisely,  the  program  that  produces 
the  garbled  blocks  is 

Bt  =P *,S,R,K<*,K(}(t)  .  Bf  _  pGb(keyt,  B(t,  R,  keyt+1,  •);  pt)  with  key,,  =  Gen(lA;  <x,) 

where  all  random  coins  at,  at+i,  Pt  are  generated  using  a  PRF  with  keys  Ka,Kp.  It  follows 
directly  from  that  pGb  is  poly  (A)  ^-parallel  computable,  where  \k  is  the  size  of  the  program 
obfuscated  (the  augmented  block  in  this  case)  that  P  is  poly(A)|i?|-parallel  computable  by 
circuits  {pA’  ’R,Ka,Kp (recall  that  <1>  is  the  size  of  each  garbled  block).  Thus  to  obtain 
better  efficiency,  obufscate  each  P*  independently.  The  new  garbled  program  R  is  the  array 
of  obfuscated  programs: 


R  =  (Pi,  •  •  •  ,  P$),  where  P*  A  iO(lx,  Pj)  . 

Evaluation  of  the  garbled  RAM  proceeds  the  same  as  before,  except  that  the  tth  garbled  block 
is  generated  by  evaluating  the  array  of  obfuscated  programs  on  input  t. 

The  security  proof:  Security  follows  the  same  blue-print  as  before — the  simulated  program  R 
is  the  obfuscation  of  a  program  Q  that  produces  simulated  garbled-blocks  using  the  simula¬ 
tion  procedure  pSim-Gen  and  pSim-Gb  of  pQS.  The  indistinguishability  of  R  and  R  is  then 
established  through  a  sequence  of  hybrids  where  the  obfuscated  program  simulates  the  first 
j  garbled-blocks,  and  generates  the  rest  honestly;  to  stitch  these  two  parts  together,  the  jth 
garbled  block  is  produced  using  a  program  M  that  invokes  pSim-Gen,  pSim-Gb  and  pEncode  of 
pQS .  The  only  difference  now  is  that  Q  and  M  are  not  obfuscated  directly,  but  rather  their 
decomposition  {Qj}je[$]  and  is  obfuscated:  It  follows  from  the  fact  that  pSim-Gen, 

and  pEncode  are  poly(A)-parallel  computable  and  pSim-Gb  is  poly(A)T-prallel  computable 
that  both  Q  and  M  are  poly(A)|R| -parallel  computable.  Then  in  simulation  and  hybrids,  Qi 
and  Mj  are  obfuscated  independently. 

Efficiency.  Since  each  Pj,  Qi  and  Mi  have  size  poly(A)|i?|,  each  obfuscated  program  has  size 
poly  (A,  \R\).  Therefore,  the  size  of  the  new  garbled  RAM  (and  the  complexity  for  generating 
it)  is, 

size  of  garbled  RAM  =  d>  x  poly  (A,  \R\)  =  poly  (A,  \R\)  x  S  , 
which  is  linear  in  the  space  complexity  of  R. 

Moreover,  evaluation  of  an  input  x  of  instance  complexity  T*  requires  generating  and  evalu¬ 
ating  \T* /S~\  garbled  blocks,  which  takes  time 

run-time  of  garbled  RAM  =  \T* /S]  x  poly(A,  |i?|)  x  S  =  poly(A,  |i?|)  x  T*  . 

This  concludes  Theorem  7. 
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5  From  Garbling  to  FE  to  Reusable  Garbling 

We  observe  that  in  contexts  such  as  secure  computation  [GMW87]  and  functional  encryption 
[SW05,  O’NIO,  BSW12],  to  evaluate  a  function  /  on  an  input  x,  it  suffices  to  evaluate  the  random¬ 
ized  function  that  computes  a  garbled  program  of  /  and  an  encoding  of  the  input  (recall  that  by 
the  security  of  the  garbling  scheme  this  reveal  no  more  than  the  output  of  the  function).  Thus, 
by  plugging-in  our  construction  of  garbling  schemes  with  space-dependent  complexity  into  earlier 
constructions  of  secure  computation  or  randomized  functional  encryption  [GJKS],  we  directly  ob¬ 
tain,  assuming  iO  for  P/poly  and  one-way  functions,  a  randomized  functional  encryption  with 
space-dependent  complexity,  and  secure  computation  protocols  whose  the  communication  com¬ 
plexity  grows  polynomially  with  the  space  complexity  of  the  program  to  be  evaluated,  but  only 
logarithmically  with  the  the  running-time. 

We  additionally  observe  that  by  combing  our  construction  of  functional  encryption  with  pre¬ 
vious  results  [CIJ+13,  GKP+13b] — [CIJ+13]  showed  that  function  encryption  schemes  with  indis- 
tinguishability  based  security  implies  ones  with  simulation-based  security,  which  further  implies 
reusable  garbling  schemes  by  [GKP+13b] — directly  yields  a  construction  of  reusable  succinct  gar¬ 
bling  schemes  with  space-dependent  complexity  from  iO  for  P/poly  and  one-way  functions. 

We  emphasize  that  the  above  applications  work  generally  for  any  “nice”  class  of  algorithms; 
(conditions  on  the  algorithm  classes  are  specified  in  the  theorem  statements  below).  Therefore, 
below  we  show  the  connections  between  Garbling,  randomized  functional  encryption  and  reusable 
garbling  w.r.t.  general  classes  of  algorithms.15  Applications  to  specific  models  of  computation  can 
then  be  derived  as  special  cases. 

Below,  we  start  with  the  definitions  of  function  encryption  and  reusable  garbling  scheme,  and 
then  move  to  showing  the  connections. 

5.1  Functional  Encryption 

We  first  recall  definitions  of  public  key  functional  encryption  schemes,  both  the  indistinguishability- 
based  definitions  and  simulation-based  definitions,  adapting  to  general  algorithm  classes.  For 
indistinguishability-based  security,  we  recall  the  definition  for  randomized  algorithms  in  [GJKS], 
whereas  for  simulation-based  security,  we  recall  the  definition  of  [BSW12,  O’NIO]  for  deterministic 
Boolean  algorithms.  Below  we  first  introduce  the  syntax,  then  various  security  notions  and  finally 
the  efficiency  guarantees. 

Syntax.  We  introduce  the  syntax  and  correctness  of  functional  encryption  scheme  w.r.t.  classes 
of  potentially  randomized  algorithms,  which  immediately  imply  the  syntax  and  correctness  for 
deterministic  algorithms. 

Definition  (Functional  Encryption.).  A  functional  encryptions  scheme  P£  for  a  class  of  (well- 
formed)  (potentially  randomized)  algorithms  {ACaIasN  consists  of  algorithms  (FE. Setup,  FE.Enc, 
FE.KeyGen,  FE.Dec)  where  the  first  three  are  probabilistic  algorithms  while  the  last  is  deterministic; 
furthermore,  they  satisfy  the  following  syntax  and  correctness: 

•  FE.Setup(lA)  outputs  a  public  key  MPK  and  a  master  secret  key  MSK. 

•  FE.Enc(x,  MPK)  outputs  a  ciphertext  CT. 

•  FE.KeyGen(AL,  MSK)  on  input  an  algorithm  AL  £  AC\,  outputs  a  secret  key  sk al- 

15Since  the  application  to  MPC  is  straightforward,  we  omit  the  details  of  the  proof  below. 
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FE.Dec(CT,  sk^L)  outputs  a  string  y. 


Correctness:  For  every  polynomial  T  and  polynomial  n  =  n(\),  every  sequence  of  algorithm  tuples 
{AL  =  AL\}  G  {ACf\  and  every  sequence  of  input  tuples  {x  =  ar\}  where  x,  G  {0,  l}Poly(A); 
the  following  two  distributions  are  computationally  indistinguishable: 

•  Real:  {  F E.  Dec ( CT; ,  SKalj  ) } ie [n] [n]  where, 

(MPK,  MSK)  A  FE.Setup(lA) 

CTj  A  FE.Enc(MPK,  xf)  for  i  G  [n] 

sk aLj  G-  FE.KeyGen(AL,-,  MSK)  for  j  G  [n] 

•  Ideal:  {ALj(®i;rij)}ie[n]Je[n]  where, 

for  every  j  G  [n],  are  sufficiently  long  random  strings  if  ALj  is  a  randomized 

algorithm  and  are  empty  if  ALj  is  a  deterministic  algorithm.  (In  the  case  that  xt  exceeds 
the  input  length  bound  of  the  algorithm  ALj,  \xi\  >  ALj.n,  the  output  is  set  to  L). 

Indistinguishability  based  security.  We  provide  the  definition  of  indistinguishability  based 
security  for  classes  of  (potentially  randomized)  algorithms.  Our  definition  is  a  generalization  of 
that  in  [GJKS]  to  the  case  of  full  security. 

Definition  13  ((Full)  q i-f-q2-l N D-security) .  A  functional  encryption  scheme  F£  is  (ful-)qi-F-q2-IND 
secure  if  for  every  polynomial  T ,  the  advantage  of  any  PPT  adversary  A  in  the  following  game  is 
negligible. 


Experiment  (ful-)qi-F-q2-IND^(lA, T  =  T( A)): 

1.  Setup:  (MPK,  MSK)  A  FE.Setup(lA) 

2.  Non-Adaptive  Key  Queries:  (mo,rai,sti)  G-  ylFE-KeyGen(MSK’')>0i(-)(MPK). 

3.  Generate  Challenge  Ciphertext:  Mi,  CT,  G-  FE.Enc(MPK,  m^i),  where  b  G-  {0,1}. 

4-  Adaptive  Key  Queries:  a  G-  ylFE-KeyGen(MSK.-),C,2(-)(st1,  CT). 

O i  is  a  stateful  oracle  that  on  input  (AL,  null),  generates  a  secret  key  sk^L  <—  FE.KeyGen(MSK,  AL) 
and  records  it  internally,  and  on  input  (AL,  C)  checks  if  a  secret  key  has  been  generated  for  AL, 
and  returns  FE.Dec(skJ4^,  C)  if  it  is  the  case  (AL  otherwise).  O 2  is  identical  to  0\  except  that  it 
only  decrypts  ciphertext  C  f  CT(;  for  all  i.  The  advantage  of  A  is  Pr[a  =  b]  —  1/2. 

Restriction  on  A:  Let  S 1  and  S-2  represent  the  sets  of  non-adaptive  and  adaptive  key  queries 
made  by  A  in  Step  2  and  4  respectively;  let  Q\ ,  Q2  be  the  sets  of  key  queries  A  submits  to  0\  and 
O2  respectively.  A  must  follow  the  restriction  that  0)  S\,  S2,  Qi,  Q2  Q  1)  |5i|  <  qi(X),  2) 

I1S2I  <  52(A),  3)  \fho\  =  |mi|  <  t  and  for  every  i  G  [|mo|]  |uro,i|  =  and  4)  for  every  i,  j,  let 

ALj  be  the  jth  query  in  S\  U  S2,  the  following  distributions  are  indistinguishable: 

{r  A  {0,  l}poly(A)  :  (ALj (m0 j;  r),TAL(moy,  r))}\ 

{r  G- {0,  l}poly(A)  :  (ALj(mij-,r),TAL(mij-,r))}x 
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Additionally,  we  consider  the  following  weaker  notions. 

Definition  14  (Selective  qi-Oq2-IND-security).  A  functional  encryption  scheme  J-E  is  selective 
qi-£-q2-IND  secure  if  for  every  polynomial  T,  the  advantage  of  any  PPT  adversary  A  is  negligible 
in  the  sel-qi-£-q2-IND(lA,  T)  game,  which  is  the  same  as  the  above  qiT-q2-IND  game,  except  that  A 
is  required  to  select  the  challenge  messages  mo,  mi  at  the  beginning  of  experiment  before  MPK,  MSK 
are  chosen. 

Note  that  in  the  selective  game  sel-qi-T-q2-IND,  it  is  without  loss  of  generality  to  remove  Step  2 
in  the  experiment;  thus,  we  can  assume  w.l.o.g.  that  q\  =  0.  Furthermore,  it  follows  from  standard 
hybrid  argument  that  for  any  polynomials  q\,t,  g2,  qi-l-q2-IND  security  implies  qi-Oq2-IND  security, 
both  in  the  selective  and  full  game.  Thus  in  the  rest  of  the  paper  we  use  interchangeably  qi-l-q2-IND 
security  and  qi-^-q2-IND  security. 

Definition  15  (Honest-Sender  (full  or  selective)  qi--Oq2-IND-Security).  We  say  that  a  functional 
encryption  scheme  is  honest-sender  (full  or  selective)  qi-^-q2-IND  secure,  if  it  satisfies  the  same 
security  condition  as  in  Definition  13,  except  that,  in  the  experiments  the  oracles  (D\  and  02  are 
empty. 

When  the  class  of  algorithms  are  deterministic,  the  standard  definition  in  the  literature  considers 
only  honest-sender  security.  We  follow  this  convention;  when  an  algorithm  class  is  deterministic 
only  security  against  malicious  receiver  is  considered. 

Definition  ((Honest-sender)  Full  or  Selective  IND-security).  A  functional  encryption  scheme  J-E  is 
(honest-sender)  fu I -I ND -secure  or  sel -IN D -secure,  if  it  is  (honest-sender)  ful-poly-l-poly-IND-secwe 
or  sel-O-l-poly-IND  -secure. 

Simulation  based  security.  Next  we  proceed  to  define  simulation  based  security  notions.  In 
this  case,  we  consider  only  classes  of  algorithms  {AC\}  that  are  deterministic.  Furthermore,  we 
note  that  it  is  without  loss  of  generality  to  consider  only  Boolean  algorithms.  This  is  because 
a  functional  encryption  scheme  for  Boolean  algorithms  can  be  easily  turned  into  a  scheme  for 
algorithms  with  m-bit  outputs,  by  running  the  Boolean  scheme  for  m  times  in  parallel.  Such 
parallel  repetition  leads  to  a  scheme  where  the  ciphertext  length  is  linear  in  n  x  m  (as  well  as  in 
A),  where  n  is  the  input  length.  On  the  other  hand,  it  was  shown  that  simulation-based  secure 
functional  encryption  must  have  the  size  of  ciphertexts  growing  linearly  with  the  output  length  (if 
there  is  any  non-adaptive  queries  made  before  the  challenge  ciphertexts  are  generated).  Thus,  the 
parallel  repetition  is  essentially  optimal. 

Definition.  A  functional  encryption  scheme  J:£  for  a  class  {AC\\  of  deterministic  Boolean  al¬ 
gorithms  with  is  (ful-)qi-t-q2-SIM  secure  if  for  every  PPT  adversary  A,  there  exists  a  simulator 
Sim  =  (Simi,Sim2)  such  that  the  output  of  the  following  two  experiments  are  indistinguishable  for 
every  polynomial  T. 
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Experiment  (ful-)qi-C-q2-RealExp^(lA,  T  =  T( A)): 

1.  Setup:  (MPK,  MSK)  A  FE.Setup(lA) 

2.  Non-Adaptive  Key  Queries:  (m,  sti)  -e-  ^lFE-KeyGen(MSK’')(MPK). 

3.  Generate  Challenge  Ciphertext:  Vi,  CT,  -e-  FE.Enc(MPK,  mf),  where  b  -e-  {0,1}. 

4 ■  Adaptive  Key  Queries:  a  A  „4FE-KeyGen(MSK.-)(st1,  CT). 

5.  Output  (MPK,  m,  Si,  S2,  a),  where  S\  and  S-2  are  the  sets  of  non- adaptive  and  adaptive  key 
queries  made  by  A  in  Step  2  and  4  respectively. 

Experiment  (ful-)qi-f'-q2-ldealExpJ£(lA, T  =  T( A)): 

1.  Setup:  (MPK,  MSK)  A  FE.Setup(lA) 

2.  Non-Adaptive  Key  Queries:  (m,sti)  A  _4FE-KeyGen(MSK.-)(MPK);  let  </!  =  |m| 

3.  Generate  Challenge  Ciphertext:  (CT,  st')  A  Simi(MPK, 

4 ■  Adaptive  Key  Queries:  a  A  *40(')(sti,  CT) 

5.  Output  (MPK,  in,  Si,  S2,  a). 

In  the  above  experiment  V  in  Step  3  contains  the  outputs  of  the  algorithms  in  S±  applied  to  m,  that 
is,  V  =  Uq^Vq  with  Vq  =  {Q,  skg,  Tg(mi),  <5(rr;.i)}igj£,j .  Additionally,  the  oracle  0(- )  in  Step 
4  is  the  second  stage  simulator,  namely  Sirr^st',  MSK, -,  •),  where  the  third  argument  is  a  query 
circuit  Q  and  the  fourth  argument  is  Vq  . 

Restriction  on  A  in  the  above  two  experiments:  0)  Si,  £2  Q  1)  |Si|  <  q\  (A),  2) 

1 52 1  <  92(A),  3)  |m|  <  t. 


Additionally,  afunctional  encryption  scheme  F£  is  (honest-sender)  selective  qi-£-q2-SIM  secure  if 
for  every  PPT  adversary  A,  the  outputs  of  the  experiments  sel-qiT-q2-RealExp  and  sel-qi-£-q2-ldealExp 
are  indistinguishable  for  every  polynomial  T,  where  the  two  games  are  the  same  as  the  above,  ex¬ 
cept  that  A  is  required  to  select  the  challenge  messages  mo,  mi  at  the  beginning  of  experiment  before 
MPK,  MSK  are  chosen  (and  without  access  to  the  FE.KeyGen  oracle). 

We  note  that  in  the  above  definition,  the  second  state  simulator  Sirri2  receive  as  input  the 
instance  running  time  Tg(mj)  for  every  Q  and  m,.  This  is  necessary  since  the  efficiency  guarantees 
below  require  the  decryption  algorithm  to  have  instance-based  efficiency. 

Efficiency.  Finally,  We  now  move  to  define  different  efficiency  requirement  for  functional  encryp¬ 
tion. 

Definition  (Different  Levels  of  Efficiency  of  Functional  Encryption  Scheme).  We  say  that  a  func¬ 
tional  encryption  scheme  has  optimal  efficiency,  or  I/O-  /  space-  /  linear-time  dependent 
complexity  if  the  following  conditions  hold. 
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Optimal  efficiency:  Algorithms  FE. Setup,  FE.Enc,  FE.KeyGen  run  in  time  polynomial  in  their  in¬ 
put  lengths,  that  is  psetup(A),  PEnc(A,  \x\),  PKeyGen(A,  |AL|),  and  FE.Dec  runs  in  time 
PDec (A,  \AL\,  \x\)Tal{x)  for  a  polynomial  poec- 

I/O-dependent  complexity:  The  above  condition  holds,  except  that  the  running  time  o/FE.KeyGen 
and  FE.Dec  additionally  depends  on  AL.n,  AL.m. 

Space-dependent  complexity:  The  above  condition  holds,  except  that  the  running  time  o/FE.KeyGen 
and  FE.Dec  additionally  depends  on  AL.S. 

linear-time-dependent  complexity:  The  above  condition  holds,  except  that  the  running  time  of 
FE.KeyGen  and  FE.Dec  depends  quasi-linearly  on  AL.T . 

We  note  that  the  FE. Setup  and  FE.Enc  always  runs  polynomially  in  their  input  length,  indepen¬ 
dent  of  the  parameters  of  the  algorithms  that  are  potentially  to  be  evaluated.  Furthermore,  in  the 
case  of  SIM-secure  functional  encryptions,  we  only  consider  Boolean  algorithms;  thus,  it  is  possible 
to  have  schemes  with  optimal  efficiency,  where  the  encryption  and  key  generation  algorithms  runs 
in  time  independent  of  the  output  length. 

5.2  Reusable  Garbling  Scheme 

We  recall  the  definition  of  reusable  garbled  circuits  in  [GKP+13b],  adapted  for  general  algorithm 
classes.  In  [GKP+13b],  their  definition  considers  adaptive  input  selection,  and  their  construction 
achieves  so.  An  alternative  definition  with  static  input  selection  is  considered  in  [GHRW14]  for 
reusable  garbled  RAM.  The  two  variants  corresponds  tightly  with  fully  or  selectively  SIM-secure 
functional  encryption  schemes.  Below  we  define  both  variants. 

Definition  16  (Reusable  Security  [GKP+13b].).  We  say  that  a  garbling  scheme  QS  for  a  class  of 
deterministic  Boolean  algorithms  {ACaIasn  ^ as  reusable  security  with  adaptive  input  selection,  if 
for  all  PPT  adversary  A  there  is  a  simulator  Sim  =  (Sim-Gb,  Sim-lnp)  the  following  two  games  are 
indistinguishable  for  all  polynomial  T . 
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Experiment  RealExp^'s(lA, T  =  T( A)): 

1.  (AL,  sti)  £  A(1a) 

2.  (AL,  key)  -e-  Garb(lA,  AL) 

3.  a  ^Encode(key’-)(sti,,4L) 

Experiment  ldealExp^'s(lA, T  =  T(A)): 

1.  (AL,  sti)  £  A(1a) 

2.  (AL,  st)  A  S\m-Gb(lx,  \AL\,  (AL.n,  AL.m,  AL.S,  AL.T)) 

3.  a  A  *4°(')(sti,  AL) 

where  the  oracle  in  the  third  step  is  the  second  stage  simulator  Sim-lnp(st,  •,  •,  •)  that  receives  as 
the  second  parameter  the  length  of  the  input  llxl,  as  the  third  parameter  the  instance  running  time 
Tal(x )  and  the  fourth  parameter  the  output  AL(x ). 

Restriction  on  A  in  the  above  two  experiments:  the  algorithm  AL  chosen  by  A  is  in  AC J. 


Furthermore,  we  say  that  QS  has  reusable  security  with  selective  input  selection,  if  the  above 
indistinguishability  is  true  for  all  PPT  adversary  A  that  selects  its  oracle  queries  in  the  third  step 
at  the  beginning  of  the  games. 

5.3  IND-secure  FE  for  General  Classes  of  Randomized  Algorithm 

We  show  a  general  method  for  constructing  (full  or  selective)  IND-secure  functional  encryption 
for  a  general  class  {AC\]  of  (potentially  randomized)  algorithms,  from  a  garbling  scheme  QS  = 
(Garb,  Encode,  Eval)  for  the  corresponding  class  of  “de-randomized”  algorithms,  and  a  (full  or  se¬ 
lective  respectively)  IND-secure  functional  encryption  for  circuits. 

Towards  this,  consider  a  randomized  algorithm  AL,  let  deRandfAL,  k\  be  the  following  de- 
randomized  algorithm  corresponding  to  AL,  where  k  <—  PRF-Gen(lA)  is  a  PRF  key. 

deRandF[AL,  k](x)  :  Run  AL(x)  with  pseudo-random  coins  rt  =  F (k,t)  for  step  t 

Then  the  high-level  idea  for  constructing  a  IND-secure  FE  T£A  for  {AC\\  is  the  following: 
The  secret  key  corresponding  to  algorithm  AL  will  a  the  secret  key  generated  using  the  I N  D-secure 
circuit-FE  J-£c  for  the  (randomized)  algorithm  that  garbles  the  de-randomized  Cal  as  described 
above.  More  specifically,  the  circuit  Cal  is  constructed  as  follows: 

(f ,  x)  •£-  Cal(x)  :  k  A  PRF-Gen(lA),  (f ,  key)  A  Garb(lA,  deRandF[AL,  kj),  x  -4-  Encode(key,  x) 

Below  we  state  our  result  formally.  Note  that  since  the  garbling  algorithm  must  work  with  algo¬ 
rithms  of  the  form  deRandF[RL,  k]),  we  require  that  it  is  for  an  algorithms  class  that  is  closed  under 
composition  with  polynomial- sized  circuits,  which  implies  that  for  every  AL  £  AC\,  deRandF[RL,  kj) 
is  in  AC\. 

Proposition  2  (IND-secure  FE  for  General  Classes  of  Randomized  Algorithms).  Let  {AC\\  be  any 
class  of  (potentially  randomized)  algorithms  that  is  closed  under  composition  with  polynomial- sized 
circuits.  It  holds  that  if  there  are 
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•  i)  a  garbling  scheme  QS  =  (Garb,  Encode,  Eval)  for  deterministic  algorithms  in  {AC a}- 

ii)  a  (ful-)IND-serare  (or  se\-\HD- secure)  functional  encryption  scheme  IND-Tuf^  for  the  class 
rCIR  of  polynomial-sized  randomized  circuits. 

•  then,  there  is  a  (ful-)IND-secwe  (or  sel-IND- secure  respectively)  functional  encryption  scheme 
\ND-F£a  for  {AC\}. 

Furthermore,  ifQS  has  optimal  efficiency  or  I/O- dependent  complexity,  IND-JTfv4  has  I/O- dependent 
complexity.  IfQS  has  space-  /  linear-time-  dependent  complexity,  so  does  IND-Tuf  . 

Proof.  Below  we  give  the  construction  and  proof.  Given  an  IND-secure  circuit  FE  T£c  =  (FE. Setup, 
FE.KeyGen,  FE.Enc,  FE.Dec),  our  IND-secure  FE  is  constructed  as  follows:  It  has  the  same  setup 
and  encryption  algorithm.  The  key  generation  and  decryption  algorithms  invokes  the  algorithms 
FE.KeyGen  and  FE.Dec  as  sub-routines.  To  generate  a  key  for  algorithm  AL,  T£A  generates  a  key 
skcAi  using  T£c  for  the  circuit  Cal  as  described  above  and  returns  sk  al  =  sk cAL-  To  decrypt  a 
ciphertext  c  of  value  x,  it  invokes  the  decryption  algorithm  FE.Dec(skcAi,  c)  to  obtain  a  pair  (T,  x), 
and  then  evaluates  the  garbled  pair  to  obtain  an  output  y. 

The  IND-security  of  J-£A  reduces  to  the  IND-security  of  T£c .  This  follows  as  an  adversary  A 
attacking  the  former  can  be  transformed  into  an  adversary  A'  attacking  the  latter.  More  specifically, 
in  an  IND^f  game,  the  adversary  A'  can  internally  emulate  a  game  IND^  for  A:  For  every  key 
query  AL  from  A,  A!  translates  AL  to  a  key  query  Cal  to  its  own  key  generation  oracle,  and 
for  every  decryption  query  c  from  A,  A'  simply  relays  c  to  its  own  decryption  oracles,  and  upon 
receiving  an  output  (f,  x),  it  evaluates  the  garbled  pair  to  obtain  y  and  feeds  A  with  y. 

It  is  easy  to  see  that  A  emulates  the  view  of  A'  perfectly.  The  only  thing  we  need  to  establish 
is  that  whenever  A  sends  a  legitimate  key  query  AL — that  is,  for  the  two  challenge  messages  x\ 
and  X2,  the  outputs  and  running  time  of  AL  on  x\  and  x 2  are  indistinguishable — the  translated 
key  queries  Cal  is  also  legitimate — that  is,  its  outputs  on  x\  and  X2  are  indistinguishable.  Below 
we  argue  this. 

It  follows  from  the  pseudo-randomness  of  PRF  and  the  security  of  the  garbling  scheme  that 
for  any  polynomial  T,  any  T-tirne  randomized  algorithm  AL  and  any  two  inputs  x\ ,  X2  such  that 
AL(x\\  r),  Tal(x\,  r)  for  random  r  is  indistinguishable  from  AL(x2',r),TAL{x2,x)  for  random  r,  we 
have  that  the  outputs  of  Cal  on  input  x\  and  X2  are  also  indistinguishable.  More  precisely,  for 
every  polynomial  T, 

V  {AL}xe  {ACl}  ,{x1}x,{x2}x, 

if  jV  •£-  {0,  \{ALT  :  AL(xr,r),TAL(xi,r)} {r  {0,1}AL  T  :  AL(x2-,r),TAL(x2,r)} 
then,  {CAl{xi)}x  ~  {CAl{x2)}x 

This  follows  since  for  each  i  £  {1,2},  it  follows  from  the  pseudo-randomness  of  the  PRF  that  the 
output  and  running  time  of  deRandF[AL,  k\  on  x\  and  X2  are  indistinguishable,  when  the  PRF  key 
is  chosen  at  random,  that  is, 

\k  A  PRF-Gen(lA)  :  deRandF[AL,  fc](xi),  TdeRand[AL,k](xi) }a 
«  {*:  ^  PRF-Gen(lA)  :  deRandF[AL,  k}(x2),  TdeRand[AL,fc](>2)}A  , 

Then  it  follows  from  the  security  of  the  garbling  scheme  that  the  output  of  CAl{x  1),  which  is  a 
freshly  generated  garbled  pair  {r,xi},  can  be  simulated  by  random  variables  in  the  first  ensemble 
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above,  and  that  of  Cal{x 2)  can  be  simulated  by  variables  in  the  second  ensembles.  Therefore,  the 
indistinguishability  of  Cal(x  1)  and  Cal{x2 )  holds. 

This  concludes  the  security  of  iF8A.  □ 

Combining  with  known  garbling  schemes  for  circuits  [Yao86],  and  TM  and  RAM  with  space- 
dependent  complexity  (our  construction),  the  above  lemma  immediately  implies  the  following  the¬ 
orem: 

Theorem  8.  The  following  statements  hold: 

•  Assume  the  existence  of  randomized  functional  encryption  for  NC1,  there  is  a  randomized 
functional  encryption  for  P/poly. 

•  Assume  the  existence  of  randomized  functional  encryption  for  P/poly,  there  is  a  randomized 
functional  encryption  scheme  for  TM  and  RAM  with  space- dependent  complexity. 

5.4  From  IND  security  to  SIM  security. 

The  work  by  De  Caro  et.  al.  [CIJ+13]  showed  a  tight  connection  between  functional  encryption 
with  indistinguishability-based  security  and  that  with  simulation-based  security.  More  precisely, 
they  provide  a  generic  transformation  that  turns  any  (full  or  selective)  q-t-poly-IND  secure  func¬ 
tional  encryption  scheme  IND-YY  for  polynomial-sized  circuits  to  a  (full  or  selective)  q-Ypoly-SIM 
functional  encryption  scheme  SIM-J-Y  for  polynomial-sized  circuits,  assuming  one-way  functions. 

With  a  closer  examination  of  their  transformation,  it  is  easy  to  see  that  their  transformation 
works  for  general  classes  of  algorithms  (beyond  circuits) .  Below  we  state  the  generic  transformation 
theorem  implicit  in  their  security  proof. 

Proposition  3  (Generic  Transformation  from  FE  with  IND-Security  to  SIM-Security  (Implicit 
in  [CIJ+13])).  For  every  class  {AL \}  of  deterministic  Boolean  algorithms  that  are  closed  under 
composition  with  polynomial-sized  circuits,  the  following  holds:  Assuming  the  existence  of  one-way 
functions,  for  every  polynomial  q  and  i, 

•  if  there  is  a  (ful-)q-Ypoly-IND-secwe  (or  sel-q-Ypoly -IND -secure)  functional  encryption  scheme 
IND-YY  for  the  class  of  algorithms  {AL\\. 

•  then  there  is  a  (ful-)q-Ypoly-SIM-secrire  (or  sel-q-Ypoly-SIM-secwe  respectively)  functional 
encryption  scheme  SIM-YY  for  {AC\\, 

Furthermore,  the  following  efficiency  preservation  holds. 

•  if  IND-YY  has  optimal  efficiency,  or  space-  /  linear -time- dependent  complexity,  so  does 
SIM-YY,  and 

•  if  IND-YY  has  succinct  ciphertexts,  so  does  SIM-YY. 

Note  that  the  fact  that  the  resulting  SIM-secure  functional  encryption  scheme  can  have  optimal 
efficiency  (if  the  underlying  IND-secure  functional  encryption  has)  does  not  contradict  with  the  lower 
bound  that  the  ciphertext  and  key  sizes  must  scale  with  the  output  length,  because  we  consider 
only  Boolean  algorithms.  SIM-secure  functional  encryption  scheme  for  multi-bit  algorithms  can  be 
constructed  via  parallel  repetition  of  a  scheme  for  Boolean  algorithms;  in  this  case,  the  ciphertext 
and  key  sizes  do  scale  with  the  output  length. 
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5.5  From  SIM-secure  FE  to  Reusable  Garbling  Scheme 

The  work  by  Goldwasser  et.  al.  [GKP+13b]  give  a  transformation  from  a  (ful-)  1-1-0-SI  M-secure  func¬ 
tional  encryption  scheme  for  circuits  to  a  fully  secure  reusable  garbling  scheme.  It  is  straightforward 
to  see  that  their  construction  works  for  general  classes  of  algorithms  and  when  considering  reusable 
garbling  schemes  with  only  static  input  selection,  only  sel-l-l-O-SI M-secure  functional  encryption 
is  needed. 

Proposition  4  (Generic  Transformation  from  1-1-0-SI M-Secure  FE  to  Reusable  Garbling  Scheme 
(Implicit  in  [GKP+13b])).  For  every  class  {AC a}  of  well-formed  deterministic  Boolean  algorithms 
that  are  closed  under  composition  with  polynomial-sized  circuits,  the  following  holds:  Assuming 
the  existence  of  one-way  functions, 

•  if  there  is  a  (ful-)l-l-O-SIM-secure  (or  sel-l-l-O-SIM-secwreJ  functional  encryption  scheme 
SIM-JAS  for  the  class  of  algorithms  {AL\}, 

•  then  there  is  a  reusable  garbling  scheme  QS  for  {AC\]  with  adaptive  (or  static)  input  selec¬ 
tion. 

Furthermore,  the  following  efficiency  preservation  holds. 

•  if  S\M-F£  has  optimal  efficiency  or  I/O-  /space-  /  linear-time- dependent  complexity,  so  does 
QS,  and 

•  if  S\M-F£  has  succinct  ciphertexts,  QS  has  succinct  input  encodings. 

Combining  Proposition  2,  3  and  4,  with  our  construction  of  garbling  schemes  with  space- 
dependent  complexity,  we  obtain  the  following. 

Theorem  9.  Assume  the  existence  of  iO  for  P/poly  and  one-way  function,  there  is  re-usable 
garbling  scheme  for  TM  and  RAM  with  space  dependent  complexity. 

6  Garbling  v.s.  iO 

In  this  section  we  show  a  connection  between  (succinct)  iO  for  classes  of  algorithms  C  and  (succinct) 
garbling  schemes  for  the  same  classes  C.  Roughly  speaking, 

•  assuming  the  existence  of  (succinct)  iO  for  any  “nice”  class  C  of  algorithms  and  one-way 
functions,  there  exists  a  (succinct)  garbling  scheme  for  C; 

•  assuming  the  existence  of  iO  for  P/poly  and  a  (succinct)  garbling  scheme  for  any  “nice”  class 
C  of  algorithms,  both  with  sub-exponential  security,  there  exists  a  (succinct)  iO  for  C. 

6.1  From  Garbling  to  iO 

We  present  a  generic  transformation  from  a  garbling  scheme  for  an  algorithm  class  {AC\\  to  an 
indistinguishability  obfuscator  for  {AL\\,  assuming  sub-exponentially  indistinguishability  obfusca- 
tors  for  circuits.  We  require  that  the  algorithm  class  to  have  the  property  that  for  any  A  <  X'  £  N, 
it  holds  that  every  algorithm  AL  e  AC\  is  also  contained  in  AL\' — we  say  that  such  a  class  is 
“monotonically  increasing”.  For  instance,  the  class  of  Turing  machines  TM  and  RAM  machines 
RAM  are  all  monotonically  increasing. 
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Proposition  5.  Let  {AL\]  be  any  monotonically  increasing  class  of  deterministic  algorithms.  It 
holds  that  if  there  are 

•  i)  a  sub -exponentially  indistinguishable  iO,  iO° ,  for  circuits,  and 

ii)  a  sub- exponentially  indistinguishable  garbling  scheme  QS  for  {AC\}. 

•  then,  there  is  an  indistinguishability  obfuscator  iOA  for  {AC\\. 

Furthermore,  the  following  efficiency  preservation  holds. 

•  ifQS  has  optimal  efficiency  or  I/O- dependent  complexity,  iOA  has  I/O-dependent  complexity. 

•  If  QS  has  space- dependent  complexity,  so  does  iOA . 

•  IfQS  and  iOc  have  linear- time- dependent  complexity,  so  does  iOA. 

Proof  of  Proposition  5.  This  result  relies  on  a  notion  from  the  recent  work  by  Canetti,  Lin, 
Tessaro  and  Vaikuntanathan  [CLTV14]  which  they  refer  to  as  probabilistic  iO.  In  [CLTV14],  they 
show  that  assuming  sub- exponentially  indistinguishable  IO  for  circuits  and  sub- exponentially  secure 
puncturable  PRF,  the  following  natural  way  for  obfuscating  probabilistic  circuits  does  achieve  a 
limited  notion  of  indistinguishability-based  security.  Below,  we  first  recall  their  result  and  show 
how  to  apply  it  to  obtain  iO  from  garbling. 

Probabilistic  iO.  Consider  the  following  natural  way  of  obfuscating  a  probabilistic  circuit  C. 


C  A  piO(lx,C)  :  k£-  PRF-Gen(lA');  C'(x)  =  C(x;  F(k,  x));  C  A  iO{lx' ,  C'),  with  A'  =  poly(A,  C.n) 

The  work  of  [CLTV14]  showed  that  when  the  underlying  iO  and  PRF  are  all  sub-exponentially 
indistinguishable,  the  above  algorithm  piO  ensures  the  indistinguishability  of  the  obfuscation  of 
two  strongly  indistinguishable  circuits.  More  precisely,  two  circuits  (Ci,^)  with  n  =  C\.n  =  C2.n 
are  strongly  indistinguishable  w.r.t.  auxiliary  input  z  if  for  every  input  x  G  {0,  l}n,  outputs  of 
C\(x)  and  C2(x)  are  negl(A)2_n  indistinguishable  given  z. 

Lemma  1  (pIO  for  Circuits  [CLTV14]).  Consider  any  sequence  of  probabilistic  circuit  pairs  and 
auxiliary  input  {Cj),  C|,  z\},  such  that,  for  every  non-uniform  PPT  1Z,  and  every  A  G  N,  C1  =  C\, 

C2  =  C\,  z  =  z\, 

Vx  G  {0,  l}n,  where  n  =  C1  .n  =  C2.n 

|  Pr [y  G-  C'i(x)  :  K(Ci,C2,x,y,  z)  =  1]  -  Pr[y  A  C2(x)  :  C2,  x,  y,  z)  =  1]  |  <  negl(A)2_n 

Assuming  sub-exponentially  indistinguishable  iO  for  circuits  iOc ,  and  sub-exponentially  indis¬ 
tinguishable  OWF.  The  algorithm  piO  described  above  ensures  that, 

{cu  C2,piO( l\  Cl),  z}x  «  {Cl,  C2,piO(l\  C2),  z}x 

For  completeness,  we  include  a  proof  sketch  of  the  lemma. 

Proof  Sketch:  The  proof  of  the  lemma  essentially  relies  on  complexity  leveling.  To  see  the  proof, 
first  consider  a  simpler  case,  where  the  two  circuits  Ci  and  C2  have  identical  implementation  on 
all  but  one  input  x* ,  and  the  outputs  on  x* ,  Ci(x*)  and  C2(x*),  are  indistinguishable.  In  this  case, 
we  show  that  pi(D(lx,Ci)  «  piO(lx,C2).  Recall  that  C&  G-  piO(lx,Cb)  is  the  iO  obfuscation  of 
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program  C'b  that  evaluates  Cb  with  pseudo-random  coins  generated  using  a  hardwired  PRF  key 
k.  Thus,  it  follows  from  the  security  of  iO  that  Cb  is  indistinguishable  to  iO(C'f)  where  Cb  has  a 
punctured  key  k(x*)  and  Cb(x*;  F (k,  re*))  hardwired  in.  Then  it  follows  from  the  pseudo-randomness 
of  puncturable  PRF  and  the  indistinguishability  of  C\  (x*)  and  C2(x*)  that  iO(Cq)  and  iO(C ")  are 
indistinguishable.  Therefore,  by  a  hybrid  argument,  we  have  that  piO(  1A,  C\)  ~  piO(  1A,  C2). 

Now  consider  the  case  where  C±  and  C2  are  completely  different,  but  their  output  distributions 
are  negl(A)2_n-indistinguishable.  To  show  that  their  p IO  obfuscation  are  indistinguishable,  we  just 
need  to  consider  an  exponential,  2n,  number  of  hybrids,  where  in  each  hybrid,  the  implementation 
for  one  input  x*  is  changed  from  using  C 1  to  C2.  By  the  same  argument  as  before,  neighboring 
hybrids  have  a  distinguishing  gap  0(negl(A)2_n);  thus  by  an  exponential  hybrid  argument,  the 
overall  distinguishing  gap  is  bounded  by  negl(A).  This  concludes  the  lemma. 

Construction  of  iO  for  General  Algorithms.  Using  the  lemma  from  [CLTV14],  we  now  prove  Propo¬ 
sition  5. 

Given  2_Ae -indistinguishable  iO  iOc  and  garbling  scheme  QS ,  let  piO  be  the  obfuscator  for 
probabilistic  circuits  from  iOc  as  described  above.  Let  RE  be  the  following  “randomized  encoding” 
algorithm: 

( AL,x )  £-  RE(1X,  AL,x),  where  (AL,  key)  A  Garb(lA  ,AL,x ),  x  =  Encode(key,  2),  X'  =  (A+AL.n)1^ 

Note  that  it  is  due  to  the  monotonically  increasing  property  of  the  algorithm  class  that  we  can 
invoke  Garb  with  a  bigger  security  parameter  A'  for  AL  £  AC\.  Then  our  iO  for  the  general 
algorithm  class  proceeds  as, 

AL  A  iOA( l\  AL)  where  AL  A  piO{ A,  RE(l\  AL,  •)) 

It  follows  from  the  correctness  of  QS  and  iOc  underlying  piO  that  iOA  has  correctness. 

Security.  Next,  we  argue  about  the  security  of  iOA  by  contra-position.  Fix  a  polynomial  T,  a  non- 
uniform  PPT  samplable  distribution  V  over  the  support  {AL\  x  AC[  x  {0,  l}Poly(A)|j  such  that, 
with  overwhelming  probability,  (AL\,  AL2,  z )  P(1A)  satisfies  that  AL\  and  AL2  are  functionally 

equivalent  and  has  matching  parameters.  Suppose  that  iOA  is  insecure,  that  is,  there  is  a  non- 
uniform  PPT  A  that  distinguishes  the  following  ensembles  with  inverse  polynomial  probability 

l/p(A)- 


{(AL1,AL2,z)^V(1x)  :  (iOA(lx,  AL{), 

{(AL1,AL2,z)  AD(1A)  :  (iOA(lx,AL2),z)}^ 

Since  T>  satisfies  that  with  overwhelming  probability,  AL\,AL2  sampled  from  it  have  the  same 
functionality  and  matching  parameters,  there  exists  one  such  sequence  {{AL\^\,  AL2t\,  z\)}  w.r.t. 
which  A  distinguishes  obfuscation  of  ALi  \  and  AL2,\  given  2^  with  probability  l/2p(A).  By 
construction  of  iOA,  this  implies  that  A  distinguishes  the  following  ensembles  with  probability 
l/2p(A). 


{(piO(lx,RE(lx,ALhX,.)),zx)}x 

(7) 

{(piO(lx,RE(lx,AL2,x,-)),zx)}x 

(8) 
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We  show  this  A  contradicts  with  Lemma  1.  It  follows  from  2_Ae-indistinguishability  of  QS  and  the 
fact  that  algorithm  RE  invokes  the  garbling  algorithm  with  security  parameter  A'  =  (A  +  n)1/6,  for 
every  A  £  N,  and  x\  €  {0,  the  following  ensembles  are  negl(A)2_n-indistinguishable. 

{<?!,  c2,  xx,  RE(l\  ALhX,  xa)),  zx)}x 
|Ci,C2,xa,  RE(1A,  x\)),  ^a)|a 

where  Cb  =  RE(1A,  ALb,\,  •)•  Thus  it  follows  from  Lemma  1  that  ensembles  (7)  and  (8)  are  indis¬ 
tinguishable.  This  gives  a  contradiction  with  the  fact  that  A  distinguishes  them  and  hence,  the 
security  of  iOA  holds. 

Efficiency.  Finally,  we  analyze  the  efficiency  of  iOA.  It  is  easy  to  see  that  piO(\^  ,C)  runs  in 
polynomial  time  ppio(^' ,  |C|)  where  the  polynomial  ppio  depends  on  the  running  time  of  the  un¬ 
derlying  iO  and  PRF;  moreover,  if  the  underlying  iO  has  linear-time-dependent  complexity,  ppio 
also  depends  quasi-linearly  in  \C\.  Let  jore(A/,  \  AL\,n,  rn,  S ,  T)  be  the  running  time  of  RE(1A,  AL,  x) 
(depending  on  the  efficiency  of  QS,  the  polynomial  pre  depends  on  a  subset  of  the  parameters). 
Overall,  the  running  time  of  iOA(l>' ,  AL)  is 

Ppio{ A',  Pre(A', \AL\,n,  m,  S,  T))  where  A'  =  poly(A,  n) 

Therefore, 

•  If  QS  has  optimal  efficiency  (that  is,  pre  depends  only  on  rn)  or  I/O-dependent  complexity 
(that  is,  pre  does  not  depend  on  S,T),  iOA  has  I/O-dependent  complexity. 

•  If  QS  has  space-dependent  complexity  (that  is,  pre  depend  on  T),  so  does  iOA. 

•  If  QS  and  the  underlying  iO  has  linear-time-dependent  complexity  (that  is,  pre  depends 
quasi-linearly  on  T  and  so  does  ppio  on  IC'D,  so  does  iOA. 

Finally,  we  note  that  combining  the  proposition  with  constructions  of  garbling  schemes  for 
TM  and  RAM  in  Section  3  and  4,  we  directly  obtain  iO  for  TM  and  RAM  with  space-dependent 
complexity. 

Theorem  10.  Assume  a  sub- exponentially  indistinguishable  iO  for  circuits  and  sub- exponentially 
secure  OWE.  There  is  an  indistinguishability  obfuscator  for  TM  and  RAM  with  space- dependent 
complexity. 

Regarding  Evaluation  Efficiency.  Evaluating  the  iO  for  TM  and  RAM  obtained  in  Theorem  10 
on  input  x,  involves  evaluating  the  obfuscated  program  on  x  once  to  obtain  a  garbled  pair  (AL,  x), 
and  then  evaluate  them.  Therefore,  overall,  evaluation  takes  time  Tal(x)  x  poly(A,  \AL\,  AL.S). 
When  the  space  is  large,  the  overhead  on  computation  time  is  large.  We  can  then  improve  the 
evaluation  efficiency  (at  the  price  of  losing  succinctness  of  the  garbled  RAM)  by  combining  propo¬ 
sition  with  the  construction  of  garbling  RAM  by  [L013,  GHL+14],  Since  their  garbled  RAM  has 
size  and  evaluation  time  quasi-linear  in  the  time  complexity  (i.e. ,  poly(A,  |AL|,  AL.m)T),  we  can 
obtain  the  following: 

Theorem  11.  Assume  a  sub- exponentially  indistinguishable  iO  for  circuits  and  sub- exponentially 
secure  OWF.  There  is  an  indistinguishability  obfuscator  for  RAM  with  input  and  output  lengths 
bounded  by  a-priori  fixed  polynomials,  and  the  indistinguishability  obfuscator  has  linear-time  de¬ 
pendent  complexity. 
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We  note  that  when  combining  the  theorem  with  the  garbling  scheme  for  RAM  of  [L013, 
GHL+14]  in  a  straightforward  way,  it  actually  yields  only  an  iO  for  RAM  with  complexity  (in 
terms  of  both  size  and  evaluation  time)  polynomial  in  the  time  complexity  T  of  the  RAM  machine 
being  obfuscated.  However,  we  can  apply  the  same  trick  as  described  in  [GHRW14]  to  improve 
the  efficiency  of  the  iO  for  RAM  to  depend  only  quasi-linearly  on  T.  In  the  work  of  [GHRW14], 
they  noticed  that  in  the  construction  of  [L013,  GHL+14],  each  bit  in  a  garbled  RAM  and  an 
input  encoding  can  be  generated  using  a  small  circuit  of  size  0(|i?|  +  n  +  m)  x  poly(A,  log T), 
where  R  is  the  RAM  machine  under  consideration,  n  =  R.n ,  m  =  R.m  and  T  =  R.T.  Thus, 
to  achieve  linear-time-dependent  complexity,  we  can  simply  modify  our  construction  above  as  fol¬ 
lows.  Instead  of  directly  obfuscating  the  whole  randomized  encryption  algorithm  RE,  which  has 
size  S  =  0(\R\  +  n  +  m)  x  poly(A,logT)  x  T  and  leads  to  a  poly(S)  size  obfuscated  circuit,  do 
the  following:  Decompose  RE  into  a  set  of  S  small  circuits  {RE;}  each  of  which  computes  the 
ith  bit  in  the  randomized  encoding,  and  then  obfuscate  each  RE.;  separately.  Since  each  RE;  is 
small,  the  final  obfuscation  only  depends  on  T  quasi-linearly;  more  precisely,  the  complexity  is 
poly(A,  \R\,n,m,\ogT)  x  T. 

6.2  From  iO  to  Garbling 

We  here  show  how  to  transform  iO  for  a  class  C  into  garbling  scheme  for  the  same  class  with  the 
same  efficiency. 

Proposition  6.  Let  {AC \}  be  any  class  of  deterministic  algorithms.  R  holds  that  if  there  is  an 
iO  iO  for  {AC a},  then  there  is  a  garbling  scheme  QS  for  this  class.  Furthermore,  the  following 
efficiency  preservation  holds. 

•  if  iO  has  optimal  efficiency  or  input-  /  I/O-  dependent  complexity,  QS  has  I/O-dependent 
complexity. 

•  If  iO  has  space-  /  linear-time-  dependent  complexity,  so  does  QS. 

We  observe  that  combining  the  construction  of  iO  for  Turing  machines  with  input-dependent 
complexity  by  [BCP14,  ABG+13]  with  the  theorem,  we  obtain  a  Garbling  scheme  for  Turing  ma¬ 
chine  with  only  I/O  dependent  complexity. 

Corollary  1.  Assume  the  existence  of  iO  for  Turing  machines  with  input- dependent  complexity. 
There  is  a  garbling  scheme  for  Turing  machines  with  I/O-dependent  complexity. 

Proof  of  Proposition  6.  The  construction  is  quite  straight-forward  and  illustrates  the  difference  be¬ 
tween  obfuscation  and  garbling  schemes.  The  key  generation  is  simply  the  key  generation  algorithm 
for  Lamport’s  one-time  signature  scheme  [Lam79]  with  the  tweak  that  instead  of  using  a  one-way 
function  (as  in  Lamport’s  construction),  we  use  a  length  doubling  PRG — the  public  key  for  signing 
messages  of  length  n  consist  of  2 n  images  {c/  =  /(^;)};e[nl,6e{o,i}  °f  a  PRG  /,  and  the  secret  key 
is  the  set  of  pre-images  {^;};g[n],6e{o,i}i  both  the  public  and  secret  keys  are  output  as  part  of  the 
garbling  key.  The  encoding  of  an  input  x  is  a  signature  of  x  (i.e.,  (r}1, . . .  ,rfp),  and  the  encoding 
of  an  algorithm  AL  is  the  obfuscation  of  a  program  n  [AL]  that  on  input  n  (presumed)  pre-images  r 
determines  whether  there  exist  an  input  x  such  that  /(?’;)  =  cfl  and  if  so  runs  AL{x)\  otherwise  it 
simply  outputs  _L;  it  is  important  that  the  computation  performed  to  determine  the  input  x  takes 
a  number  of  steps  to  that  is  independent  of  the  input. 

To  show  that  this  construction  is  a  secure  garbling  we  need  to  exhibit  a  simulator  that  given  just 
the  output  y  =  AL(x)  of  the  program  AL  on  input  x  and  the  number  of  steps  T*  taken  by  AL(x) 
(as  well  as  other  parameters  (n,  m,  S,  T)  of  AL)  can  simulate  the  encoded  input  and  program. 
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To  simulate  the  encoded  input,  we  simply  output  n  random  pre-images  r,  and  to  simulate  the 
the  encoded  program,  we  simply  obfuscate  the  program  II  that  on  input  r  outputs  y  while  taking 
T*  steps,  and  on  any  other  input  outputs  _L  while  taking  to  steps.  (The  bound  parameters  of  II 
are  set  to  (n,  rri,  S ,  T).) 

To  show  indistinguishability  of  the  simulation,  we  consider  a  hybrid  experiment  which  proceeds 
just  as  the  real  one  expect  that  the  key  generation  algorithm  is  modified  so  that  (with  overwhelm¬ 
ing  probability)  there  only  exists  a  signature  for  the  message  x — we  simply  let  c]  ~~Xi  be  chosen 
as  a  uniform  random  string  (instead  of  picking  it  in  the  image  of  /.  By  the  security  of  the  PRG 
this  experiment  is  indistinguishable  from  the  real  one;  furthermore  (with  overwhelming  probabil¬ 
ity)  the  program  being  obfuscated  in  this  experiment  is  functionally  equivalent  and  has  the  same 
running-time  as  II  for  all  inputs,  and  thus  by  security  of  the  TM  indistinguishability  obfuscator 
this  experiment  is  indistinguishable  from  the  simulated  one.  □ 
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Abstract 

We  show  unconditionally  that  the  existence  of  commitment  schemes  implies  the  existence  of 
constant-round  non-malleable  commitments;  earlier  protocols  required  additional  assumptions 
such  as  collision  resistant  hash  functions  or  subexponential  one-way  functions. 

Our  protocol  also  satisfies  the  stronger  notions  of  concurrent  non-malleability  and  robustness. 
As  a  corollary,  we  establish  that  constant-round  non-malleable  zero-knowledge  arguments  for 
NP  can  be  based  on  one-way  functions  and  constant-round  secure  multi-party  computation  can 
be  based  on  enhanced  trapdoor  permutations;  also  here,  earlier  protocols  additionally  required 
either  collision-resistant  hash  functions  or  subexponential  one-way  functions. 
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1  Introduction 


Commitment  schemes  are  one  of  the  most  fundamental  cryptographic  building  blocks.  Often  de¬ 
scribed  as  the  “digital”  analogue  of  sealed  envelopes,  commitment  schemes  enable  a  sender  to 
commit  itself  to  a  value  while  keeping  it  secret  from  the  receiver.  This  property  is  called  hiding. 
Furthermore,  the  commitment  is  binding,  and  thus  in  a  later  stage  when  the  commitment  is  opened, 
it  is  guaranteed  that  the  “opening”  can  yield  only  a  single  value  determined  in  the  committing 
stage.  Their  applications  range  from  coin  flipping  [?]  to  the  secure  computation  of  any  efficiently 
computable  function  [?,?].  In  light  of  their  importance,  commitment  schemes  have  received  a 
considerable  amount  of  attention.  This  has  resulted  in  a  fairly  comprehensive  understanding  of 
the  hardness  assumptions  under  which  they  can  be  realized;  in  particular,  by  the  results  of  Naor 
[?]  and  Hastad  et  al  [?],  the  existence  of  one-way  functions  implies  the  existence  of  two-round 
commitments. 

For  many  applications,  however,  the  most  basic  security  guarantees  of  commitments  are  not 
sufficient.  For  instance,  the  basic  definition  of  commitments  does  not  rule  out  an  attack  where 
an  adversary,  upon  seeing  a  commitment  to  a  specific  value  v,  is  able  to  commit  to  a  related 
value  (say,  v  —  1),  even  though  it  does  not  know  the  actual  value  of  v.  This  kind  of  attack 
might  have  devastating  consequences  if  the  underlying  application  relies  on  the  independence  of 
committed  values  (e.g.,  consider  a  case  in  which  the  commitment  scheme  is  used  for  securely 
implementing  a  contract  bidding  mechanism).  Indeed,  for  the  general  task  of  secure  multi-party 
computation  [?],  such  independence  is  cruicial.  The  state  of  affairs  is  even  worsened  by  the  fact 
that  many  of  the  known  commitment  schemes  are  actually  susceptible  to  this  kind  of  attack.  In 
order  to  address  the  above  concerns,  Dolev,  Dwork  and  Naor  (DDN)  introduced  the  concept  of  non- 
malleable  commitments  [?].  Loosely  speaking,  a  commitment  scheme  is  said  to  be  non-malleable 
if  it  is  infeasible  for  an  adversary  to  “maul”  a  commitment  to  a  value  v  into  a  commitment  to  a 
related  value  v. 

More  precisely,  we  consider  a  man-in-the-middle  (MIM)  attacker  that  participates  in  two  con¬ 
current  execution  of  a  commitment  scheme  (C,  R)\  in  the  “left”  execution  it  interacts  with  an  honest 
committer  (running  C);  in  the  “right”  execution  it  interacts  with  an  honest  receiver  (running  R). 
Additionally,  we  assume  that  the  players  have  n-bit  identities  (where  n  is  polynomially  related  to 
the  security  parameter),  and  that  the  commitment  protocol  depends  only  on  the  identity  of  the 
committer;  we  sometimes  refer  to  this  as  the  identity  of  the  interaction.  Intuitively,  (C,  R)  being 
non-malleable  means  that  if  the  identity  of  the  right  interaction  is  different  than  the  identity  of 
the  left  interaction  (i.e.,  A  does  not  use  the  same  identity  as  the  left  committer),  the  value  A 
commits  to  on  the  right  does  not  depend  on  the  value  it  receives  a  commitment  to  on  the  left;  this 
is  formalized  by  requiring  that  for  any  two  values  V\,V2,  the  values  A  commits  to  after  receiving 
left  commitments  to  v\  or  v 2  are  indistinguishable. 

The  first  non-malleable  commitment  protocol  was  constructed  by  Dolev,  Dwork  and  Naor  [?] 
in  1991.  The  security  of  their  protocol  relies  on  the  minimal  assumption  of  one-way  functions  and 
requires  fi(logn)  rounds  of  interaction,  where  n  £  N  is  the  length  of  party  identities.  Non-malleable 
commitments  have  since  been  extensively  studied  in  the  literature;  the  main  question  has  been  to 
determine  the  number  of  communication  rounds  needed  for  non-malleable  commitments.  Let  us 
briefly  survey  some  of  this  literature. 

1.1  The  State  of  the  Art  of  Non-malleable  Commitments 

As  mentioned,  the  original  work  by  DDN  assumes  only  one-way  functions,  and  considers  the  “plain” 
model  of  execution;  that  is,  there  is  no  trusted  infrastructure.  DiCrenenzo,  Ishai  and  Ostrovsky 
[?]  and  follow-up  works  in  e.g.,  [?,  ?,  ?,  ?,  ?]  showed  how  to  improve  the  round-complexity  of  the 
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DDN  construction  when  assuming  the  existence  of  some  trusted  infrastructure  (e.g.  a  common 
random  string);  in  such  models  non-interactive  (i.e. ,  single  message)  non- malleable  commitments 
based  on  only  one-way  function  are  known  [?].  The  first  improvement  to  the  round-complexity  of 
the  DDN  construction  without  any  trusted  infrastructure  came  more  than  a  decade  later.  Following 
the  ground-breaking  work  by  Barak  on  non-black-box  simulation  [?],  in  2002,  Barak  [?]  presented  a 
constant-round  protocol  for  non-malleable  commitments;  the  security  of  this  protocol  however  relies 
on  the  existence  of  trapdoor  permutations  and  hash  functions  that  are  collision-resistant  against 
circuits  of  sub-exponential  size.  A  few  years  later,  Pass  and  Rosen  [?]  (relying  on  a  technique  from 
[?]),  showed  that  collision  resistant  hash  functions  secure  against  polynomially-sized  circuits  are 
sufficient  to  obtain  a  constant-round  protocol.  Next,  Pandey,  Pass  and  Vaikuntanathan  [?]  provided 
a  construction  of  a  non-interactive  non-malleable  commitment  based  on  a  new  hardness  assumption 
with  a  strong  non- malleability  flavour;  in  contrast  to  the  earlier  constant-round  constructions,  their 
protocol  has  a  black-box  proof  of  security. 

But,  despite  two  decades  of  research,  there  have  been  no  improvements  over  the  original  DDN 
construction,  when  only  assuming  the  existence  of  one-way  functions,  leaving  open  the  following 
question. 

Does  there  exist  a  sub-logarithmic  non-malleable  commitment  scheme,  assuming  only 

one-way  functions? 

1.2  Settling  the  Round-complexity  of  Non-Malleable  Commitments 

In  this  work,  we  settle  the  round-complexity  of  non-malleable  commitments:  we  present  a  constant- 
round  protocol  in  the  “plain”  model  that  is  based  on  the  assumption  of  one-way  functions,  and 
has  a  black-box  proof  of  security.  Since  the  existence  of  commitment  schemes  already  implies  the 
existence  of  one-way  functions  (cl.  [?]),  we  have: 

Theorem  1.  Assume  the  existence  of  a  commitment  scheme.  Then,  there  exists  a  constant-round 
non-malleable  commitment  scheme  with  a  black-box  proof  of  security. 

Concurrent  Non-malleability:  As  mentioned,  the  original  notion  of  non-malleability  considers 
an  MIM  attacker  participating  in  a  single  execution  on  the  left  and  a  single  execution  on  the  right. 
Already  the  original  DDN  paper  suggested  that  a  stronger  notion  of  non-malleability — concurrent 
non-malleability — where  the  MIM  may  participate  in  an  unbounded  number  of  executions  on  both 
the  left  and  the  right,  is  desirable.  Pass  and  Rosen  [?]  provided  the  first  construction  of  a  concur¬ 
rently  non-malleable  commitment  scheme;  their  scheme  only  has  a  constant  number  of  rounds  but 
relies  on  the  existence  of  claw- free  permutations  (and  non-black-box  techniques).  Subsequently, 
Lin,  Pass  and  Venkitasubramaniam  [?]  provided  an  0(n)-round  construction  based  on  one-way 
functions.  As  we  show,  our  protocol  is  also  concurrently  non-malleable. 

Robust  Non-malleability:  In  this  work  we  also  introduce  a  new  notion  of  non-malleability: 
robust  non-malleability.  Roughly  speaking,  whereas  traditional  non-malleability  considers  a  scenario 
where  a  MIM  participates  in  the  same  commitment  protocol  on  the  left  and  the  right,  r-robustness 
considers  a  notion  of  non-malleability  for  commitments  where  the  MIM  attacker  participates  in  an 
arbitrary  r-round  protocol  on  the  left,  and  the  commitment  protocol  on  the  right.  Robustness  is 
useful  when  using  non-malleable  commitments  as  subprotocols  within  larger  protocols  (see  Section 
1.3).  As  we  show,  for  any  constant  r,  our  protocol  can  be  made  r-robust  while  still  remaining 
constant-round. 

Thus  summarizing  the  above  discussion,  we  have: 
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Theorem  2.  Assume  the  existence  of  a  commitment  scheme.  Then,  for  any  constant  r,  there  exists 
a  constant-round  commitment  scheme  that  is  r-robust  concurrently  non-malleable  with  a  black-box 
proof  of  security. 

1.3  Applications  to  Secure  Computation 

As  mentioned,  “independence”  of  inputs  is  crucial  for  secure  multi-party  computation  protocols. 
Indeed,  there  has  been  a  tight  interplay  between  work  on  the  round-complexity  of  multi-party 
computation  (MPC)  and  work  on  non-malleable  commitments. 

Goldreich,  Micali  and  Wigderson’s  [?]  original  work  on  secure  multi-party  computation  showed 
a  Q(m)-round  multi-party  computation  protocol  based  on  the  existence  of  enhanced  trapdoor  per¬ 
mutations  (TDPs),  where  m  is  the  number  of  players  in  the  execution;  implicit  in  their  work  is  a 
0(n)-round  non-malleable  commitment  for  the  special  case  of  so-called  “synchronizing”  adversaries 
that  have  identities  of  length  log  n.  Subsequent  works  improved  the  round-complexity  by  making 
stronger  assumptions.  Katz,  Ostrovsky,  and  Smith  [?],  following  the  work  by  Chor  and  Rabin  [?], 
obtained  a  0(logm)-round  MPC  protocol  assuming  TDPs  and  dense-crypto  systems  by  relying  on 
the  non-malleable  commitments  from  [? ] .  By  additionally  assuming  the  existence  of  hash- function 
collision-resistant  against  circuits  of  sub-exponential  size  (and  non-black-box  techniques),  they  also 
obtained  a  0(l)-round  MPC  protocol  by  instead  relying  on  the  non-malleable  commitment  from 
[?].  More  recently,  Pass  [?],  showed  the  existence  of  a  0(l)-rounds  MPC  protocol  assuming  only 
TDPs  and  (standard)  collision  resistant  hash  functions  (but  still  using  non-black  box  techniques); 
this  technique  in  turned  was  used  in  the  non-malleable  commitment  of  [?]. 

The  implicit  connection  between  the  round-complexity  of  non-malleable  commitments  and  se¬ 
cure  multi-party  was  formalized  by  Lin,  Pass  and  Venkitasubramaniam  in  [?]:  they  show  that  the 
existence  of  k-round  4- robust  non-malleable  commitments  and  the  existence  of  TDPs  implies  the 
existence  of  0(k) -round  secure  midti-party  computation. 

Combining  the  result  of  [?]  with  Theorem  2,  we  get  that  secure  multi-party  computations  can 
be  performed  in  a  constant  number  of  round  based  on  only  TDPs. 

Theorem  3.  Assume  the  existence  of  enhanced  trapdoor  permutations.  Then  there  exists  a  constant- 
round  protocol  for  secure  multi-party  computation. 

1.4  Applications  to  Non-malleable  ZK 

Non-malleable  zero- knowledge  [?]  consider  the  execution  of  zero-knowledge  protocols  in  the  presence 
of  a  MIM  attacker.  Roughly  speaking,  a  zero- knowledge  protocol  is  non-malleable  if  the  MIM 
attacker  can  only  provide  convincing  right-interaction  proofs  of  statements  that  it  could  have  proved 
without  participating  in  the  left  interaction.  The  recent  result  of  [?]  shows  that  the  existence  of 
k-round  4- robust  non-malleable  commitments  implies  the  existence  of  O(k) -round  non-malleable 
zero-knowledge  arguments  for  NP.  By  combining  their  results  with  Theorem  2  we  directly  have 
that  the  existence  of  one-way  functions  implies  the  existence  a  constant-round  zero-knowledge 
argument  for  NP. 

Theorem  4.  Assume  the  existence  of  one-way  functions.  Then  there  exists  a  constant-round  non- 
malleable  zero-knowledge  argument  for  NP  with  a  black-box  proof  of  security. 

1.5  A  New  Technique:  “Message-scheduling  in  the  head” 

The  main  idea  underlying  all  non-malleable  commitment  schemes  is  to  “encode”  the  identity  of 
the  committer  into  the  protocol.  At  the  very  least,  this  ensure  that  unless  the  attacker  copies  the 

Approved  for  Public  Release;  Distribution  Unlimited. 

3 

130 


identity  of  the  left  committer,  the  attacker  cannot  simply  forward  messages  between  the  left  and 
the  right  executions.  But  we  also  need  to  ensure  that  the  attacker  cannot  in  a  clever  way  maul  the 
messages  it  receives  on  the  left  so  they  become  useful  on  the  right.  For  instance,  in  the  original 
DDN  construction,  the  identity  is  encoded  into  the  scheduling  of  messages  in  the  protocol;  on  a 
very  high-level  (and  oversimplifying),  the  idea  is  to  ensure  that  at  some  point  in  the  execution,  the 
MIM  must  “speak”  while  only  receiving  “useless”  messages.  The  problem  with  this  approach  is 
that  it  requires  a  high  round-complexity. 

We  will  revisit  the  DDN  approach.  The  main  idea  behind  our  scheme  is  to  perform  the  message 
scheduling  “in  the  head”.  A  bit  more  precisely,  our  protocol  follows  the  “simulation-soundness” 
paradigm  of  Sahai  [?],  first  used  in  the  context  of  CCA-secure  encryption,  and  next  used  by  Pass 
and  Rosen  [?]  in  the  context  of  non-malleable  commitments;  that  is,  the  main  component  of  our 
construction  is  a  method  for  enabling  us  to  “simulate”  the  left  interaction,  while  ensure  that  the 
right  interaction  remains  “sounds”.  Towards  this,  we  embedd  a  “trapdoor”  into  the  protocol  which 
depends  on  the  identity  of  the  interaction;  proving  simulation-soundness  then  essentially  amounts 
to  showing  that  there  exists  a  way  to  recover  the  trapdoor  for  the  left  intraction,  while  ensuring 
that  the  adversary  does  not  recover  the  trapdoor  for  the  right  interaction  (as  long  as  the  right 
interaction  has  a  different  identity  than  the  left  interaction). 

The  idea  is  to  have  a  protocol  where  the  trapdoor  can  be  recovered  by  “rewinding”  some  specific 
messages  in  the  protocol — called  “slots” — in  a  specific  order  which  depends  on  the  identity  of  the 
interaction.  Furthemore,  the  protocol  should  have  the  property  that  if  this  specific  rewinding  order 
is  not  the  rewinding  order  actually  used,  then  a  trapdoor  cannot  be  recovered.  So,  if  we  rewind  the 
left  interaction  according  to  the  rewinding  order  corresponding  to  the  identity  of  the  left  interaction, 
this  will  still  not  enable  the  adversary  to  recover  the  trapdoor  corresponding  to  the  right  interaction 
(unless  the  identity  of  the  right  interaction  is  the  same  as  the  identity  of  the  left  interaction).  In 
our  particular  instantiation  of  this  idea,  the  trapdoor  will  be  a  “signature-chain”  (i.e.,  a  signature 
on  a  signature  on  a  signature,  etc.)  of  length  n  (i.e.,  the  identity  length)  using  different  keys;  the 
choice  of  the  keys  in  the  signature  chain  are  determined  by  the  identity  of  the  interaction.  Next,  the 
protocol  will  have  a  “slot”  for  each  of  the  keys  where  the  receiver  is  willing  to  sign  a  single  message 
for  the  committer  using  the  key  corresponding  to  the  slot.  The  key  point  is  that  the  simulator  is 
able  to  rewind  the  slots  in  an  appropriate  order  to  recover  a  signature-chain  corresponing  to  the 
identity  of  the  left  interaction;  but  the  rewindings  will  still  not  enable  the  adversary  to  recover  a 
signature-chain  corresponding  to  any  other  identity. 

1.6  Historical  Notes 

This  paper  is  a  combined  version  of  [?]  and  [?].  In  [?],  we  first  showed  the  existence  of  a  0(l)log  n- 
round  protocol  that  is  based  on  the  existence  of  one-way  functions  and  uses  a  black-box  proof  of 
security.  On  a  high-level,  the  main  technique  of  [?]  was  a  method  for  amplifying  non-malleability : 
that  is,  we  presented  a  method  for  transforming  a  non-malleable  commitment  scheme  that  handles 
identities  of  length  t  into  one  that  handles  identities  of  length  0( 2t).  The  O(l)log  "-round  protocol 
was  finally  obtained  starting  off  with  the  protocol  of  DDN  for  constant  length  identities  and  next 
iteratively  amplifying  it.  The  notion  of  robust  non- malleability  was  also  first  defined  in  [?]  and  was 
an  intergral  part  of  the  amplification  procedure:  in  fact,  our  amplification  procedure  could  only  be 
applied  to  robust  non-malleable  commitments. 

In  [?],  we  additionally  pointed  out  that  amplification  procedure  also  yield  a  natural  route 
towards  constant-round  non-malleable  commitments:  it  suffices  to  come  with  a  constant-round 
protocol  that  handles  identities  of  length  log^  k)n  =  log  log  . . .  logn,  where  k  is  a  constant;  any  such 
protocol  can  be  amplified  to  a  full-fledged  non-malleable  commitment  while  still  remaining  constant 
round.  Subsequent  work  by  Pass  and  Wee  [?]  obtained  a  constant-round  protocol  based  on  sub- 
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exponetially  hard  one-way  functions  (again  using  a  black-box  proof  of  security),  by  following  this 
paradigm:  subexponential  one-way  functions  were  used  to  construct  a  constant-round  non-malleable 
commitment  for  “small”  identities,  and  the  protocol  can  then  be  amplified  into  a  full-fledged  one. 
An  elegant  work  by  Wee  [?]  later  simplified  an  imporved  the  amplification  procedure  of  [?],  leading 
to  a  protocol  using  0(log*  n)-rounds,  based  on  one-way  functions. Finally,  independently  of  [?],  a 
beatiful  work  by  Goyal  also  obtains  a  constant-round  non-malleable  commitment  based  on  one-way 
functions;  the  construction  of  [?]  also  follows  the  above  amplification  paradigm  by  Goyal  instead 
constant-round  robust  non-malleable  commitment  protocol  for  small  identities  based  on  one-way 
functions. 

The  construction  from  [?]  is  direct:  we  no  longer  require  amplification;  instead  we  directly 
construct  a  full-fledged  robust  non-malleable  protocol.  Nevertheless,  some  of  the  ideas  used  in  the 
amplification  procedure  are  helpful  when  analyzing  our  protocol. 

1.7  Outline 

In  Section  2,  we  provide  some  preliminaries.  In  Section  3,  we  provide  an  overview  of  our  protocol 
construction  and  its  security  proof.  In  Section  4  we  provide  some  formalizations  and  results  abouts 
“signature-chains”.  Our  protocol  (which  relies  on  the  notion  of  a  signature  chain)  is  presented  in 
Section  5.  We  provide  the  proof  of  (stand-alone)  non-malleabilty  in  Section  6;  in  Section  7  and  8, 
we  demonstrate  that  our  protocol  is  also  concurrent  non-malleable,  and  can  be  made  r-robust  for 
any  constant  r. 

2  Preliminaries 

Let  N  denote  the  set  of  all  positive  integers.  For  any  integer  n  G  N,  let  [n]  denote  the  set 
{1,2,...,  n},  We  denote  by  {0,  l}n  the  set  of  binary  strings  of  length  n,  and  {0, 1, 2}n  the  set  of 
trinary  strings  of  length  n.  Given  a  binary  (or  trinary)  string  ip  of  length  n,  we  denote  by  [ip]\ 
the  prefix  of  ip  of  length  i.  We  denote  by  WT  probabilistic  polynomial  time  Turing  machines. 
We  assume  familiarity  with  interactive  Turing  machines,  denoted  ITM,  interactive  protocols,  and 
computational  indistinguishability;  the  formal  definitions  of  interactive  protocols  and  comutational 
indistinguishability  are  provided  in  Appendix  A.  Given  a  pair  of  ITMs,  A  and  B,  we  denote  by 
(A(x),B(y))(z)  the  random  variable  representing  the  (local)  output  of  B ,  on  common  input  z  and 
private  input  y ,  when  interacting  with  A  with  private  input  x,  when  the  random  tape  of  each 
machine  is  uniformly  and  independently  chosen. 

2.1  Signature  Schemes 

We  focus  on  fixed-length  signature  schemes  II  =  (Gen,  Sign,  Ver),  that  is,  the  signing  algorithm 
Sign  on  input  ln,  a  public  key  pk  and  a  message  m  G  {0, 1}* ,  always  outputs  a  signature  of  length  n. 
We  refer  the  reader  to  [?]  for  a  formal  definition.  Such  signature  schemes  can  be  constructed  relying 
on  universal  one-way  hash  functions  [?],  which  in  turn  can  be  based  on  any  one-way  function  [?]. 
Below,  a  signature  scheme  always  refers  to  a  fixed-length  signature  scheme. 

2.2  Commitment  Schemes 

Commitment  schemes  are  used  to  enable  a  party,  known  as  the  sender,  to  commit  itself  to  a 
value  while  keeping  it  secret  from  the  receiver  (this  property  is  called  hiding).  Furthermore,  the 
commitment  is  binding,  and  thus  in  a  later  stage  when  the  commitment  is  opened,  it  is  guaranteed 
that  the  “opening”  can  yield  only  a  single  value  determined  in  the  committing  phase.  In  this  work, 
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we  consider  commitment  schemes  that  are  statistically-binding,  namely  while  the  hiding  property 
only  holds  against  computationally  bounded  (non-uniform)  adversaries,  the  binding  property  is 
required  to  hold  against  unbounded  adversaries.  We  refer  the  reader  to  [?]  for  a  formal  definition. 

Two-round  (i.e.,  a  single  message  from  the  receiver  followed  by  a  single  message  from  the 
committer)  commitment  schemes  are  known  to  exist  based  on  the  minimal  assumption  of  one-way 
functions  [?,  ?].  In  the  sequel  of  the  paper,  a  commitment  scheme  always  refers  to  a  statistically- 
binding  commitment. 

Tag-based  Commitment  Scheme.  Following  [?,  ?],  we  consider  tag-based  commitment  schemes 
where,  in  addition  to  the  security  parameter,  the  committer  and  the  receiver  also  receive  a  “tag” — 
a.k.a.  the  identity — id  as  common  input. 


2.3  Concurrent  Non-Malleable  Commitments 


We  recall  the  definition  of  concurrent  non-malleability  from  [?].  For  convenience,  we  use  a  slightly 
different  presentation  (based  on  indistinguishability  rather  than  simulation);  equivalence  follows 
using  a  standard  argument  (c.f.  [?,  ?]).  Let  (C,R)  be  a  tag-based  commitment  scheme,  and  let 
n  £  N  be  a  security  parameter.  Consider  a  man-in-the-middle  adversary  A  (as  shown  in  figure  1) 
that,  on  inputs  n  and  2  (where  z  is  received  as  an  auxiliary  input),  participates  in  m  left  and  right 
interactions  simultaneously.  In  the  left  interactions  the  man-in-the-middle  adversary  A  interacts 
with  C,  receiving  commitments  to  values  vi, . . .  ,vm,  using  identities  of  length  n,  idi,...,idm  G 
{0,  l}n,  of  its  choice.  In  the  right  interactions  A  interacts  with  R  attempting  to  commit  to  a 
sequence  of  related  values  v\, . . . ,  vm,  again  using  identities  of  length  n  i d  1 , . . . ,  idm  of  its  choice.  If 
any  of  the  right  commitments  are  invalid,  or  undefined,  its  value  is  set  to  _L.  For  any  i  such  that 
idj  =  idj  for  some  j,  set  Vi  =  _L  i.e.,  any  commitment  where  the  adversary  uses  the  same  identity 
as  one  of  the  left  interactions  is  considered  invalid.  Let  ^  (iq, . . . ,  vm,  z)  denote  a  random 

variable  that  describes  the  values  v\, . . .  ,vm  and  the  view  of  A,  in  the  above  experiment. 


Definition  1.  A  commitment  scheme  (C,R)  is  said  to  be  concurrent  non-malleable  (with  respect 
to  itself)  if  for  every  polynomial  p(-),  and  every  VVT  man-in-the-middle  adversary  A  that  par¬ 
ticipates  in  at  most  rri  =  p(n )  concurrent  executions,  the  following  ensembles  are  computationally 
indistinguishable. 


(tq,  .  .  .  ,  Vm ,  z)  ^ 


n£N,vi,...,vm 

n£N,vi,...,vm 


e{o,i}",</i,...yme{o,i}’ve{o,i}* 

e{o,i}^q,...yme{o,i}’ve{o,i}* 


We  also  consider  relaxed  notions  of  concurrent  non-malleability:  one-one,  one-many,  and  many- 
one  secure  non-malleable  commitments  (See  Figure  2  below.)  In  a  one-one  (a.k.a.,  a  stand-alone 
secure)  non-malleable  commitment,  we  consider  only  adversaries  A  that  participate  in  one  left  and 
one  right  interaction;  in  one-many,  A  participates  in  one  left  and  many  right,  and  in  many-one,  A 
participates  in  many  left  and  one  right. 

As  shown  in  [?],  any  protocol  that  is  one-many  non-malleable  is  also  concurrent  non-malleable. 

Proposition  1  ([?]).  Let  (C,R)  be  a  one-many  concurrent  non-malleable  commitment.  Then, 
( C ,  R)  is  also  a  concurrent  non-malleable  commitment. 


2.4  Robustness:  Non-Malleability  w.r.t.  /c-round  Protocols 

The  concept  of  non-malleability  is  traditionally  only  considered  in  a  setting  where  a  man-in-the 
middle  adversary  is  participating  in  two  (or  more)  executions  of  the  same  protocol.  We  here 
consider  a  new  notion  of  non-malleability  with  respect  to  arbitrary  L-round  protocols. 
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Com(vm 

Figure  1:  A  concurrent  man-in-the-middle  adversary. 


4.  Com{yi) 

Comfv  1)  \ 

Comfv )  -+A-+  Comfv ) 

/  ■" 

Com{v)  ->A->-  Com{vi) 

\  - 

\ 

Com(vi )  -» -A-*  Com(v) 

...  f 

*  Com(vm ) 

Com(vm )  / 

(i)  one-one 


(ii)  one-many 


(iii)  many-one 


Figure  2:  Restricted  man-in-the-middle  adversaries. 


Consider  a  one-many  man-in-the-middle  adversary  A  (as  shown  in  figure  3)  that  participates  in 
one  left  interaction — communicating  with  a  machine  B — and  many  right  interactions — acting  as  a 
committer  using  the  commitment  scheme  (C,R).  As  in  the  standard  definition  of  non-malleability, 
A  can  adaptively  choose  the  identities  in  the  right  interactions.  We  denote  by  m\m^  R^{y,z)  the 
random  variable  consisting  of  the  view  of  A(z)  in  a  man-in-the-middle  execution  when  communicat¬ 
ing  with  B(y )  on  the  left  and  honest  receivers  on  the  right,  combined  with  the  values  A(z)  commits 
to  on  the  right.  Intuitively,  we  say  that  ( C,R )  is  one-many  non-malleable  w.r.t  B  if  (y\,  z) 

and  (7/2,  z)  are  indistinguishable,  whenever  interactions  with  B(y\)  and  A? (2/2)  cannot  be 

distinguished. 

Definition  2.  Let  ( C,R }  be  a  commitment  scheme,  and  B  a  TVT  ITM.  We  say  the  commitment 
scheme  ( C ,  R)  is  one-many  non-malleable  w.r.t.  B,  if  for  every  two  sequences  {ylftn&N  and  {yfyneN, 
Vn ,  Vn  ^  {0, 1}”,  such  that,  for  all  VVT  ITM  A,  it  holds  that 


{(BfeJUMXl”)} 


ne^zefo,!}* 


{(B(yl),  A(*))(l“)} 


neiV,ze{  0,1}* 


then  it  also  holds  that,  for  every  VVT  one-many  man-in-the-middle  adversary  A, 


ne/Vizefo,!}* 


neA'izGfO,!}* 


We  say  that  ( C ,  R)  is  one-many  fc-robust  if  ( C ,  R)  is  one-many  non-malleable  w.r.t.  any  machine 
B  that  interacts  with  the  man-in-the-middle  adversary  in  k  rounds. 


3  Proof  Overview 

To  explain  the  main  ideas  behind  our  construction,  we  here  focus  on  outlining  the  construction 
of  a  constant-round  non-malleable  commitment  scheme  that  is  secure  for  synchronizing  and  non¬ 
aborting  adversaries;  we  next  comment  on  how  to  deal  with  general  adversaries.  An  adversary  is 
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B(y) 


A 


Com(v  i) 
Com(vi) 
Com(vm ) 


Figure  3:  A  concurrent  man-in-the-middle  adversary  with  respect  to  protocol  B  on  input  y. 


said  to  be  synchronizing  if  it  “aligns”  the  left  and  the  right  executions;  that  is,  whenever  it  receives 
message  i  on  the  left,  it  directly  sends  message  i  on  the  right,  and  vice  versa.  An  adversary  is  said 
to  be  non-aborting  if  it  never  sends  any  invalid  messages  in  the  left  interaction  (where  it  is  acting 
as  a  receiver);  it  might  still  send  invalid  messages  on  the  right. 

As  mentioned  in  the  introduction,  the  idea  is  to  have  a  protocol  with  an  “identity-based  trap¬ 
door”  embedded  into  it.  The  trapdoor  will  be  a  “signature-chain”  using  a  sequence  of  keys  that 
are  determined  by  the  identity  of  the  protocol.  More  precisely,  we  say  that  (<to,  <ti,  . . . ,  an)  is  a 
plain  signature  chain 1  with  respect  to  the  signature  scheme  II,  the  verification  keys  vko,vki  and 
the  pattern  tp  £  {0,  l}n  if  (j0  =  0  and  for  all  0  <  i  <  n,  (Jl+\  is  a  signature  on  the  message  (i,  cq) 
with  respect  to  the  key  vk^i+1 .  For  convenience  of  notation,  for  the  remainder  of  this  section  we 
fix  a  particular  signature  scheme  II;  all  signatures  we  use  are  with  respect  to  this  this  particular 
scheme. 

The  following  simple  claim  regarding  signature  chains  will  be  useful.  Consider  a  “signature 
game”  where  an  adversary  A  gets  access  to  two  randomly  chosen  verification  keys  vko,vki  and 
additionally  has  access  to  signature  oracles  with  respect  to  vko  and  vk\ ;  let  <p  denote  the  “access 
pattern”  of  the  adversary  to  the  signature  oracle  (that  is,  if  the  i’th  oracle  call  is  to  the  signature 
oracle  w.r.t.  vkb ,  then  pi  =  b).  The  claim  now  is  that,  with  overwhelming  probability,  if  in  the 
signature  game,  A  manages  to  output  a  plain  signature  chain  with  respect  to  vko,vk\  and  pattern 
ip,  then  ^  is  a  substring  of  ip. 

The  protocol  for  committing  to  a  string  v  with  identity  id  proceeds  as  follows: 

•  Slot  1:  The  receiver  R  generates  a  key-pair  (sko,vko)  for  the  signature  scheme  II,  and  sends 
vko  to  the  committer  C.  C  next  send  a  random  message  ro  to  R  who  signs  ro  and  then 
returns  the  signature  to  C. 

•  Slot  2:  R  generates  another  key-pair  (ski,vk\)  and  sends  vko  to  the  committer  C.  As  in 
Slot  1,  C  next  send  a  random  message  n  to  R  who  signs  r\  and  then  returns  the  signature 
to  C. 

•  Commit  phase:  C  commits  to  v  using  a  standard  statistically  binding  commitment. 

•  Proof  phase:  C  gives  R  a  “special-purpose”2  witness  indistinguishable  argument  of  knowl¬ 
edge  of  the  fact  that  it  either  knows  the  value  committed  to  in  the  commit  phase,  or  that  it 
knows  a  plain  signature  chain  with  respect  to  vko,vki  and  id. 

We  now  turn  to  argue  that  this  protocol  is  non  malleable  with  respect  to  non-aborting  and 
synchronizing  adversaries.  For  simplicity,  we  here  focus  only  on  one-one  (i.e.,  stand-alone)  non¬ 
malleability  (but  the  same  proof  actually  also  works  for  concurrent  non-malleability).  Consider  a 

1We  use  the  name  “plain  signature  chain”  (instead  of  just  “signature  chain”),  since  the  actual  signature  chains 
we  will  use  in  the  final  construction  will  be  a  bit  more  complicated. 

2We  will  shortly  explain  what  makes  this  proof  special. 
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man-in-the-middle  adversary  A  that  uses  identity  id  on  the  left  and  identity  id  ^  id  on  the  right, 
and  receives  a  commitment  to  the  value  v  on  the  left.  We  will  argue  that  no  matter  what  the  value 
of  v  is,  the  value  it  commits  to  on  the  right  will  be  indistinguishable.  Towards  this  goal,  consider  a 
hybrid  experiment  where  the  left  interaction  is  simulated  by  acting  honestly  in  Slot  1  and  2,  next 
committing  to  0,  and  finally  using  a  “fake-witness” — namely  a  signature  chain—  in  the  proof  phase; 
the  simulator  obtains  this  fake  witness  by  simply  rewinding  Slot  1  and  2  (that  is,  to  rewinding  slot 
b,  we  restore  the  state  of  A  after  vkb  has  been  sent,  and  send  a  new  message  to  be  signed)  in  the 
appropriate  order  to  obtain  a  signature  chain  with  respect  to  id  (note  that  since  A  is  non-aborting, 
each  time  the  simulator  asks  it  to  sign  a  message,  it  does).  To  show  the  above  claim,  we  now  argue 
that  no  matter  what  the  value  of  v  is,  the  value  A  commits  to  on  the  right  in  the  real  execution 
(when  receiving  a  commitment  to  v),  is  indistinguishable  from  the  value  it  commits  to  on  the  right 
when  the  left  interaction  instead  is  simulated. 

The  key-point  of  the  proof  is  the  claim  that  even  in  the  simulation,  A  cannot  use  a  fake-witness 
in  the  right  interaction.  This  follows  from  the  fact  that  since  A  is  synchronizing,  when  we  rewind 
Slot  1  and  2  on  the  left,  the  same  slots  are  rewound  on  the  right  in  exactly  the  same  order.  Thus,  by 
the  signature-game  claim,  if  A  manages  to  get  a  signature  chain  it  must  be  a  subset  of  the  pattern 
Olid  (the  reason  we  need  to  append  01  is  that  A  gets  two  signatures  in  the  honest  emulation  of 
Slot  1  and  2,  already  before  we  start  the  rewindings).  So,  if  we  appropriately  restrict  the  identity 
set  (for  instance,  by  requiring  that  all  identities  start  with  10)  then  the  only  valid  identity  that  is 
a  substring  of  Olid  is  id,  and  thus  id  =  id,  which  is  a  contradiction. 

To  argue  that  the  value  committed  to  on  the  right  does  not  change  when  we  move  from  the  real 
interaction  to  the  simulation,  consider  an  intermediary  hybrid  where  we  only  change  the  witness 
used  in  the  proof  phase  (but  keep  the  value  committed  to  in  the  commit  phase  to  v).  Note  that 
since  the  adversary  is  synchronizing,  the  proof  phase  of  the  left  interaction  appears  completely  after 
the  commitment  (in  Stage  2)  in  the  right  interaction.  Therefore,  the  right  value  does  not  change 
at  all  when  switching  the  the  witness  used  in  the  proof  phase  on  the  left. 

Finally,  we  simply  have  to  argue  that  the  value  on  the  right  does  not  change  once  we  change  the 
value  committed  to  in  the  commit  phase  on  the  left.  By  the  hiding  property  of  the  left  commitment, 
the  view  of  the  adversary  does  not  change  when  the  left  committed  value  switches.  But  since  the 
value  committed  to  on  the  right  cannot  be  efficiently  recovered,  this  does  not  directly  imply  that 
the  committed  value  also  is  indistinguishable.  To  resolve  this  problem,  we  rely  on  the  argument 
of  knowledge  property  of  the  proof  phase:  A  witness  on  the  right  can  be  extracted  efficiently  from 
the  proof  phase.  Since  the  witness  used  in  the  right  interaction  cannot  be  a  fake  witness  (by  the 
key-claim  above),  it  must  be  the  value  committed  to  in  the  commit  phase,  so  indistinguishability 
of  the  committed  value  follows  from  the  hiding  property  of  the  the  left  commitment. 

Dealing  with  aborting  adversaries:  When  considering  aborting  adversaries,  we  run  into  two 
obstacles: 

•  The  adversary  might  notice  that  the  simulator  is  feeding  it  signature  chains  to  sign  (instead  of 
random  messages)  and  thus  decide  to  abort  the  left  execution.  We  handle  this  by  adapting  the 
definition  of  a  signature  chain:  instead  of  requiring  the  chain  to  be  “a  signature  on  a  signature 
on  a  signature...  etc”,  we  require  a  signature-chain  to  be  a  signature  on  “a  commitment  of 
a  signature  on  a  commitment  of  a  signature...  etc”.  And  next,  in  the  protocol,  we  let  C 
send  commitments  to  0  instead  of  random  strings.  To  be  able  to  establish  an  analog  of  the 
above  signature-game  claim,  we  additionally  require  C  to  give  a  zero-knowledge  argument  of 
knowledge  of  the  value  it  committed  to  before  R  agrees  to  sign  it. 

•  Another  problem  is  that  A  might  abort  the  left  execution  with  some  probability  p.  This  means 
that  we  might  have  to  rewind  the  left  execution  many  times  (roughly  1/p  times)  before  getting 
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the  signature  we  are  looking  for.  As  a  consequence,  the  ”  access  pattern”  on  the  right  will  be 
a  substring  of  Olid^id^  . . .  id* .  To  get  around  this  problem,  we  add  an  additional  slot  (and  a 
corresponding  signature  key).  Next,  we  require  that  the  signature-chain  corresponding  to  the 
identity  id  to  be  with  respect  to  the  pattern  2idi2id22id3  . . .  2idn. 

Dealing  with  non-synchronizing  adversaries:  As  is  usually  the  case,  synchronizing  adversaries 
are  the  “hardest”  to  deal  with.  To  prove  security  against  non-synchronizing  adversaries,  we  follow 
basically  the  same  argument:  First,  if  A  is  not  synchronizing  there  exists  some  slot  that  is  never 
rewound  and  so  if  the  identity  of  the  right  interaction  contains  at  least  two  0’s  and  two  l’s,  we 
can  still  establish  the  above  key-claim.  Next,  to  argue  that  the  committed  value  on  the  right  does 
not  change,  we  consider  again  the  intermediary  hybrid  above.  However,  when  the  adverary  is  not 
synchronizing,  it  may  choose  to  interleave  messages  in  the  proof  phase  of  the  left  interaction  and 
the  commitment  of  the  right  interaction,  and  thus  the  right  committed  value  may  change  when 
the  witness  on  the  left  changes.  To  overcome  this  problem,  we  again  rely  on  the  argument  of 
knowledge  property  of  the  proof  phase  to  extract  a  witness  from  the  right  intearction.  Since  the 
witness  cannot  be  a  signature-chain  (by  the  key-claim),  it  must  be  the  committed  value;  then  the 
indistinguishablity  of  the  committed  vallue  follows  from  the  witness-indistinguishability  of  the  left 
proof  phase.  However,  one  problem  is  that  extraction  on  the  right  may  rewind  the  left  proof  phase 
and  thus  break  the  witness  indistinguishability  property.  One  way  of  resolving  this  problem  would 
be  to  (in  analogy  with  [?])  have  the  proof  phase  be  statistically  witness  indistinguishable;  but  this 
requires  additional  assumptions  (to  keep  it  constant-round).  Instead,  we  here  introduce  a  different 
technique  to  to  overcome  this  problem:  we  let  the  proof  phase  consist  of  multiple  sequentially 
ordered  witness  indistinguishable  special-sound  proofs.3  This  allows  us  to  change  the  witness  in 
each  of  the  proofs,  one  by  one,  while  ensuring  that  the  witness  on  the  right  can  be  extracted  from 
some  other  proof,  without  rewinding  the  left  proof  where  the  witness  currently  is  being  changed. 

4  Signature  Chains  and  Games 

Let  n  =  (Gen,  Sign,  Ver)  be  a  fixed-length  signature  scheme,  and  com  a  statistically-binding 
commitment  scheme.  For  simplicity  of  notation,  we  keep  these  schemes  fixed,  and  provide  our 
definitions  and  protocols  with  respect  to  those  particular  schemes.  Furthermore,  for  simplicity  of 
exposition,  we  assume  that  com  that  is  non-interactive;  however,  all  of  our  definitions  and  protocols 
can  be  easily  modified  to  work  with  any  two-round  statistically-binding  commitment  schemes;  see 
Remark  5  for  further  details. 

We  now  turn  to  formally  defining  the  notion  of  a  signature- chain  and  then  proceed  to  defining 
signature- games. 

Definition  3  (Signature-Chain).  Let  t  6  N,  6  {0,1, 2}^  and  vko,vk\,vk2  6  {0,1}*  be  three 
verification  keys  for  the  signature  scheme  n.  We  say  that  a  triplet  5  =  ( d,c,f )  is  a  signature-chain 
w.r.t.  keys  vko,vk\,vk2  and  pattern  if  a,  c,  and  f  are  vectors  of  length  £  satisfying  the  following 
properties. 

•  For  alii  6  [£],  di  is  valid  signature  of  the  message  Ci  under  key  vk^ ,  i.e.,  Ver(vkfa,(ji,Ci)  =  1. 

•  For  all  1  <  i  <  £,  Ci  is  a  commitment  to  the  tuple  (i  —  l,cfj_i)  using  com  and  randomness  ft; 
and  ci  is  a  commitment  to  0m  using  com  and  randomness  f\,  where  m  =  \og£  +  n. 

3This  method  was  originally  used  by  us  in  the  amplification  procedure  of  [?];  this  “trick”  is  also  a  central  component 
enabling  the  works  of  [?,  ?]. 
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We  say  that  a  signature-chain  6  =  (a,c,r)  has  length  £  if  |a|  =  l. 

We  proceed  to  define  a  signature-game  SGA'e(n,  z),  where  A  on  input  1  n,z  interacts  with  a 
Challenger  in  the  following  three  stages: 

Stage  1:  the  Challenger  samples  three  pairs  of  signing  and  verification  keys  at  random,  (skb,  vkf)  <— 
Gen(  1”),  where  b  £  {0, 1,2},  and  sends  A  the  verification  keys,  vko,  vk\,  and  vk2- 

Stage  2:  A  interacts  with  the  Challenger  in  a  sequence  of  iterations  for  as  long  as  it  wishes. 
Iteration  i  proceeds  as  follows: 

•  A  sends  the  Challenger  a  tuple  (< pi,c ),  where  pi  £  {0,1,2},  followed  by  a  5-round 
ZKAOK  proof  of  the  statement  that  c  is  a  valid  commitment  of  com. 

•  if  the  proof  is  convncing,  the  Challenger  signs  the  commitment  c  using  the  signing  key 
slfi  and  returns  the  signature  to  A;  otherwise,  it  aborts  the  iteration  (without  giving 
back  a  signature). 

Stage  3:  Finally,  A  outputs  the  tuple  {5, if). 

We  call  the  sequence  p  =  p\,p2,  •  •  •  of  signing  request,  the  “access  pattern”  of  A.  We  say  that  the 
output  of  A  is  well-formed  if  6  is  a  length  l{n)  signature-chain  with  respect  to  vko,vki,vk2  and  if. 
Finally,  we  say  that  A  wins  if  its  output  is  well- formed  at  if  is  not  a  substring  of  its  access  pattern 
c p  (and  looses  otherwise). 

Lemma  1.  For  every  VVT  adversary  A  and  every  polynomial  l,  there  exists  a  negligible  function 
H,  such  that  for  every  n  £  N,  z  £  {0, 1}* ,  the  probability  that  A  wins  in  SGA,e(n,  z )  is  at  most  g(n). 

Proof.  Consider  any  adversary  A,  polynomial  £,  n  £  N,  and  z  £  {0, 1}*.  Without  loss  of  generality, 
we  can  assume  that  A  always  outputs  tuples  (5  =  (a,c,f),if)  such  that  |d)  =  |c|  =  |f|  =  if\  =  l(n ) 
(since  whenever  it  doesn’t  it  loses).  For  each  i  £  [Z(n)],  define  the  random  variable  2}  to  be  the 
index  of  the  first  iteration  (in  Stage  2  of  the  game  SG A,e(n,  z))  in  which  A  queries  the  Challenger 
for  a  signature  of  the  commitment  c,  under  key  v ^ ;  if  A  never  queries  the  Challenger  for  a  signature 
of  Cj,  2}  is  set  to  _L. 

Note  that  if  the  output  of  A  is  well-formed,  it  contains  a  signature-chain  <5  =  ( <r,  c,  f )  w.r.t. 
pattern  if,  such  that  for  every  i,  cr,  is  a  valid  signature  of  c*  under  key  v^i.  It  thus  follows  from  the 
unforgibility  of  the  signature  scheme  that,  except  with  negligible  probability,  for  each  i,  A  must 
have  queried  c,  for  a  signature  of  v^i  in  some  iteration.  We  thus  have  the  following  claim. 

Claim  1.  For  every  VVT  adversary  A  and  polynomial  l,  there  exists  a  negligible  function  g \ , 
such  that  for  all  n  £  N,z  £  {0,1}*,  the  probability  that  the  output  of  A  in  SGA’£(n,  z)  is  of  A  is 
well-formed  and  there  exists  an  i  £  [ [£(n)\  such  that  2}  =  _L,  is  smaller  than  gi(n). 

We  also  have  the  following  claim. 

Claim  2.  For  every  VVT  adversary  A  and  polynomial  i,  there  exists  a  negligible  function  g2,  such 
that,  for  all  n  £  N,z  £  {0,1}*,  the  probability  that  the  output  of  A  in  SGA'e(n,  z)  is  well-formed 
and  there  exists  an  i  £  \£{n)  —  1]  such  that  ,  2}  /  _L,  2}+i  /  _L  and  T  >  T+i,  is  smaller  than  g2(n)- 

Before  proceeding  to  the  proof  of  Claim  2,  we  let  us  first  prove  Lemma  1  using  Claim  1  and  2. 
It  follows  from  the  two  claims  that,  except  with  negligible  probability,  either  the  output  of  A  is 
not  well- formed,  or  the  output  is  well- formed  and  for  all  i,  2}  T  -L  and  2}  <  It+ 1 .  In  the  former 
case,  the  adversary  loses  the  game.  In  the  latter  case,  as  2}  T  -L  f°r  all  C  A  must  have  asked  for 
a  signature  using  key  in  the  2}th  iteration,  which  means  px t  =  if%-  Furthermore,  as  2}  <  Z,+i 
for  all  i,  it  follows  that  if  is  a  substring  of  p.  Therefore,  A  loses  in  this  case  as  well.  Thus,  except 
with  negligible  probability,  A  looses. 

Approved  for  Public  Release;  Distribution  Unlimited. 

11 

138 


Proof  of  Claim  2.  First  notice  that  it  follows  from  the  (statistical)  binding  property  of  com,  that 
except  with  negligible  probability4,  if  the  output  (5  =  (a ,  c,  f) ,  if)  of  A  is  well-formed,  then  for  all 
i,  Ci  ^  Cj+i,  since  Cj,Cj+ 1  are  respectively  commitments  to  tuples  of  the  form  (i,  •)  and  (i  +  1,-). 
It  follows  that,  except  with  negligible  probability,  if  the  output  of  A  is  well-formed,  there  doesn’t 
exists  some  i  such  that  Z+Zj+i  /  _L  but  =  Zj+i.  Thus,  it  suffices  to  bound  the  probability  that 
the  output  of  A  is  well  formed  and  there  exists  some  i  such  that  Z+Zj+i  /  _L  and  Tt  >  Xl+  \ . 

Towards  this,  assume  for  contradiction  that  there  exists  an  adversary  A  and  a  polynomial  i, 
such  that  there  exists  a  function  i  :  N  — >•  N  and  a  polynomial  p,  such  that  for  infinitely  many 
n  G  N,  z  G  {0,1}*,  the  probability  that  the  output  of  A  in  the  game  SGA’^(n,  z)  is  well-formed, 
Zj,Zj+i  /  _L,  and  Z,  >  Z*+i  for  i  =  i(n),  is  at  least  l/p(n).  We  can  construct  a  machine  B  that 
violate  the  unforgibility  of  the  signature  scheme  II. 

B,  on  input  1”,  z  and  a  randomly  generated  verification  key  vk,  has  access  to  the  signing  oracle 
corresponding  to  vk,  and  tries  to  forge  a  signature  (of  vk)  as  follows:  it  internally  emulates  an 
execution  of  the  signature  game  SG A'\n,  z)  with  A  honestly,  with  the  following  exceptions: 

•  In  Stage  1,  it  picks  an  index  t  G  {0, 1,2}  at  random  and  forwards  the  verification  key  vk  to 
the  adversary  as  the  fth  verification  key. 

•  In  Stage  2,  whenever  A  requests  a  signature  of  a  message  m  under  key  vk,  it  obtains  such  a 
signature  from  the  signing  oracle  and  forwards  it  to  A. 

Furthermore,  it  guesses  that  =  u  and  Z,;+i  =  k,  for  random  u  >  k.  Then,  in  the  kth 
iteration  (in  Stage  2  of  SG A^{n,  z)),  after  receiving  a  request  from  A  to  sign  the  commitment 
c,  it  extracts  out  the  value  (j,  a*)  committed  to  in  c  from  the  ZKAOK  that  A  provides 
following  the  signing  request.  Later,  in  the  uth  iteration,  when  A  submits  a  query  c*  to  the 
Challenger,  it  checks  whether  a*  is  a  valid  signature  of  c*  under  key  vk.  If  so,  it  halts  and 
outputs  the  message-signature  pair  (c*,er*);  otherwise,  it  halts  and  outputs  fail. 

By  construction,  B  emulates  the  view  of  A  in  the  signature  game  SG A'\n,  z)  perfectly  before  it 
halts.  Therefore,  by  our  hypothesis,  with  probability  at  least  l/p(n),  in  emulation  by  B,  A  would 
query  for  the  first  time  the  commitments  Cj  and  Cj+i  in  iterations  Z,  and  Z,+  i  respectively,  such 
that  Zj+i  <  Z,  and  Cj+i  is  a  commitment  to  a  tuple  (i  +  1,07+1),  where  07+1  is  a  signature  of  oL 
under  the  verification  key  v^i .  Let  M (n)  be  the  maximum  number  of  iterations  in  the  game;  M  is 
polynomially  bounded  since  the  running-time  of  A  is.  With  probability  at  least  =  ^MT^pfn)  ’ 
it  holds  that  (1)  the  above  event  occurs  in  the  emulation  by  B  and  (2)  B  correctly  guesses  the 
values  of  Z,,  Z;+ 1  and  v^i .  In  this  case,  except  with  negligible  probability,  the  committed  value  a* 
that  B  extracts  out  from  the  ZKAOK  following  c  =  Cj+i  contains  a  valid  signature  of  Cj,  which  is 
queried  for  the  first  time  in  the  uth  iteration  for  a  signature  using  key  vk.  Hence  B  will  output  a 
valid  message-signature  pair  (c+o-*)  for  vk,  without  querying  the  signing  oracle  c*  (since  once  the 
query  c,  is  submitted  for  the  first  time  in  iteration  u,  B  halts  immediately  and  outputs  the  pair); 
this  violates  the  unforgibility  of  the  signature  scheme  n.  □ 

□ 


5  The  Protocol 

Let  n  =  (Gen,  Sign,  V er)  be  the  fixed-length  signature  scheme,  and  com  the  non-interactive 
statistically-binding  commitment  scheme  considered  in  the  last  section.  To  simplify  the  presen¬ 
tation  of  the  proof,  we  assume  that  both  n  and  com  can  be  “broken” — i.e.,  signatures  can  be 

4Since  we  assume  that  com  is  non-interactive,  we  actually  have  perfect  binding,  but  given  that  we  want  an  analysis 
that  works  also  for  two-round  commitments,  we  here  directly  consider  the  more  general  case  of  statistical  binding. 
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generated  for  any  message,  and  the  value  committed  to  can  be  recovered  for  any  commitment-  in 
time  2n/2  where  n  is  the  security  parameter;  this  is  without  loss  of  generality  since  we  can  always 
appropriately  “scale-down”  the  security  parameter  in  II  and  com  (and  make  sure  that  com  com¬ 
mits  to  values  “bit-by-bit”).  To  further  simplify  the  presentation,  we  provide  the  construction  of 
a  non-malleable  commitment  (C,  R)  that  works  assuming  player  identities  are  £-bit  binary  strings 
that  contains  at  least  two  0-bits  and  two  1-bits;  any  such  scheme  can  trivially  be  turned  into  one 
that  works  for  arbitrary  identities  (by  simply  appending  two  0’s  and  two  l’s  to  the  identity). 

To  commit  to  a  value  v,  the  Committer  and  the  Receiver  of  ( C ,  R ),  on  common  input  a  security 
parameter  ln  (in  unary)  and  an  identity  id  £  D  ,  proceed  in  the  following  three  stages: 

Stage  1:  The  receiver  interacts  with  the  Committer  in  three  iterations,  where  iteration  i  £  {0, 1,  2} 
proceeds  in  the  following  steps: 

1.  The  Receiver  generates  a  pair  of  signing  and  verification  keys,  ( Si,Vi )  Gen( l'1),  of  the 

signature  scheme  II,  and  sends  the  verification  key  u,. 

2.  The  Committer  commits  to  0m,  where  m  =  log  l  +  n,  using  com.  Let  Cj  be  the  commit¬ 
ment  sent  to  the  Receiver. 

3.  The  Committer  proves  that  c*  is  a  valid  com  commitment  using  a  5-round  ZKAOK 
protocol. 

4.  The  Receiver  signs  the  commitment  c*  using  the  signing  key  Sj,  and  sends  the  generated 
signature  to  the  Committer. 

Stage  2:  The  Committer  commits  to  the  value  v  using  com.  Let  d  be  the  commitment  generated. 
Stage  3:  The  Committer  proves  that 

•  either  d  is  a  valid  com  commitment, 

•  or  there  exists  a  signature-chain  5  w.r.t.  vo,v\,V2  and  pattern  pattern(id),  where  the 
function  pattern  :  {0, 1}*  — >  {0, 1,2}*  maps  a  (binary)  identity  id  of  length  i  to  a  trinary 
string  of  length  21  as  follows: 

pattern(id)  =  2,  idi,  2, . . . ,  id*,  2, . . . ,  id^ 

This  statement  is  proved  using  k  +  5  sequential  invocations  of  a  4-round  WX  special  sound 
proof  system,  where  k  is  the  number  of  messages  in  Stage  1  of  the  protocol;  we  additionally 
require  that  the  length  of  the  “challenge”  in  each  special-sound  proof  is  n. 

We  refer  to  the  last  three  steps  of  an  iteration  in  Stage  1  as  a  slot,  which  opens  when  the  Com¬ 
mitter  send  the  com  commitment  to  0m,  and  closes  when  the  Receiver  returns  a  signature  to  the 
commitment.  We  call  the  slot  in  iteration  i,  the  Ltli  slot. 

It  is  easy  to  see  that  the  protocol  (C,  R)  consists  of  a  constant  number  of  messages.  Furthermore, 
it  follows  using  standard  techniques  that  (C,  R)  is  a  valid  commitment  scheme. 

Proposition  2.  (C,R)  is  a  commitment  scheme. 

Proof.  We  show  that  the  (C,  R)  scheme  satisfies  the  binding  and  hiding  properties. 

Binding:  The  binding  property  follows  directly  from  the  statistically  binding  property  of  com  used 
in  Stage  2. 
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Hiding:  The  hiding  property  essentially  follows  from  the  hiding  property  of  com  and  the  fact  that 
Stage  3  of  the  protocol  is  WI  (since  WI  proofs  are  closed  under  concurrent  composition  [?]). 
For  completeness,  we  provide  the  proof.  We  show  that  any  adversary  R*  that  violates  the 
hiding  property  of  ( C,R )  can  be  used  to  violate  the  hiding  property  of  com.  More  precisely, 
given  any  adversary  R* ,  such  that,  for  infinitely  many  n  6  N,  and  V\,V2  €  {0,  l}n,  R* 
distinguishes  commitments  to  v\  and  V2  made  using  (C,R),  we  construct  a  machine  R'  that 
distinguishes  commitments  to  v\  and  V2  made  using  com.  Note  that  the  execution  of  a 
commitment  of  (C,  R)  to  v\  proceeds  identically  as  that  of  a  commitment  to  V2  before  the 
Stage  2  commitment  of  com  is  sent.  Then  by  our  hypothesis,  there  must  exist  a  partial  joint 
view  p  of  the  committer  and  R*  that  determines  the  execution  of  the  commitment  before 
Stage  2,  such  that,  conditioned  on  p  occurring,  R*  distinguishes  commitments  to  v\  and 
V2-  Let  8  be  a  valid  signature-chain  corresponding  to  the  transcript  of  Stage  1  in  p.  R1  on 
auxiliary  input  p  and  8  proceeds  as  follows:  it  internally  incorporates  R*,  and  feed  R*  its 
part  of  view  in  p;  it  then  forwards  the  external  commitment  made  using  com  to  R*  in  Stage 
2;  in  Stage  3,  it  gives  WI  proofs  using  8  as  a  “fake  witness”.  Finally,  it  outputs  whatever  R* 
outputs.  From  the  WI  property  of  Stage  3,  it  follows  that  R'  distinguishes  the  commitment 
made  using  com,  if  R*  distinguishes  the  commitment  made  using  (C,R)  conditioned  on  p 
occurring. 


□ 

Both  the  definition  of  of  signature-games  and  our  non-malleable  commitment  protocols  makes 
use  of  a  non-interactive  statistically-binding  commitment  scheme  com.  Both  can  be  easily  modified 
to  work  also  with  any  two-round  statistically  binding  commitment  schemes  com.  In  both  cases, 
we  the  first  message  r  of  a  commitment  of  com  is  sent  at  the  beginning  of  the  execution,  and  then 
the  rest  of  the  execution  proceeds  just  as  if  com  had  been  non-inter  active.  (Additionally,  in  the 
last  stage  of  the  protocol  ( C,R ),  the  sender  proves  that  either  the  Stage  2  message  is  the  second 
message  of  a  valid  com  commitment  with  first  message  r,  or  it  knows  a  signature-chain  8  =  (a,  c,  f), 
such  that,  8  is  well-formed,  except  that,  for  all  i,  Ci  is  the  second  message  of  a  com  commitment  to 
<7j_i,  generated  in  responding  to  the  first  message  r  using  randomness  ff).  Exactly  the  same  proof 
as  in  Section  4  and  Section  6  still  go  through  using  these  modified  construction,  since  commitments 
of  com  are  hiding,  no  matter  what  the  first  message  is,  and  even  if  the  first  message  is  reused. 


6  Proof  of  Non- malleability 


In  this  section,  we  show  that  (C.  R)  is  stand-alone  non-malleable.  In  Sections  8  and  7,  we  extend 
the  proof  to  show  that  {C,  R)  is  also  robust  and  concurrent  non-malleable. 

Theorem  5.  (C,R)  is  (one-one)  non-malleable. 


Proof.  The  goal  is  to  show  that  for  every  one-one  man-in-the-middle  adversary  A  that  participates 
in  one  left  and  one  right  execution,  the  following  ensembles  are  indistinguishable: 


nGiV,rJi,iJ2G{0,l}n,2G{0,l}* 


Towards  this,  we  define  a  series  of  hybrid  experiments  Hq,  . . . ,  Hk+6 •  In  each  of  these  experiments, 
we  show  that  the  view  of  A,  combined  with  the  value  that  A  commits  to  on  the  right,  are  indistin¬ 
guishable.  Let  hyb i(v,z)  denote  the  random  variable  describing  the  view  of  A(z),  combined  with 
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the  value  it  commits  to  in  the  right  interaction  in  hybrid  Ht  (as  usual,  the  committed  value  is 
replaced  with  _!_  if  the  right  interaction  fails  or  if  A  has  copied  the  identity  of  the  left  interaction). 

Hybrid  Hq :  In  Hq  we  first  perfectly  emulate  a  real  execution  of  mim ^c^(v,z) — we  call  this  the 
Main  Execution — and  next,  if  A  successfully  completed  Stage  1  in  the  Main  Execution,  we 
try  extract  a  “fake-witnesses”  (i.e.,  a  signature-chain)  for  the  left  interaction.  More  precisely, 
let  id i,  vq ,  v\ ,  V‘2  ■  respectively  be  the  identity  and  the  verification  keys  of  the  left  interaction 
in  the  Main  Execution,  and  let  ^  =  patterned;);  the  Extraction  Procedure  now  proceeds  in 
\rtp\  =  21  iterations  described  below. 

Iteration  1:  If  A  successfully  completes  Stage  1  of  the  left  interaction  in  the  Main  Execution, 
it  must  have  provided  three  valid  signatures  9q,  81,82  of  commitments  to  0m,  where 
m  =  log£  +  n,  under  keys  vq,  v\,  V2  respectively.  Since  a  signature-chain  with  pattern  1 /> 
starts  off  with  a  signature  o\  of  a  commitment  to  0m  under  key  v ^  =  V2 ,  the  procedure 
simply  sets  c>\  =  82 ,  ci  to  be  the  transcript  of  the  commitment  to  0m  generated  in 
iteration  2  (in  Stage  1)  of  the  left  interaction,  and  r\  to  be  the  randomness  used  in  the 
commitment. 

Iteration  i  +  1:  Assume  that  at  the  end  of  the  ith  iteration,  for  i  £  [11  —  1],  the  procedure 
has  obtained  a  signature-chain  5i  of  length  i  w.r.t.  (keys  vq,vi,V2  and)  pattern  [ip]\, 
containing  signatures  dy, . . .  ,cTj.  Then,  in  iteration  i  +  1,  we  obtain  a  signature-chain 
5i+ 1  of  length  i  +  1,  w.r.t.  pattern  [Vf]i+1  by  rewinding  the  appropriate  slot  in  Stage  1 
of  the  left  interaction.  More  precisely,  the  procedure  repeatedly  rewinds  A  from  where 
the  slot  V’i+i  opens  on  the  left  in  the  Main  Execution,  and  commits  to  the  tuple  (f,dj) 
(instead  of  0m)  in  the  rewindings,  until  this  left-slot  closes  successfully  (i.e.,  A  returns 
a  valid  signature  on  the  commitment  under  key  ity>i+1).  In  each  of  these  rewindings,  the 
right  executions  are  emulated  using  fresh  randomness;  in  particular,  this  means  that 
whenever  a  rewinding  goes  beyond  the  point  when  a  verification  key  is  sent  in  the  right 
interaction,  in  each  such  rewinding  a  fresh  verification  key  is  picked.  Then  the  extraction 
procedure  simply  sets  <7*+ 1  to  be  this  signature,  and  again  sets  q+ 1  and  fj+i  to  be  the 
commitment  and  randomness  used. 

If  the  extraction  procedure  takes  more  than  2n/2  steps,  it  is  “cut-off” ;  in  this  case,  a  signature 
chain  can  be  recovered  in  time  poly(2n/2)  by  our  assumption  on  the  signature  scheme  II.  The 
extraction  procedure  thus  always  terminates  and  always  recovers  a  valid  signature  chain  for 
the  left  interaction. 

Since  the  view  of  A  in  the  Main  Execution  in  Hq  is  perfectly  emulated  as  in  mim R^{v,z), 
we  trivially  have  that  the  view  and  value  A  commits  to  in  Hq  is  identically  distributed  to 
that  in  the  real  execution. 


Claim  3.  For  every  WT  adversary  A,  it  holds  that: 


neA'>e{o,i}n,ze{o,i}* 


{hyb0(u,  z)} 


neiV>e{o,i},i,ze{o,i}* 


Hybrid  H\  to  Hk+ 5:  In  hybrids  H\  to  Hk+ 5,  we  change  the  witness  used  in  the  k  +  5  WXSSV 
proofs  in  Stage  3  of  the  left  interaction.  More  specifically,  experiment  Hi  proceeds  identically 
to  H^  1,  except  that  in  the  first  i  proofs  in  Stage  3  of  the  left  interaction,  we  prove  that 
there  exists  a  signature-chain  w.r.t.  vq,vi,V2  and  pattern  patterned/),  by  using  the  extracted 
signature-chain  5  as  a  “fake-witness” .  We  show  that  the  view  and  value  committed  to  on  the 
right  interaction  in  H,-\  and  Hi  are  indistinguishable. 
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Proposition  3.  For  every  WT  adversary  A,  and  every  function  i  :  N  — >■  N,  it  holds  that: 

\  hybi(n'|_1  (v,  z)\  ~  i  hybj( n)  (v ,  z)  \ 

l  J  neiV,re{o,i}n,ze{o,i}*  l  1  1  J  neN,ve{o,i}n  ,ze{o,i}* 

Towards  this,  we  reduce  the  indistinguishability  of  {hybi(n)_1(u,  z)}  and  {hyb,;(n)(u,  z)}  to  the 
witness  indistinguishabilty  of  the  Stage  3.  More  specifically,  consider  some  adversary  A.  a 
function  i,  and  a  polynomial  p ,  such  that  (for  infinitely  many  n  6  N,  inputs  v  6  {0,  l}n  and 
z  <E  {0, 1}*,)  hyb 'l^-\v,z)  and  hyb1  (n)(v,z)  are  distinguishable  with  probability  \/p(n).  We 
show  that  there  exists  a  WT  machine  B  that  can  violate  the  WI  property  of  the  WISSV 
protocol  ( P ,  V)  used  in  Stage  3  of  the  protocol. 


Description  of  B 

Input:  B  receives  a  security  parameter  ln  and  v  and  z  as  auxiliary  input. 

Procedure:  B  externally  interacts  with  a  prover  P  of  the  WISSV  protocol  (P,  V),  receiving  a 

proof  of  a  statment  x  using  witness  wq  or  w\  .  where  x,  ujq  and  w\  are  chosen  by  B.  Internally,  it 

proceeds  in  the  following  three  phases: 

Simulation  Phase:  B  internally  emulates  an  execution  of  the  experiment  hyb i(v,z)  with  A, 
with  the  exception  that  messages  in  the  left-proof  of  the  Main  Execution  are  forwarded 
externally  to  P.  More  precisely,  at  the  beginning  of  the  ith  left-proof,  B  sends  the  external 
prover  P  the  statement  x  of  the  proof,  together  with  the  “real  witness”  u>o  =  (v,  r)  (the 
decommitment  of  the  Stage  2  commitment  of  the  left  interaction)  and  the  “fake  witness” 
wi  =  5  (the  signature-chain  of  the  left  interaction  extracted  from  A):  B  next  forwards  the 
proof  of  x  generated  by  P  (using  either  wo  or  w\)  to  A  as  the  zth  left-proof.  Let  A  be  the 
simulated  view  of  A  in  the  Main  Execution. 

Rewinding  Phase:  If  the  right  interaction  is  successful  and  has  a  different  identity  from  the  left 
interaction  in  A,  B  extracts  the  value  committed  to  in  this  interaction  as  follow: 

•  Find  the  first  WISSV  proof  («i, «2> /3> 7)  in  A,  such  that,  during  its  the  execution, 
no  messages  belonging  to  Stage  1  or  the  ith  proof  of  the  left  interaction  are  exchanged. 
(Such  a  WISSV  proof  must  exist  since  there  are  k  +  5  WISSV  proofs,  whereas  only 
k  +  4  messages  in  Stage  1  and  the  proof  of  the  left  interaction.) 

•  Rewinds  the  proof  by  sending  new  random  challenges  f3'  until  a  second  transcript 
(cti,  a?2>  /31 ,  y)  is  obtained. 

In  the  rewindings,  emulate  the  left  and  right  interaction  for  A  in  identically  the  same 
way  as  in  the  Main  Execution,  except  that,  whenever  A  expects  a  new  message  in  Stage 
1  or  the  ith  proof  of  the  left  interaction,  cancel  the  execution  and  start  a  new  rewinding 
again. 

•  If  [dp  T  ftp ,  extract  witness  w  from  (ai,a2,/0,7)  and  (ai,  c*2,  /3' ,  rf).  Otherwise  halt  and 
output  fa  ill. 

•  If  w  =  (v,  ?’)  is  valid  decommitment  for  the  right  interaction,  then  set  v  =  v.  Otherwise 
halt  and  output  fai  I2  - 

Output  Phase:  If  the  right  interaction  that  is  not  convincing  or  the  identity  of  the  right  inter¬ 
action  is  the  same  as  the  left  interaction,  set  v  =_L.  Output  v  and  A. 

Figure  4:  The  construction  of  B 
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On  a  high-level,  the  machine  B,  on  common  input  ln  and  auxiliary  input  v,  z,  externally 
interacts  with  an  honest  prover  P  and  receives  a  left-interaction  Stage  3  proof,  generated 
using  either  the  real  witness  wq — the  decommitment  of  the  Stage  2  commiment  in  the  left 
interaction — or  the  fake  witness  w\ — a  signature  chain  for  the  left  intearction.  Internally, 
B  emulates  an  execution  of  either  hyb,_1  or  hyb'  with  A  (depending  on  the  witness  used  in 
the  external  proof),  except  that,  messages  in  the  proof  in  Stage  3  of  the  left  interactions 
are  fowarded  externally.  Furthermore,  if  the  right  interaction  is  successful  and  has  a  different 
identity  from  the  left,  B  attempts  to  extract  the  value  committed  to  on  the  right  by  repeatedly 
rewinding  the  WISSV  proofs  in  Stage  3  of  the  right  inteaction  by  sending  new  challenge 
messages  in  this  proof.  Since  the  ?'th  left-proof  is  forwarded  externally,  the  rewinding  has 
to  be  done  in  a  manner  that  does  not  “affect”  the  ith  left-proof.  Roughly  speaking,  this  is 
possible  since  there  are  more  WISSV  proofs  in  Stage  3  of  the  right  interaction,  than  the 
number  of  messages  in  the  ?'th  left-proof.  Therefore,  in  the  right  interaction,  there  exist  some 
WISSV  proofs  that  does  not  interleave  with  any  messages  in  the  zth  left-proof,  and  B  can 
use  rewindings  to  extract  a  witness  without  rewinding  the  left-proof.  Our  actual  rewinding 
strategy  also  avoids  rewinding  Stage  1  of  the  left  interaction,  so  that  the  fake-witness  5  of 
the  left  interaction  remains  a  valid  signature  chain  also  in  the  rewindings,  and  thus  can  be 
reused  to  simulate  the  left  interaction  also  in  the  rewindings.  This  is  again  possible  since 
there  are  more  right-proofs  than  the  number  of  messages  in  Stage  1  and  the  ith  proof  in  the 
left  interaction.  To  slightly  simplify  the  analysis,  we  additionally  “cut-off”  the  rewindings  if 
B  takes  more  than  2n/2  steps  and  simply  recover  the  value  committed  to  in  time  poly(2n/2); 
recall  that  this  is  possible  due  to  our  assumption  on  com. 

If  during  the  rewindings,  B  sends  the  same  challenge  message  twice,  it  aborts  outputting  f a i  1 1 . 
Additionally,  if  the  witness  extracted  from  the  right  interaction  is  not  a  valid  decommitment 
(it  could  also  be  a  fake-witness),  B  aborts  outputting  f a i 1 2 •  Otherwise,  B  outputs  the  emulated 
view  of  A,  together  with  the  value  committed  to  in  the  right  interaction., 

See  Figure  4  for  a  formal  description  of  B.  Below,  in  Lemma  2,  we  show  that  the  running-time 
of  machine  B  is  “bounded” ,  in  the  sense  that  the  probability  that  B  runs  for  super-polynomial 
time  is  negligible. 

Lemma  2.  There  exists  a  polynomial  function  T ,  such  that  for  every  polynomial  function 
q,  every  b  G  {0,1},  every  sufficiently  large  n  G  N,  and  inputs  v  G  {0,  l}n  and  z  G  {0,1}*, 
the  probability  that  machine  B  runs  for  more  than  q(n)T(n )  steps  in  an  execution  of  the 
experiment  STA b((P,V),B,v,z)  is  smaller  than  l/q(n). 

Roughly  speaking,  the  Lemma  is  proven  by  first  bounding  the  running-time  of  a  “hypothetical 
procedure”  which  perform  all  the  same  rewindings,  but  otherwise  acts  honestly  (i.e.,  always 
commits  to  0m  in  Stage  1,  and  always  uses  the  honest  witness  in  Stage  3);  it  follows  using 
a  simple  up  x  1  /p”  argument  (similar  to  those  in  [?])  that  the  expected  running-time  of  this 
procedure  is  polynomial.  Next  we  show  that,  with  high  probability,  the  running-time  of  the 
actual  procedure  is  not  too  far  off.  We  note  that  due  to  reasons  similar  to  those  in  [?]  we 
are  not  able  to  bound  the  expected  running-time  of  B.  Additionally,  it  seems  unclear  if 
the  methods  of  [?]  could  be  applicable  to  obtains  a  simulation  with  an  expected  polynomial 
running-time.  Fortunately,  in  our  application,  since  we  do  not  actually  per  se  care  about  the 
running  time  of  the  simulation  (but  only  care  about  breaking  some  specific  security  property, 
namely  witness  indistinguishability)  our  weaker  bound  suffices. 

A  formal  proof  of  Lemma  2  can  be  found  in  Section  6.1. 

The  following  lemma  is  the  core  of  our  analysis. 
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Lemma  3.  The  following  holds. 


{STA0  ((P,V),B,v,z)}neNt 

^e{o,i}«,ze{o,i}* 

{STAi((P,  V),B,  v,  z)}n&N^ 

^e{o,i}™,ze{o,i}« 


jhyb*_1(w,  z)| 
{hyb>,z)} 


nGA/’,'yG{0,l}n,2:G{0,l}* 


nGAr,'uE{0,l}n,2E{0,l}* 


Before  proceeding  to  the  proof  of  3,  let  us  see  how  Lemma  3  and  2  together  violate  the 
W1  property  of  the  Stage  3  proofs.  Recall  that  by  our  assumption,  hyb l{v,z)  and  hyb'  — 
1  (v,z)  can  be  distinguished  with  probability  l/p(n);  by  Lemma  3,  STAo ((P,V),B,v,z)  and 
STAo ((P,V),  B,v,  z)  can  thus  be  distinguished  with  probability  at  least,  say,  3/4p(n).  By 
Lemma  2,  the  probability  that  B  runs  for  more  than,  say,  4 p(n)T(n)  steps  in  either  experiment 
is  at  most  1/4 p(n).  Therefore,  by  the  union  bound,  the  outputs  of  B  (in  STAo  and  STAi)  are 
still  distinguishable  with  probability  at  least  l/4p(n),  even  if  we  cut-off  the  execution  of  B 
after  4 p(n)T(n)  steps  (and  output  T  if  B  fails  to  complete),  which  is  a  contradiction. 

Let  us  now  turn  to  proving  Lemma  3. 

Proof,  (of  Lemma  3)  By  construction,  B  perfectly  emulates  the  view  of  A  in  hyb*_1(n,  z)  when 
receiving  an  external  proof  generated  using  the  real  witness  wq,  and  that  in  hyb l(v,z)  when 
receiving  a  proof  generated  using  the  fake  witness  w \ .  Therefore,  to  show  Lemma  3,  it  suffices 
to  show  that  B  (almost)  always  extracts  a  valid  decommitment  for  the  right  interaction  if  it 
is  successful  and  has  a  different  identity  from  the  left  interaction  (recall  that  by  statistical 
binding  of  ( C,R ),  the  committed  value  is  unique  with  overwhelming  probability).  In  other 
words,  showing  Lemma  3  amounts  to  showing  that  the  probability  that  B  outputs  faili  or 
fai  I2  is  negligible. 

Claim  4.  There  exists  a  negligible  function  ft,  such  that  for  every  b  £  {0, 1},  every  sufficiently 
large  n  £  N,  and  inputs  v  £  {0,  l}n  and  z  £  {0, 1}*,  the  probability  that  B  outputs  faili  in 
STA b((P,V),B,v,z)  is  smaller  than  fi(n). 

Proof.  Recall  that  B  outputs  faili  only  if  in  some  rewinding  it  picks  the  same  challenge  f3' 
as  the  challenge  j3  used  in  the  same  proof  in  the  Main  Execution.  Since  the  number  of 
rewindings  by  B  is  bounded  by  2n/2  and  the  length  of  each  challenge  is  n,  by  the  union 
bound,  the  probability  that  this  happens  is  negligble.  □ 

Claim  5.  There  exists  a  negligible  function  fa,  such  that,  for  every  b  £  {0, 1},  every  sufficiently 
large  n  £  N ,  and  inputs  v  £  {0,  l}n  and  z  £  {0, 1}*,  the  probability  that  B  outputs  faih  in 
STA b((P,V),B,v,z)  is  smaller  than  fi(n). 

Proof.  Assume  for  contradiction  that  there  exists  a  polynomial  g(n),  such  that,  with  prob¬ 
ability  l/g(n),  B  extracts  an  invalid  decommitment  from  the  right  interaction.  Towards 
reaching  a  contradiction,  we  consider  another  machine  B' ,  which  proceeds  identically  to  B 
except  that  it  cuts-off  the  execution  after  g[n)T{n)  steps  (and  outputs  T  in  this  case).  It 
follows  from  Lemma  2  that  the  probabilty  that  B  runs  for  more  than  g(n)T(n)  steps  is  at 
most  1/2 g(n).  Therefore,  the  probability  that  B'  extracts  out  an  invalid  decommitment  from 
the  right  interaction  k  is  at  least  1/2 g(n).  Furthermore,  by  the  special-soundness  property 
of  the  right-proofs,  if  the  witness  is  not  a  valid  decommitment,  it  must  be  a  signature-chain 
5  w.r.t.  the  right-interaction  keys  v'0,v[,v'2  and  pattern  pattern (idr).  Consider  the  following 
two  possible  adversarial  schedulings  w.r.t.  the  left  and  the  kth  right  interactions  in  the  Main 
Execution: 


Approved  for  Public  Release;  Distribution  Unlimited. 
18 
145 


Scheduling  1:  A  “aligns”  the  slots  in  the  left  and  right  interactions  one  by  one:  a  right-slot 
is  said  to  be  aligned  with  a  left-slot  if  (1)  its  corresponding  verification  key  is  sent  before 
the  left-slot  opens,  and  (2)  its  opening  message  (i.e.,  the  commitment  from  A)  is  sent 
after  the  left-slot  opens;  see  Figure  5  (i). 

Scheduling  2:  A  does  not  align  the  slots  in  the  left  and  right  interactions;  see  Figure  5  (ii). 
This  means  that  there  exists  some  right-interaction  slot  that  is  not  aligned  with  any 
left-interaction  slot. 
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(i)  Scheduling  1 


(ii)  Scheduling  2 


Figure  5:  The  two  schedulings  of  the  messages  in  Stage  1  of  the  left  and  right  interactions. 

Since  Scheduling  1  and  2  are  the  only  two  possible  schedulings,  by  our  hypothesis,  at  least 
one  of  the  following  two  conditions  holds. 

Condition  1:  The  probabilty  that  Scheduling  1  occurs  in  the  Main  Execution  and  that  B' 
extracts  an  invalid  decommitment  from  the  right  interaction  is  non-negligible. 

Condition  2:  The  probabilty  that  Scheduling  2  occurs  in  the  Main  Execution  and  that  B' 
extracts  an  invalid  decommitment  from  the  right  interaction  is  non-negligible. 

We  show  that  neither  condition  can  hold. 

Assume  Condition  1  holds.  We  reach  a  contradiction  by  constructing  a  machine  C  that 
externally  participates  in  the  signature  game,  while  internally  emulating  an  execution  of 
STA b({P,V),B',v,z)  except  that  messages  in  Stage  1  of  the  right  interaction  are  emulated 
by  fowarding  the  appropriate  messages  from  the  signature  games  to  A.  More  precisely,  C 
forwards  the  three  verification  keys  vko,  vki,vk2  in  the  signature  game  to  A  as  the  verification 
keys  in  Stage  1  of  the  right  interaction  in  the  Main  Execution.  If  Schedule  1  does  not  occur 
in  the  Main  Execution,  C  simply  aborts.  Otherwise,  whenever  during  some  rewinding,  A 
requests  another  signature  in  one  of  the  slots  on  the  Main  Execution  (and  thus  using  one 
of  vko,vki,vk2),  C  obtains  such  a  signature  by  accessing  the  appropriate  signature  oracle  in 
the  game  and  forwards  it  to  A.  Recall  that  whenever  we  rewind  beyond  the  point  where  a 
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verification  key  is  sent,  a  new  verification  key  is  generated  by  B  and  thus  B  can  obtain  the 
appropriate  signatures  without  querying  the  oracle.  Since  the  left  and  right  slots  in  the  Main 
Execution  are  aligned  one  by  one,  we  have  that  whenever  the  left-slot  is  rewound,  the 
adversary  A  may  only  request  new  signatures  using  key  v[  on  the  right.  It  follows  that  the 
“access-pattern”  of  the  signatures  requested  is  a  substring  of 

^  =  012||(idi)t,2*,..,;,.(idz)*,2  (idi)*e 

So,  whenever  B'  extracts  out  a  signature-chain  <5  w.r.t.  (keys  v'0,  v[,  v'2  and  pattern  pattern(idr)), 
C  wins  in  the  signature  game  since  patterned,.)  is  not  a  substring  of  cp  (as  id,  7^  id;).  Since 
the  running-time  of  C  is  polynomial  this  contradicts  Lemma  1. 

Assume  Condition  2  holds.  We  construct  a  machine  C  just  as  in  the  previous  case,  except 
that  C'  abort  whenever  Schedule  2  does  not  happen  in  the  Main  Execution.  When  Scheduling 
2  does  occurs  in  the  Main  Execution,  there  exists  a  right-slot  t  that  is  not  aligned  with  any 
left-slots;  in  other  words,  in  all  the  rewindings  where  A  gets  to  request  a  new  signature  in 
Slot  t  on  the  right,  the  rewinding  goes  beyond  the  point  where  the  verification  key  for  slot  t 
is  sent  (and  so  new  keys  gets  generated  in  each  rewinding)  and  thus  the  f’th  oracle  is  never 
used  during  the  extraction  phase.  It  follows  that  the  access  pattern  in  the  signature  game  has 
a  single  character  t,  but  the  signature  extracted  is  with  respect  to  a  pattern  with  two  of  each 
character.  So,  as  in  Condition  1,  whenever  B'  extracts  out  a  signature-chain  5,  C  wins  in  the 
signature  game.  There  is  just  one  slight  complication  with  the  implementation  of  C:  in  the 
rewindings,  B  might  rewind  A  in  the  middle  of  one  of  the  ZKAOK  in  Stage  1,  and  since  the 
ZKAOKs  are  not  public-coin,  we  might  not  be  able  to  emulate  the  continuation  of  the  verifier 
strategy  for  this  protocol.  Note,  however,  that  Lemma  1  still  holds  even  if  consider  a  slight 
variant  of  the  signature  game  where  after  each  ZKAOK  the  verifier  reveals  all  of  its  random 
coins;  this  follows  since  this  adjusted  protocol  would  still  be  an  ZKAOK  and  Lemma  1  no 
rnayyer  what  ZKAOK  we  use  in  the  signature  game.  C  can  now  easily  be  implemented  as 
an  adversary  for  this  modified  signature  game. 

□ 


□ 


Hybrid  H^+ 5  :  Hybrid  H^+ g  proceeds  identically  to  Hfc+5  except  that  the  Stage  2  commitment  of 
the  left  execution  is  emulated  by  committing  to  0n.  It  follows  using  the  same  argument  as  in 
hybrids  Hi,  for  i  E  [k  +  5],  that  the  value  committed  in  the  right  interaction  can  be  extracted 
without  rewinding  Stage  2  of  the  left  interaction.  It  then  follows  from  the  hiding  property  of 
the  Stage  2  commitment  that  the  combined  view  and  values  committed  to  by  A  in  5  are 
indistinguishable  from  that  in  Hk+§. 


It  follows  by  a  hybrid  argument  that, 


nEA^E{0,l}n,zE{0,l}* 

Since  the  above  holds  for  every  value  v ,  we  have 


|hybfc+6(u,z)| 


neiV,ue{o,i}n,ze{o,i}* 


{mimfc„R>(^)} 


neAr,tJi,r)2e{o,i},ve{o,i}* 


nGAr,tJi,tJ2S{0,l}rl,z€:{0,l}* 


{hybfc+6(ui,z)} 

hybfc+6(T2,£)} 


nGAr,<;i,D2e{0,l}n,z£{0,l} 


,  and 


ndN,v\  ,r2e{0,l}n,ze{0,l}* 
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Finally,  since  by  the  definition  of  hybfc+6,  it  holds  that  for  every  v\ ,  v-z  and  z,  hybfc+6(77i,  z)  = 
hybfc+6(f2 ,z),  we  conclude  that, 


{mimfc,R>(V2,^)} 


ngiV,tii,i)2S{O,l}n,0£{O,l}* 


□ 


6.1  Proof  of  Lemma  2 

Proof  of  Lemma  2.  The  running-time  of  B  consists  of  three  parts: 

Part  1 — Time  spent  simulating  the  Main  Execution:  Since  A  runs  in  strict  polynomial  time, 
the  time  T\  (n)  that  B  spends  in  the  Main  Execution  polynomially  bounded. 

Part  2 — Time  spent  extracting  the  left  “fake-witness” :  We  show  that  there  exists  a  poly¬ 
nomial  Tz(n)  such  that  for  every  polynomial  52,  (every  b  E  {0, 1},  every  sufficiently  large 
n  E  N,  and  inputs  v  E  {0,  l}n,  z  E  {0,1}*,)  the  probability  that  B  spends  more  than 
52(71)72(71)  steps  extracting  the  left  “fake-witness”  in  STA b({P,V),B,v,z)  is  smaller  than 
l/?2  (n). 

Part  3 — Time  spent  extracting  the  committed  value  on  the  right:  We  show  that  there  ex¬ 
ists  a  polynomial  73(77)  such  that  for  every  polynomial  53,  the  probability  that  B  spends  more 
than  53(77)73(77)  steps  extracting  the  right  committed  value  in  STA b({P,  V ),  B,  v,  z)  is  smaller 
than  1/53(71). 

So  given  an  arbitrary  polynomial  q,  we  get  by  the  union  bound  that,  the  probability  B  spends  more 
than  2c/(n)T2(n)  step  in  part  2,  or  more  than  2q(n)T^(n)  steps  in  part  3,  is  smaller  than  1/5(77). 
We  conclude  that  there  exists  some  sufficiently  big  polynomial  T{n )  >  T\  (n)  +  212(77)  +  213(77) 
such  that  for  every  polynomial  5,  the  probability  that  B  takes  more  than  q(n)T(n)  steps  is  smaller 
than  1/5(77). 

Analysis  of  Part  2:  Recall  that  in  an  execution  of  STA b({P,V),  B,v,  z),  the  extraction  of  the 
left  “fake-witness”  proceeds  in  2£  iterations.  The  running-time  of  the  first  iteration  is  clearly 
polynomial;  we  proceed  to  analyze  the  time  spent  in  the  remainder  of  the  iterations.  Recall  that 
in  an  iteration  i  >  1,  B  takes  the  signature-chain  1  =  ([d]}-1,  [c]}_1,  [f]}^1)  of  length  i  —  1,  w.r.t. 
(keys  uo,ui,7;2  and)  pattern  [t/]}-1,  (where  if  =  patterned;),)  obtained  in  the  previous  iteration, 
and  extends  it  to  a  signature-chain  dy  of  length  %  w.r.t.  pattern  [if]\.  This  is  done  by  repeatedly 
rewinding  A  from  the  start  of  the  left-slot  ifj  and  committing  to  (i  —  1,  <T_i )  hi  the  rewindings,  until 
A  closes  this  left-slot  successfully.  (Below  we  assume  for  simplicity  that  the  extraction  procedure 
is  never  cut-off  and  may  run  for  more  than  2n/2  steps,  since  this  only  increases  the  running  time). 
Towards  bounding  the  running-time  of  this  extraction  procedure,  we  first  consider  a  hypothetical 
procedure ,  which  proceeds  almost  the  same  as  the  actual  extraction  procedure,  except  that  in  the 
rewindings  in  iteration  i  >  1,  instead  of  committing  to  (*— 1,  d*_i),  it  commits  to  0m.  In  other  words, 
the  hypothetical  procedure  simulates  the  view  of  A  in  the  rewindings  using  identically  the  same 
distribution  as  in  the  Main  Execution.  We  show  that  the  expected  running-time  of  this  hypothetical 
procedure  is  poZ 7/(77);  we  next  bound  the  running-time  of  the  actual  extraction  procedure. 

Running-time  Analysis  of  the  Hypothetical  Procedure:  Let  if  =  patterned/)  be  the  pattern  of  the 
“fake- witness”  of  the  left  intearction.  In  iteration  i  >  1,  the  hypothetical  extraction  procedure 
repeatedly  rewinds  the  left-slot  iff,  let  Tl  be  the  random  variable  that  describes  the  time  spent  in 
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rewinding  the  left-slot  i pi  in  iteration  i  >  1 .  We  show  that  E[T‘]  <  poly(n )  and  then  by  linearity 
of  expectation,  we  conclude  that  the  expected  running-time  of  the  hypothetical  procedure  is 

2 1  2 1 

E  s  E  poly(n)  <  poly{n ), 

i= 2  i=2 

since  the  number  of  iterations  is  poly(n). 

Let  us  turn  to  bounding  E[T1].  Let  T,^  denote  the  set  of  prefixes  p — i.e. ,  partial  transcripts  of 
the  Main  Execution — from  where  the  left-slot  V’i  opens.  Given  a  prefix  p  £  Tpi:  we  introduce  the 
following  notations: 

•  let  Pr  [p]  denote  the  probability  that  p  occurs  as  a  prefix  in  the  Main  Execution; 

•  let  pp  denote  the  probability  that,  conditioned  on  the  prefix  p  occurring  (in  the  Main  Execu¬ 
tion),  the  left-slot  'ipi  closes  successfully  in  the  Main  Execution. 

Take  any  p  from  T,^.  We  claim  that  conditioned  on  p  occurring,  the  expected  value  of  Tl — denoted 
E[Tl\p] — is  poly(n).  This  follows  since,  first,  the  hypothetical  procedure  starts  rewinding  the  left- 
slot  V’i  hi  iteration  i  only  if  this  slot  closes  successfully  in  the  Main  Execution;  hence,  (conditioned 
on  p  occurring,)  the  probability  the  left-slot  ipi  is  rewound  is  at  most  pp.  Secondly,  once  it  starts 
rewinding  the  left-slot  V’i;  it  continues  until  the  slot  closes  successfully  again;  since  the  hypothetical 
procedure  proceeds  identically  in  the  rewindings  as  in  the  Main  Execution,  the  probability  that  the 
left-slot  ipi  closes  successfully  in  any  rewinding  is  also  pp ,  and  thus,  (conditioned  on  p  occurring,) 
the  expected  number  of  rewindings  performed  before  this  happens  is  1  /pp.  Therefore,  the  overall 
expected  number  of  rewindings  from  p  is  pp  x  4-  =  f.  As  each  rewinding  takes  at  most  poly(n) 

steps,  we  conclude  that  E[Tl\p\  <  poly(n).  Thus, 

E[Tl]  =  ^  E[Tl\p]Pi[p]  <  poly(n)  x  ^  Pr  [p]  <  poly{n) 

peW, 

Running-time  Analysis  of  the  Actual  Extraction  Procedure:  Given  that  the  expected  running  time 
of  the  hypothetical  procedure  is  bounded  by  a  polynomial  T(n),  it  follows  using  the  Markov  in¬ 
equality  that,  for  every  polynomial  q-2,  (every  b ,  every  n  G  N,  and  inputs  v,  z,)  the  probability  that 
the  hypothetical  procedure  takes  more  than  q2(n)T(n) /2  steps  is  smaller  than  2/q2(n).  Then  we 
claim  that  the  probability  that  actual  extraction  procedure  takes  more  than  q2{n)T(n) /2  steps  is 
smaller  than  l/q2(n).  This  follows  since  the  only  difference  between  the  hypothetical  and  the  ac¬ 
tual  extraction  procedures  is  that,  in  the  former  the  rewindings  are  simulated  by  committing  to  0m 
using  com,  whereas  in  the  latter  rewindings  are  simulated  by  committing  to  a  tuple  that  contains  a 
signature.  Since  the  ZKAOK  proof  following  the  commitment  is  never  rewound,  it  follows  directly 
from  the  hiding  property  of  com  and  the  zero  knowledge  property  of  the  ZKAOK  proof  that,  the 
probability  that  the  actual  extraction  procedure  runs  for  more  than  q2{n)T{n)/2  steps  differs  from 
that  of  the  hypothetical  procedure  by  at  most  a  negligible  amount.  Thus,  for  sufficiently  large  n,  we 
have  that  the  probablity  B  spends  more  than  T^n)  =  q2(n)T(n)/2  steps  is  smaller  than  l/q2(n). 

Analysis  of  Part  3:  We  show  that  the  time  that  B  spends  in  the  Rewinding  Phase  is  bounded 
by  a  polynomial  T^{n)  in  expectation,  ft  then  follows  by  the  Markov  inequality  that,  for  every 
polynomial  q 3,  the  probability  that  B  takes  more  than  f/3(n)T3(n)  steps  is  smaller  than  l/^3(n). 

It  follows  from  the  same  argument  as  in  the  above  “running-time  analysis  of  the  hypothetical 
procedure”  that  to  bound  the  expected  time  spent  extracting  the  right  committed  value  (also  here, 
we  consider  the  running-time  without  cut-offs),  it  suffices  to  bound  the  expected  time  spent  in 
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rewinding  each  right  WISSV  proof,  since  the  total  number  of  right-proofs  is  poly(ri).  Then  recall 
that  a  right-proof  is  rewound  only  if  the  proof  completes  successfully  in  the  Main  Execution,  without 
interleaving  with  any  message  in  Stage  1  or  the  ?'th  proof  of  the  left  interaction.  On  the  other  hand, 
once  the  rewinding  starts,  it  continues  until  this  right-proof  completes  successfully  again,  while 
cancelling  every  rewinding  in  which  the  proof  interleaves  with  any  message  in  Stage  1  or  the  ith 
proof  of  the  left  interaction.  Furthermore,  as  every  rewinding  is  simulated  exactly  the  same  as  in 
the  Main  Execution,  it  follows  using  the  same  “p  times  1/p  argument”  as  in  the  analysis  of  part 
2  that  the  expected  number  of  rewindings  for  every  right-proof  is  1,  and  hence  the  expected  time 
spent  in  extracting  the  right  committed  value  is  bounded  by  a  polynomial  T%(ri). 

□ 


7  Proof  of  Concurrent  Non-Malleability 

Let  us  turn  to  proving  that  ( C ,  R)  is  also  concurrently  non-malleable.  Recall  that  ny  Proposition  1, 
to  show  concurrent  non-malleability,  it  suffices  to  prove  that  ( C ,  R)  is  one-many  non-malleable; 
that  is,  for  every  one-many  man-in-the-middle  adversary  A,  that  participates  in  one  left  and  many 
right  interactions,  the  view  of  A  and  the  values  it  commits  to  on  the  right  are  indistinguishable, 
no  matter  what  value  it  is  receiving  a  commitment  to  on  the  left.  Towards  this,  we  consider  the 
same  hybrid  experiments  Hq  to  Hk+ 6  as  in  the  proof  of  stand-alone  non-malleability.  It  follows 
from  almost  the  same  proof  as  before  that  the  view  of  A  and  the  values  it  commits  to  on  the 
right  are  indisitnguishable  in  sequential  hybrids,  except  that,  in  hybrids  H\  to  H^+ g,  we  (or  more 
precisely,  the  simulator  B )  now  need  to  extract  out  the  values  that  A  commits  to  in  all  the  right 
interactions  (recall  that  the  proof  relies  on  the  fact  that  the  value  that  A  commits  to  in  the  right 
interaction  can  be  extracted  “efficiently”,  to  show  the  indistinguishability  of  hybrid  Hi  and  H,+\ 
for  1  <  i  <  k  +  6).  This  is  easy  to  achieve,  since  we  can  simply  extract  the  values  that  A  commits 
to  in  each  right  interaction  one  by  one ,  after  the  Main  Execution  completes.  More  precisely,  in 
the  Rewinding  Phase,  for  every  successful  right  interaction  that  has  a  different  identity  from  the 
left  interaction  in  the  Main  Execution,  B  finds  a  WISSV  proof  in  Stage  3  of  this  right  interaction 
that  does  not  interleave  with  any  message  in  Stage  1  and  the  ith  proof  (or  Stage  2  for  hybrid 
Hk~ i-6)  of  that  left  interaction,  and  repeatedly  rewinds  the  proof  until  a  second  transcript  is  obtain; 
it  then  computes  a  witness,  if  the  two  transcripts  are  different.  Since  there  are  only  polynomial 
number  of  right  interactions,  it  follows  using  almost  the  same  proof  of  Lemma  2  that  the  running 
time  of  B  is  “bounded”,  and  further  using  exactly  the  same  proof  of  Lemma  3  that,  except  with 
negligible  probability,  the  witnesses  that  B  extracts  out  are  indeed  the  values  committed  to  in  the 
right  interactions.  Thus  by  the  WX  property  of  the  Stage  3  proofs  (or  the  hiding  property  of  Stage 
2  resp.),  the  view  and  the  values  committed  to  by  A  are  indistinguishable  in  hybrids  Hi  and  Hl+\ 
for  1  <  i  <  k  +  4  (or  in  H^+ 5  and  Hk+ 6  resp.).  We  thus  have: 

Theorem  6.  ( C ,  R)  is  concurrent  non-malleable. 

8  Proof  of  Robust  Non-Malleability 

In  this  section,  we  show  that,  for  any  r  £  N,  ( C,R )  can  be  easily  modified  into  a  0(r)-round 
(concurrent)  non-malleable  commitment  scheme  ( C,R )  that  is  additionally  one-many  ?’-robust. 

It  is  shown  in  [?]  that  one-many  r-robust  commitment  schemes  are  easy  to  construct:  any  com¬ 
mitment  scheme  that  is  “extractable”  and  has  more  than  r  “rewinding  slots”  is  directly  one-many 
non-malleable  w.r.t.  r-round  protocols.  Therefore,  to  make  our  constant-round  non-malleable  com¬ 
mitment  scheme  (C.  R)  one-many  r-robust,  we  simply  add  more  WISSV  proofs  in  Stage  3  of  the 
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protocol.  More  precisely,  the  commitment  scheme  ( Cr,Rr }  proceeds  identically  to  (C,R),  except 
that  in  Stage  3  of  the  protocol,  the  Committer  C  needs  to  provide  max(r  +  1,  l)  WISSV  proofs  (of 
the  statement  that  either  the  Stage  2  message  is  a  valid  commitment  or  that  it  knows  a  “trapdoor”), 
where  l  is  the  number  of  WISSV  proofs  in  Stage  3  of  the  original  protocol  ( C ,  R).  It  follows  using 
the  same  proof  as  in  [?]  that  ( Cr,Rr )  is  one-many  r-robust.  Roughly  speaking,  the  main  idea 
of  the  proof  is  to  reduce  the  one-many  r-robustness  to  the  indistinguishability  of  the  interaction 
with  machine  B(yjl)  or  B(y^),  by  extracting  the  value  committed  to  in  the  right  interactions  from 
the  WISSV  proofs  in  Stage  3  of  the  protocol,  without  rewinding  the  left  interactions.  This  is 
achievable,  (similar  to  the  proof  of  the  indistinguishability  of  Hybrid  Hi  and  Hi+ 1  in  Section  6,) 
as  there  are  more  WISSV  proofs  in  Stage  3  than  the  nubrner  of  messages  in  the  left  interaction, 
and  one  can  always  find  a  WISSV  proof  that  does  not  interleave  with  the  left  interaction  and 
extract  a  witness  from  this  proof,  without  rewinding  the  left  interactions.  The  witness  extracted 
must  be  a  valid  decommitment,  as  otherwise,  by  the  special-soundness  of  the  proof,  it  must  be  a 
valid  signature-chain,  which  violates  the  soundness  of  the  signature-game  (since  the  adversary  here 
is  never  rewound  and  obtains  only  three  signatures  during  the  straight-line  execution  of  the  right 
interaction).  Therefore,  we  conclude  that  (Cr,Rr)  is  one-many  r-robust.  It  follows  using  the  same 
proof  in  Section  6  that  (Cr,  Rr)  is  stand-alone  non-malleable;  and  it  further  follows  using  the  same 
proof  as  in  Section  7  that  it  is,  in  fact,  also  concurrent  non-malleable. 

Lemma  4.  For  every  r  £  N,  the  protocol  ( Cr,Rr )  has  0(r)-round,  and  is  concurrently  non- 
malleable  and  one-many  r-robust. 

Theorem  2  follows  directly  from  Lemma  4.  Furthermore,  for  r  <  l,  the  protocol  ( Cr,Rr )  is  the 
same  as  ( C,R );  thus, 

Corollary  1.  For  any  r  <1,  (C,R)  is  concurrently  non-malleable  and  one-many  r-robust. 
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A  General  Definitions 

A.l  Witness  Relations 

We  recall  the  definition  of  a  witness  relation  for  a  A fV  language  [?]. 

Definition  4  (Witness  relation).  A  witness  relation  for  a  language  L  £  MV  is  a  binary  relation 
Rl  that  is  polynomially  bounded,  polynomial  time  recognizable  and  characterizes  L  by  L  =  {x  : 
Bys.t..  (x,y)  £  RL} 

We  say  that  y  is  a  witness  for  the  membership  x  £  L  if  (. x,y )  £  Rl-  We  will  also  let  Rl(x ) 
denote  the  set  of  witnesses  for  the  membership  x  £  L,  i.e. ,  Rl(x)  =  {y  :  (. x,y )  £  L}.  In  the 
following,  we  assume  a  fixed  witness  relation  Rl  for  each  language  L  £  J\fV. 
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A.  2  Indistinguishability 

Definition  5  (Computational  Indistinguishability).  Let  Y  be  a  countable  set.  Two  ensembles 
{Anty}neN,yeY  and  {BUjy}neN,yeY  are  said  to  be  computationally  indistinguishable  (denoted  by  {An^y}n&N,yeY 
{Bn,y}neN,yeY ) ,  if  for  every  WT  “distinguishing”  machine  D,  there  exists  a  negligible  function 
i/(-)  so  that  for  every  n  G  N,y  G  Y : 

|Pr  [a<-Anty  :  D(ln,  y,  a)  =  1]  -  Pr  [6  Bn>y  :  D(ln,  y,  b)  =  1]  |  <  v(n) 

A. 3  Interactive  Proofs 

We  use  the  standard  definitions  of  interactive  proofs  (and  interactive  Turing  machines)  [?]  and 
arguments  (a.k.a.  computationally-sound  proofs)  [?].  Given  a  pair  of  interactive  Turing  machines, 

P  and  V,  we  denote  by  ( P(w ),  V)(x)  the  random  variable  representing  the  (local)  output  of  V,  on 
common  input  x,  when  interacting  with  machine  P  with  private  input  w,  when  the  random  input 
to  each  machine  is  uniformly  and  independently  chosen. 

Definition  6  (Interactive  Proof  System).  A  pair  of  interactive  machines  {P,V)  is  called  an  inter¬ 
active  proof  system  for  a  language  L  if  there  is  a  negligible  function  u(-)  such  that  the  following  two 
conditions  hold  : 

•  Completeness:  For  every  x  6  L,  and  every  w  €  Rl(x),  Pr  [(P(w),  V)(x)  =  1]  =  1 

•  Soundness:  For  every  x  £  {0,  l}n  —  L,  and  every  interactive  machine  B,  Pr  [( B ,  V)(x)  =  1]  < 
u(n) 

In  case  that  the  soundness  condition  is  required  to  hold  only  with  respect  to  a  computationally 
bounded  prover,  the  pair  ( P ,  V)  is  called  an  interactive  argument  system. 


A. 4  Zero-Knowledge 


We  recall  the  standard  definition  of  ZfC  proofs.  Loosely  speaking,  an  interactive  proof  is  said  to  be 
zero-knowledge  (ZIC)  if  a  verifier  V  learns  nothing  beyond  the  validity  of  the  assertion  being  proved, 
it  could  not  have  generated  on  its  own.  As  “feasible”  computation  in  general  is  defined  though 
the  notion  of  probabilistic,  polynomial-time,  this  notion  is  formalized  by  requiring  that  the  output 
of  every  (possibly  malicious)  verifier  interacting  with  the  honest  prover  P  can  be  “simulated”  by 
a  probabilistic  expected  polynomial-time  machine  S  (a.k.a.  the  simulator ).  The  idea  behind  this 
definition  is  that  whatever  V*  might  have  learned  from  interacting  with  P,  he  could  have  learned 
by  himself  by  running  the  simulator  S. 

The  notion  of  ZIC  was  introduced  and  formalized  by  Goldwasser,  Micali  and  Rackoff  in  [?]. 
We  present  their  definition  below. 


Definition  7  (ZIC).  Let  L  be  a  language  in  NP,  RjJ  a  witness  relation  for  L,  ( P ,  V)  an  interactive 
proof  (argument)  system  for  L.  We  say  that  (P,  V)  is  statistical/computational  ZIC,  if  for  every 
probabilistic  polynomial-time  interactive  machine  V  there  exists  a  probabilistic  algorithm  S  whose 
expected  running-time  is  polynomial  in  the  length  of  its  first  input,  such  that  the  following  ensembles 
are  statistically  close/computationally  indistinguishable  over  L. 


.  {(P(y),V(z))(x)} 


n£N,x£{0,l}nnL,y£RL(x),z£{0,l}* 


n£N,x£{0,l}nr\L,y£RL  (a;),ze{0,l}* 


where  (P(y),V(z))(x)  denotes  the  view  ofV  in  interaction  with  P  on  common  input  x  and  private 
inputs  y  and  z  respectively. 
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A. 5  Witness  Indistinguishability 

An  interactive  proof  (or  argument)  is  said  to  be  witness  indistinguishable  (WZ)  if  the  verifier’s 
output  is  “computationally  independent”  of  the  witness  used  by  the  prover  for  proving  the  state¬ 
ment.  In  this  context,  we  focus  on  languages  L  £  MV  with  a  corresponding  witness  relation  R l- 
Namely,  we  consider  interactions  in  which,  on  common  input  x ,  the  prover  is  given  a  witness  in 
Rl(x).  By  saying  that  the  output  is  computationally  independent  of  the  witness,  we  mean  that 
for  any  two  possible  NP-witnesses  that  could  be  used  by  the  prover  to  prove  the  statement  x  £  L, 
the  corresponding  outputs  are  computationally  indistinguishable. 

Definition  8  (Witness-indistinguishability).  Let  [P,  V)  be  an  interactive  proof  (or  argument)  sys¬ 
tem  for  a  language  L  £  MV.  We  say  that  (P,V)  is  witness-indistinguishable  for  Rl,  if  for  every 
probabilistic  polynomial-time  interactive  machine  V*  and  for  every  two  sequences  {w^  x}neN,xeL 
and  {w(  x}neN,xeL,  such  that  w*  x,  w(  x  £  Rl(x )  for  every  x  £  Lfl  {0,  l}n,  the  following  probability 
ensembles  are  computationally  indistinguishable  over  n  £  N . 

*  {(P{Wn,x)i  ^*(z))(x)}neA^a:eLn{0,l}n,ze{0,l}* 

•  {(P{wi,x)i  ^*(^))(x)}neN,a:eLn{0,l}n,ze{0,l}* 

A. 6  Proofs  (Arguments)  of  Knowledge 

Loosely  speaking,  an  interactive  proof  is  a  proof  of  knowledge  if  the  prover  convinces  the  verifier 
that  it  possesses ,  or  can  feasibly  compute,  a  witness  for  the  statement  proved.  The  notion  of  a 
proof  of  knowledge  is  essentially  formalized  as  follows:  an  interactive  proof  of  x  £  L  is  a  proof  of 
knowledge  if  there  exists  a  probabilistic  expected  polynomial-time  extractor  machine  E,  such  that 
for  any  prover  P,  E  on  input  the  description  of  P  and  any  statement  x  £  L  readily  outputs  a  valid 
witness  for  x  £  L  if  P  succeeds  in  convincing  the  Verifier  that  x  £  L.  Formally, 

[Proof  of  knowledge  [?]  ]  Let  ( P ,  V)  be  an  interactive  proof  system  for  the  language  L.  We  say 
that  ( P ,  V )  is  a  proof  of  knowledge  for  the  witness  relation  Rl  for  the  language  L  it  there  exists  an 
probabilistic  expected  polynomial-time  machine  E,  called  the  extractor,  and  a  negligible  function 
u(n)  such  that  for  every  machine  P* ,  every  statement  x  £  {0,  l}n,  every  random  tape  r  £  {0, 1}* 
and  every  auxiliary  input  z  £  {0, 1}*, 

Pr  \[P'r(z),V){x)  =  l]  <  Pr[Epr(x,z\x )  £  Rl{x)\  +  v{n) 

consider  WT  provers.  An  interactive  argument  system  ( P ,  V)  is  an  argument  of  knowledge  if  the 
above  condition  holds  w.r.t.  probabilistic  polynomial-time  provers. 

Special-sound  WI  proofs  A  Around  public-coin  interactive  proof  for  the  language  L  £  Af'P  with 
witness  relation  Rl  is  special-sound  with  respect  to  Rl,  if  for  any  two  transcripts  (5,a,f3, 7)  and 
(S',  a',  j3',  7')  such  that  the  initial  two  messages,  5,  5'  and  a,  a’ ,  are  the  same  but  the  challenges  (5,  f3' 
are  different,  there  is  a  deterministic  procedure  to  extract  the  witness  from  the  two  transcripts 
and  runs  in  polynomial  time.  Special-sound  WI  proofs  for  languages  in  MV  can  be  based  on 
the  existence  of  2-round  commitment  schemes,  which  in  turn  can  be  based  on  one-way  functions 
[?,  ?,  ?,  ?]. 
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Abstract 

We  study  the  adaptive  security  of  constrained  PRFs  in  the  standard  model.  We  initiate  our  explo¬ 
ration  with  puncturable  PRFs.  A  puncturable  PRF  family  is  a  special  class  of  constrained  PRFs,  where 
the  constrained  key  is  associated  with  an  element  x'  in  the  input  domain.  The  key  allows  evaluation  at 
all  points  x  ^  x' . 

We  show  how  to  build  puncturable  PRFs  with  adaptive  security  proofs  in  the  standard  model  that 
involve  only  polynomial  loss  to  the  underlying  assumptions.  Prior  work  had  either  super-polynomial 
loss  or  applied  the  random  oracle  heuristic.  Our  construction  uses  indistinguishability  obfuscation  and 
DDFi-hard  algebraic  groups  of  composite  order. 

More  generally,  one  can  consider  a  f-puncturable  PRF:  PRFs  that  can  be  punctured  at  any  set  of 
inputs  S,  provided  the  size  of  S  is  less  than  a  fixed  polynomial.  We  additionally  show  how  to  transform  any 
(single)  puncturable  PRF  family  to  a  t-puncturable  PRF  family,  using  indistinguishability  obfuscation. 
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1  Introduction 


Pseudorandom  functions  (PRFs)  are  one  of  the  fundamental  building  blocks  in  modern  cryptography.  A 
PRF  system  consists  of  a  keyed  function  F  and  a  set  of  keys  K,  such  that  for  a  randomly  chosen  key  k  £  1C, 
the  output  of  the  function  F(k,x)  for  any  input  x  in  the  input  space  “looks”  random  to  a  computationally 
bounded  adversary,  even  when  given  polynomially  many  evaluations  of  F(k,-).  Recently,  the  concept  of 
constrained  pseudorandom  functions 1  was  proposed  in  the  concurrent  works  of  Boneh  and  Waters  [BW13], 
Boyle,  Goldwasser  and  Ivan  [BGI13]  and  Kiayias,  Papadopoulos,  Triandopoulos  and  Zacharias  [KPTZ13]. 
A  constrained  PRF  system  is  associated  with  a  family  of  boolean  functions  F  =  {/}.  As  in  standard  PRFs, 
there  exists  a  set  of  master  keys  K.  that  can  be  used  to  evaluate  the  PRF  F.  However,  given  a  master  key  k, 
it  is  also  possible  to  derive  a  constrained  key  kf  associated  with  a  function  f  £  F.  This  constrained  key  kf 
can  be  used  to  evaluate  the  function  F(k,-)  at  all  inputs  x  such  that  f(x)  =  1.  Intuitively,  we  would  want 
that  even  if  an  adversary  has  kf,  the  PRF  evaluation  at  an  input  x  not  accepted  by  /  looks  random.  Security 
is  captured  by  an  adaptive  game  between  a  PRF  challenger  and  an  adversary.  The  adversary  is  allowed  to 
make  multiple  constrained  key  or  point  evaluation  queries  before  committing  to  a  challenge  x*  not  equal  to 
any  of  the  evaluation  queries  or  accepted  by  any  of  the  functions  for  which  he  obtained  a  constrained  key.  2 
The  challenger  either  sends  the  PRF  evaluation  at  x*  or  an  output  chosen  uniformly  at  random  from  the 
PRF  range  space,  and  the  adversary  wins  if  he  can  distinguish  between  these  two  cases. 

Since  their  inception,  constrained  PRFs  have  found  multiple  applications.  For  example,  Boneh  and 
Waters  [BW13]  gave  applications  of  broadcast  encryption  with  optimal  ciphertext  length,  identity-based  key 
exchange,  and  policy-based  key  distribution.  Sahai  and  Waters  [SW14]  used  constrained  PRFs  as  a  central 
ingredient  in  their  punctured  programming  methodology  for  building  cryptosystems  using  indistinguishable 
obfuscation.  Boneh  and  Zhandry  [BZ14]  likewise  applied  constrained  PRFs  for  realizing  multi-party  key 
exchange  and  broadcast  systems. 

Adaptive  Security  in  Constrained  PRFs  In  their  initial  work,  Boneh  and  Waters  [BW13]  showed 
constructions  of  constrained  PRFs  for  different  function  families,  including  one  for  the  class  of  all  polynomial 
circuits  (based  on  multilinear  maps).  However,  all  their  constructions  offer  selective  security  -  a  weaker  notion 
where  the  adversary  must  commit  to  the  challenge  input  x*  before  making  any  evaluation/constrained  key 
ciueries.3  Using  complexity  leveraging,  one  can  obtain  adaptive  security  by  guessing  the  challenge  input 
x*  before  any  ciueries  are  made.  However,  this  results  in  exponential  security  loss.  The  works  of  [BGI13, 
KPTZ13]  similarly  dealt  with  selective  security. 

Recently,  Fuchsbauer,  Konstantinov,  Pietrzak  and  Rao  [FKPR14]  showed  adaptive  security  for  prefix- 
fixing  constrained  PRFs,  but  with  quasi-polynomial  security  loss.  Also  recently,  Hofheinz  [Hofl4]  presented 
a  novel  construction  that  achieves  adaptive  security  for  bit-fixing  constrained  PRFs,  but  in  the  random  oracle 
model. 

While  selective  security  has  been  sufficient  for  some  applications  of  constrained  PRFs,  including  many 
recent  proofs  leveraging  the  punctured  programming  [SW14]  methodology  (e.g.,  [SW14,  HSW14,  BZ14, 
BCPR13]),  there  are  applications  that  demand  adaptive  security,  where  the  security  game  allows  the  ad¬ 
versary  to  query  the  PRF  on  many  inputs  before  deciding  on  the  point  to  puncture.  For  instance,  [BZ14] 
give  a  construction  for  multiparty  key  exchange  that  is  semi-statically  secure,  and  this  construction  requires 
adaptively  secure  constrained  PRFs  for  circuits.  We  anticipate  that  the  further  realization  of  adaptively 
secure  PRFs  will  introduce  further  applications  of  them. 

Our  Objective  and  Results  Our  goal  is  to  study  adaptive  security  of  constrained  PRFs  in  the  standard 
model.  We  initiate  this  exploration  with  puncturable  PRFs,  first  explicitly  introduced  in  [SW14]  as  a  spe¬ 
cialization  of  constrained  PRFs.  A  puncturable  PRF  family  is  a  special  class  of  constrained  PRFs,  where  the 
constrained  key  is  associated  with  an  element  x'  in  the  input  domain.  The  key  allows  evaluation  at  all  points 

1These  were  alternatively  called  functional  PRFs  [BGI13]  and  delegatable  PRFs  [KPTZ13]. 

“This  definition  can  be  extended  to  handle  multiple  challenge  points.  See  Section  3  for  details. 

*sThe  prefix  construction  of  [BGI13]  and  [KPTZ13]  were  also  selective. 
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x  7^  x' .  As  noted  by  [BW13,  BGI13,  KPTZ13],  the  GGM  tree-based  construction  of  PRFs  from  one-way 
functions  (OWFs)  [GGM84]  can  be  modified  to  construct  a  puncturable  PRF.  4  A  selective  proof  of  security 
follows  via  a  hybrid  argument,  where  the  reduction  algorithm  uses  the  pre-determined  challenge  query  x*  to 
“plant”  its  OWF  challenge.  However,  such  a  technique  does  not  seem  powerful  enough  to  obtain  adaptive 
security  with  only  a  polynomial-factor  security  loss.  The  difficulty  in  proving  adaptive  security  arises  due  to 
the  fact  that  the  reduction  algorithm  must  respond  to  the  evaluation  queries,  and  then  output  a  punctured 
key  that  is  consistent  with  the  evaluations.  This  means  that  the  reduction  algorithm  must  be  able  to  evaluate 
the  PRF  at  a  large  set  S  (so  that  all  evaluation  queries  lie  in  S  with  non- negligible  probability).  However,  S 
cannot  be  very  large,  otherwise  the  challenge  x*  will  lie  in  S,  in  which  case  the  reduction  algorithm  cannot 
use  the  adversary’s  output. 

In  this  work,  we  show  new  techniques  for  constructing  adaptively-secure  puncturable  PRFs  in  the  stan¬ 
dard  model.  A  central  contribution  is  to  overcome  the  conflict  above,  by  allowing  the  reduction  algorithm 
to  commit  to  the  evaluation  queries,  and  at  the  same  time,  ensuring  that  the  PRF  output  at  the  challenge 
point  is  unencumbered  by  the  commitment. 

Our  main  idea  is  to  execute  a  delayed  commitment  to  part  of  the  PRF  by  partitioning.  Initially,  in  our 
construction  all  points  are  tied  to  a  single  (Naor-Reingolcl  [NR04]  style)  PRF.  To  prove  security  we  begin  by 
using  the  admissible  hash  function  of  Boneh  and  Boyen  [BB04].  We  partition  the  inputs  into  two  distinct 
sets.  The  evaluable  set  which  contains  about  (1  —  1  /q)  fraction  of  inputs,  and  a  challenge  set  which  contains 
about  1/q  fraction  of  inputs,  where  q  is  the  number  of  point  evaluation  queries  made  by  the  attacker.  Via 
a  set  of  hybrid  steps  using  the  computational  assumptions  of  indistinguishability  obfuscation  and  subgroup 
hiding  we  modify  the  construction  such  that  we  use  one  Naor-Reingold  PRF  function  to  evaluate  points  in 
the  evaluable  set  and  a  completely  independent  Naor-Reingold  PRF  to  evaluate  points  in  the  challenge  set. 

After  this  separation  has  been  achieved,  there  is  a  clearer  path  for  our  proof  of  security.  At  this  point  the 
reduction  algorithm  wrill  create  one  PRF  itself  and  use  it  to  answer  any  attacker  point  query  in  the  evaluable 
set.  If  it  is  asked  for  a  point  x  in  the  challenge  set,  it  will  simply  abort.  (The  admissible  hash  function 
ensures  that  we  get  through  without  abort  with  some  non-negligible  probability.)  Eventually,  the  attacker 
will  ask  for  a  punctured  key  on  x* ,  which  defines  x*  as  the  challenge  input.  Up  until  this  point  the  reduction 
algorithm  has  made  no  commitments  on  what  the  second  challenge  PRF  is.  It  then  constructs  the  punctured 
key  using  the  a  freshly  chosen  PRF  for  the  challenge  inputs.  However,  when  constructing  this  second  PRF 
it  now  knows  what  the  challenge  x*  actually  is  and  can  fall  back  on  selective  techniques  for  completing  the 
proof. 

At  a  lower  level  our  core  PRF  will  be  the  Naor-Reingold  PRF  [NR04],  but  based  in  composite-order 
groups.  Let  G  be  a  group  of  order  N  =  pq ,  where  p  and  q  are  primes.  The  master  key  consists  of  a  group 
element  v  G  G  and  2 n  exponents  di x  G  Z n  (for  i  =  1  to  n  and  b  G  [0, 1}).  The  PRF  F  takes  as  input  a 
key  k  =  (v,  {di,b}),  an  Gbit  input  x,  uses  a  public  admissible  hash  function  h  :  {0, 1}*  — >  {0, 1}"  to  compute 
h(x)  =  bi . . .  bn  and  outputs  «^'=i  di’bi .  A  punctured  key  corresponding  to  x'  derived  from  master  key  k 
is  the  obfuscation  of  a  program  P  which  has  k,x'  hardwired  and  outputs  F(k,x)  on  input  x  ^  x' ,  else  it 
outputs  J_. 

We  will  use  a  parameterized  problem  (in  composite  groups)  to  perform  some  of  the  separation  step.  Our 
assumption  is  that  given  g,ga, . . .  ,ga  for  randomly  chosen  g  G  G  and  a  G  Z*N  it  is  hard  to  distinguish 
ga  from  a  random  group  element.  While  it  is  somewhat  undesirable  to  base  security  on  a  parameterized 
assumption,  we  are  able  to  use  the  recent  results  of  Chase  and  Meiklejohn  [CM14]  to  reduce  this  to  the 
subgroup  decision  problem  in  DDH  hard  composite  order  groups. 

f-puncturable  PRFs  We  also  show  how  to  construct  f-puncturable  PRFs:  PRFs  that  can  be  punctured 
at  any  set  of  inputs  S,  provided  IS)  <  t  (where  f(-)  is  a  fixed  polynomial).  We  show  how  to  transform  any 
(single)  puncturable  PRF  family  to  a  f-puncturable  PRF  family,  using  indistinguishability  obfuscation.  In 
the  security  game  for  f-puncturable  PRFs,  the  adversary  is  allowed  to  query  for  multiple  f-punctured  keys, 
each  corresponding  to  a  set  S  of  size  at  most  f.  Finally,  the  adversary  sends  a  challenge  input  x*  that  lies 

4In  fact,  the  GGM  PRF  construction  can  be  used  to  construct  prefix-fixing  constrained  PRFs. 
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in  all  the  sets  queried,  and  receives  either  the  PRF  evaluation  at  x*  or  a  uniformly  random  element  of  the 
range  space. 

In  the  construction,  the  setup  and  evaluation  algorithm  for  the  f-puncturable  PRF  are  the  same  as  those 
for  the  puncturable  PRF.  In  order  to  puncture  a  key  k  at  set  S,  the  puncturing  algorithm  outputs  the 
obfuscation  of  a  program  P  that  takes  as  input  x,  checks  that  x  ^  S,  and  outputs  F(k,x). 

For  the  proof  of  security,  we  observe  that  when  the  first  f-punctured  key  query  S 1  is  made  by  the  adversary, 
the  challenger  can  guess  the  challenge  x  £  S If  this  guess  is  incorrect,  then  the  challenger  simply  aborts 
(which  results  in  a  1/t  factor  security  loss).  However,  if  the  guess  is  correct,  then  the  challenger  can  now  use 
the  punctured  key  ivj  for  all  future  evaluation/f-punctured  key  queries.  From  the  security  of  puncturable 
PRFs,  it  follows  that  even  after  receiving  evaluation/i-punctured  key  queries,  the  challenger  will  not  be  able 
to  distinguish  between  F(k,x)  and  a  random  element  in  the  range  space. 

We  detail  this  transformation  and  its  proof  in  Section  5.  We  also  believe  that  we  can  use  a  similar 
approach  to  directly  modify  our  main  construction  to  handle  multiple  punctured  points,  however,  we  choose 
to  focus  on  the  generic  transformation. 

Related  Works  Two  recent  works  have  explored  the  problem  of  adaptive  security  of  constrained  PRFs. 
Fuchsbauer,  Konstantinov,  Pietrzak  and  Rao  [FKPR14]  study  the  adaptive  security  of  the  GGM  construction 
for  prefix- free  constrained  PRFs.  They  show  an  interesting  reduction  to  OWFs  that  suffers  only  a  quasi¬ 
polynomial  factor  go0° &n)  loss,  where  q  is  the  number  of  queries  made  by  the  adversary,  and  n  is  the  length 
of  the  input.  This  beats  the  straightforward  conversion  from  selective  to  adaptive  security,  which  results  in 
0(2")  security  loss. 

Hofheinz  [Hof  14]  shows  a  construction  for  bit-fixing  constrained  PRFs  that  is  adaptively  secure,  assuming 
indistinguishability  obfuscation  and  multilinear  maps  in  the  random  oracle  model.  It  also  makes  novel  use 
of  the  random  oracle  for  dynamically  defining  the  challenge  space  based  on  the  output  of  h.  It  is  currently 
unclear  whether  such  ideas  could  be  adapted  to  the  standard  model. 

Fuchsbauer  et  al.  also  show  a  negative  result  for  the  Boneh- Waters  [BW13]  construction  of  bit-fixing 
constrained  PRFs.  They  show  that  any  simple  reduction  from  a  static  assumption  to  the  adaptive  security  of 
the  Boneh- Waters  [BW13]  bit-fixing  constrained  PRF  construction  must  have  an  exponential  factor  security 
loss.  More  abstractly,  using  their  techniques,  one  can  show  that  any  bit-fixing  scheme  that  has  the  following 
properties  will  face  this  obstacle:  (a)  fingerprinting  queries  -  By  querying  for  a  set  of  constrained  keys,  the 
adversary  can  obtain  a  fingerprint  of  the  master  key.  (b)  checkability  -  It  is  possible  to  efficiently  check  that 
any  future  evaluation/ const  rained  key  queries  are  consistent  with  the  fingerprint.  While  these  properties 
capture  certain  constructions,  small  perturbations  to  them  could  potentially  circumvent  checkability. 

Partitioning  type  proofs  have  been  used  in  several  applications  including  identity-based  encryption  [BB04, 
Wat05,  ABB10,  HK12],  verifiable  random  functions  [HW10],  and  proofs  of  certain  signature  signature 
schemes  [FHPS13,  HSW13,  HSW14].  We  believe  ours  is  the  first  to  use  partitioning  for  a  delayed  com¬ 
mitment  to  parameters.  We  note  that  our  delayed  technique  is  someway  reminiscent  to  that  of  Lewko  and 
Waters  [LW12], 

Recently,  there  has  been  a  push  to  prove  security  for  indistinguishability  obfuscation  from  basic  mul¬ 
tilinear  map  assumptions.  The  recent  work  of  Gentry,  Lewko,  Sahai  and  Waters  [GLSW14]  is  a  step  in 
this  direction,  but  itself  requires  the  use  of  complexity  leveraging.  In  the  future  work,  we  might  hope  for 
such  reductions  with  just  polynomial  loss  —  perhaps  for  special  cases  of  functionality.  And  thus  give  an 
end-to-end  polynomial  loss  proof  of  puncturable  PRFs  from  multilinear  maps  assumptions. 

Two  works  have  explored  the  notion  of  constrained  verifiable  random  functions  (VRFs).  Fuchsbauer  [?] 
and  Chandran,  Raghuraman  and  Vinayagamurthy  [?]  show  constructions  of  selectively  secure  constrained 
VRFs  for  the  class  of  all  polynomial  sized  circuits.  The  construction  in  [?]  is  also  delegatable. 

Future  Directions  A  natural  question  is  to  construct  adaptively-secure  constrained  PRFs  for  larger  classes 
of  functions  in  the  standard  model.  Given  the  existing  results  of  [FKPR14]  and  [Hofl4],  both  directions  seem 
possible.  While  the  techniques  of  [Hofl4]  are  intricately  tied  to  the  random  oracle  model,  it  is  plausible  there 
could  be  constructions  in  the  standard  model  that  evade  the  negative  result  of  [FKPR14].  On  the  other 
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hand,  maybe  the  negative  result  of  [FKPR14]  (which  is  specific  to  the  [BW13]  construction)  can  be  extended 
to  show  a  similar  lower  bound  for  all  constructions  of  constrained  PRFs  with  respect  to  function  family  T . 

2  Preliminaries 

First,  we  recall  the  notion  of  admissible  hash  functions  due  to  Bonelr  and  Boyen  [BB04],  Here  we  state  a 
simplified  definition  from  [HSW14]. 

Definition  2.1.  Let  l,n  and  9  be  efficiently  computable  univariate  polynomials.  Let  h  :  {0,  l}ztA)  — » 
{0, be  an  efficiently  computable  function  and  AdmSample  a  PPT  algorithm  that  takes  as  input  1A 
and  an  integer  q ,  and  outputs  u  £  {0, 1,  J_}ra(Ab  For  any  u  £  {0, 1,  _L}™(A\  define  Pu  :  {0, 1};(A)  — >■  {0, 1}  as 
follows:  Pu(x )  =  0  if  for  all  1  <  j  <  n{ A),  h{x)j  ^  Uj,  else  Pu(x)  =  1. 

We  say  that  (h,  AdmSample)  is  ^-admissible  if  the  following  condition  holds: 

For  any  efficiently  computable  polynomial  Q ,  for  all  aq,. . .  ,xq(\),x*  £  {0, 1}^A\  where  x*  ^  {aq}j, 

Pf[(yi  <  Q(\),Pu(xi)  =  1)  A  Pu(x*)  =  0]  > 
where  the  probability  is  taken  over  u  <—  AdmSample(lA,  (3(A)). 

Theorem  2.1  (Admissible  Hash  Function  Family  [BB04],  simplified  proof  in  [FHPS13]).  For  any  effi¬ 
ciently  computable  polynomial  l,  there  exist  efficiently  computable  polynomials  n,  6  such  that  there  exist 
0-admissible  function  families  mapping  l  bits  to  n  bits. 

Next,  we  recall  the  definition  of  indistinguishability  obfuscation  from  [GGH+13,  SW14],  Let  PPT  denote 
probabilistic  polynomial  time. 

Definition  2.2.  (Indistinguishability  Obfuscation)  A  uniform  PPT  machine  iO  is  called  an  indistinguisha¬ 
bility  obfuscator  for  a  circuit  class  {Ca}  if  it  satisfies  the  following  conditions: 

•  (Preserving  Functionality)  For  all  security  parameters  A  £  N,  for  all  C  £  C\,  for  all  inputs  x ,  we  have 
that  C'(x)  =  C( x)  where  C'  -s—  iO( A,  C). 

•  (Indistinguishability  of  Obfuscation)  For  any  (not  necessarily  uniform)  PPT  distinguisher  B  =  (Samp,  T>), 
there  exists  a  negligible  function  negl(-)  such  that  the  following  holds:  if  for  all  security  parameters 

A  €  N,  Pr[Va:,  Cq(x)  =  C\(x)  :  (Co;Ci;cr)  Samp(  1A)]  >  1  —  negl(A),  then 

|  PrpD(cr,  iO(X,  Co))  =  1  :  (C0-,Cv,a)  <-  Samp(  1A)]- 
Pr[P(u,  iO(\,  Ci))  =  1  :  (C^C^a)  £-  Samp(lx)]\  <  negl(A). 

In  a  recent  work,  [GGH+13]  showed  how  indistinguishability  obfuscators  can  be  constructed  for  the 
circuit  class  P/poly.  We  remark  that  ( Samp,T> )  are  two  algorithms  that  pass  state,  which  can  be  viewed 
equivalently  as  a  single  stateful  algorithm  B.  In  our  proofs  we  employ  the  latter  approach,  although  here  we 
state  the  definition  as  it  appears  in  prior  work. 

2.1  Assumptions 

Let  Q  be  a  PPT  group  generator  algorithm  that  takes  as  input  the  security  parameter  1A  and  outputs 
(N,p,  q,  <G,  Gp,  Gq,  gi,g2)  where  p,q  £  0(2A)  are  primes,  N  =  pq,  G  is  a  group  of  order  N,  Gp  and  Gq  are 
subgroups  of  G  of  order  p  and  q  respectively,  and  gi  and  <72  are  generators  of  Gp  and  Gq  respectively. 

Assumption  1  (Subgroup  Hiding  for  Composite  Order  DDH-Hard  Groups).  Let  (N,p,  q,G,Gp,Gq,  gi,  g2)  £- 
t/(lA)  and  b  £-  {0, 1}.  Let  T  £-  G  if  b  =  0,  else  T  4—  Gp.  The  advantage  of  algorithm  A  in  solving  Assumption 
1  is  defined  as 

Adv3fH  =  Pr[b  <-  A(N,G,Gp,Gq,9l,g2,T)}  -  1 
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We  say  that  Assumption  1  holds  if  for  all  PPT  A,  Adv^GH  is  negligible  in  A. 

Note  that  the  adversary  A  gets  generators  for  both  subgroups  Gp  and  Gq.  This  is  in  contrast  to  bilinear 
groups,  where,  if  given  generators  for  both  subgroups,  the  adversary  can  use  the  pairing  to  distinguish  a 
random  group  element  from  a  random  subgroup  element. 

Analogously,  we  assume  that  no  PPT  adversary  can  distinguish  between  a  random  element  of  G  and  a 
random  element  of  Gq  with  non-negligible  advantage.  This  is  essentially  Assumption  1,  where  prime  q  is 
chosen  instead  of  p ,  and  Gq  is  chosen  instead  of  Gp. 

Assumption  2.  This  assumption  is  parameterized  with  an  integer  n  £  Z.  Let  (N,p,  q,G,Gp,Gq,  51,32)  •<— 
£(1A),  9  G,  a  £-  Z*N  and  b  <-  {0, 1}.  Let  D  =  (N,G,Gp,Gq,  g±,  g2,  g,  ga ,  ■ .  •  ,ga"  X).  Let  T  =  ga™  if  b  =  0, 
else  T  <—  G.  The  advantage  of  algorithm  A  in  solving  Assumption  2  is  defined  as 


Adv^  = 


Pr[b£-  A{D,T)} 


1 

2 


We  say  that  Assumption  2  holds  if  for  all  PPT  A,  Adv^  is  negligible  in  A. 

We  will  use  Assumption  2  for  clarity  in  certain  parts  of  our  proof,  but  we  do  not  give  it  a  name  because 
it  is  implied  by  other  named  assumptions.  First,  Assumption  2  is  implied  by  the  n-Power  Decisional  Diffie- 
Hellman  Assumption  [GJM02].  Second,  it  is  also  implied  by  the  non-parameterized  Assumption  1.  The  recent 
results  of  Chase  and  Mciklejohn  [CM14]  essentially  show  this  latter  implication,  but  that  work  focuses  on  the 
target  groups  of  bilinear  maps,  whereas  our  algebraic  focus  does  not  involve  bilinear  maps.  For  completeness, 
we  give  a  proof  of  this  implication  in  Appendix  B. 


3  Constrained  Pseudorandom  Functions 


In  this  section,  we  define  the  syntax  and  security  properties  of  a  constrained  pseudorandom  function  family. 
This  definition  is  similar  to  the  one  in  Boneh- Waters  [BW13],  except  that  the  keys  are  constrained  with 
respect  to  a  circuit  family  instead  of  a  set  system. 

Let  1C  denote  the  key  space,  X  the  input  domain  and  y  the  range  space.  The  PRF  is  a  function 
F  :  K,  x  X  — »  y  that  can  be  computed  by  a  deterministic  polynomial  time  algorithm.  We  will  assume  there 
is  a  Setup  algorithm  F.setup  that  takes  the  security  parameter  A  as  input  and  outputs  a  random  secret  key 
k  £  1C. 

A  PRF  F  :  A  x  X  — >  y  is  said  to  be  constrained  with  respect  to  a  circuit  family  C  if  there  is  an  additional 
key  space  /Cc,  and  three  algorithms  F.setup,  F.constrain  and  F.eval  as  follows: 


•  F.setup(lA)  is  a  PPT  algorithm  that  takes  the  security  parameter  A  as  input  and  outputs  a  description 
of  the  key  space  1C,  the  constrained  key  space  K,c  and  the  PRF  F. 

•  F.constrain(fc,  C)  is  a  PPT  algorithm  that  takes  as  input  a  PRF  key  k  £  1C  and  a  circuit  C  £  C  and 
outputs  a  constrained  key  kc  £  1CC. 


•  F.eval(fcc,  x)  is  a  deterministic  polynomial  time  algorithm  that  takes  as  input  a  constrained  key  kc  £  1CC 
and  x  £  X  and  outputs  an  element  y  £y.  Let  kc  be  the  output  of  F.constrain(fc,  C).  For  correctness, 
we  require  the  following: 


F.eval(fc(7,  x) 


F[k ,  x )  if  C(x)  =  1 

_L  otherwise 


3.1  Security  of  Constrained  Pseudorandom  Functions 

Intuitively,  we  require  that  even  after  obtaining  several  constrained  keys,  no  polynomial  time  adversary  can 
distinguish  a  truly  random  string  from  the  PRF  evaluation  at  a  point  not  accepted  by  the  queried  circuits. 
This  intuition  can  be  formalized  by  the  following  security  game  between  a  challenger  and  an  adversary  A. 
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Let  F:  1C  x  X  — »  y  be  a  constrained  PRF  with  respect  to  a  circuit  family  C.  The  security  game  consists 
of  three  phases. 

Setup  Phase  The  challenger  chooses  a  random  key  k  ■£-  K,  and  a  random  bit  b  ■£-  {0, 1}. 

Query  Phase  In  this  phase,  A  is  allowed  to  ask  for  the  following  queries: 

•  Evaluation  Query  A  sends  x  £  X,  and  receives  F(k,x). 

•  Key  Query  A  sends  a  circuit  C  £  C1  and  receives  E.constrain(fc,  C). 

•  Challenge  Query  A  sends  x  £  X  as  a  challenge  query.  If  b  =  0,  the  challenger  outputs  F(k,  x).  Else, 
the  challenger  outputs  a  random  element  y  £-  y . 

Guess  A  outputs  a  guess  b'  of  b. 

Let  E  C  T  be  the  set  of  evaluation  queries,  L  C  C  be  the  set  of  constrained  key  queries  and  Z  C  X  the 
set  of  challenge  queries.  A  wins  if  b  =  b'  and  E  n  Z  =  (f>  and  for  all  C  £  L,  z  £  Z ,  C(z)  =  0.  The  advantage 
of  A  is  defined  to  be  Adv^(A)  =  Pr[A  wins]. 

Definition  3.1.  The  PRF  F  is  a  secure  constrained  PRF  with  respect  to  C  if  for  all  PPT  adversaries  A 
Adv^(A)  is  negligible  in  A. 

In  the  above  definition  the  challenge  query  oracle  may  be  queried  multiple  times  on  different  points,  and 
either  all  the  challenge  responses  are  correct  PRF  evaluations  or  they  are  all  random  points.  We  remark  that 
Boneh- Waters  [BW13]  argued  that  such  a  definition  was  equivalent  (via  a  hybrid  argument)  to  a  definition 
where  the  adversary  may  only  submit  one  challenge  query.  In  the  next  section,  the  adversary  may  submit 
only  one  challenge. 


3.2  Puncturable  Pseudorandom  Functions 

In  this  work,  we  will  focus  on  puncturable  pseudorandom  functions,  a  subset  of  constrained  PRFs  where  the 
“circuits”  output  1  on  every  input  except  one  “punctured”  point.  A  PRF  F  :  )C  x  X  y  is  a  puncturable 
pseudorandom  function  if  there  is  an  additional  key  space  1CP  and  three  polynomial  time  algorithms  E.setup, 
F.eval  and  F. puncture  as  follows: 

•  F'.setup(lA)  is  a  randomized  algorithm  that  takes  the  security  parameter  A  as  input  and  outputs  a 
description  of  the  key  space  K.,  the  punctured  key  space  Kv  and  the  PRF  F. 

•  E.puncture(fc,  a:)  is  a  randomized  algorithm  that  takes  as  input  a  PRF  key  k  £  K,  and  x  £  X,  and 
outputs  a  key  kx  £  JCP. 

•  F.eva\(kx,x')  is  a  deterministic  algorithm  that  takes  as  input  a  punctured  key  kx  £  K,p  and  x'  £  X. 
Let  k  £  1C,  x  £  X  and  kx  <—  F.puncture(fc,  x).  For  correctness,  we  need  the  following  property: 


F.eval(fcx,  x') 


F(k,  x')  if  x  x’ 
_L  otherwise 


The  security  game  between  the  challenger  and  the  adversary  A  consists  of  the  following  four  phases. 

Setup  Phase  The  challenger  chooses  uniformly  at  random  a  PRF  key  k  t—  K,  and  a  bit  b  ■£-  {0, 1}. 

Evaluation  Query  Phase  A  queries  for  polynomially  many  evaluations.  For  each  evaluation  query  x, 
the  challenger  sends  F(k,x )  to  A. 
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Challenge  Phase  A  chooses  a  challenge  x*  £  X.  The  challenger  computes  kx*  4—  F.puncture(fc, x*).  If 
6  =  0,  the  challenger  outputs  kx *  and  F(k.  x*).  Else,  the  challenger  outputs  kx*  and  y  4—  y  chosen  uniformly 
at  random. 

Guess  A  outputs  a  guess  b'  of  6. 

Let  E  C  X  be  the  set  of  evaluation  queries.  A  wins  if  6  =  6'  and  x*  (j  E.  The  advantage  of  A  is  defined 
to  be  Adv^(A)  =  Pr[A  wins]. 

Definition  3.2.  The  PRF  F  is  a  secure  puncturable  PRF  if  for  all  probabilistic  polynomial  time  adversaries 
A  Adv^(A)  is  negligible  in  A. 

Recall  that  since  the  adversary  can  compute  any  evaluation  of  F  except  the  punctured  point  using  the  key 
given  during  the  Challenge  Phase,  access  to  the  Evaluation  Query  oracle  is  redundant  and  can  be  removed 
after  the  Challenge  Phase. 


3.2.1  t-Puncturable  Pseudorandom  Functions 

The  notion  of  puncturable  PRFs  can  be  naturally  extended  to  that  of  t-puncturable  PRFs,  where  it  is 
possible  to  derive  a  key  punctured  at  any  set  S  of  size  at  most  t. 

Let  f(-)  be  a  polynomial.  A  PRF  Ft  :  K,  x  X  — »•  y  is  a  t-puncturable  pseudorandom  function  if  there  is 
an  additional  key  space  JCP  and  three  polynomial  time  algorithms  Ft. setup,  iq.eval  and  Ft. puncture  defined 
as  follows. 

•  i7’t.setup(lA)  is  a  randomized  algorithm  that  takes  the  security  parameter  A  as  input  and  outputs  a 
description  of  the  key  space  /C,  the  punctured  key  space  K,p  and  the  PRF  Ft. 

•  F).puncture(fc,  S)  is  a  randomized  algorithm  that  takes  as  input  a  PRF  key  k  £  K,  and  S  C  X,  | S'!  <  t( A), 
and  outputs  a  t-punctured  key  I\s  €  /Cp. 

•  Ft.eva\(ks,  x')  is  a  deterministic  algorithm  that  takes  as  input  a  f-punctured  key  ks  £  ICP  and  x'  £  X. 
Let  k  £  1C,  S  C  X  and  ks  4—  Ft.puncture(fc,  S).  For  correctness,  we  need  the  following  property: 


Ft.e\za\{ks,x') 


Ft(k,  x')  iix'^S 
_L  otherwise 


The  security  game  between  the  challenger  and  adversary  is  similar  to  the  security  game  for  puncturable 
PRFs.  However,  in  this  case,  the  adversary  is  allowed  to  make  multiple  challenge  queries  (as  in  the  security 
game  for  constrained  PRFs).  The  game  consists  of  the  following  three  phases. 

Setup  Phase  The  challenger  chooses  a  random  key  k  4—  K,  and  a  random  bit  6  4—  {0, 1}. 

Query  Phase  In  this  phase,  A  is  allowed  to  ask  for  the  following  queries: 

•  Evaluation  Query  A  sends  x  £  X,  and  receives  Ft(k,x). 

•  Key  Query  A  sends  a  set  S  C  X,  and  receives  Fbpuncture^’,  S). 

•  Challenge  Query  A  sends  x  £  X  as  a  challenge  query.  If  6  =  0,  the  challenger  outputs  Ft(k,  x).  Else, 
the  challenger  outputs  a  random  element  y  4—  y. 

Guess  A  outputs  a  guess  b'  of  6. 
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Let  xi, . . .  ,xqi  £  X  be  the  evaluation  queries,  Si,...,Sq2  C  X  be  the  t-punctured  key  queries  and 
x\,...,x*  be  the  challenge  queries.  A  wins  if  Vi  <  q±,j  <  s,  ij  /  i*,  Vi  <  q2,j  <  s,  x*  £  Si  and  b'  =  b. 
The  advantage  of  A  is  defined  to  be  Adv^*(A)  =  Pr[A  wins]. 

Definition  3.3.  The  PRF  Ft  is  a  secure  f-puncturable  PRF  if  for  all  PPT  adversaries  A  Ad v^‘  (A)  is  negligible 
in  A. 


4  Construction 

We  now  describe  our  puncturable  PRF  family.  It  consists  of  the  PRF  F  :  K,  x  X  —>  y  and  the  three 
algorithms  F.setup,  F.puncture  and  F.eval.  The  input  domain  is  X  =  {0,  l}f,  where  t  =  £(X).  We  define  the 
key  space  JC  and  range  space  y  as  part  of  the  setup  algorithm  described  next. 

F.setup(lA)  F.setup,  on  input  1A,  first  runs  Q  to  compute  (N,p,  q,G,Gp,Gq,  gi,  g2)  <—  f/(lA).  Let  n,9 
be  polynomials  such  that  there  exists  a  ^-admissible  hash  function  h  mapping  £{\)  bits  to  n(A)  bits.  For 
simplicity  of  notation,  we  will  drop  the  dependence  of  l  and  n  on  A. 

The  key  space  is  K.  =  G  x  (Z^)  and  the  range  is  y  =  G.  The  setup  algorithm  chooses  v  £  G,  d^b  £  Zjv, 
for  i  =  1  to  n  and  b  £  {0, 1},  and  sets  k  =  (v,  ((di,0)  dip) , . . . ,  (dn.Oi  dn>i))). 

The  PRF  F  for  key  k  on  input  x  is  then  computed  as  follows.  Let  k  =  ( v ,  ((dyo,  dip) , . . . ,  (dnj0>  dnp)))  £ 
G  x  (Z^)n  and  h(x)  =  (6 1, . . .  ,bn),  where  6*  £  {0, 1}.  Then, 

F(k,  x)  =  v^i=1  dj,bi  ■ 

F.puncture(k,  x')  F.puncture  computes  an  obfuscation  of  the  program  PuncturedKeyfc  x,  defined  in  Figure 
??;  that  is,  Kx>  iO{ A,  PuncturedKeyfc  x,).  The  program  PuncturedKeyfc  /  is  padded  to  be  of  appropriate 
size.  5 


PuncturedKeyfe  x, 

Input:  x  £  {0,  l}e 

Constants  :  The  group  G 

k  =  (■ v ,  ((di.o, dip)  •  •  •  (d„, o, d«p)))  €  G  x  (Z2N)" 
x  £  {0,1}€ 

Compute  h(x)  =  6i . . .  b„  £  {0,  l}n. 

if  x  =  x'  then 

Output  _L. 
else 

Output  Vn?=1  dj'bi  . 

end  if 


Figure  1:  Program  PuncturedKey 


F.eval(Kx/ , x)  The  punctured  key  Kx/  is  a  program  that  takes  an  f-bit  input.  We  define 

F.eva\(Kx/,x)  =  Kx>(x). 

5Looking  ahead,  in  the  proof  of  security,  the  program  PuncturedKey^  x/  will  be  replaced  by  PuncturedKey 'yw^uxr-, 
PuncturedKeyAltn  k  k/  xt  and  Punctured KeyAlt^  w  E  k  x,  in  subsequent  hybrids.  Since  this  transformation  relies  on  iO  be¬ 
ing  secure,  we  need  that  all  programs  have  same  size.  Hence,  all  programs  are  padded  appropriately  to  ensure  that  they  have 
the  same  size. 
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4.1  Proof  of  Security 

We  will  now  prove  that  our  construction  is  a  secure  puncturable  PRF  as  defined  in  Definition  3.2.  Specifically, 
the  claim  we  show  is: 

Theorem  4.1  (Main  Theorem).  Assuming  iO  is  a  a  secure  indistinguishability  obfuscator  and  the  Subgroup 
Hiding  Assumption  holds  for  groups  output  by  G,  the  PRF  F  defined  above,  together  with  algorithms  F.setup, 
F.puncture  and  F.eval,  is  a  secure  punctured  pseudorandom  function  as  defined  in  Definition  3.2. 

Proof.  In  order  to  prove  this,  we  define  the  following  sequence  of  games.  Assume  the  adversary  A  makes 
q  =  q{ A)  evaluation  queries  (where  q(-)  is  a  polynomial)  before  sending  the  challenge  input. 

4.1.1  Sequence  of  Games 

We  underline  the  primary  changes  from  one  game  to  the  next. 

Game  0  This  game  is  the  original  security  game  from  Definition  3.2  between  the  challenger  and  A  in¬ 
stantiated  by  the  construction  under  analysis.  Here  the  challenger  first  chooses  a  random  PRF  key,  then  A 
makes  evaluation  queries  and  finally  sends  the  challenge  input.  The  challenger  responds  by  sending  a  key 
punctured  at  the  challenge  input,  and  either  a  PRF  evaluation  at  the  challenged  point  or  a  random  value. 

1.  Let  (N,p,  <j,G,  Gp,  Gg,  gi,  <72)  <—  <7(1A).  Choose  v  £  G,  di p  £  Z#,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set 
k  =  (v,  ((dqo,  dpi) ,  •  ■  ■ ,  (dn,o,  dn, i)))- 

2.  On  any  evaluation  query  X{  £  {0, 1}^,  compute  h(xf)  =  b\  . .  .b'n  and  output  v  J_1  1,bi . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  Xi  for  all  i  <  q.  Compute  Kx~  4—  iO( A,  PuncturedKeyfc  x.) 

and  h(x*)  =  b\  . . .  fc* .  Let  yo  =  i^J=1  dj’bj  and  y\  £-  G. 

4.  Flip  coin  /3  4—  {0, 1}.  Output  (Kx.,yp). 

5.  A  outputs  f3'  and  wins  if  =  /3' . 

Game  1  This  game  is  the  same  as  the  previous  one,  except  that  we  simulate  a  partitioning  game  while 
the  adversary  operates  and  if  an  undesirable  partition  arises,  we  abort  the  game  and  decide  whether  or 
not  the  adversary  “wins”  by  a  coin  flip.  This  partitioning  game  works  as  follows:  the  challenger  samples 
u  £  {0, 1,  _L}"  using  AdmSample  and  aborts  if  either  there  exists  an  evaluation  query  x  such  that  Pu{x)  =  0 
or  the  challenge  query  x*  satisfies  Pu{x*)  =  1. 

1.  Let  (iV,p,g,G,Gp,Gq,  <71,(72)  <-  Choose  v  £  G,ditb  £  Z n ,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set 

k  (^>  ((dqm  dip) , . . . ,  {dn. 0?  dnp))). 

Choose  u  <-  AdmSample(lA,  q)  and  let  Su  =  {x  :  Pu{x)  =  1}  (recall  Pu{x)  =  0  if  h{ x)j  7^  Uj  VI  <  j  < 
n). 

2.  On  any  evaluation  query  ap  £  {0, 1}^,  check  if  Pu{xi)  =  1. 

If  not,  flip  a  coin  7 j  4—  {0, 1}  and  abort.  A  wins  if  7 i  =  1. 

Else  compute  h{xi)  =  b\...bln  and  output  3’bj . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  a 7  for  all  i  <  q.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  4-  {0,1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx*  4—  iO{ A,  PuncturedKeyfc  a,»)  and  h{x*)  =  &}...  6*  .  Let  y0  =  and  yi  4—  G. 

4.  Flip  coin  /3  4—  {0, 1}.  Output  (. Kx*,yp ). 

5.  A  outputs  j3'  and  wins  if  /3  =  /3'. 

Game  2  In  this  game,  the  challenger  modifies  the  punctured  key  and  outputs  an  obfuscation  of  PuncturedKeyAlt 
defined  in  Figure  ??.  On  inputs  x  such  that  Pu{x)  =  1,  the  altered  punctured  key  uses  the  same  master  key 
k  as  before.  However,  if  Pu{x )  =  0,  the  altered  punctured  key  uses  a  different  master  key  k!  that  is  randomly 
chosen  from  the  key  space. 
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1.  Let  (N,p,  g,  G,  Gp,  Gg,  gp  g2)  <—  f?(lA).  Choose  v  £  G,  diti,  £  ZN,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set 
k  =  (v,  ((dpo,  dpi) ,  ■  ■  ■ ,  (dn, o,  dn,i))). 

Choose  u  <—  AdmSample(lA,  q). 

2.  On  any  evaluation  query  ap  £  {0, 1}£ ,  check  if  Pu{xi )  =  1. 

If  not,  flip  a  coin  7 *  £-  {0, 1}  and  abort.  „4  wins  if  7 *  =  1. 

Else  compute  /i(a;i)  =b\. .  .bln  and  output  u  J=1  3,I,5 . 

3.  A  sends  challenge  input  x*  such  that  x*  ^  Xi  for  all  i  <  q.  Check  if  Pu(x*)  =  0. 

If  not,  flip  a  coin  7*  ■£-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  choose  w  £  G,  ept  £  Z/v,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set  k'  =  (w,  ((epo,  epi), . . . ,  (enio, 
Compute  Kx*  «—  iO(X,  PuncturedKeyAltu  fcfe/ x»)  and  h(x*)  =  6*...  6*.  Let  y0  =  CjG  and 

2/i  £-  G. 

4.  Flip  coin  /3  «—  {0, 1}.  Output  {Kx*,yp). 

5.  .4  outputs  /3'  and  wins  if  /?  =  /?'. 


PuncturedKeyAlt^ 

Input:  x  £  {0,  l}f 

Constants  :  The  group  G 

k  =  (v,  ((di,0,di,i) . . .  (dn,o,  d„,i)))  £  G  x  (Z^)” 
k'  =  ( w ,  ((ei,o,  ei,i) . . .  (eK,o,  en,i)))  £  G  x  (Z|r)" 

®'  £  {0,l}f,u£  {0,l,L}n 

Compute  h(x)  =  bi . .  .b„. 

if  x  =  x'  then 

Output  _L. 

else  if  Pu(x)  =  0  then 

output  w^=1  ej,hi  . 

else 

Output  vn™=1  dj’bi . 

end  if 


Figure  2:  Program  PuncturedKeyAlt 

Game  3  In  this  game,  the  challenger  changes  how  the  master  key  k!  is  chosen  so  that  some  elements 
contain  an  a- factor,  for  use  on  inputs  x  where  Pu(x)  =  0. 

1.  Let  (N,p,  </,G,  Gp,  Gg,</i,  <72)  <-  17  (1A)-  Choose  v  £  G,  di 7  £  Z^r,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set 

k  =  (v,  ((d  1,0,  dpr) , . . . ,  {dn> 0,  dnA))). 

Choose  u  £-  AdmSample(lA,  q). 

2.  On  any  evaluation  query  27  £  {0, 1}^,  check  if  Pu(xi)  =  1. 

If  not,  flip  a  coin  7 /  £-  {0, 1}  and  abort.  A  wins  if  7 *  =  1. 

Else  compute  h(xi)  =  b\..  .bln  and  output  v^3  3,b'i . 

3.  A  sends  challenge  input  x *  such  that  x*  7^  a 7  for  all  i  <  g.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  £-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  choose  w  <—  G,  a  <—  Z*N  and  e'  b  £-  Z;y.  Let  eqb  =  e!i  b  •  a  if  h(x*)i  =  b,  else  ep b  =  e'  b. 

Let  fc'  =  (w,  ((eli0,  epi), . . . ,  (en,0,  e„,i)))  and  Kx,  «-  iO( A,  PuncturedKeyAltU|fc)fc,|a.,). 

Let  /i(x*)  =  6*  ...  6*  and  yo  =  and  yi  ■£-  G. 

4.  Flip  coin  /3  <—  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  j3’  and  wins  if  /3  =  /3'. 
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Game  4  This  game  is  the  same  as  the  previous  one,  except  that  the  altered  punctured  program  contains 

the  constants  {w  }”=0  hardwired.  These  terms  are  used  to  compute  the  output  of  the  punctured  program. 
The  punctured  key  is  an  obfuscation  of  PuncturedKeyAlt'  defined  in  Figure  ??. 


1.  Let  (N,p,  g,G,  Gp,  Gg,yi,  <72)  <—  f/(lA).  Choose  v  £  G,  di p  £  Zjv,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set 
k  =  ( v ,  ((di,0,  dpi) ,  •  •  • ,  (dn, 0,  d„,i))). 

Choose  u  4—  AdmSample(lA,  g). 

2.  On  any  evaluation  query  x i  £  {0, 1}^,  check  if  Pu{xi)  =  1. 

If  not,  flip  a  coin  7 *  «—  {0, 1}  and  abort.  A  wins  if  7 =  1. 

Else  compute  /i(a;,)  =  b\  . . .  bln  and  output  v^3  3,bJ . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  a 7  for  all  i  <  q.  Check  if  Pu(x*)  =  0. 

If  not,  flip  a  coin  7*  <—  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  choose  w  4—  G,  a  4—  Z*N  and  e'  b  4—  Zjq. 


Let  W  =  (w,wa,.. .  ,wa"  '),  E  =  {(e'10,e'hl),.. . ,  (e'n0,  e'nA))  and  K"»  4-  *0(A,  PuncturedKeyAlt^^.,,,)- 


Let  h{x*)  =  6*  ...  6* ,  y 0  =  (ro“  and  yi  ■£-  G. 

4.  Flip  coin  f3  4-  {0, 1}.  Output  (K”,,yp). 

5.  A  outputs  j3r  and  wins  if  /?  =  /?'. 


PuncturedKeyAlt{  tWtE,k,x> 

Input:  x  £  {0, 1}^ 

Constants  :  The  group  G 

k  =  (■ v ,  ((di,o,di,i) . . .  (dn,o,d„,i)))  £  G  x  (Z%)n 
W  =  ( wo , .  • . ,  Wn-i)  £  Gn,  E  =  ((e10,  e'lyl), . . . ,  {en  0,  e'n,ij)  £  (Zn) 
x  £  {0,  l}f,u£  {0, 1,T}" 

Compute  h{x)  =  bi  . . .  b„  and  h(x')  =  b[  . . .  b'n.  Let  txi(x)  =  |{*  :  bi  =  b'}|. 

if  x  =  x'  then 

Output  _L. 

else  if  Pu{x)  =  0  then 
output  (wt^O))^1^- 
else 

Output  dj,bi  . 

end  if 


Figure  3:  Program  PuncturedKeyAlt’ 


Game  5  In  this  game,  we  replace  the  term  wa  with  a  random  element  from  G.  Hence,  both  yo  and  yi 
are  random  elements  of  G,  thereby  ensuring  that  any  adversary  has  zero  advantage  in  this  game. 

1.  Let  (N,p,  g,G,Gp,Gq,  <71,52)  f?(lA)-  Choose  v  £  G ,dpb  £  ZN,  for  i  =  1  to  n  and  b  £  {0, 1},  and  set 

k  —  (tq  ((dqoi  dip) , . . . ,  (dn,o>  dn,i)))- 
Choose  u  £-  AdmSample(lA,  q). 

2.  On  any  evaluation  query  xt  £  {0, 1}^,  check  if  Pu(xi)  =  1. 

If  not,  flip  a  coin  7 *  t—  {0, 1}  and  abort.  A  wins  if  7 i  =  1. 

Else  compute  h(xi)  =  b\  ...  bln  and  output  J,bJ  . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  x-i  for  all  i  <  q.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  4-  {0,1}  and  abort.  A  wins  if  7*  =  1. 
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Else  choose  w  <—  G,  a  <—  Z*N:  and  e'  b  <—  ZN.  Let  W  =  (w,  wa, . . . ,  w;a"  *),  E  =  ((e^  0,  e\  -J, . . . ,  {e'n  0,  e'n  -J) 
and  Kx*  £-  iO( A,  PuncturedKeyAlt^)WB)fc  x,). 

Let  h(x*)  =  b*  . . .  6* .  Choose  T  4—  G  and  let  yo  =  (X1)^-1  J,bj  and  yi  ■£-  G. 

4.  Flip  coin  /3  <—  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  ft'  and  wins  if  /?  =  /?'. 

4.1.2  Adversary’s  Advantage  in  these  Games 

Let  Adv^  denote  the  advantage  of  adversary  A  in  Game  i.  We  will  now  show  that  if  an  adversary  A  has 
non-negligible  advantage  in  Game  i,  then  A  has  non-negligible  advantage  in  Game  i  +  1.  Finally,  we  show 
that  A  has  advantage  0  in  Game  5. 

Claim  4.1.  For  any  adversary  A,  Adv  A  >  Ad v°A/0(q). 

Proof.  This  claim  follows  from  the  ^-admissibility  of  the  hash  function  h.  Recall  h  is  ^-admissible  if  for  all 
xi,...  ,xq,x*,  Pr[  \/i,Pu(xi)  =  1  A  Pu{x*)  =  0]  >  1  /6(q),  where  the  probability  is  only  over  the  choice  of 
u  4—  AdmSample(lA,  q).  Therefore,  if  A  wins  with  advantage  e  in  Game  0,  then  A  wins  with  advantage  at 
least  e/9{q)  in  Game  1.  B 

Claim  4.2.  Assuming  iO  is  a  secure  indistinguishability  obfuscator  and  the  Subgroup  Hiding  Assumption 
holds,  for  any  PPT  adversary  A , 

Adv^  —  Adv^  <  negl(A). 

The  proof  of  this  claim  involves  multiple  intermediate  experiments  and  can  be  found  in  Appendix  A. 

Claim  4.3.  For  any  PPT  adversary  A,  Adv^  =  Adv^. 

Proof.  Game  2  and  Game  3  are  identical,  except  for  the  manner  in  which  the  constants  e^b  are  chosen.  In 
Game  2,  e^b  Zjv,  while  in  Game  3,  the  challenger  first  chooses  e'  b  £-  Zjv,  a  <—  Z*N,  and  sets  =  e  ■  b  ■  a 
if  h(x)i  =  6,  else  sets  e^b  =  e'  b.  Since  a  £  Z*N  (and  therefore  is  invertible),  e'  b  ■  a  is  also  a  uniformly  random 
element  in  Zjv  if  e(  b  is.  Hence  the  two  experiments  are  identical.  | 

Claim  4.4.  If  there  exists  a  PPT  adversary  A  such  that  Adv^  —  Adv^  is  non-negligible  in  A,  then  there 
exists  a  PPT  distinguisher  B  that  breaks  the  security  of  iO  with  advantage  non-negligible  in  A. 

Proof.  Suppose  there  exists  a  PPT  adversary  A  such  that  Adv^  —  Advj^  =  e.  We  will  construct  a  PPT 
algorithm  B  that  breaks  the  security  of  iO  with  advantage  e  by  interacting  with  A.  B  first  sets  up  the 
parameters,  including  u  and  k.  and  answers  the  evaluation  queries  of  A  exactly  as  in  steps  1  and  2  of  Game 
3,  which  are  identical  to  steps  1  and  2  of  Game  4.  When  A  sends  B  a  challenge  input  x*,  B  checks  that 
Pu{x*)  =  0  and  if  not  aborts  (identical  in  both  games). 

Next  B  chooses  further  values  to  construct  the  circuits:  w  4—  G,  a  4—  Z*N  and  e!i  h  4—  Z^.  Let  e^b  =  e'ib- a 

if  h(x*)i  =  6,  else  eijh  =  e'i  b.  Let  k'  =  (w,  ((ei,0,  epi), . . . ,  (en,0,  e„,i))),  W  =  (w,  wa, . . . ,  wa"  *)  and 

=  ((el,0>  el,l)^  •  •  •  >  (era,0;  en, l))- 

B  constructs  circuit  Co  =  PuncturedKeyAltu  fe  k,  x,  and  circuit  C\  =  PuncturedKeyAlt^  WEk  x.,  and  sends 
Co,  Ci  to  the  iO  challenger.  B  receives  Kx .  4—  iO(Cb)  from  the  challenger.  It  computes  h(x*)  =  . .  .  &*, 

yo  =  ej'b*j ,  y  4—  G,  ft  4—  {0, 1},  sends  (. Kx » ,  yp)  to  A  and  receives  ft’  in  response.  If  ft  =  ft' ,  B  outputs  0, 
else  it  outputs  1. 

We  will  now  prove  that  the  circuits  Co  and  Ci  have  identical  functionality.  Consider  any  l  bit  string  x, 
and  let  h(x)  =b\. .  .bn.  Recall  tx*(x)  =  \{i :  bi  =  b*}\. 

For  any  x  £  {0, 1}'  such  that  x  =  x* ,  both  circuits  output  _L. 

For  any  x  £  {0, 1}£  such  that  i/i*  and  Pu{x )  =  1,  both  circuits  output  dj,bj . 

For  any  x  £  {0, 1}'  such  that  x  ^  x*  and  Pu(x)  =  0,  we  have 
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Co(x)  =  PuncturedKeyAltu tk,k',x»(x)  =w^j=iej’s»  =w°  nj-iej,bj  _ 

=  PuncturedKeyAlt/  fe  x»  (x)  =  C^x). 

Since  Co  and  C\  have  identical  functionality,  Pr[B  wins  ]  =  Pr[A  wins  in  Game  3]  -  Pr [A  wins  in  Game  4], 
If  Adv(\  —  Adv^  =  e,  then  B  wins  the  iO  security  game  with  advantage  e. 


Claim  4.5.  If  there  exists  a  PPT  adversary  A  such  that  Adv^  —  Ad is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  Assumption  2  with  advantage  non-negligible  in  A. 

Proof.  Suppose  there  exists  an  adversary  A  such  that  Adv^  —  Adv^  =  e,  then  we  can  build  an  adversary 
that  breaks  Assumption  2  with  advantage  e.  The  games  are  identical  except  that  Game  5  replaces  the  term 
wa  with  a  random  element  of  G.  On  input  an  Assumption  2  instance  (N,  G,  Gp,  G9,  gi,g2,  w,  wa, . . .,  wa  ) 
together  with  challenge  value  T  (which  is  either  wa  or  a  random  element  in  G),  use  these  parameters  as  in 
Game  5  with  A.  If  A  guesses  it  was  in  Game  4,  guess  that  T  =  wa  ,  else  guess  that  T  was  random.  IS 

Observation  4.1.  For  any  adversary  A ,  Adv/:l  =  0. 

Proof.  If  the  challenger  aborts  either  during  the  evaluation  or  challenge  phase,  then  A  has  0  advantage,  since 
A  wins  with  probability  1/2.  If  the  challenger  does  not  abort  during  both  these  phases,  then  A  receives 
(Kx* ,  yp),  and  A  must  guess  (3.  However,  both  yo  and  y\  are  uniformly  random  elements  in  G,  and  therefore, 
Adv^  =  0.  ■ 

4.1.3  Conclusion  of  the  Main  Proof 

Given  Claims  4. 1-4. 5  and  Observation  4.1,  we  can  conclude  that  if  iO  is  a  secure  indistinguishability  obfus- 
cator  and  Assumption  1  holds  (recall  Appendix  A  shows  that  Assumption  1  implies  Assumption  2),  then 
any  PPT  adversary  A  has  negligible  advantage  in  the  puncturable  PRF  security  game  (i.e. ,  Game  0).  jjjj 


5  Construction  of  t-Puncturable  PRFs  from  Puncturable  PRFs 

In  this  section,  we  present  our  construction  of  t-puncturable  PRFs  from  puncturable  PRFs  and  indistin¬ 
guishability  obfuscation.  Let  F:Kxl’->(fbea  puncturable  PRF,  and  F.setup,  F.puncture,  F.eval  the 
corresponding  setup,  puncturing  and  evaluation  algorithms.  We  now  describe  our  t-puncturable  PRF  Ft, 
and  the  corresponding  algorithms  Ft. setup,  Ft. puncture  and  F/.eval. 

5.1  Construction 

Ft.setup(lA)  Ft. setup  is  the  same  as  F.setup. 

Ft.puncture(k,  S)  Fi.puncture(fc,  S)  computes  an  obfuscation  of  the  program  PuncturedKey1^  s  defined  in 
Figure  ??;  that  is,  Ks  <—  iO{ A,  PuncturedKey11^.  s).  As  before,  the  program  PuncturedKeytfc  s  is  padded  to 
be  of  appropriate  size. 


Ft.eval(Ks  ,  x)  The  punctured  key  Kg  is  a  program  that  takes  an  input  in  X .  We  define 


Ft.e\za\(Ks,x)  =  Ks{x). 
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Punctured  Key*,.  s 

Input:  x  £  X 

Constants  :  The  function  description  F 
fc  £  fC 

S  C  X  such  that  |S|  <  t 

if  x £  S then 

Output  _L. 
else 

Output  F(k,  x). 

end  if 


Figure  4:  Program  PuncturedKey* 


5.2  Proof  of  Security 

We  will  now  prove  that  the  above  construction  is  a  secure  f-puncturable  PRF  as  defined  in  Definition  3.3. 

Theorem  5.1.  Assuming  iO  is  a  secure  indistinguishability  obfuscator  and  F,  together  with  F.setup, 
F.puncture  and  F.eval  is  a  secure  puncturable  PRF,  the  PRF  Ft  defined  above,  together  with  Ft. setup, 
Ft. puncture  and  Ft.eval,  is  a  secure  f-puncturable  PRF. 

For  simplicity,  we  will  assume  that  the  adversary  makes  q±  evaluation  queries,  92  punctured  key  queries 
and  1  challenge  query.  As  shown  by  [BW13],  this  can  easily  be  extended  to  the  general  case  of  multiple 
challenge  queries  via  a  hybrid  argument.  We  will  first  define  the  intermediate  hybrid  experiments. 

Game  0  This  game  is  the  original  security  game  between  the  challenger  and  adversary  A ,  where  the 
challenger  first  chooses  a  PRF  key,  then  A  makes  evaluation/f-punctured  key  queries  and  finally  sends  the 
challenge  input.  The  challenger  responds  with  either  the  PRF  evaluation  at  challenge  input,  or  sends  a 
random  element  of  the  range  space. 

1.  Choose  a  key  k  <—  JC. 

2.  A  makes  evaluation/t-punctured  key  queries. 

(a)  If  A  sends  an  evaluation  query  Xi ,  then  output  F(k,Xi). 

(b)  If  A  sends  a  t-punctured  key  query  for  set  Sj,  output  Ksj  <—  iO(X,  PuncturedKey*,. s.). 

3.  A  sends  challenge  query  x*  such  that  x*  7^  Xi  Vi  <  q\  and  x*  £  Sj  Vj  <  q 2.  Choose  /3  <—  {0, 1}.  If 
/3  =  0,  output  y  =  F(k,  x*),  else  output  y  <~y. 

4.  A  sends  /3'  and  wins  if  /3  =  (3'. 

Game  1  This  game  is  the  same  as  the  previous  one,  except  that  the  challenger  introduces  an  abort 
condition.  When  the  first  f-punctured  key  query  Si  is  made,  the  challenger  guesses  the  challenge  query 
x  <r-  Si.  The  challenger  aborts  if  any  of  the  evaluation  queries  are  x.  if  any  of  the  future  t-punctured  key 
queries  does  not  contain  x  or  if  the  challenge  query  x*  7^  x. 

1.  Choose  a  key  k  <—  JC. 

2.  A  makes  evaluation/t-punctured  key  queries. 

Let  Si  be  the  first  t-punctured  key  query.  Choose  x  <—  Si  and  output  Ks1  <—  iO( A,  PuncturedKey*^,  Si ). 
For  all  evaluation  queries  aq  before  Si,  output  F(k,Xi). 

For  all  queries  after  Si,  do  the  following. 

(a)  If  A  sends  an  evaluation  query  xt  and  Xi  =  x,  abort.  Choose  7*  «—  {0, 1}.  A  wins  if  7/  =  1. 

Else  if  Xi  ^  x,  output  F(k,Xi). 
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(b)  If  A  sends  a  f-punctured  key  query  for  set  Sj  and  x  Sj,  abort.  Choose  7?  k-  {0, 1}.  A  wins  if  7?  =  1. 
Else  if  x  £  Sj,  output  R's:i  <—  iO( A,  PuncturedKey11^.  s.). 

3.  A  sends  challenge  query  x*  such  that  x*  7^  Xi  Mi  <  q\  and  x*  £  Sj  Vj  <  <72. 

If  x  7^  x* ,  abort.  Choose  7*  £-  {0, 1}.  yl  wins  if  7*  =  1. 

Else  if  x  =  x*,  choose  (3  k—  {0, 1}.  If  /3  =  0,  output  y  =  F(k,  x*),  else  output  y  k~y. 

4.  A  sends  f3'  and  wins  if  {3  =  f3' . 

Next,  we  define  <72  games,  Game  1;,  1  <  l  <  (72 ■  Let  Game  lo  =  Game  1. 

Game  1;  In  this  game,  the  first  l  punctured  key  queries  use  K %,  while  the  remaining  use  k. 

1.  Choose  a  key  k  k—  1C. 

2.  A  makes  evaluation/t-punctured  key  queries. 

Let  Si  be  the  first  f-punctured  key  query.  Choose  x  k—  Si  and  compute  A'£  k—  E.puncture(/c,  x). 

Output  Kg,  k—  iO( A,  PuncturedKeyAlt1^  s  ),  where  PuncturedKeyAlt*  is  defined  in  Figure  ??. 

For  all  evaluation  queries  Xi  before  Si,  output  F(k,Xi). 

For  all  queries  after  Si,  do  the  following. 

(a)  If  A  sends  an  evaluation  query  x,  and  Xi  =  x,  abort.  Choose  'jj  k-  {0, 1}.  A  wins  if  7/  =  1. 

Else  if  Xi  7^  x,  output  F.eval(Aj,  Xi)  =  F(k,Xi). 

(b)  If  A  sends  a  f-punctured  key  query  for  set  Sj  and  x  £  Sj,  abort.  Choose  7?  k—  {0, 1}.  A  wins  if 

'yf  =  l 

Else  if  a;  £  Sj  and  j  <  l,  output  Kg-  <—  iO{\,  PuncturedKeyAlt1^  ). 

Else  output  Kgj  k—  iG( A,  PuncturedKey1*.^). 

3.  A  sends  challenge  query  x*  such  that  x*  7^  a Vi  <  <71  and  x*  £  Sj  Vj  <  (72. 

If  x  7^  x* ,  abort.  Choose  7*  k—  {0, 1}.  A  wins  if  7*  =  1. 

Else  if  x  =  a:*,  choose  /I  k—  {0, 1}.  If  (3  =  0,  output  y  =  F(k,  x*),  else  output  y  k-  y. 

4.  A  sends  f3'  and  wins  if  (3  =  f3' . 


PuncturedKeyAlt1^.  s 

Input:  x  £  X 

Constants  :  The  function  description  F 
Ks 

S  C  X  such  that  |S|  <  t 

if  x  £  S then 

Output  J_. 
else 

Output  F.e\/a\(Kx,  x). 

end  if 


Figure  5:  Program  PuncturedKeyAlP 


Game  2  In  this  game,  the  challenger  outputs  a  random  element  as  the  response  to  the  challenge  query. 

1.  Choose  a  key  k  k—  1C. 

2.  A  makes  evaluation/t-punctured  key  queries. 

Let  Sj  be  the  first  t-punctured  key  query.  Choose  x  k—  S 1  and  compute  Aj  k—  Apuncture(£;,  x). 
Output  Kg1  X-  iO( A,  PuncturedKeyAlt1^  Si). 
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For  all  evaluation  queries  x,  before  Si,  output  F{k,Xi). 

For  all  queries  after  Si,  do  the  following. 

(a)  If  A  sends  an  evaluation  query  Xi  and  Xi  =  x,  abort.  Choose  7}  t—  {0, 1}.  A  wins  if  7’  =  1. 

Else  if  Xi  7^  x,  output  F.eva\(Kz,Xi)  =  F{k,Xi). 

(b)  If  A  sends  a  f-punctured  key  query  for  set  Sj  and  x  £  Sj,  abort.  Choose  7?  <—  {0, 1}.  A  wins  if 
li  =  1- 

Else  if  x  g  Sj,  output  Ksj  <—  iO( X,  PuncturedKeyAlC^.  Sj). 

3.  A  sends  challenge  query  x*  such  that  x*  7^  Xi  \/i  <  and  x*  G  Sj  Vj  <  q2. 

If  x  7^  x* ,  abort.  Choose  7*  <7-  {0, 1}.  A  wins  if  7*  =  1. 

Else  if  x  =  x* ,  choose  p  <-  {0, 1}  and  output  y  <—  y. 

4.  A  sends  ft'  and  wins  if  p  =  P' . 

5.2.1  Adversary’s  Advantage  in  these  Games 

Let  Adv^  denote  the  advantage  of  adversary  A  in  Game  i. 

Observation  5.1.  For  any  adversary  A,  Adv{t  >  Ad v\/t. 

Proof.  Since  one  of  the  elements  of  Si  will  be  the  challenge  input,  and  |Si|  <  t,  the  challenger’s  guess  is 
correct  with  probability  l/|5i|  >  1/t.  Hence,  Adv^  >  Ad  v^/f.  | 

We  will  now  show  that  Game  1;  and  Game  l;+i  are  computationally  indistinguishable,  assuming  iO  is 
secure. 

Claim  5.1.  If  there  exists  a  PPT  adversary  A  such  that  Adv^J  —  Adv^+1  is  non-negligible  in  A,  then  there 
exists  a  PPT  distinguisher  B  that  breaks  the  security  of  iO  with  advantage  non-negligible  in  A. 

Proof.  Note  that  the  only  difference  between  Game  1;  and  Game  l/+i  is  in  the  response  to  the  (7  +  1  )th 
t-punctured  key  query.  In  Game  1;,  PuncturedKeytfc  Si+i  is  used  to  compute  Ksl+1,  while  in  Game  h+i, 
PuncturedKeyAlt1^  s  is  used.  Suppose  there  exists  a  PPT  adversary  A  such  that  Adv^(  —  Adv^|+1  =  e. 
We  will  construct  a  PPT  algorithm  B  that  interacts  with  A  and  breaks  the  security  of  iO  with  advantage  e. 

B  chooses  k  ■<—  K.  and  for  all  evaluation  queries  Xj  before  the  first  t-punctured  key  query,  outputs  F(k,  xf). 
On  receiving  the  first  t-punctured  key  query  Si,  B  chooses  x  <—  S 1  and  computes  F.puncture(fc, x). 

The  evaluation  queries  are  computed  as  in  Game  1  /  and  l;+i.  The  first  l  t-punctured  key  queries  are 
constructed  using  k,  while  the  last  <72  —  l  —  1  t-punctured  keys  are  constructed  using  Kj,  (as  in  Game  1/ 
and  Game  lz+i)-  For  the  {l  +  l)th  query,  B  does  the  following.  B  sets  Co  =  PuncturedKeytfe  s  and 
Ci  =  PuncturedKeyAlP^.  g  ,  and  sends  Co,Ci  to  the  iO  challenger,  and  receives  Ksl+1  in  response,  which 
it  sends  to  A. 

Finally,  after  all  queries,  the  challenger  sends  the  challenge  query  x*.  B  checks  that  x  =  x* ,  sets 
yo  =  F{k,x*)  and  chooses  yi  <—  y,/3  <—  {0,1}.  It  outputs  yp  and  receives  j3'  in  response.  If  /3  =  ft’,  B 
outputs  0,  else  it  outputs  1. 

From  the  correctness  property  of  puncturable  PRFs,  it  follows  that  F.eval(ivj,  x)  =  F(k,x)  for  all 
x  Si+ 1-  Hence,  the  circuits  Cq  and  C 1  are  functionally  identical.  This  completes  our  proof. 


Next,  we  show  that  Game  lq2  and  Game  2  are  computationally  indistinguishable. 

•  1  9 

Claim  5.2.  If  there  exists  a  PPT  adversary  A  such  that  Adv^j12  —  Adv^  is  non-negligible  in  A,  then  there 
exists  a  PPT  distinguisher  B  that  breaks  the  security  of  puncturable  PRF  F  with  advantage  non-negligible 
in  A. 
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Proof.  We  will  use  A  to  construct  a  PPT  algorithm  B  that  breaks  the  security  of  puncturable  PRF  F  with 
advantage  Adv^2  —  Adv^.  Observe  that  in  Game  192,  the  challenger  requires  the  master  key  k  only  for 
the  evaluation  queries  before  the  first  f-punctured  key  query.  After  the  first  f-punctured  key  query  S\,  the 
challenger  chooses  x  4—  Si,  computes  a  punctured  key  Kx,  and  uses  this  to  compute  all  future  evaluation 
ciueries  and  t-punctured  keys. 

B  begins  interacting  with  A.  For  each  evaluation  query  x,:  before  the  first  t-punctured  key  query,  B 
sends  x.-t  to  the  puncturable  PRF  challenger,  and  receives  yi,  which  it  forwards  to  A.  On  receiving  the 
first  i-punctured  key  query  Si,  B  chooses  x  4—  Si  and  sends  x  as  challenge  input  to  the  puncturable  PRF 
challenger.  B  receives  K~t:  and  y.  It  uses  K%  for  all  remaining  queries.  On  receiving  challenge  x*  from  A ,  B 
checks  x*  =  x  and  sends  y.  B  sends  A’ s  response  to  the  PRF  challenger. 

Note  that  until  the  challenge  query  is  made,  both  games  are  identical  and  B  simulates  them  perfectly.  If 
y  is  truly  random,  then  A  receives  a  response  as  per  Game  2,  else  it  receives  a  response  as  per  Game  lq2. 


Finally,  we  have  the  following  simple  observation. 

Observation  5.2.  For  any  adversary,  Adv^\  =  0. 

From  the  above  claims  and  observations,  we  can  conclude  that  if  iO  is  a  secure  indistinguishability 
obfuscator  as  per  Definition  2.2,  and  F,  together  with  F.setup,  F. puncture,  F.eva I  is  a  secure  puncturable 
PRF  as  per  Definition  3.2,  then  any  PPT  adversary  A  has  negligible  advantage  in  Game  0. 
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A  Proof  of  Claim  4.2  (Adv^  —  Adv^  is  negligible) 

Recall  that  Claim  4.2  states  that  ssuming  iO  is  a  secure  indistinguishability  obfuscator  and  the  Subgroup 

Hiding  Assumption  holds,  for  any  PPT  adversary  A, 

Adv^  —  Adv^  <  negl(A). 

In  order  to  prove  this,  we  establish  a  sequence  of  intermediate  experiments  Game  1A  to  Game  1G  and 

show  that  any  two  consecutive  experiments  are  computationally  indistinguishable.  First,  we  recall  Game  1. 
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Game  1  This  is  Game  1  from  Section  4.1.1. 


1.  Let  (N,p,q,G,Gp,Gq,  gi,  g2) G(lx)-  Choose  u  4—  AdmSample(lA,  q). 

Choose  v  4—  G,  d^b  Zjy.  Set  k  =  ( v ,  ((d^o,  dip)  >  ■  ■  ■  >  (dn,o>  dnp))). 

2.  On  any  evaluation  query  Xi  £  {0, 1}  ,  check  if  Pu(xi)  =  1. 

If  not,  flip  a  coin  7 i  4-  {0, 1}  and  abort.  A  wins  if  7 i  =  1. 

Else  compute  h(xi)  =  b\  ...  bln  and  output  v . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  Xi  for  all  i  <  q.  Check  if  Pu(x*)  =  0. 

If  not,  flip  a  coin  7*  4-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx *  4—  iO( A,  PuncturedKeyfca.,)  and  A(x*)  =  b\  . . .  b*n .  Let  yo  =  dl’b 1  and  yi  4—  G. 

4.  Flip  coin  f3  £-  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  j3'  and  wins  if  /3  =  f3' . 

Game  1A  We  change  the  sampling  procedure  for  the  di ^  values  so  that  some  include  a  factor  of  a. 

1.  Let  (N,p,  q,G,Gp,Gq,  gi,  g2)  <—  17(1A).  Choose  u  4—  AdmSample(lA,  q). 

Choose  v  4—  G,  d[  b  4—  ZN,  a  4—  h*N  and  set  d^b  =  d'  b  if  Uj  =  b,  else  d^  =  d'  b  ■  a.  6. 

Set  k  =  (v,  ((di,0,di,i) , . . . ,  (d„i0,  dn>1))). 

2.  On  any  evaluation  query  27  €  {0, 1}^,  check  if  Pu(xi)  =  1. 

If  not,  flip  a  coin  7 \  «—  {0, 1}  and  abort.  A  wins  if  7 *  =  1. 

Else  compute  A(xj)  =  b\. .  .bln  and  output  v^°  J,b 5 . 

3.  A  sends  challenge  input  2;*  such  that  x*  7^  2;*  for  all  i  <  q.  Check  if  Pu( x*)  =  0. 

If  not,  flip  a  coin  7*  4-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx*  4—  iO( A,  PuncturedKeyfca.,)  and  h{ x*)  =  b\  . . .  6* .  Let  yo  =  and  yi  ■<—  G. 

4.  Flip  coin  f3  f—  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  (3'  and  wins  if  /3  =  fi' . 

Game  IB  We  substitute  an  alternative  method  of  computing  the  punctured  key  program  output  using  a 
differently  formatted  input. 

1.  Let  (N,p,  q,G,Gp, Gq, 51,32)  <—  t?(lA)-  Choose  u  4—  AdmSample(lA,  q).  Let  ru(x)  =  \{j  :  uj  7^  h(x)j}\. 
Choose  v  4—  G,  d'ib  4—  Zjv,  a  4-  1AN  and  set  d^b  =  d'  b  if  u*  =  b,  else  d^b  =  d'ib-  a. 

Let  D  =  ((d'10,d'M),  ■  ■  ■ ,  (d^,0,  d^)),  E  =  (x,  xa, . . . ,  xa"  1)  and  w  =  xa". 

2.  On  any  evaluation  query  27  £  {0, 1}^,  check  if  Pu(xi)  =  1.  7 
If  not,  flip  a  coin  7$  ■£-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  11(27)  =  b\  ...  6^.  Output  3'b 5  =  ^xar“<!C,)^  3  '’bp 

3.  A  sends  challenge  input  2;*  such  that  x*  7^  X,  for  all  i  <  q.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  «—  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx*  <—  iO(A,  PuncturedKey^„,)D)MX»)  and  d(x*)  =  6*...  6*.  Let  yo  =  = 

and  yi  £-  G. 

4.  Flip  coin  /3  £-  {0, 1}.  Output  (. Kx*,yp ). 

5.  A  outputs  /3'  and  wins  if  /?  =  (3'. 


6 If  Ui  =_L,  then  di  b  =  d[.  ,  ■  a  for  b  =  0, 1. 

7Note  that  ru(x)  <  n  if  Pu(x)  =  f,  else  ru(x)  =  n. 
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PuncturedKey'v^,,  D^x, 

Input:  x  G  {0,  l}f 

Constants  :  The  group  G 

V  =  (v0,vi,. .  .,vn-i)  G  Gn,  w  G  G 
D  =  ( (di,o>  di,i)  ■  ■  •  {dn, o,  rfn,i))  G  (Zjv) 
x  G  {0,1}',UG{0,1,1}" 

Compute  /i(a;)  =  6i . . .  bn. 

if  x  =  x'  then 

Output  _L. 

else  if  Pu(x)  =  0  then 
Output  dj'bi . 

else  t 

Compute  r„ (a:).  Output  (ur„(ao)  1  i,bi . 

end  if 


Figure  6:  Program  PuncturedKey, 

Game  1C  In  this  game,  the  term  va  is  replaced  by  a  random  element  of  G. 

1.  Let  (N,p,q^G,Gp,Gq,gi,g2)  G-  <?(1A).  Choose  u  g-  AdmSample(lA, q).  Let  ru(x)  =  |{j  :  Uj  7^  h(x)j}\. 
Choose  v  G-  G,  d!i  b  g-  Zjv,  a  G-  h*N  and  set  di,b  =  d •  b  if  ut  =  b,  else  d^b  =  d'ib-  a. 

Let  D  =  ((d'lj0,  d[A) . . . ,  (d'nfi,  d'n  l)),  V  =  (v,  va, . . . ,  va"  *)  and  w  g-  G. 

2.  On  any  evaluation  query  Xi  G  {0, 1}^,  check  if  Pu(xi)  =  1. 

If  not,  flip  a  coin  7 *  G-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  h{xi)  =  b\. . .  bln.  Output  u^3  3,6 5  =  ^ vaTulx 3  . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  a 7  for  all  i  <  q.  Check  if  Pu(x*)  =  0. 

If  not,  flip  a  coin  7*  G-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx*  g-  iO(X,  PuncturedKey^  D  u  x*)  and  h(  x*)  =  b\...b*n.  Let  ?/o  =  ic^3  3,bl  and 
2/i  4—  G. 

4.  Flip  coin  (3  G-  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  fd'  and  wins  if  (3  =  /31 . 


Game  ID  This  game  is  same  as  the  previous  one,  except  that  v  and  w  are  chosen  from  subgroups  Gp  and 
G9  respectively,  instead  of  G. 


1. 


2. 


Let  (N,p,  q 
Choose  v  G 


vpi 


ip, 

W  <r~ 


3,  gi,  g2)  G-  t/(lA).  Choose  u  1—  AdmSample(lA,  q).  Let  ru(x)  =  |{j  :  Uj  7^  h(x)j}\. 


vq  j  d'i  b  G-  Zjv,  a  ■ 


and  set  ditb  =  d!i  b  if  tq  =  b,  else  ditb  —  d'ib-  a. 
Let  D  =  ((d'h0,d'ltl), . . .  ,(d'nfi,d'ntl)),V  =  (v,  va, . . . ,  v^1). 

On  any  evaluation  query  a 7  G  {0, 1  }f,  check  if  Pu(xi )  =  1. 

If  not,  flip  a  coin  7*  G-  {0, 1}  and  abort.  A  wins  if  7 *  =  1. 


ILd 


j,6l. 


(w“r 


,(®4) 


n, 


Else  compute  /i(xj)  =  b\ . . .  bln.  Output  v 

3.  A  sends  challenge  input  x*  such  that  x*  7^  a 7  for  all  i  <  q.  Check  if  Pu(x*)  =  0. 
If  not,  flip  a  coin  7*  G-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 


Else  compute  Kx .  G-  i(7(A,  PuncturedKey^  ^,  ^,, )  and  /i(a;*)  =  &*...&*.  Let  ?/o 
2/i  G-  G. 

4.  Flip  coin  (3  G-  {0, 1}.  Output  (Kx*,yf 3). 

5.  Al  outputs  f3'  and  wins  if  /3  =  (31 . 


w 


II  d' 

1  1  1 


1 j,b * 


and 
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Game  IE 


1.  Let  (N,p,q,G,Gp,Gg,gi,g2)  <—  f?(lA).  Choose  u  <—  AdmSample(lA,  q).  Choose  v  <—  Gp,  w  <—  Gq, 
di  b  £-  Zjy.  Let  di  t,p  —  mod  p  and  di^,q  =  di ^  mod  q. 

Set  k  —  (x,  ((di^Ojpi  di,i,p))  •  •  • ,  dn, i,p)))  and  /c  (m,  ((dpo^,  dqqg),  •  -  - ,  (dnj o,g,  d^p^))). 

2.  On  any  evaluation  query  x.;  £  {0, 1}^,  check  if  Pu(x j)  =  1. 

If  not,  flip  a  coin  7$  ■£-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  /i(x,)  =b\. .  .bln.  Output  v^3  3,b 5  =  3,bl,p. 

3.  Al  sends  challenge  input  x*  such  that  x*  7^  x,;  for  all  i  <  <7.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  «—  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx,  £-  iO(\,  PuncturedKeyAltu  and  h(x*)  =  b$ . . .  6* .  Let  yo  =  dj,!7  = 

and  2/1  G. 

4.  Flip  coin  /3  £-  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  /3 '  and  wins  if  /?  =  /?'. 

Game  IF 

1.  Let  (N,p,q,G,Gp,Gq,gi,g2)  <—  <?(1A).  Choose  u  <—  AdmSample(lA, q).  Choose  v  <—  Gp,  w  <—  Gq, 

di,b,p  ^  ^p,  &i,b,q  ^  Zq. 

Set  k  —  (u,  ((di5o,p) dpqp) , . . . ,  (dn; o,p,  dn,i,p)) )  and  /c  —  (ip,  ((epo,q,0,pq),  •  •  •  ,  (^n,o,g, dnp^q ) ) ) . 

2.  On  any  evaluation  query  x*  £  {0, 1}^,  check  if  Pu(xi)  =  1. 

If  not,  flip  a  coin  7 *  ■£-  {0, 1}  and  abort.  „4  wins  if  7 *  =  1. 

Else  compute  /i(x/)  =  b\. . .  bln.  Output  =  v^3  1'b)'p . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  x*  for  all  i  <  q.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  £-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx*  «—  i0(A,  PuncturedKeyAltu  fc  fc,  x, )  and  A(x*)  =  6*...  6*.  Let  2/0  =  ej,!7  and 

2/i  £-  G. 

4.  Flip  coin  /3  <—  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  /?'  and  wins  if  /?  =  (3'. 

Game  1G  This  game  is  same  as  the  previous  one,  except  that  the  dt ^  and  e^b  values  are  uniformly  chosen 
from  Ztv  instead  of  Zp  and  Zg,  respectively. 

1.  Let  (N,p,q,G,Gp,Gq,gi,g2)  <—  f?(lA).  Choose  u  <—  AdmSample(lA,  q).  Choose  v  <—  Gp,  w  <—  Gq, 
di,b  "S-  Zn,  ei,b  Z]y. 

Set  k  =  (y,  ((dp0,  dpi),  •  •  • ,  {dn, 0,  dn,  1)))  and  k'  =  (w,  ((eli0,  eM), . . . ,  (e„i0,  dn,i)))- 

2.  On  any  evaluation  query  Xj  £  {0, 1}  ,  check  if  Pu{xi )  =  1. 

If  not,  flip  a  coin  7 *  ■£-  {0, 1}  and  abort.  A  wins  if  71  =  1. 

Else  compute  /i(x* )  =b\. . .  bln.  Output  =  . 

3.  A  sends  challenge  input  x*  such  that  x*  7^  x*  for  all  i  <  q.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  £-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx »  <—  «0(A,  PuncturedKeyAltufe  „)  and  d(x*)  =  6*...  6*.  Let  j/o  =  and 

2/i  £-  G. 

4.  Flip  coin  /3  <—  {0, 1}.  Output  (Kx*,yp). 

5.  A  outputs  /?'  and  wins  if  /?  =  (3'. 

Game  2  This  is  Game  2  from  Section  4.1.1.  This  game  is  same  as  the  previous  one,  except  that  v  and  w 
are  chosen  from  G  instead  of  the  subgroups  Gp  and  Gq  respectively. 
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1.  Let  (N,p,  q,  G,  Gp,  Gq,  gq,  g2)  <—  f?(lA).  Choose  u  <—  AdmSample(lA,  q).  Choose  v  <—  G,  w  <—  G,  diib  <— 
Zjv  j  C*,6  Zjv  . 

Set  fe  =  (v,  ((di,0,  dpi), . .  • ,  (d„,0,  d„,i)))  and  fe'  =  (w,  ((ei,0,  eqi), . . . ,  (e„,0,  dn,i))). 

2.  On  any  evaluation  query  27  £  {0, 1}£ ,  check  if  Pu{xi)  =  1. 

If  not,  flip  a  coin  7 *  ■£-  {0, 1}  and  abort.  A  wins  if  7 *  =  1. 

Else  compute  ^(aq)  =  b\. . .  bln.  Output  =  v^3  3G . 

3.  A  sends  challenge  input  x*  such  that  x*  ^  Xi  for  all  i  <  q.  Check  if  Pu{x*)  =  0. 

If  not,  flip  a  coin  7*  ■£-  {0, 1}  and  abort.  A  wins  if  7*  =  1. 

Else  compute  Kx*  «—  iO(\,  PuncturedKeyAltufc)fc/iX»)  and  h{  x*)  =  b*...b*.  Let  y0  =  w^3^’^  and 
2/1  <r~  G. 

4.  Flip  coin  /3  «—  {0, 1}.  Output  (Kx*,yf 3). 

5.  A  outputs  /?'  and  wins  if  /?  =  /?'. 


We  will  now  prove  that  the  difference  in  advantage  of  any  PPT  adversary  in  two  consecutive  game  is 
negligible  in  A.  Let  Adv}{*  denote  the  advantage  of  adversary  A  in  Game  la. 

Observation  A.l.  For  any  adversary  A,  Adv^  =  Adv^f4. 

Proof.  The  only  difference  between  Game  1  and  Game  1A  is  the  manner  in  which  the  constants  dij,  are 
chosen.  In  Game  1,  the  challenger  chooses  di ^  £-  Z/v-  In  Game  1A,  the  challenger  first  chooses  d!i  b  4—  Z^, 
a  ■£-  h*N  and  then  sets  dj;f,  as  either  d'  b  or  d!i  b  ■  a ,  depending  on  iq.  However,  note  that  in  either  case,  dlb 
is  a  uniformly  random  element  in  Z/v  since  a  £  7j*n.  | 


Claim  A.l.  If  there  exists  a  PPT  adversary  A  such  that  Adv}{4  —  Adv1^  is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  the  security  of  iO  with  advantage  non-negligible  in  A. 

Proof.  Suppose  there  exists  a  PPT  adversary  A  such  that  Adv}{4  —  Adv^8  =  e.  We  will  construct  a  PPT 
algorithm  B  that  breaks  the  security  of  iO  with  advantage  e  by  interacting  with  A.  B  establishes  some 
parameters  that  will  be  needed  to  interact  with  A  and  which  will  be  used  as  part  of  the  circuits  designed 
by  B:  first  it  chooses  v  <—  G,  a  <—  d'ib  «—  Zjv,  u  <—  AdmSample(lA,  q)  and  sets  di ^  =  d'ib  if  Ui  =  6, 
else  d,j,  =  d'ib-  a.  On  receiving  evaluation  query  27,  B  first  checks  that  Pu{xi)  =  1.  If  so,  it  computes 

h{x)  =  b\  . . .  bln  and  sends  3’bj  to  A. 

On  receiving  challenge  query  x*  from  A,  B  checks  Pu(x*)  =  0.  Now,  B  is  ready  to  construct  the  circuits.  It 
sets  k  =  (v,((dli0,d1:1), . . . ,  (dn,o,d„,  1))),  V  =  (v,va,..  .,va"  ),w  =  va "  and  D  =  {{d’10,  d'lx), . . . ,  (d'„0,  d'nl)) 
It  uses  k  to  construct  circuit  Co  =  PuncturedKeyfc  x, ,  uses  V,w,D  to  construct  C\  =  PuncturedKey^^,^* 
and  sends  Co,Ci  to  the  iO  challenger.  B  receives  Kx .  £-  iO(Cb)  from  the  challenger.  It  computes 
h{x*)  =  b\...  6*,  2/0  =  ,  y  <—  G,  /3  <—  {0,1},  sends  {Kx*,yp)  to  A  and  receives  f¥  in  response. 

If  /3  =  P' ,  B  outputs  0,  else  it  outputs  1. 

We  will  now  prove  that  the  circuits  Co  and  C\  have  identical  functionality.  Consider  any  £  bit  string  x , 
and  let  h(x)  =b\. .  .bn.  Recall  ru(x)  =  \{j  :  Uj  ^  bj}\. 


Hence,  vn>  d'C 


Also,  recall  ru(x) 


n  iff  Pu(x)  =  0.  Therefore,  to  compute  dj’bi 


for  some  x  such  that  Pu(x)  =  1,  we  only  need  the  constant  {d'ib\  and  {u,  va,  v°2 , . . . ,  r“”  1}.  Similarly,  if 
Pu( x)  =  0,  we  only  need  the  constants  {d-  &}  and  ua"  to  compute  dj’bi .  Using  this  observation,  we  can 
prove  that  the  programs  PuncturedKeyfc  x,  and  PuncturedKeyy,^  D  ux»  have  identical  functionality. 
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For  any  x  €  {0,  1}*'  such  that  Pu{ x)  =  1, 


PuncturedKey^  WiDiUX»  (x)  =  (V""'*') 
For  any  x  €  {0, 1  }e  such  that  Pu(x)  =  0, 


n3  ftb 


3  n  d  i  b  - 
=  V1  ‘  1  = 


=  PuncturedKeyfc  .(x) 


PuncturedKeyy^^^x)  =  W' 


=  nF-i  d'i’hi  = 


(»*") 


FT  d'- 

1  1.7  3 


j  j’bi  Ylndib 

—  yi  Aj  3 1  °  7  — 


v  =  PuncturedKeyfc  ^.(x) 


Since  Co  and  Ci  have  identical  functionality,  Pr[B  wins  ]  =  Pr[A  wins  in  Game  1A]  -  Pr[A  wins  in  Game  IB] 
If  Adv}j4  —  Adv^j8  =  e,  then  B  wins  the  iO  security  game  with  advantage  e.  0 


Claim  A. 2.  If  there  exists  a  PPT  adversary  A  such  that  Adv^8  —  Adv}p  is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  Assumption  2  with  advantage  non-negligible  in  A. 

Proof.  Suppose  there  exists  a  PPT  adversary  A  such  that  Adv^8  —  Adv}f  =  e.  We  will  construct  a  PPT  algo¬ 
rithm  B  that  uses  A  and  breaks  Assumption  2  with  advantage  at  least  e.  B  receives  the  group  description  G, 
(v,  va, . . . ,  u°"  X)  e  G”  and  T  €  G,  where  T  =  va "  or  T  t—  G.  B  chooses  d ■  b  t—  Zjv,  u  t—  AdmSample(lA,  q). 

B  sets  V  =  {v,..,,va"  *),  w  =  T,  D=  {(d,10,d'ltl),...,(d,nfi,d,nl)). 

On  evaluation  query  aq,  B  first  checks  that  P„(aq )  =  1.  Next,  it  computes  h(x)  =  b\  . . . bln ,  and  hnally 

outputs  3  ''bi .  Note  that  ru(x)  <  n  if  Pu{x)  =  0.  Therefore,  B  can  simulate  the  evaluation  query 

phase  perfectly. 

On  challenge  query  x*,  B  first  checks  that  Pu(x*)  =  0.  Next,  it  computes  h(x)  =  &*...&*,  Kx*  t— 
iO( A,  PuncturedKey^,,,  D  u  x»).  It  sets  yo  =  v^1  dj,bi  and  yi  t—  G. 

Finally,  B  chooses  /3  <—  {0,1},  sends  (Kx*,yft)  from  A,  and  receives  /3b  If  /?  =  ft,  B  outputs  0  (i.e.  it 
guesses  T  =  va  ),  else  it  outputs  1. 

Clearly,  if  Adv^8  —  Advpp1  =  e,  then  B  also  wins  with  advantage  e.  I 

Claim  A. 3.  If  there  exists  a  PPT  adversary  A  such  that  Advpp  —  Advpp3  is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  Assumption  1  with  advantage  non-negligible  in  A. 

Proof.  We  will  prove  this  claim  using  an  intermediate  experiment  Hyb.  Hyb  is  the  same  as  Game  1C,  except 
that  v  t—  G p.  We  will  prove  that  Game  1C  and  Hyb  are  computationally  indistinguishable,  and  similarly, 
Hyb  and  Game  ID  are  computationally  indistinguishable. 

Suppose  there  exists  a  PPT  adversary  A  such  that  Adv}f  —  Adv^yb  =  e.  Using  A,  we  will  construct 
a  PPT  algorithm  B  that  breaks  Assumption  1.  B  receives  G,  Gp,  Gq,  g\  «—  Gp,  g-i  <—  Gq  and  T,  where 
T  Gp  or  T  t—  G.  B  sets  v  =  T,  chooses  a  t—  Z*N,  ft  b  -S—  Zjv,  u  «—  AdmSample,  w  t—  G  and  computes 

V  =  (v,va, . . . ,  u“”  X)  and  dt^  as  in  Game  1C. 

On  receiving  evaluation  query  x,;  from  A,  B  computes  h(xi)  =  b\  . . .  b‘n ,  checks  if  Pu{xi)  =  1  and  responds 


with 


r  ) 


F  djM 


On  receiving  challenge  query  x* ,  B  checks  Pu(x*)  =  0,  and  computes  Kx .  t—  iO( A,  PuncturedKey'y^,  D  M  x,) 
,  yi  «—  G,  /3  {0, 1}  and  outputs  {Kx*,yp).  If  A  outputs  ft  B  guesses  v  €  G,  else  guesses 


/  \Ilj  dj  b 

2/o  =  (w) 


v  £  Gp.  Notice  that  if  Adv^yb  —  Adv}p  =  e,  then  B  breaks  Assumption  1  with  advantage  e. 


In  order  to  prove  our  claim,  we  now  need  to  show  that  the  experiments  Hyb  and  Game  ID  are  com¬ 
putationally  indistinguishable.  Note  that  the  only  difference  between  these  two  experiments  is  the  manner 
in  which  w  is  chosen.  In  Hyb,  w  <—  G,  while  in  Game  ID,  w  t—  Gg.  We  can  show  that  if  Assumption  1 
holds,  then  Hyb  and  Game  ID  are  computationally  indistinguishable.  This  argument  is  exactly  similar  to 
the  step  from  Game  1C  to  Hyb,  the  only  difference  being  that  the  assumption  used  will  be  that  w  t—  G  is 
computationally  indistinguishable  from  w  t—  Gq.  0 
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Claim  A. 4.  If  there  exists  a  PPT  adversary  A  such  that  Adv{j°  —  Adv^f  is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  the  security  of  iO  with  advantage  non-negligible  in  A. 

Proof.  We  will  use  two  intermediate  experiments  Hyb1  and  Hyb2,  and  use  the  security  of  iO  to  prove  that 
(a)  Game  ID  and  Hy^  are  computationally  indistinguishable,  (b)  Hy^  and  Hyb2  are  identical  experiments, 
and  (c)  Hyb2  and  Game  IE  are  computationally  indistinguishable. 

First  we  define  the  experiments  Hybj  and  Hyb2.  In  Hyb^  the  challenger  first  samples  u,v,  w,^  b,a  as  in 
Game  ID,  and  sets  dpt,  =  d't  h  if  ut  =  b,  else  dpt,  =  a  (same  as  before).  The  evaluation  query  responses  are 
also  same  as  in  Game  ID.  For  the  challenge  query  x* ,  the  challenger  first  checks  that  Pu(x*)  =  0.  Next, 

it  sets  w'  =  wl/a  ,  computes  yo  =  w  dj’bj  ,yi  G-  G  as  in  Game  ID.  However,  the  punctured 

key  Kx »  is  computed  using  PuncturedKeyAlt.  The  challenger  sets  k  =  (v,  ((di,o,  rfi.i), . . . ,  (dn>o,  dnp))), 
k!  =  (■ w' ,  ((dqo,  dip), . . . ,  (dn,o,  dnp)))  and  computes  Kx»  G-  iO{ A,  PuncturedKeyAltfc  k>  u  x,). 

Hyb2  is  the  same  as  Hyb^  except  that  it  chooses  dp;,  G-  Z jy  and  uses  w  instead  of  w'  in  the  key  k!  and 
for  computing  2/0  ■ 


Proof  of  (a):  Suppose  there  exists  a  PPT  adversary  A  such  that  Advp  —  Adv^y  1  =  e.  As  in  the 
proof  of  Claim  A.l,  we  will  first  construct  a  PPT  algorithm  B  that  uses  A  to  break  the  security  of  iO. 
B  samples  w,  i>,w,d'  b  and  computes  dt  b  as  in  Game  lD/Hyb.  On  receiving  evaluation  query  x j,  it  checks 

Pu(xi)  =  0  and  outputs  v^3  3,bG  On  receiving  challenge  query  x* ,  B  sets  V  =  (v,  va, . . . ,  va"  *),  D  = 
((dyo,  dip), . . . ,  (d'n  Q,  d'n  i)),  k,  k'  as  in  Hyb,  and  constructs  circuits  Co  =  PuncturedKey'y  ^,  p,  ux,  and  Cp  = 
PuncturedKeyAlt^  k,  u  x*.  It  sends  Co,  Ci  to  the  iO  challenger,  and  receives  Kx«  g-  i0(A,  Cf,).  &  computes 
2/o,  chooses  r/i,/?,  sends  {Kx*,yp)  to  A  and  receives  /?'  in  response.  If  fd  =  /3' ,  B  outputs  0,  else  outputs  1. 

In  order  to  complete  this  proof,  we  show  that  circuits  PuncturedKey^  Dux*  and  PuncturedKeyAltfc  fc,  u  x, 
have  identical  functionality. 

For  any  x  G  {0, 1 Y  such  that  Pu{x)  =  1,  h(x)  =  b\ . . .  bn, 

PuncturedKeyAltfcjfc,>MX,(a;)  =  rA  ^  =  Punctured  Key},,  W,D,U,  x*  (%)■ 

For  any  x  G  {0, 1  }e  such  that  Pu( x)  =  0,  x  ^  x* ,  h(x)  =  b\  . . .  bn, 


PuncturedKey 


k.k' 


,(x)  =  mAj  di’bi  =  (w'a  ^ 


n,< 


n, 

=  w  3 


= 


=  PuncturedKey} 


V,w,D,u 


.(x). 


For  x  =  x* ,  both  programs  outputs  _L.  Therefore,  the  two  programs  are  functionally  equivalent.  Hence, 
B  breaks  the  security  of  iO  with  advantage  e. 


Proof  of  (b):  Note  that  in  both  HyC  and  Hyb2,  di p  is  a  uniformly  random  element  in  Zjv  (since  a  G  Z*N). 
Also,  if  w  G-  Gq,  then  w 1/a  is  a  uniformly  random  element  in  Gq.  From  these  two  observations,  it  follows 
that  the  two  experiments  Hybj  and  Hyb2  are  the  same. 

Proof  of  (c):  Game  IE  is  similar  to  Hyb2,  except  that  the  challenger  chooses  k,k'  differently.  In 
Game  IE,  the  challenger  chooses  v  G-  Gp,w  G-  Gqidi,b  <—  Zjy-  It  sets  dpt,,p  =  di p  mod  p,  dpt,,g  =  dpt, 
mod  (/,  k  —  C,  ((dyo.p,  dip,p),  . . . ,  (dn,o.p,  dnp,p)))  and  k  (re,  ((di,o,g,  dip,g),  •  •  • ,  (dn,o.<j,  dnp,g))).  Suppose 
there  exists  a  PPT  adversary  A  such  that  Adv^yt>2  —  Adv^®  =  e.  Consider  the  following  PPT  algorithm 
B  that  uses  A  to  break  the  security  of  iO.  B  chooses  v,  w,  {dpt,}  and  sets  k  =  ( v ,  ((dp o,  dip),  . . ., 
(dn.o,  dnp))),  k  —  (^?,  ((di,o,  dip),  ...,  (dn, o,  dnp))),  k  — (u,  ((di^o,!?,  dip5p),  •  • .,  (dn) o,j>>  d^p^)))  and 
k'  =  (w,  ((dito,q,  dip)9), . . . ,  (dnfi,q,  dnpi9))).  B  uses  the  constants  v  and  {dp&jpt,  to  respond  to  A’s  eval¬ 
uation  queries.  On  receiving  challenge  query  x* ,  B  constructs  circuits  Co  =  PuncturedKeyAltfc  k,  u  x*  and 
Ci  =  PuncturedKeyAltp.  k,  ,  and  sends  Co,Ci  to  the  iO  challenger.  It  receives  Kx .  in  response.  B  com¬ 
putes  2/o,  J/i,  chooses  /3  g-  {0,1}  and  sends  ( Kx*,yp )  to  A ,  and  receives  jd'  in  response.  If  /?  =  (3',  then  B 
outputs  0,  else  it  outputs  1. 
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Since  v  £  Gp,  =  v^ljdJ.bj^  for  any  sequence  b1...bn.  Similarly,  since  w  £  Gg,  iu^j  di’lj  = 

w^jdj,bj’q.  Therefore  the  circuits  Co,Ci  have  identical  functionality.  Hence,  B  breaks  the  security  of  iO 
with  advantage  e.  H 

Claim  A. 5.  For  any  adversary  A ,  Adv^  =  Adv1/. 

Proof.  We  will  show  that  Game  IE  and  Game  IF  are  identical,  and  therefore,  any  adversary  has  the  same 
advantage  in  both  games.  Note  that  the  only  difference  between  Game  IE  and  Game  IF  is  the  manner 
in  which  the  keys  k,k'  are  chosen.  In  Game  IE,  the  challenger  chooses  v  £  Gp,  w  £  Gq,  £  Zjy  and 
sets  k  =  (v,((di^p,duliP),...,(dnfiiP,dnAiP)))  and  k!  =  (w,  ((di,o,g,  di,i,g),  •  •  • ,  (d„,o,g,  dnXq))).  In  Game 
IF,  the  challenger  chooses  di^,P  <—  Zp,  ei,b,q  <—  Z g  and  sets  fc  =  (u,  ((di,o,P,  di,i,P)>  ••  • ,  (dn,o,p,  dn,i,p)))  and 
k'  =  (w,  ((ei^.g,  epp,),  •  •  • ,  (en,o,9)  en,i>g))).  Using  Chinese  Remainder  Theorem,  it  follows  that  {(x  mod  p ,  a: 
mod  q)  :  x  <r-  Zjy}  =  {(x,  3)  :  a;  ■£-  Zp,  y  <—  Zq},  and  hence,  Game  IE  and  Game  IF  are  identical.  | 

Claim  A. 6.  If  there  exists  a  PPT  adversary  A  such  that  Adv^F  —  Adv^  is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  the  security  of  iO  with  advantage  non-negligible  in  A. 

Proof.  The  proof  of  this  claim  is  similar  to  the  proof  of  Claim  A. 4,  part  (c).  | 

Claim  A. 7.  If  there  exists  a  PPT  adversary  A  such  that  Adv^p  —  Advp  is  non-negligible  in  A,  then  there 
exists  a  PPT  adversary  B  that  breaks  Assumption  1  with  advantage  non-negligible  in  A. 

Proof.  The  proof  of  this  claim  is  similar  to  the  one  for  Claim  A. 3.  | 


B  Reducing  Assumption  2  to  Subgroup  Hiding  Assumption  in 
Composite  Order  DDH-Hard  Groups 

Chase  and  Meiklejohn  [CM14]  showed  that  in  bilinear  groups  of  composite  order,  many  3-type  reductions  are 
implied  by  subgroup  hiding.  The  paper  also  states  that  a  similar  result  holds  in  composite  order  DDH-hard 
groups.  For  completeness,  we  include  a  proof  of  this  implication. 

Theorem  B.l.  Let  (N, p,  g,G,Gp, G9, 51,(72)  •£-  f/(lA).  Then,  Assumption  1  implies  Assumption  2. 

As  in  [CM14],  the  proof  of  this  theorem  uses  the  dual  system  technique  introduced  by  Waters  [Wat09]. 
First,  we  define  4n  +  1  hybrid  experiments  Game  1,  Game  li,  Game  I2,  Game  I3,  . . .,  Game  n  —  1,  Game 
n—  li,  Game  n—  I2,  Game  n  —  I3,  Game  n  and  then  show  that  (a)  no  PPT  adversary  can  distinguish  between 
consecutive  hybrid  experiments  (b)  any  adversary  has  negligible  advantage  in  Game  n. 


B.l  Sequence  of  Games 

We  underline  the  changes  from  one  game  to  the  next. 


Game  0  :  Choose  v  G,  a  ZN,  (3  £  {0,1}  and  set  T0  =  ua",  T}  «—  G. 

Output  (AT, G,GP,G9, gi,5f2,  v,  va ,  ...,va"  \  T0). 


Game  i  :  Choose  v\ 


Gp,  a\, . . .  ai,  r1; . . . ,  r*  <—  ZN,  (3  £  {0, 1}  and  set  T0  =  up3  1  rj°J ,  Ti 


G. 


Output  (A, G, Gp, Gq, 3i, 32,  up3  1<5 ,v{ 


£}=1  rjdf- 

.  ,Ul  3 


,Tp). 
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Game  i\  :  Choose  v\  4—  Gp, 
Ti  «-  G. 


t>2  £-  Gg,  ai, . . .  a,i,  n, . . . ,  r»  -s—  Zjv,  /3  £  {0, 1}  and  set  To  = 


_  E’=i^'o"  < 


Output  (AT, G,Gp,Gg, sfi,5f2,  %  J  1  ^2,^1 


£?=i  riai 


T.V- 


V2  ,•••,«! 


Game  i2  :  Choose  ui  v-  Gp,  t>2  •<—  Gg,  ai, . . .  a^,  aj+i,  ri, . . . ,  r,  ■<—  Z^r,  /3  €  {0, 1}  and  set  To 
Ti  <-  G. 


e;= 


Output  (Ar,G,Gp,Gg,31,32,  ’  1  ,u2,«1 


..£}=i 


juj  Cti  +  1 


71  —  1 

a;+i 


i»). 


£}=i  rial 


Game  73  :  Choose  ui  •<—  Gp,  v2  4—  Gg,  ai ,  ...dj,  a^+i,  ri,...,r,,  r*+i  •<—  Z^r,  /?  £  {0,1}  and  set 

e;+1  ■ 


T0  = 


'3=1  J  Ju2,+1,  Ti 


G. 


Output  (AT, G, Gp, Gg, 3i, 32,  uf 


^TlrJ  Ei  =  lr3°3  Qi  +  l 

U2,t>i  V2 


5  *  *  *  ?  ^1 


£’±{  < 


^r+i1 


i»). 


B.2  Adversary’s  Advantage  in  these  Games 

Let  Adv}(*  denote  the  advantage  of  adversary  .4  in  Game  a.  Note  that  in  Game  0,  a  4-  7jn,  while  in 
Assumption  2,  a  V-  Z*N.  This  results  in  security  loss  that  is  negligible  in  A. 

Claim  B.l.  If  there  exists  a  PPT  adversary  A  such  that  Adv}}1  —  Adv}}  =  e,  then  there  exists  a  PPT  algorithm 
B  that  can  distinguish  between  a  random  element  of  G  and  a  random  element  of  Gp  with  advantage  e. 

Proof.  The  only  difference  between  the  two  games  is  that  in  Game  0,  the  challenger  chooses  v  4—  G,  while 
in  Game  1,  the  challenger  chooses  v\  4—  Gp.  B  receives  N,  G,  Gp,  Gq,  31, 32  and  w  from  the  challenger, 
where  w  4—  G  or  w  V-  Gp.  B  sets  v  =  w,  chooses  a  £  Zjv,  (3  £  {0, 1}  and  sets  T0  =  va  ,  T\  4—  G.  It 
sends  (N,G,Gp,Gq,  gi,  g2,v,va , . . .  ,ua"  ,Tp)  ot  A  and  receives  /3'  in  response.  If  f3'  =  /3,  B  sends  1  to  the 
challenger  (indicating  that  w  £  G),  else  it  sends  0.  Clearly,  if  w  £  G,  then  this  corresponds  to  Game  0,  else 
it  corresponds  to  Game  1.  If  A  wins  Game  0  with  probability  po,  and  wins  Game  1  with  probability  pi,  then 
the  advantage  of  B  in  breaking  Assumption  1  is  po  —  Pi  =  £•  I 


Claim  B.2.  If  there  exists  a  PPT  adversary  A  such  that  Adv^{  —  Ad v^}1  =  e,  then  there  exists  a  PPT 
algorithm  B  that  can  distinguish  between  a  random  element  of  G  and  a  random  element  of  Gp  with  advantage 

e. 


Proof.  The  PPT  algorithm  B  is  defined  as  follows.  First,  B  receives  N,  G,  Gp,  Gq,  31, 32  and  w  from  the 
challenger,  where  w  4—  G  or  w  V-  Gp.  B  chooses  v'  4—  Gp,  01, . . . ,  0,-1,  r\, . . . ,  rj_i  4—  Zjv,  /3  4—  {0,1} 
and  sets  T0  =  v‘ 


1  r,a 
1  1 


, /V'1  !  r,-a,' 


1. 


wu*  and  Ti  4—  G.  It  sends  (AT,  G,  Gp,  Gg,  31, 32,  v'^=1  rjw,  v‘  ur 

TJ3)  to  A  and  receives  /3'  in  response.  If  f3'  =  /3,  it  sends  0  to  the  challenger,  else  it  sends 


If  w  £  G,  then  w  =  for  some  r  £  Zjv,  r>2  £  Gg.  If  £  Gp,  then  w  =  v'r  for  some  r  £  Zjv.  Therefore, 
0  implicitly  sets  r,t  =  r,  and  hence,  if  u>  £  Gp,  A  receives  the  challenge  as  per  Game  i,  otherwise  it  receives 
the  challenge  as  per  Game  A .  9 


Claim  B.3.  For  any  adversary  A,  Adv^}1  =  Adv^2. 

Proof.  This  step  is  information-theoretic.  First,  let  us  recall  the  Chinese  Remainder  Theorem.  For  distinct 
primes  p,  q  and  N  =  pq,  we  have 

{( x  mod  p,  x  mod  q)  :  x  4—  Zjv}  =  {(x  mod  p,  y  mod  q)  :  x  •<—  Zjv,  3  «—  Z^r}  . 
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Hence,  it  follows  that  distributions  Dx  and  D2  are  identical,  where 


D  r 


i  i  I 

rjdj  mod  p, . . . ,  r^a "  mod  p,  a,;  mod  q  :  rx, . . . ,  r*,  Oi, . . . ,  a*  +-  Z^v  > 

j=i  J'=i  J 


^2 


i  i  I 

J2rJaJ  mod  p,...,J2rJa7  mod  p,  ai+ 1  mod  q  :  rx,. . . ,  ri;  ai>,. . . ,  a*,  ai+1  +-  ZN  > 

j=i  J=i  J 


Note  that  since  v  £  Gp,  vx  =  i>x  mod  p.  Similarly,  uiy  =  wy  mod  q.  Hence  it  follows  that  any  adversary  has 
identical  advantage  in  Game  i\  and  Game  i2. 


Claim  B.4.  If  there  exists  a  PPT  adversary  A  such  that  Adv+  —  Adv+  =  e,  then  there  exists  a  PPT 
algorithm  B  that  can  distinguish  between  a  random  element  of  G  and  a  random  element  of  Gq  with  advantage 
e. 


Proof.  The  PPT  algorithm  B  is  defined  as  follows.  First,  B  receives  N,  ( 


challenger,  where  w  4—  G  or  w  4—  Gq. 
sets  Tq  =  i)Gj=irJajW“i+i  and  4— 
,,'ELiT 


B  chooses  v'  4—  G„,  ai, . . . ,  aj,ri, 


vp,Gq,  gx,  g2  and  w  from  the 
.  ,Vi  4—  Zjv,  ft  +-  {0,1}  and 


It  sends  (N,<! 


oi  Gq,  g\ ,  g2 1  v 


ry\  ,  i 
1  =  1 


W,v'^o=irjajWai+1 ,  .  .  ., 


aj  w°i+1  ,Tp)  to  A  and  receives  ft'  in  response.  If  ft'  =  ft,  it  sends  0  to  the  challenger  (i.e.  B 
guesses  that  w  +-  Gg),  else  it  sends  1. 

As  in  the  proof  of  B.2,  if  w  £  G,  then  w  =  v'rv2,  else  w  =  v2  for  some  r,v2.  B  therefore  implicitly  sets 
r,;+ 1  =  r.  If  w  £  G q,  then  A  gets  a  Game  i2  challenge,  else  a  Game  i3  challenge.  IS 


Claim  B.5.  If  there  exists  a  PPT  adversary  A  such  that  Adv+  —  Adv^{+1  =  e,  then  there  exists  a  PPT 
algorithm  B  that  can  distinguish  between  a  random  element  of  G  and  a  random  element  of  Gq  with  advantage 
e. 

Proof.  The  proof  for  this  step  is  similar  to  the  proof  of  Claim  B.4.  || 


Claim  B.6.  For  any  adversary  A,  Adv}}1  <  negl(A). 

Proof.  Let  us  consider  the  following  distributions  (all  operations  are  modulo  p): 


n+1 

n+1 

n+1  \ 

Dx  = 

!fe 

rP  riaP  ■  ■ 

3= 1 

•’£rJ°r 

3  =  1 

^YLriajJ  :ri>- 

•  •  ?  T n+1 1  &1  j  •  ■ 

•  i  O-n+l  £~  / 

j  /n+1  n+1 

n  \ 

d2  = 

,  I 

[  \i=1  J'= i 

-£^rv 

■  •  5  ^  n+1  ?  &1  ?  •  • 

•  ,a„+i,r  <-  Zp  j 

In  order  to  show  that  Adv^+1  <  negl(A),  it  suffices  to  show  that  Di  and  D2  are  statistically  indistinguishable. 
In  fact,  one  can  prove  the  following  stronger  statement. 


Observation  B.l.  Dx  {(ci, . . .  ,cn+i)  :  Ci, . . . , cn+-,  <-  Zp} 
Note  that  Dx  can  also  be  expressed  as 


{(n  .  ..rn+ 1)  •  Vai 

. ..fln+1  *  5  ^  } 
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where  V^..^  is  a  Vandermonde  matrix  of  dimension  (n  +  1)  x  (n  +  1). 


1  Oi  •  •  •  a" 

1  02  • • •  Oj 


1  C(n+1 


a 


n 

n  +  1  J 


If  all  a^s  are  distinct  and  non-zero,  then  is  invertible.  Hence,  if  the  entries  a,;  are  chosen  uniformly 

at  random  from  Zp,  then  with  overwhelming  probability,  V^1...ari  is  invertible.  Thus,  there  is  a  Injection 
between  {(n, . . .  ,r„+ 1)  •  V  :  r*  G  Zp}  and  Z™+1.  This  proves  our  observation.  3 
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CloudSourcing  Cryptography:  Automating  the  Generation  of 
Outsourced  Cryptographic  Algorithms* 
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ABSTRACT 

We  present  CloudSource,  an  automated  tool  for  developing 
“outsourcing-ready”  cryptographic  schemes.  CloudSource  is 
designed  to  programmatically  analyze  existing  pairing-based 
encryption  schemes,  and  to  derive  new  algorithms  that  allow 
users  to  outsource  portions  of  the  cryptographic  work  to  an 
untrusted  server. 

The  CloudSource  tool  addresses  a  growing  need,  as  we  in¬ 
creasingly  deploy  cryptography  in  environments  where  users 
employ  limited  mobile  devices  and  yet  have  ready  access  to 
cloud-based  computing  resources.  The  techniques  we  pro¬ 
pose  form  part  of  a  growing  line  of  work  aimed  towards  the 
automated  analysis  and  engineering  of  cryptographic  proto¬ 
cols,  and  will  help  to  reduce  the  need  for  manual  optimiza¬ 
tion  of  these  constructions. 

1.  INTRODUCTION 

Over  the  past  several  years,  a  number  of  new  crypto¬ 
graphic  technologies  have  entered  the  literature.  These  tech¬ 
nologies  include  improvements  in  existing  schemes  as  well 
as  entirely  new  paradigms  such  as  Identity-Based  Encryp¬ 
tion  [11,42],  Functional  Encryption  [40]  and  Fully  Homomor¬ 
phic  Encryption  [26].  As  a  result,  we  now  have  entirely  new 
capabilities  that  were  not  possible  using  earlier  techniques. 

While  these  technologies  offer  us  new  tools  to  solve  long¬ 
standing  security  problems,  they  have  serious  limitations 
that  have  prevented  their  use  in  practice.  One  notable  limi¬ 
tation  is  the  fact  that  constructions  often  need  to  be  tailored 
to  a  specific  application  before  they  can  be  used.  The  appli¬ 
cation  may  have  specific  requirements,  e.g.,  related  to  the 
efficiency  and  bandwidth  overhead  of  the  scheme.  A  sur¬ 
prising  fraction  of  the  cryptographic  literature  is  devoted  to 
detailing  precisely  these  sorts  of  optimizations,  from  basic 
scheme  optimizations  (e.g. ,  re-writing  cryptographic  oper- 

*This  work  was  partially  supported  by  DARPA  and  the  Air 
Force  Research  Laboratory  (AFRL)  under  contract  FA8750- 
11-2-0211.  This  document  is  a  pre-print  for  DARPA  and  not 
for  public  distribution. 


ations  to  use  different  operations)  [17,  38,  39]  to  advanced 
techniques  such  as  secure  outsourcing  of  cryptographic  op¬ 
erations  [28,33,51]  and  batch  processing  [2,13,24,50]. 

Unfortunately,  it  is  not  possible  for  human  beings  to  cus¬ 
tomize  all  constructions  to  every  possible  application.  More¬ 
over,  safely  applying  these  techniques  is  typically  a  non¬ 
trivial  process;  even  domain  experts  have  been  known  to 
make  important  mistakes  that  can  completely  undermine 
the  security  of  a  construction,  e.g.,  [15,43].  For  most  imple- 
menters  it  is  simply  not  practical  to  obtain  the  resources  to 
make  these  changes,  and  as  a  consequence,  many  schemes 
in  the  literature  remain  undeployed. 

In  this  paper  we  continue  a  line  of  research  that  inves¬ 
tigates  whether  automated  techniques  can  be  developed  for 
the  purpose  of  re-designing  and  implementing  cryptographic 
schemes  [2,3,5,37].  The  general  approach  in  this  work  is  to 
take  an  existing,  provably-secure  cryptographic  scheme  as 
input,  and  to  apply  a  series  of  techniques  in  order  to  arrive 
at  a  new,  secure  cryptographic  scheme.  The  challenge  in 
this  work  is  to  identify  useful  transformations  that  preserve 
security  properties,  and  to  develop  tools  that  can  safely  im¬ 
plement  these  techniques. 

Outsourcing  cryptography.  In  this  work  we  focus  on 
the  specific  problem  of  outsourcing  cryptographic  operations 
to  untrusted  parties.  This  is  an  area  that  has  received  a 
great  deal  of  attention  due  to  the  increasing  availability  of 
cloud  computing  resources.  The  benefits  of  outsourcing  are 
many:  first,  it  can  greatly  reduce  the  computational  burden 
of  cryptographic  operations,  something  that  is  particularly 
relevant  to  mobile  devices  (where  complex  decryption  op¬ 
erations  on  e.g.,  attribute-based  encryption  ciphertexts  can 
take  many  seconds  [28]).  Second,  it  can  dramatically  reduce 
bandwidth  overhead  for  a  decryptor  by  reducing  the  size  of 
complex  ciphertexts  into  a  shorter  “partially  decrypted”  ci¬ 
phertext.  Moreover,  implementers  may  be  able  to  reduce  the 
size  of  a  Trusted  Codebase  (or  the  complexity  of  a  hardware 
device  like  a  smartcard)  by  outsourcing  complex  operations 
to  untrusted  hardware  [28]. 

While  general  techniques  exist  for  the  purpose  of  securely 
outsourcing  arbitrary  computations,  e.g.,  [26],  these  schemes 
are  not  yet  practical  enough  for  the  applications  we  envi¬ 
sion  -  i.e.,  offloading  meaningful  cryptographic  work  to  a 
third  party.  However,  a  separate  line  of  work  has  consid¬ 
ered  more  practical  outsourcing  schemes  for  specific  crypto¬ 
graphic  constructions  [16,28,33,34,36,51].  However,  each  of 
these  proposals  addresses  only  one  individual  scheme.  This 
is  unfortunate,  since  developing  outsourcing-ready  encryp¬ 
tion  schemes  from  scratch  is  a  challenging  and  error-prone 
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task.  Fortunately,  the  previous  work  of  [28,  34]  indicates 
that  it  is  possible  to  modify  certain  classes  of  pairing-based 
encryption  scheme  into  outsourcing-ready  schemes  without 
damaging  the  underlying  construction.  While  these  tech¬ 
niques  are  applied  on  a  per-scheme  basis,  we  believe  that 
they  are  also  amenable  to  automated  techniques. 

Our  contribution.  In  this  work  we  develop  a  new  tech¬ 
nique  for  automatically  generating  outsourcing-ready  encryp¬ 
tion  schemes  for  a  large  class  of  pairing-based  cryptographic 
constructions.  Our  technique,  which  we  call  CloudSource, 
allows  us  to  begin  with  the  description  of  a  secure  encryp¬ 
tion  scheme  in  the  domain-specific  Scheme  Description  Lan¬ 
guage  (SDL)  [2],  then  to  apply  a  series  of  programmatic 
transformations  in  order  to  arrive  at  a  new  scheme  with 
outsourcing  capability.  Once  processed,  we  can  readily  eval¬ 
uate  the  efficiency  of  the  scheme  and  even  translate  it  into 
a  working  C+- 1-  or  Python  implementation.  To  the  best  of 
our  knowledge,  this  is  the  first  such  generalization  of  out¬ 
sourcing  techniques.  We  tested  CloudSource  on  9  different 
pairing-based  encryption  algorithms  from  the  academic  lit¬ 
erature  to  demonstrate  the  ability  of  our  tool  to  produce  an 
outsourced  scheme  and  executable  code  suitable  for  mobile 
devices  with  limited  processing  power. 

The  most  important  aspect  of  our  work  is  that  we  are  able 
to  retain  the  security  guarantees  of  the  original  construction, 
even  in  the  face  of  a  possible  adversarial  outsourcing  service. 
To  ensure  this,  we  apply  a  series  of  blinding  rules  according 
to  a  formula  that  preserves  certain  security  properties  of  the 
underlying  scheme. 

Overview  of  our  techniques.  We  now  provide  an  overview  of 
our  approach.  Without  loss  of  generality  we  will  use  the  ex¬ 
ample  of  public-key  encryption,  but  note  that  our  approach 
can  be  used  with  Identity-Based  encryption  [10,11,14,31,44], 
Attribute-Based  Encryption  [32,  40,  45]  Broadcast  Encryp¬ 
tion  [12,23],  and  Functional  Encryption  [30,49],  along  with 
many  other  scheme  types. 

Let  II  =  (KeyGen,  Enc,  Dec)  be  a  semantically-secure  se¬ 
cure  encryption  scheme.  Our  goal  is  to  construct  three 
new  algorithms:  KeygenOut,  Transform  and  Decout.  The 
new  KeygenOut  algorithm  takes  the  same  inputs  as  KeyGen, 
but  produces  a  pair  of  decryption  keys:  the  Transform  Key 
(TK),  which  can  be  delivered  to  an  untrusted  outsourcing 
party,  and  Secret  Key  (SK)  which  is  held  secret.  Intuitively, 
it  must  be  possible  to  deliver  TK  to  an  untrusted  party  who 
uses  it  to  execute  the  Transform  algorithm  on  a  ciphertext. 
When  this  process  has  completed,  we  use  the  Decout  algo¬ 
rithm  with  SK  in  order  to  reveal  the  plaintext. 

The  challenge  is  to  develop  an  approach  that  guarantees 
three  things.  First,  the  resulting  combination  of  KeygenOut, 
Transform,  Decout  is  correct.  Second,  that  the  resulting 
scheme  retains  its  security,  even  when  the  (possibly  adver¬ 
sarial)  outsourcing  party  learns  TK  (but  not  SK).  Finally, 
we  must  ensure  this  without  requiring  difficult  manual  secu¬ 
rity  analysis  of  the  resulting  scheme. 

We  draw  the  intuition  for  our  approach  from  [28],  which 
explored  a  known  observation  that  in  some  pairing-based 
schemes  it  is  possible  to  modify  the  original  scheme  by  adding 
blinding  factors  to  a  standard  decryption  key  such  that  this 
blinding  can  be  removed  following  decryption.  These  modi¬ 
fied  decryption  keys  serve  admirably  in  the  role  of  Transform 
Key,  while  the  blinding  factors  themselves  can  be  retained 
as  SK. 


While  the  key  blinding  technique  provides  significant  per¬ 
formance  benefits  to  pairing-heavy  algorithms,  applying  the 
technique  generally  is  non-trivial.  For  one,  it  can  be  te¬ 
dious.  There  are  multiple  factors  that  determine  how  to 
choose  blinding  values  for  a  given  scheme  and  searching  this 
space  by  hand  is  quite  daunting.  Second,  it  can  be  error- 
prone.  Mistakes  are  easily  made  when  applying  blinding 
exponents  in  a  way  that  becomes  impossible  to  unblind  in 
the  final  decryption.  Aside  from  correctness,  there  is  a  sep¬ 
arate  issue  of  the  security  of  the  resulting  Transform  key.  In 
some  cases,  choosing  too  few  blinding  factors  for  a  scheme 
may  result  in  an  insecure  Transform  key  that  might  offer 
little  to  no  protection  in  practice,  while  choosing  too  many 
can  lead  to  an  inefficient  outsourcing  scheme.  Generalizing 
the  process  requires  us  to  carefully  balance  efficiency  of  key 
blinding  while  preserving  the  security  of  the  blinded  keys. 

1.1  Our  Approach 

Figure  1  provides  a  brief  overview  of  the  techniques  used 
in  CloudSource.  At  a  high  level,  CloudSource  is  designed  to 
analyze  a  scheme,  extract  the  key  generation  and  decryption 
equations,  and  derive  working  code  for  the  modified  Key¬ 
gen,  Transform  and  final  decryption  (KeygenOut,  Transform, 
Decout)  algorithms.  This  involves  two  main  components: 

1.  The  CloudSource  tool,  which  takes  as  input  an  SDL 
file  describing  an  encryption  scheme.  It  applies  a  se¬ 
ries  of  programmatic  transformations  and  derives  the 
outsourced  encryption  scheme.  The  output  of  this  is 
a  second  SDL  file  containing  the  modified  KeygenOut, 
Transform  and  Decout  algorithms. 

2.  A  Code  Generator,  which  takes  the  output  of  the  Cloud¬ 
Source  tool  and  generates  working  source  code  to  im¬ 
plement  the  outsourced  encryption  scheme.  The  user 
can  choose  either  Python  or  C++  as  the  output  lan¬ 
guage. 

The  CloudSource  tool  outputs  a  human-readable  file  written 
in  LaTeX  describing  the  new  algorithms,  and  containing  a 
security  proof  of  the  construction  that  these  maintain  the 
semantic  security  of  the  original  scheme.  The  following  sec¬ 
tions  describe  the  architecture  in  detail. 

2.  PRELIMINARIES 

Before  we  give  details  of  our  approach,  we  first  provide 
some  background  on  bilinear  maps  and  discuss  the  tools 
and  techniques  utilized  in  developing  the  CloudSource  tool. 
We  also  provide  definitions  for  the  type  of  cryptographic 
schemes  we  address  in  this  work. 

A  bilinear  map  (or  pairing)  is  an  efficiently  computable 
mapping  e  :  Gi  x  G2  — >  Gt  over  three  multiplicative  cyclic 
groups  Gi ,  G2  and  Gt  of  prime  order,  p.  Pairings  have 
two  central  properties.  The  first  is  bilinearity:  let  (g  1)  = 
Gi,(</2)  =  G2  and  a,  6  £  Zp,  it  holds  that  e(gia,g2b)  = 
e(gi,  92) ab-  The  second  property  is  non-degeneracy,  which 
guarantees  that  e(pi ,  <72)  7^  1-  Pairing-friendly  groups  come 
in  two  forms:  symmetric  groups,  where  Gi  =  G2  (or  can  be 
effectively  due  to  an  efHciently-computable  isomorphism), 
and  asymmetric  groups  where  Gi  ^  G2. 

As  a  starting  point  for  our  automation,  we  rely  on  a 
high-level  description  of  the  encryption  scheme  in  a  domain- 
specific  SDL.  SDL  was  first  introduced  as  part  of  the  Auto- 
Batch  framework  [2]  to  abstractly  represent  various  types  of 
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Figure  1:  The  flow  of  CloudSource.  CloudSource  takes  as  input  a  high-level  description  of  an  encryption 
algorithm  in  SDL.  It  processes  the  SDL  for  certain  metadata.  In  particular,  KeygenSynth  analyzes  the  inputs 
and  observes  how  the  secret  key  is  constructed  in  the  Keygen  algorithm.  This  information  is  passed  to  the 
BFSolver  which  utilizes  an  SMT  solver  to  determine  how  the  user’s  decryption  key  should  be  protected. 
BFSolver  returns  a  mapping  of  secret  key  variables  to  blinding  factors  needed  to  construct  a  Transform  key 
securely.  KeygenSynth  uses  the  mapping  to  construct  the  outsourced  keygen  algorithm  in  SDL.  Similarly, 
the  TransformSynth  components  use  the  mapping  to  construct  the  computation  of  the  cloud  in  Transform 
and  the  client  in  Decout.  CloudSource  produces  a  new  SDL  file  of  the  outsourced  algorithm  and  utilizes  the 
code  generator  to  produce  executable  code  in  Python  or  C-j — (-. 


pairing-based  signature  schemes.  We  extend  it  to  support 
encryption. 

Boolean  Satisfiability  (or  SAT)  is  the  problem  of  deter¬ 
mining  whether  boolean  assignments  exist  for  variables  in  a 
logical  formula  such  that  the  formula  is  evaluated  to  true. 
Satisfiability  Modulo  Theories  (SMT)  problem  is  a  decision 
problem  for  first-order  logical  formulas.  SMT  is  a  generaliza¬ 
tion  of  SAT  to  support  richer  logic  such  as  with  arithmetic, 
bit- vectors,  quantifiers,  arrays,  and  several  other  useful  first- 
order  theories  [22].  High-performing  state-of-the-art  SMT 
Solvers  ( e.g Yices,  Z3,  CVC,  MathSAT)  have  been  devel¬ 
oped  over  the  years  to  address  these  problems.  In  practice, 
these  tools  form  the  building  block  for  a  variety  of  verifi¬ 
cation  tools  to  perform  bounded  model  checking,  symbolic 
execution,  static  program  analysis,  and  various  constraint- 
satisfication  problems  in  computer  science.  Similarly,  we 
utilize  SMT  solvers  as  a  core  building  block  of  the  Cloud¬ 
Source  framework. 

3.  THE  CLOUDSOURCE  TOOLCHAIN 

Overview  of  the  approach. 

At  a  high-level,  CloudSource  works  by  altering  the  struc¬ 
ture  of  a  scheme  decryption  key,  adding  blinding  factors  to 
the  key  such  that  an  untrusted  party  can  partially  decrypt  a 
ciphertext  using  the  blinded  key.  This  procedure  forms  the 
backbone  of  our  new  Transform  algorithm,  and  the  blinded 
key  itself  is  the  Transform  key.  We  require  that  the  structure 
of  the  key  remain  sufficiently  intact  that  the  original  plain¬ 
text  can  be  recovered  from  the  output  of  Transform,  given 
knowledge  of  the  blinding  factors. 

We  will  now  give  an  example  of  how  the  process  works. 
For  consistency  with  previous  work,  we  will  use  the  exam¬ 
ple  of  the  Waters  Ciphertext-Policy  ABE  scheme,  which 
was  manually  outsourced  by  Green,  Hohenberger  and  Wa¬ 
ters  [28] .  For  a  given  set  of  attributes  S,  the  Waters  scheme 
produces  a  master  secret  ga  and  uses  this  to  generate  de¬ 
cryption  keys  of  the  following  form.  Note  that  t  Er  TLq  and 
g,ga,S  and  the  function  F  are  public: 

K  =  ga  ■  gat,L  =  g\  {Kx  =  F(x)%eS 

The  intuition  behind  the  blinding  process  stems  from  the 
observation  that  of  all  the  elements  referenced  above,  only 


the  value  ga  is  actually  a  secret.  In  principle,  any  party  can, 
without  access  to  the  master  secret  value,  select  a  random 
a'  and  generate  a  random  pseudo-key  (K' ,  L' ,  {Kx})  with 
this  value.  Since  the  resulting  key  can  be  generated  by  any 
party  it  clearly  offers  no  benefit  to  the  attacker. 

This  observation  alone  would  be  of  limited  use,  except  for 
the  observation  that  one  can  blind  a  valid  key  ( K ,  L,  {Kx}) 
such  that  it  has  the  same  distribution  as  the  above  pseudo¬ 
key.  This  is  accomplished  by  selecting  a  random  z  £  7Lq  and 
computing: 

(K,,L\{KIX})  =  (KZ,LZ,  {IC}) 

If  one  expresses  ol  =  (a  •  z)  and  t'  =  (t  •  z)  then  clearly 
the  distribution  of  the  new  key  is  identical  to  the  pseudo¬ 
key  described  above.  However,  the  important  aspect  of  this 
scheme  is  that  the  blinding  factor  2  can  actually  be  removed 
following  the  decryption  procedure,  giving  the  identical  re¬ 
sult  as  if  the  original  decryption  key  had  been  used  on  a 
ciphertext. 

Of  course,  the  above  scheme  (from  the  work  of  Green  et 
al.)  proves  to  be  a  relatively  simple  example.  This  is  be¬ 
cause  the  master  secret  contains  only  a  single  secret  ele¬ 
ment,  whereas  many  modern  encryption  schemes  can  con¬ 
tain  larger  secrets.  Moreover,  when  multiple  secrets  are  used 
together  within  a  given  term,  it  can  be  difficult  to  repeat 
the  process  above.  Of  course,  one  solution  is  to  simply  ap¬ 
ply  a  separate  blinding  factor  to  each  element  of  the  key 
-  however,  this  can  prove  tricky  to  invert,  unless  each  ele¬ 
ment  is  treated  separately  as  part  of  the  resulting  partially- 
decrypted  ciphertext. 

The  challenge  in  our  approach  is  therefore  threefold:  (1) 
to  identify  which  elements  of  a  valid  decryption  key  contain 
secret  values  that  can  be  simulated  (i.e.,  replaced  with  non¬ 
secret  values  via  blinding),  (2)  to  determine  whether  this 
blinding  can  survive  the  decryption  process  and  be  inverted, 
and  (3)  to  minimize  the  number  of  blinding  factors  and  val¬ 
ues  that  must  be  returned  by  the  Transform  algorithm.  We 
accomplish  these  tasks  using  the  following  components. 

1.  SDL  Parser.  This  component  parses  the  SDL  into  an 
intermediate  representation,  then  uses  this  represen¬ 
tation  to  identify  the  key  generation  and  decryption 
algorithms. 
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2.  KeyGen  Synthesizer.  Once  the  scheme  has  been 
parsed,  this  module  analyzes  the  scheme  to  identify 
the  Key  Generation  and  Decryption  algorithms,  de¬ 
composes  the  secret  keys,  then  traces  the  components 
of  these  keys  to  determine  which  are  secret,  which  are 
public,  and  which  are  generated  randomly. 

3.  BFSolver.  Once  the  key  has  been  successfully  decom¬ 
posed,  this  portion  of  the  toolchain  employs  an  SMT 
solver  to  determines  how  to  blind  the  individual  com¬ 
ponents  of  the  key  to  ensure  that  (a)  all  secret  key 
elements  are  correctly  blinded,  and  (6)  the  minimal 
number  of  blinding  factors  is  used  (in  order  to  ensure 
the  most  efficient  algorithm). 

4.  Transform  Synthesizer.  Given  an  assignment  of 
blinding  factors,  this  module  generates  the  new  KeygenOut, 
Transform  and  Decout  algorithms  to  produce  the  final 
outsourcing  equations  in  an  SDL  representation. 

5.  Code  Generator.  Users  can  output  the  resulting 
scheme  as  an  SDL  file,  or  they  can  optionally  convert 
the  scheme  into  a  working  implementation  in  Python 
or  C++  using  the  Code  Generator  component. 

We  now  expand  on  each  of  the  above  components. 

SDL  Parser. 

The  input  to  our  toolchain  is  a  cryptosystem  written  in 
SDL,  which  was  initially  developed  by  Akinyele  et  al.  [2] 
and  we  extend  the  SDL  parser  for  CloudSource.  The  parser 
component  processes  a  given  SDL  file,  converting  each  line 
(a  string)  into  a  binary-tree  node  with  all  of  the  relevant 
information.  In  addition,  the  parser  collects  the  following 
metadata: 

1.  Types  of  all  variables.  SDL  is  a  typed  language 
but  we  relieve  the  SDL  designer  by  automatically  inferring 
some  types  based  on  the  computation.  This  information 
is  used  for  type  checking  and  for  automatically  generating 
C++  code  (a  statically-typed  language). 

2.  Variable  dependency  list.  This  is  a  list  of  all  vari¬ 
ables  upon  which  a  given  variable  depends  for  its  value.  For 
example,  if  we  have  the  two  statements  x  =  a  +  b  and 
y  =  x  +  c,  the  variable  dependency  list  for  y  would  be  x, 
c,  a ,  and  b. 

3.  Variable  influence  list.  This  is  a  list  of  variables 
whose  values  are  influenced  by  a  given  variable.  If  we  con¬ 
sider  the  example  above,  the  variable  influence  list  of  a  is  x 
and  y.  Both  the  variable  dependency  list  and  variable  influ¬ 
ence  list  are  useful  in  helping  us  map  relationships  between 
variables. 

Additionally,  this  first  phase  of  the  process  collects  a  list  of 
all  variables  referenced  in  a  given  function  and  distinguishes 
between  public  and  secret  variables  in  the  KeyGen  function. 

In  addition,  the  SDL  parser  performs  type  checking  as  it 
reads  in  each  line  of  SDL  to  ensure  that  all  mathematical 
rules  are  followed.  For  example,  the  type  checker  ensures 
that  the  input  to  pairings  has  the  right  group  type  (based  on 
whether  the  setting  is  symmetric  or  asymmetric) ;  arguments 
to  addition,  subtraction,  multiplication,  and  division  are  of 
the  same  group  type;  etc. 


KeyGen  Synthesizer. 

The  KeygenSynth  component  is  responsible  for  producing 
SDL  code  to  blind  each  secret-key  element  with  the  proper 
blinding  factor.  KeygenSynth  first  extracts  all  master  secrets 
and  secret-key  elements  from  the  user’s  SDL  file  by  examin¬ 
ing  the  output  of  the  Setup  and  KeyGen  routines.  Next,  for 
each  secret-key  element,  KeygenSynth  extracts  all  exponents 
used  in  the  calculation  of  the  element,  as  well  as  the  rela¬ 
tionship  between  exponents.  To  ensure  that  all  exponents  in 
the  element’s  calculation  are  extracted  (even  across  multi¬ 
ple  layers  of  assignments),  KeygenSynth  performs  a  recursive 
traversal  on  the  base-element  representation  of  the  element, 
extracting  all  exponents  found  during  the  traversal. 

In  addition  to  extracting  all  exponents,  KeygenSynth  must 
record  the  relationship  between  exponents.  This  relation¬ 
ship  determines  how  blinding  factors  are  applied  to  the  ex¬ 
ponents  of  a  given  secret-key  element.  For  example,  suppose 
a  secret-key  element  x  is  calculated  as  follows: 

x  =  ab  ■  cd 

As  in  several  previous  works,  our  current  blinding  method¬ 
ology  is  to  exponentiate  the  secret-key  element  to  a  random 
element  in  Zp.  Blinding  x  by  y  gives  us  the  following  ex¬ 
pression: 

x  =  aby  ■  cdy 

Note  that  it  is  required  that  both  exponents  in  the  calcu¬ 
lation  of  x  (i.e. ,  b  and  d)  be  blinded  with  the  blinding  factor 
y.  In  our  input  to  the  SMT  solver,  we  label  this  as  addition 
between  the  exponents.  Addition  requires  that  both  expo¬ 
nents  in  the  calculation  be  blinded  by  the  blinding  factor. 

In  contrast,  suppose  x  is  calculated  as  follows: 

x  =  e*9 

When  we  blind  x  by  exponentiating  it  to  y,  we  can  re¬ 
arrange  the  blinding  factor  in  either  of  the  following  two 
ways: 

x  =  e^v  9  or  *  =  '  9V 

In  other  words,  the  blinding  factor  y  can  blind  either  the 
exponent  /  or  the  exponent  g.  In  our  input  to  the  SMT 
solver,  we  label  this  as  multiplication  between  the  expo¬ 
nents.  Multiplication  allows  either  one  of  the  exponents 
to  be  blinded  by  the  blinding  factor  (but  not  both).  We 
note  that  while  these  example  expressions  are  simple,  many 
expressions  of  secret-key  elements  in  the  schemes  we  have 
considered  are  very  complex.  This  calls  for  an  automated 
approach  that  is  fast  and  less  likely  to  produce  errors,  in 
addition  to  providing  programmatic  access  to  the  exponents 
and  relationships  produced. 

Next,  KeygenSynth  classifies  each  exponent  extracted  as 
either  a  master-secret  element,  or  a  random  element  gener¬ 
ated  during  the  Keygen  routine.  KeygenSynth  then  prepares 
all  of  this  information  for  input  to  BFSolver  and  waits  for  a 
response.  The  response  received  will  be  the  blinding  factor 
to  be  associated  with  each  secret-key  element.  As  discussed 
in  Section  3.1,  BFSolver  attempts  to  reduce  the  number  of 
blinding  factors  as  much  as  possible  without  reducing  the 
security  of  the  outsourced  scheme. 

Furthermore,  our  toolchain  offers  a  limited  form  of  term 
rewriting  for  easily  understanding  how  a  given  variable  was 
calculated,  regardless  of  the  number  of  expressions  used  in 
the  final  calculation.  It  is  often  necessary  to  determine  all 
of  the  expressions  used  to  calculate  a  variable,  going  all  the 
way  back  to  the  base  elements.  For  example,  in  determin¬ 
ing  how  best  to  blind  the  elements  of  the  secret  key,  we 
must  first  extract  all  exponents  used  in  the  calculations  of 
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the  secret-key  elements,  as  well  as  the  relationships  between 
these  exponents.  A  naive  approach  is  to  simply  find  the 
assignment  node  of  that  variable  and  extract  the  exponents 
from  the  expression.  This  can  lead  to  an  incomplete  result  in 
the  case  where  there  are  multiple  expressions  that  determine 
a  variable’s  value. 

Suppose  that  we  need  to  extract  the  exponents  and  expo¬ 
nent  relationships  of  a  variable  a,  and  that  the  assignment 
node  of  a  is  the  following: 

a  =  bx 

x  is  the  only  exponent  in  this  expression,  but  there  may 
be  other  exponents  that  we  need  to  consider.  Suppose  the 
variable  b  is  calculated  as  follows: 

b  =  cv 

Consequently,  we  also  need  to  extract  the  exponent  y  in 
identifying  the  exponents  that  contribute  to  the  value  of  a. 
Furthermore,  we  need  to  understand  the  relationship  be¬ 
tween  the  exponents  x  and  y  (specifically,  the  fact  that  y  is 
exponentiated  to  x ). 

To  address  situations  such  as  this,  our  toolchain  offers  a 
term  rewriting  engine  that  rewrites  expressions  using  their 
base  values  only.  In  our  current  instantiation,  we  define  the 
base  values  to  be  random  elements  and  hashed  elements. 
Our  term  rewriting  engine  unfolds  all  expressions  until  the 
base  elements  are  reached.  This  is  performed  during  the 
initial  parsing  of  the  SDL  file.  As  each  assignment  node  is 
read  in,  each  variable  on  the  right  side  of  the  assignment 
node  is  replaced  with  its  base-element  form.  In  the  exam¬ 
ple  above,  the  expression  of  a  would  be  rewritten  as  follows: 
a  :=  cyx  where  c,  y ,  and  x  are  all  randomly  generated  or 
hashed  elements.  Note  that  while  this  example  is  (purpose¬ 
fully)  simple,  expressions  for  elements  in  modern  cryptosys¬ 
tems  can  become  highly  complex  and  dependent  on  several 
other  elements.  Performing  this  term  rewriting  manually 
can  become  tedious,  time-consuming,  and  error-prone.  Fur¬ 
thermore,  programmatic  access  to  these  base  expressions  is 
often  required,  as  in  the  case  of  exponent  and  exponent- 
relationship  extraction.  Our  term  rewriting  engine  provides 
base  expressions  in  binary  trees  that  are  convenient  to  nav¬ 
igate  programmatically. 

BFSolver. 

At  a  high-level,  BFSolver  takes  as  input  a  configuration  file 
that  consists  of  the  master  secret  key  (MSK)  exponents  and 
random  exponents  selected  in  Keygen.  In  addition,  the  file 
includes  the  relationship  between  variables  in  each  secret- 
key  element  of  the  decryption  key.  As  mentioned  before, 
these  are  extracted  by  the  term  writing  engine  as  part  of 
the  KeygenSynth  routine.  The  BFSolver  processes  these  in¬ 
puts  and  determines  the  possible  space  of  blinding  factors 
that  can  be  assigned  to  the  given  key  according  to  our  blind¬ 
ing  rules  (see  section  3.1  for  more  details).  For  instance, 
one  rule  states  that  all  master  secret  variables  must  have 
unique  blinding  factors.  We  encodes  these  rules  for  the  given 
decryption  key  as  a  series  of  constraints  over  the  variables 
to  the  SMT  solver.  These  constraints  guide  the  solver  in 
searching  for  a  satisfiable  solution  that  also  meets  our  de¬ 
sired  level  of  security.  Once  we  apply  these  rules  and  derive 
the  appropriate  constraints,  we  execute  the  solver  to  check 
for  a  solution.  If  a  solution  is  found,  BFSolver  immediately 
returns  a  mapping  of  blinding  factors  to  secret-key  elements 
to  KeygenSynth. 


1  KeygenOut  Proof 

Let  a,ai  be  the  MSK  variable(s)  and  r\,r2,  Z2,  z\,id,tagk  be  randomness  selected  in  the  Keygen 
algorithm.  The  Keygen  algorithm  runs  to  obtain  the  secret  key, 

SK  =  {D\ ,  D2,  -D3 ,  D4 ,  D$,  Dq,  £>7,  K,  tagk}  and  is  computed  as  follows: 


Du  =  gb  T2 ,  D7  =  gri ,  K  =  («“'  •  wtasi  -hf1,  tagt  =  tagk 

The  KeygenOut  algorithm  selects  blinding  factors,  ufo,  bfo,  ufi  G  Z*.  Let  the  new  TK  be  computed 
as  follows: 


D[  =  Diuf°.D2  =  D2bm,D'3  =  D3m,D\  =  D4bf0,D^  =  D5bm,D'6  =  D6bro, 

D'i  =  Dbm,K’  =  K“h,tag'k  =  tagkb’° 

Note  that  a  simulator  given  only  public  parameters  (PK)  can  formulate  a  simulated  TKsjm  by 
randomly  selecting  Ri,  R2,  R3,  R4,  Rq,  Rq,  R7,  RK ,  Rtagf.  and  computing: 


D\  —  i?iU  °,  D2  —  5  D3  —  i?3  ,  D4  —  i?4  ,  Dq  —  ,  Dq  —  Rq  , 

D7  =  i?7bf0,  K  =  RKufl ,  tagk  =  Rtagkbf° 

Observe  that  this  simulated  TKsjm  has  an  identical  distribution  to  TK.  Let  D[  —  (Di)uf° ,  a'  — 
a.  ■  bfo,  z[  —  zi  •  bfo,  r2  —  7*2  ■  bfo ,  r[  —  ri  ■  bfo,  z2  —  22  •  bfo,  K'  —  (K)ufl ,  tag'k  —  tagk  •  bfo  be  the  new 
MSK  variables  and  random  values  selected  in  KeygenOut,  and  TK  is  computed  as  follows: 


D[  =  (g^-v^+nY°,D'2  =  g-a'-v^+^yi,D'3  =  gb-‘\D't  = 

D'3  =  gb'4,D'7  =  A"  =  (uid  ■  ro*““  •  hT'f\tag'k  =  tag'k 


Figure  2:  A  fragment  of  the  proof  of  security  which 
argues  that  the  KeygenOut  algorithm  preserves  the 
security  of  the  secret  key.  The  proof  shows  that  the 
constructed  transform  key  is  identically  distributed 
to  a  randomly  generated  pseudo-key. 


Transform  Synthesizer. 

TransformSynth  is  responsible  for  producing  a  Transform 
and  a  Decout  routine  in  the  new  outsourced  scheme.  To  en¬ 
sure  correctness  and  efficiency,  TransformSynth  determines 
how  to  divide  the  computation  of  the  original  decryption 
routine  into  which  components  can  be  performed  by  the 
powerful,  untrusted  Transform  routine,  and  which  compo¬ 
nents  can  be  performed  by  the  lightweight,  trusted  Decout 
routine.  There  are  three  stages  to  TransformSynth:  pre¬ 
processing,  the  main  loop,  and  post-processing. 

TransformSynth  is  given  as  input  the  secret-key  element 
to  blinding  factor  mapping  produced  by  BFSolver.  Dur¬ 
ing  the  pre-processing  phase,  TransformSynth  sets  up  the 
input  parameters  for  the  Transform  and  Decout  routines. 
The  Transform  routine  receives  as  input  the  same  param¬ 
eters  that  the  original  decryption  routine  received,  which 
usually  consists  of  the  ciphertext  and  secret  key  (in  the  case 
of  the  Transform  routine,  the  secret  key  is  blinded).  During 
the  Transform  routine,  certain  values  that  Decout  needs  are 
cached  and  stored  in  two  data  structures  that  are  passed 
to  Decout  as  input.  One  data  structure  is  for  cached  val¬ 
ues  outside  for  loops,  and  the  other  is  for  cached  values 
inside  for  loops,  but  the  latter  is  not  always  sent  (indeed, 
performance  is  improved  when  it  is  not  sent).  These  data 
structures  represent  the  partially  decrypted  ciphertext  that 
is  fully  decrypted  in  Decout.  Decout  also  receives  as  input 
the  blinding  factors  produced  by  KeygenSynth.  Note  that 
Decout  does  not  receive  the  full  ciphertext  or  blinded  se- 
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cret  key  as  input  parameters,  as  these  are  unnecessary  for 

Decout. 

In  the  main  loop,  TransformSynth  loops  over  the  lines 
of  code  in  the  original  decryption  routine.  For  each  line, 
TransformSynth  determines  how  the  computation  should  be 
divided  between  the  Transform  routine  and  the  Decout  rou¬ 
tine.  First,  the  SDL  node  representing  the  current  line  of 
code  is  simplified  using  algorithms  developed  in  previous 
research  by  Akinyele  et  al.  [2],  This  includes  splitting  all 
pairings  as  much  as  possible,  unrolling  dot  products  if  the 
range  values  are  known,  converting  all  division  into  multi¬ 
plication  by  inverses,  and  moving  exponents  inside  the  pair¬ 
ings.  This  improves  efficiency  and  our  ability  to  efficiently 
unblind  pairings  whose  input  is  blinded.  As  we  discuss  later, 
we  wish  to  organize  the  pairings  into  groups  of  pairings  that 
are  blinded  by  the  same  blinding  factor.  Doing  so  reduces 
processing  time  and  the  size  of  the  data  structures  passed 
from  Transform  to  Decout. 

Any  line  of  code  that  has  at  least  one  pairing  goes  through 
the  following  process.  We  recall  from  earlier  sections  on 
KeygenSynth  that  BFSolver  returns  a  mapping  between  all 
secret-key  elements  and  the  blinding  factors  associated  with 
each.  KeygenSynth  then  blinds  each  element  of  the  secret 
key  by  the  appropriate  blinding  factor  by  exponentiating  the 
former  to  the  inverse  of  the  latter.  The  blinded  elements  of 
the  secret  key  form  the  blinded  secret  key  that  is  passed  to 
the  Transform  routine. 

Suppose  a  line  of  code  from  the  original  decryption  rou¬ 
tine  has  at  least  one  pairing  in  it.  The  first  step  is  to  use  the 
automated  techniques  developed  in  AutoBatch  [2]  to  com¬ 
bine  pairings  wherever  possible.  By  combining  pairings,  we 
reduce  the  number  of  pairings  that  the  Transform  routine 
has  to  perform.  This  can  lead  to  substantial  cost  savings 
due  to  the  resource-intensive  nature  of  pairings.  Next,  we 
group  together  all  pairings  that  have  input  elements  that  are 
blinded  by  the  same  blinding  factors.  These  pairings  can  be 
safely  computed  and  then  multiplied  together  in  Transform, 
and  then  successfully  unblinded  in  Decout  by  exponentiating 
the  entire  pairing  product  to  the  common  blinding  factor. 
While  this  does  not  reduce  the  processing  time  required  in 
Transform,  it  does  reduce  the  processing  time  required  in 
Decout  (which  is  more  important),  as  well  as  reduce  the  size 
of  the  partially  decrypted  ciphertext  that  must  be  passed 
from  Transform  to  Decout  for  Decout  to  fully  decrypt  (as 
fewer  entries  need  to  be  stored  there).  Rather  than  naively 
computing  all  pairings  and  storing  each  individual  result  to 
the  partially  decrypted  ciphertext  structure,  we  determine 
in  TransformSynth  which  pairings  can  be  safely  multiplied  to¬ 
gether  in  the  Transform  routine  to  save  network  bandwidth 
and  processing  time  in  Decout.  It  is  for  this  reason  that 
we  endeavor  to  group  together  as  many  pairings  based  on 
common  blinding  factors  as  possible. 

If  the  line  of  code  does  not  have  any  pairings,  but  the 
line  of  computation  can  be  performed  by  Transform  (i.e., 
Transform  has  access  to  the  variables  used),  we  have  the 
Transform  routine  perform  the  calculation  and  store  the  re¬ 
sult  in  the  patially  decrypted  ciphertext  structure.  Decout 
can  later  retrieve  the  result  from  this  structure  and  use  it 
in  future  calculations.  We  note  that  an  optimization  is  to 
determine  which  variables  Decout  needs  at  any  line  of  code 
to  complete  its  subsequent  calculations,  and  only  store  com¬ 
puted  values  from  Transform  if  Decout  actually  requires  them 
at  some  later  point.  This  reduces  both  the  partially  de¬ 


crypted  ciphertext  size  and  processing  time  in  Decout. 

In  the  post-processing  step,  we  finalize  the  output  of  Transform 
and  the  input  of  Decout.  If  there  are  any  variables  that 
Decout  needs  for  its  calculations  that  are  not  stored  in  the 
partially  decrypted  ciphertext  structure,  these  variables  are 
passed  from  Transform  to  Decout  as  separate  parameters. 

In  certain  cases,  we  may  apply  optimizations  to  improve 
the  running  time  of  Decout  and  decrease  the  partially  de¬ 
crypted  ciphertext  size.  For  example,  certain  for  loops  may 
not  need  to  be  written  to  Decout.  This  is  the  case  if  1)  the 
for  loop  is  used  to  calculate  a  dot  product;  2)  the  pairings 
in  the  for  loop  all  share  the  same  blinding  factor;  and  3)  all 
pairings  in  the  for  loop  have  at  least  one  blinded  variable  in 
them.  If  this  is  the  case,  we  only  need  to  take  the  result  of 
the  for  loop  calculation  from  Transform  and  unblind  it  with 
the  single  blinding  factor  in  Decout.  This  is  the  equivalent  of 
computing  the  blinded  dot  product  in  Transform,  then  sim¬ 
ply  performing  one  exponentiation  in  Decout  to  unblind  the 
result.  Similarly,  if  the  for  loop  is  used  to  calculate  a  dot 
product,  and  none  of  the  pairings  in  the  for  loop  has  blinded 
variables,  we  do  not  need  to  write  the  for  loop  to  Decout.  In 
this  case,  we  can  simply  save  the  result  of  the  dot-product 
for  loop  to  our  cached  data  structures  that  are  passed  from 
Transform  to  Decout  (i.e.,  the  partially  decrypted  cipher- 
text). 

If  the  criteria  discussed  above  do  not  hold  for  a  given  for 
loop,  we  need  to  store  the  results  of  each  run  through  the 
for  loop  to  our  data  structures  in  Transform  so  they  can  be 
unblinded  properly  in  Decout.  In  this  case,  we  must  pass  the 
data  structure  that  stores  cached  values  from  the  for  loops 
from  Transform  to  Decout  (which  increases  the  size  of  the 
partially  decrypted  ciphertext);  otherwise,  we  do  not  need 
to  do  so. 

Code  Generator. 

The  last  step  of  the  CloudSource  toolc.hain  is  executable 
code  generation.  Up  unti  this  point,  the  internal  components 
of  our  toolchain  have  been  manipulating  the  input  pairing- 
based  encryption  scheme  in  SDL.  SDL  is  the  intermediate 
representation  (IR)  upon  which  our  tools  are  designed  to  op¬ 
erate.  This  enables  a  higher  level  of  interoperability  among 
disparate  frontend  input  types,  as  is  the  case  in  many  com¬ 
piler  designs.  Rather  than  having  to  rewrite  our  tools  for 
each  frontend  type  of  input  we  wish  to  support,  we  would 
only  need  to  write  a  small  translation  engine  that  converts 
that  type  of  input  to  SDL.  Our  tools  would  then  be  able 
to  operate  on  the  input  scheme  from  there.  In  addition,  by 
using  an  abstract,  cryptography-centric  high-level  language 
such  as  SDL  for  our  IR,  our  fundamental  understanding 
of  the  cryptographic  scheme  is  simpler  and  more  accurate, 
rather  than  having  to  navigate  through  tedious  and  unnec¬ 
essary  details  of  a  lower-level,  non-cryptographic  language. 
This  cryptographic  compiler  approach  often  shows  up  in  the 
literature  [6,7]. 

However,  SDL  itself  is  not  executable.  We  clearly  need 
the  ability  to  execute  the  SDL  that  we  generate  (e.g.,  ac¬ 
curacy  checks,  benchmarking,  proof-of-concept  demonstra¬ 
tions,  etc.)  As  a  result,  we  extend  the  automated  code¬ 
generation  modules  developed  by  Akinyele  et  al.  [2]  to  trans¬ 
late  SDL  into  Python  and  C-) — |-  executable  code  on  the 
backend.  We  make  use  of  these  modules  in  CloudSource  to 
produce  Python  and  C++  code  of  the  outsourced  schemes 
we  create,  as  well  as  the  original  non-outsourced  schemes. 
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While  we  currenly  support  Python  and  C++  only,  we  feel 
that  our  methods  are  sufficiently  general  to  be  able  to  sup¬ 
port  additional  programming  lanugages  in  the  future  with¬ 
out  extreme  burden  or  without  having  to  redesign  any  part 
of  our  system. 

3.1  Details  of  BFSolver 

Given  a  secret  key  (SK),  the  goal  of  BFSolver  is  to  deter¬ 
mine  which  blinding  factors  to  choose  for  each  element  in 
the  key.  There  are  a  few  approaches  to  blinding  the  secret 
key.  One  approach  would  be  to  choose  a  separate  blinding 
factor  for  each  element  in  the  secret  key.  This  approach  is 
always  secure  but  could  result  in  inefficient  decryption,  espe¬ 
cially  when  there  are  lists  of  group  elements  in  the  SK  ( e.g 
in  ABE).  Alternatively,  we  could  choose  a  separate  blind¬ 
ing  factor  for  each  master  secret  key  (MSK)  value.  While 
this  approach  is  also  secure,  it  can  be  hard  to  accomplish 
in  practice  and  depends  on  how  the  decryption  key  is  con¬ 
structed.  One  major  issue  is  that  in  some  instances  blinding 
a  SK  with  only  this  approach  might  make  it  impossible  to 
unblind  in  decryption.  However,  there  are  rules  that  govern 
when  we  can  securely  share  blinding  factors  among  SK  el¬ 
ements.  Furthermore,  as  shown  in  previous  work  [28],  the 
more  blinding  factors  that  are  shared  among  secret-key  el¬ 
ements,  the  more  efficient  decryption  becomes,  thereby  re¬ 
ducing  ciphertext  size. 

Our  approach  is  to  first  convert  the  aforementioned  ap¬ 
proaches  to  blinding  into  a  series  of  general  rules  that  can 
be  systematically  applied  to  a  given  secret  key.  At  a  high- 
level,  they  consist  the  following: 

1.  all  MSK  values  must  be  assigned  unique  blinding  ex¬ 
ponents. 

2.  all  elements  of  SK  must  be  blinded. 

3.  random  values  can  share  blinding  factors  with  MSK  val¬ 
ues  provided  that  they  always  share  that  value  with  the 
MSK  value  in  SK. 

The  above  rules  form  the  bulk  of  what  is  involved  when 
selecting  blinding  factors  for  a  secret  key.  Once  the  blinding 
factor  mapping  satisfies  these  rules,  a  separate  challenge  is 
determining  a  lower  bound  for  the  mappings  that  does  not 
violate  the  rules.  Our  central  goal  is  to  find  such  a  lower 
bound  for  blinding  factors  to  secret-key  elements  such  that 
we  preserve  the  security  of  the  Transform  key,  TK.  BFSolver 
utilizes  the  high-performance  Z3  SMT  Solver  [21]  as  a  core 
component  to  automate  the  selection  of  blinding  factors  for 
a  given  secret  key  and  simultaneously  obtain  a  lower  bound. 

3.2  Assigning  Blinding  Factors 

At  a  high-level,  BFSolver  takes  as  input  a  configuration  file 
that  consists  of  the  master  secret  key  (MSK)  exponents  and 
random  exponents  selected  in  keygen.  In  addition,  the  file 
includes  details  of  how  each  secret-key  (SK)  element  is  com¬ 
puted  in  SK.  This  is  extracted  by  the  term  writing  engine  in 
KeygenSynth.  BFSolver  processes  these  inputs,  instantiates 
the  SMT  solver  and  applies  the  above  rules  to  the  SK  ele¬ 
ments  and  expresses  them  as  constraints  over  the  variables 
in  each  SK  element.  We  execute  the  solver  with  these  inputs 
and  check  for  a  satisfiable  solution. 

While  our  implementation  is  tied  to  Z3,  our  architecture 
can  support  any  compatible  SMT  Solver.  In  fact,  our  solu¬ 
tion  relies  on  a  few  basic  features  supported  by  many  solvers 


in  practice.  In  particular,  we  require  the  ability  to  define  al¬ 
gebraic  datatypes,  define  possible  values  for  those  datatypes, 
specify  constraints  around  variables  of  that  type  and  allow 
the  solver  to  search  for  a  satisfiable  solution  under  specified 
constraints.  We  also  require  the  ability  to  isolate  unsatisfi- 
able  constraints  inside  the  solver  via  an  unsatisfiable  core, 
which  is  a  common  feature  of  many  solvers.  We  will  explain 
how  we  utilize  these  features  in  the  sections  to  follow. 

BFSolver  is  implemented  in  three  phases.  As  we  describe 
BFSolver,  we  will  show  how  it  applies  to  the  Watersll  [48] 
CP-ABE  keygen  algorithm.  In  addition,  we  show  how  we 
automatically  reproduce  the  solution  described  in  previous 
work  [28].  To  recap,  the  Watersll  [48]  SK  is  computed  as 
follows: 

K  =  ga  ■  gat ,  L  =  g* ,  {Kx  =  F(xY}xeS 

where  S  is  the  user’s  attributes;  a  is  the  MSK;  g,  ga  are 
public  parameters;  F  is  a  collision  resistant  hash  function 
that  maps  {0, 1}*  — >  G;  and  t  is  a  random  exponent  selected 
in  keygen.  We  proceed  to  the  first  phase. 

3.2.1  Phase  1:  Setup  Solver  Input 

The  first  phase  is  processing  the  secret  key  provided  by 
KeygenSynth  and  setting  up  the  search  domain  for  the  SMT 
Solver.  This  involves  defining  the  algebraic  datatype  for 
blinding  factors,  declaring  all  exponents  in  SK  element  as 
blinding  factor  types,  and  declaring  the  nil  value  to  indi¬ 
cate  no  blinding  factor  assigned.  Next,  we  determine  the 
upper  bound  on  blinding  factors  for  SK.  Doing  this  appro¬ 
priately  for  each  SK  is  imperative  for  narrowing  the  solver’s 
search  space.  By  default,  we  compute  the  upper  bound  as 
the  SK  size.  This  indicates  the  least  efficient  solution  of  a 
unique  blinding  factor  for  each  element  in  SK.  In  the  Wa¬ 
tersll  [48]  example,  we  have  three  possible  blinding  factors 
in  the  worst  case.  All  of  this  information  is  provided  as  in¬ 
put  to  the  solver.  The  goal  is  to  find  the  lower  bound  on 
blinding  factors,  as  that  leads  to  the  most  savings  in  terms 
of  decryption  time  and  ciphertext  size. 

3.2.2  Phase  2:  Specify  Constraints 

The  next  phase  is  to  first  encode  our  general  rules  for 
blinding  as  constraints  into  the  solver.  The  first  rule  spec¬ 
ifies  that  each  MSK  variable  must  be  assigned  a  unique 
blinding  factor.  We  derive  a  constraint  represented  as  a 
logical  formula  using  A  and  V  connectors.  For  instance, 
given  MSK  variables  a,  b,  c,  we  express  this  constraint  as 
afbAbfcAaf  nil  A  b  f  nil  A  c  /  nil.  1  For  the 
Watersll  scheme,  this  translates  to  just  a  f  nil  because  we 
have  one  MSK  variable. 

As  mentioned  before,  the  term  rewriting  engine  in  KeygenSynth 
outputs  the  relationships  between  exponents  (or  expressions) 
for  each  SK  element.  For  example,  for  ga-gb,  the  term  rewrit¬ 
ing  engine  outputs  a  +  b  as  the  expression  in  the  exponent. 

The  second  and  third  rules  are  applied  by  encoding  the  ex¬ 
pressions  associated  with  each  SK  element  as  constraints. 

As  described  in  section  3,  we  describe  all  expressions  as 
either  multiplication  or  addition2.  Our  rules  for  these  op¬ 
erations  are  fundamentally  simple,  but  when  combined  can 

In  our  implementation,  we  utilize  the  Distinct  macro  in  Z3 
to  specify  that  each  MSK  variable  should  be  given  a  unique 
blinding  factor. 

2  Note  that  division  and  subtraction  can  always  be  rewritten 
in  terms  of  multiplication  and  addition,  respectively. 
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Figure  3:  Time  in  seconds  required  by  the  KeygenSynth,  TransformSynth,  Python  Code  Generator,  and  C+  + 
Code  Generator  routines  to  process  a  variety  of  encryption  schemes  (averaged  over  10  test  runs).  The  running 
time  for  KeygenSynth  includes  the  running  time  for  BFSolver.  In  all  cases,  the  standard  deviation  in  the 
results  were  within  ±1%  of  the  average.  We  note  that  in  each  case,  running  times  were  directly  proportional 
to  the  number  of  elements  in  the  secret  key.  In  addition,  the  Python  Code  Generator  was  slightly  faster  than 
the  C-\ — |-  Code  Generator  due  to  the  additional  type  checking  that  is  required  for  statically-typed  languages 
such  as  C+  +  . 


produce  complex  constraints  leading  to  many  cases.  The 
rules  are  as  follows: 

a  +  b  — >  a  =  b 

An  addition  operator  represents  the  constraint  that  what¬ 
ever  blinding  factor  the  solver  assigns  to  a  must  also  be 
assigned  to  b. 

a  ■  b  — >  (a  7^  nil  A  b  =  nil)  V  (a  =  nil  A  b  ^  nil) 

A  multiplication  operator  represents  the  constraint  that  the 
solver  can  assign  either  variable  a  or  6  a  blinding  factor  (but 
not  both).  Finally,  when  a  single  exponent  appears  in  a  SK 
expression  ( e.g SKo  «—  a),  it  indicates  that  it  should  be 
blinded  due  to  the  second  rule  (i.e.,  all  SK  elements  must 
be  blinded).  The  constraint  for  this  type  of  expression  is 
simply,  a  ^  nil. 

For  our  Watersll  example,  the  term  rewriter  extracts 
three  expressions:  K  <—  a  +  t,  L  t—  t,  Kx  t—  t.  The  cor¬ 
responding  constraints  in  the  solver  are  a  =  t  A  t  ^  nil  in 
addition  to  the  previous  constraint  that  a  ^  nil  for  the  MSK 
value.  Upon  constructing  and  specifying  the  constraints  in 
the  solver  for  SK,  the  next  step  is  to  execute  the  solver  to 
check  for  a  satisfiable  solution. 

3.2.3  Phase  3:  Run  Solver 

The  previous  sections  have  shown  how  we  describe  the 
problem  of  choosing  blinding  factors  to  the  solver  as  a  series 
of  constraints  over  a  large  space  of  possible  variable  map¬ 
pings.  Ultimately,  the  real  challenge  is  finding  the  minimum 
number  of  blinding  factors  that  meets  our  desired  level  of 
security.  Once  the  constraints  have  been  specified,  the  next 
phase  is  to  check  the  solver  for  such  a  solution. 

If  a  solution  exists  that  satisfies  all  of  the  constraints, 
the  solver  returns  a  variable  mapping  of  SK  variables  to 
blinding  factors.  In  the  Watersll  example,  for  instance, 
the  solver  determined  that  our  constraints  described  earlier 
were  satisfiable  with  respect  to  the  blinding  factor  space  of 
three.  The  variable  mappings  are  as  follows:  a  <—  bfo,  and 
t  «—  bfo.  This  essentially  means  that  a  and  t  can  share  one 
single  blinding  factor. 

If  the  solver  does  not  find  a  satisfiable  solution  for  the 
given  constraints,  we  utilize  the  ability  of  Z3  to  track  and 
isolate  the  unsatisfiable  constraints  in  the  solver.  In  gen¬ 
eral,  identifying  unsatisfiable  constraints  are  a  fundamental 
feature  of  SMT  solvers  and  we  leverage  this  in  BFSolver  to 
determine  the  lower  bound. 

As  described  previously,  constraints  are  linked  to  SK  el¬ 
ements.  When  a  solution  cannot  be  obtained  with  the  cur¬ 
rently  specified  constraints,  we  determine  which  SK  expres¬ 
sion  is  associated  with  the  unsatisfiable  constraint  using  Z3’s 
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Figure  4:  The  number  of  blinding  factors  and  secret- 
key  elements  for  each  of  the  nine  schemes  we  tested. 
a  is  the  number  of  attributes  in  the  secret  key,  n  is 
the  number  of  users  in  the  system,  t  is  the  number 
of  transitions,  s  is  the  number  of  accept  states,  and 
£  is  the  length  of  the  hashed  identities. 

tracking  mechanism.  We  remove  the  constraint  associated 
with  this  expression  in  the  solver  and  assign  the  correspond¬ 
ing  SK  element  a  unique  blinding  factor  that  is  not  shared 
thereafter.  We  then  exclude  the  unsatisfiable  constraint 
from  the  set  of  constraints  and  rerun  the  solver.  If  a  solution 
is  obtained,  we  return  the  mappings  for  the  remaining  SK 
elements  in  addition  to  the  SK  elements  we  have  previously 
assigned  unique  blinding  factors.  Otherwise,  we  repeat  the 
process  of  isolating  the  unsatisfiable  constraint,  assign  the 
SK  element  another  unique  blinding  factor,  exclude  it  from 
the  set  of  remaining  constraints,  and  rerun  the  solver.  This 
continues  until  we  are  without  constraints,  and  at  this  point, 
we  have  reached  the  worst  case  solution  of  a  unique  blinding 
factor  for  each  SK  element.  For  instance,  this  was  indeed 
the  case  for  the  CKRS09  scheme  [14]  (Blind  and  Anonymous 
IBE  scheme).  Figure  4  shows  the  number  of  secret-key  el¬ 
ements  and  the  number  of  blinding  factors  required  for  the 
nine  schemes  we  tested. 

4.  GROUP  SHARING  OPTIMIZATIONS 

Our  techniques  build  on  the  exponent  blinding  approach 
employed  in  previous  works.  This  approach  has  some  limi¬ 
tations  from  the  point  of  view  of  efficiency:  in  some  cases  it 
may  be  necessary  to  separately  blind  different  components 
of  the  secret  key,  which  increases  the  number  of  pairings 
required  to  compute  the  outsourced  encryption  scheme.  It 
also  leads  to  a  similar  increase  in  bandwidth. 

In  these  circumstances  it  would  be  ideal  if  we  could  col¬ 
lapse  several  distinct  blinding  factors  into  a  single  blinding 
factor.  Our  observation  is  that  in  certain  types  of  group 
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where  the  XDH  or  SXDH  assumptions  holds  (he.,  the  DDH 
problem  is  hard  in  Gi  or  both  Gi,G2),  it  may  be  possi¬ 
ble  to  reduce  the  number  of  blinding  factors.  We  base  this 
observation  on  the  fact  that  for  specific  elements  of  the  se¬ 
cret  key  (where  the  element  appears  only  in  one  group,  and 
has  a  random  distribution),  we  can  re-use  the  same  blinding 
factor,  based  on  the  fact  that  an  adversarial  server  should 
be  unable  to  distinguish  (g,  h,  ga ,  ha)  from  (g,  h,  ga ,  gb)  for 
random  g,  h  £  Gi,o,  b  £  Z9.  This  optimization  requires  us 
to  identify  certain  features  of  the  key.  We  explore  this  op¬ 
timization  more  fully  and  offer  a  proof  of  the  statement  in 
the  full  version  of  this  work. 

5.  PERFORMANCE  EVALUATION 

In  order  to  prove  the  soundness  and  efficiency  of  our  out¬ 
sourcing  transformations,  we  conducted  a  series  of  bench¬ 
marks  against  all  of  the  nine  schemes  that  we  cover  in  this 
paper.  As  previously  discussed,  CloudSource  outputs  exe¬ 
cutable  code  in  both  Python  and  C++  for  the  outsourced 
and  non-outsourced  versions  of  the  scheme.  In  all  cases,  the 
automatically-generated  Python  and  C++  code  was  imple¬ 
mented  within  Charm  [1] .  All  of  our  tests  were  conducted  on 
the  C++  code  due  to  its  performance  benefits  over  Python 
code  of  the  same  functionality. 

System  and  Software  Configuration.  We  conducted 
our  benchmarks  on  two  identical  systems  to  ensure  consis¬ 
tency.  These  systems  were  2  x  2.66GHz  6-core  Intel  Xeon 
Macintosh  Pro  with  10GB  of  RAM  and  running  Mac  OS  X 
Version  10.8.3.  All  of  our  tests  were  conducted  in  a  single- 
threaded  environment.  We  used  Z3  v4.3  in  our  implemen¬ 
tation  of  BFSolver.  We  utilized  Charm  v0.43  in  C++  for 
our  benchmarks  against  the  MIRACL  (v5.5.4)  and  RELIC 
(vO.3.4)  libraries.  We  implement  our  schemes  against  Barreto- 
Naehrig  (BN)  curves  due  to  their  efficiency  and  measure  our 
schemes  on  both  Intel  and  limited  ARM  processors.  In  par¬ 
ticular,  we  executed  our  schemes  on  a  Motorola  Droid  1  with 
a  ARM  Cortex  A8  600  MHz  processor,  256  SDRAM,  512MB 
flash  memory,  and  runs  Android  v2.3.3 4  Our  approach  and 
results  are  discussed  in  the  following  sections. 

5.1  Measurement  Approach 

For  each  test  case,  we  perform  three  detailed  experiments. 
First,  we  measure  the  cost  of  key  generation  and  decryp¬ 
tion  in  the  original  scheme  compared  to  the  outsourced  key 
generation  and  decryption.  Second,  we  compare  the  perfor¬ 
mance  of  a  subset  of  the  schemes  on  a  limited  mobile  device 
to  measure  the  effectiveness  of  outsourcing.  Third,  we  com¬ 
pare  the  size  of  the  full  ciphertext  produced  by  the  original 
encryption  to  the  size  of  the  partially  decrypted  ciphertext 
returned  by  Transform.  In  both  experiments,  we  observe 
that  some  schemes  obtain  a  significant  reduction  in  cipher- 
text  size  and  decryption  time  while  others  benefit  in  one  and 
not  the  other.  We  show  the  results  of  these  experiments  in 
Figures  5,  6  and  7. 

Efficiency  and  Bandwidth  of  Schemes.  4  For  the  ABE 

and  Fuzzy-IBE  schemes,  we  measure  running  time  for  all  al¬ 
gorithms  and  ciphertext  sizes  at  100  attributes  in  the  policy 
tree.  Similarly,  for  the  functional  encryption  (FE)  schemes, 

3We  ran  benchmarks  on  a  rooted  Droid  device. 

4Unless  otherwise  noted,  our  results  were  averaged  over  100 
iterations  in  all  cases. 


we  construct  a  Deterministic  Finite  Automata  (DFA)  for  ac¬ 
cepting  a  string  that  contains  hexadecimal  characters.  We 
also  measure  the  running  time  and  ciphertext  size  for  a  1000- 
byte  string,  w,  and  a  random  message,  m  £  Gt-  We  refer 
to  the  DFA  functional  encryption  paper  for  more  details  of 
the  scheme  [49].  In  all  the  IBE  schemes,  we  measure  run¬ 
ning  time  and  ciphertext  size  at  100-bytes  for  the  public 
key  string.  Finally,  for  Broadcast  Encryption  (BE)  [12],  we 
measure  the  running  times  and  ciphertext  sizes  at  100  users 
in  a  broadcast.  In  terms  of  bandwidth,  in  the  cases  where 
there  were  multiple  binding  factors  needed  to  secure  the  se¬ 
cret  key,  there  was  a  corresponding  loss  in  the  outsourced 
ciphertext  size. 

Efficiency  of  CloudSource.  In  Figure  3,  we  show  the 
running  time  for  the  CloudSource  toolchain.  Our  results 
indicate  our  ability  to  generate  outsourced  versions  of  cryp¬ 
tosystems  in  a  reasonable  amount  of  time.  Furthermore, 
our  utilization  of  the  Z3  SMT  solver  enables  us  to  avoid  an 
inefficient  approach  for  determining  the  number  of  blinding 
factors  necessary  to  secure  a  transformation  key. 
Outsourcing  for  Mobile.  Our  results  on  the  Droid  1 
indicate  that  outsourcing  is  a  useful  tool  for  optimizing  en¬ 
cryption  schemes.  The  round  trip  time  for  Transform  with  a 
powerful  server  and  Decout  on  a  slow  client  still  outperform 
decryption  on  a  mobile  device.  These  results  are  promising 
and  show  that  having  a  tool  like  CloudSource  that  can  auto¬ 
matically  produce  an  outsource-ready  cryptographic  scheme 
is  useful  for  everyday  applications. 


Scheme 

Scheme 

Type 

Model 

Full  CT 
Size  (KB) 

Out  CT 
Size  (KB) 

Waters  11  [48] 

CP-ABE 

RO 

30.73 

1.72 

BSW  [8] 

CP-ABE 

RO 

30.80 

1.72 

LW  [32] 

MA-ABE 

RO 

96.05 

62.48 

DSE09  [47] 

IBE 

RO 

1.49 

3.42 

HIBE04  [10] 

HIBE 

SM 

1.14 

1.72 

CKRS09  [14] 

Blind-IBE 

SM 

1.05 

3.37 

SW05  [40] 

Fuzzy-IBE 

RO 

20.25 

53.27 

BGW05  [12] 

BE 

SM 

0.75 

1.70 

DFA-FE12  [49] 

FE 

SM 

20.61 

8.53 

Figure  6:  A  summary  of  our  outsourcing  results. 
We  show  the  differences  between  full  ciphertext  and 
outsourced  ciphertext  sizes  for  all  of  our  test  cases. 

6.  RELATED  WORK 

Our  research  involves  the  intersection  of  secure  and  effi¬ 
cient  outsourcing  in  pairing-based  encryption  schemes  and 
automated  cryptographic  optimizations.  We  therefore  sur¬ 
vey  both  of  these  topics  in  this  section. 

With  respect  to  the  former,  Green  et  al.  [28]  established  a 
new  technique  for  outsourcing  decryption  of  attribute-based 
encryption  (ABE).  The  authors  showed  how  this  technique 
could  be  manually  developed  for  both  CP- ABE  [48]  and  KP- 
ABE  [27].  In  our  work,  we  show  how  this  manual  approach 
can  be  automated  in  a  generalized  fashion. 

There  have  been  further  research  efforts  in  outsourcing 
ABE.  Zhou  et  al.  [51]  presented  a  framework  whereby  resource- 
constrained  mobile  devices  can  securely  outsource  ABE  en¬ 
cryption  and  decryption  to  cloud  service  providers  (CSPs). 

Li  et  al.  [33]  designed  a  secure  outsourced  ABE  system  in 
which  both  key  generation  and  decryption  are  outsourced  to 
an  untrusted  provider. 
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BN 256  on  Intel 


Schemes 

Keygen 

KeygenOut 

Decrypt 

Transform 

Decout 

Attribute- Based  Encryption  (ABE) 

1 

BSW07  [8]  Ciphertext-Policy  ABE 

0.25  s 

0.48  s 

3.30  s 

3.06  s 

0.01  s 

Watersll  [48]  Ciphertext- Policy  ABE 

0.09  s 

0.16  s 

3.36  s 

2.86  s 

0.01  s 

LW10  [32]  Decentralized  ABE 

0.14  s 

0.21  s 

4.30  s 

3.85  s 

0.67  s 

ID-Based  Encryption 

1 

DSE09  [47]  Dual-System 

0.02  s 

0.03  s 

0.13  s 

0.12  s 

0.04  s 

HIBE04  [10]  Hierarchical-ID 

0.02  s 

0.03  s 

0.09  s 

0.08  s 

0.01  s 

CKRS09  [14]  Blind  and  Anonymous-ID 

0.02  s 

0.03  s 

0.07  s 

0.06  s 

0.02  s 

SW05  [40]  Fuzzy-ID 

30.54ms 

20.65  s 

3.47  s 

3.06  s 

1.18  s 

Broadcast  and  Functional  Encryption 

1 

BGW05  [12]  Broadcast  Encryption 

0.16  s 

0.31  s 

0.03  s 

0.05  s 

0.007  s 

DFA-FE12  [49]  Regular  Language  Functional  Encryption 

2.58  s 

5.10  s 

21.45  s 

20.67  s 

2.95  s 

Figure  5:  Average  running  times  over  100  iterations.  We  compare  Keygen  vs.  KeygenOut,  Decrypt  vs. 
Transform  and  Decout  for  each  of  the  nine  pairing-based  cryptosystems  we  cover  in  this  paper.  These 
benchmarks  were  executed  against  the  MIRACL  library  on  a  server  platform.  In  all  test  runs  the  standard 
deviation  of  the  timing  results  were  within  ±1%  of  the  average. 


BN 256  on  Intel  and  ARM 


Schemes 

ARM 

Decrypt 

Intel 

Transform 

ARM 

Decout 

Combined 

Speedup  Factor 

Attribute- Based  Encryption  (ABE) 

BSW07  [8]  Ciphertext-Policy  ABE 

73.6s 

9.90s 

0.20s 

10.10s 

7.3x 

Watersll  [48]  Ciphertext-Policy  ABE 

74.8s 

5.93s 

0.19s 

6.12s 

12. 2x 

LW10  [32]  Decentralized  ABE 

85.8s 

5.7s 

10.5s 

16.2s 

5.3x 

ID-Based  Encryption 

HIBE04  [10]  Hierarchical-ID 

1.9s 

0.10s 

0.19s 

0.29s 

6.6x 

CKRS09  [14]  Blind  and  Anonymous-ID 

1,6s 

0.08s 

0.45s 

0.53s 

3. Ox 

SW05  [40]  Fuzzy-ID 

7.1s 

0.88s 

1.90s 

2.78s 

2.6x 

Broadcast  and  Functional  Encryption 

BGW05  [12]  Broadcast  Encryption 

0.94s 

0.07s 

0.11s 

0.18s 

5.2x 

Figure  7:  We  compare  the  running  times  of  Decrypt  on  a  mobile  phone  (ARM  processor)  with  that  of 
Transform  on  our  MacPro  server  (Intel  processor)  plus  Decout  on  the  mobile  phone.  Note  that  only  the  SW 
scheme  was  measured  with  10  attributes  over  10  iterations. 


Outsourcing  of  encryption  schemes  has  taken  other  forms 
in  the  literature.  Hohenberger  et  al.  [29]  formally  mod¬ 
eled  the  security  of  a  resource-constrained  client  outsourcing 
computation  to  an  untrusted  helper  with  quantifications  for 
efficiency  and  checkability. 

Gennaro  et  al.  [25]  focused  on  verifiable  computation  us¬ 
ing  fully  homomorphic  encryption,  in  which  a  trusted  but 
resource-constrained  client  can  outsource  the  evaluation  of 
a  function  with  dynamic  inputs  to  a  set  of  workers.  Chung 
et  al.  [19]  extend  the  research  by  Gennaro  et  al.  by  reducing 
either  the  computational  burden  or  the  communication  costs 
of  the  client  in  the  offline  processing  phase  of  the  protocol  by 
Gennaro  et  al.  Pirretti  et  al.  [?]  designed  secure  attribute- 
based  systems  using  new  constructions  of  ABE.  Pirretti  et 
al.  also  show  how  decryption  in  the  scheme  by  Sahai  and 
Waters  [40]  can  be  optimized  to  reduce  the  number  of  pair¬ 
ings,  at  the  cost  of  increasing  the  number  of  exponentiations. 

In  this  paper,  we  focus  on  pairing-based  cryptosystems. 
Chevallier-Mames  et  al.  [18]  introduced  a  method  whereby  a 
resource-constrained  client  can  securely  outsource  a  pairing 
to  a  more  computationally  powerful  entity. 

There  has  been  a  large  body  of  research  on  automating 
various  cryptographic  optimizations.  MacKenzie  et  al.  [35] 
designed  a  compiler  that  automatically  generates  protocols 
and  source  code  for  two-party  function-sharing  computa¬ 
tion.  Almeida  et  al.  [3]  created  a  zero-knowledge,  certify¬ 
ing  compiler  that  automatically  translates  an  abstract  proof 
goal  written  in  the  authors’  Protocol  Specification  Language 


(PSL)  to  a  C  implementation.  Barbosa  et  al.  [7]  explored 
the  use  of  CAO,  a  cryptographic  domain-specific  language 
and  compiler,  to  improve  the  ability  of  cryptographic  soft¬ 
ware  engineers  to  write  code  for  elliptic  curve  cryptography 
(ECC). 

In  addition,  our  research  is  close  in  nature  to  server-aided 
computation.  Liu  et  al.  [34]  introduced  Identity-Based  Server- 
Aided  Decryption  (IBS  AD).  IBS  AD  is  an  identity-based  en¬ 
cryption  (IBE)  scheme  in  which  decryption  is  performed  on  a 
trusted  client  with  the  help  of  an  external,  untrusted  server. 


7.  CONCLUSION 

This  paper  investigated  the  problem  of  automating  the 
process  of  designing  outsourcing-ready  cryptographic  schemes. 
We  believe  that  our  results  demonstrate  that  the  problem 
is  tractable  and  useful,  and  that  these  techniques  could  be 
useful  amongst  the  growing  collection  of  automated  scheme 
design  and  analysis  tools. 

Our  work  leaves  several  open  problems:  first,  our  pro¬ 
posal  uses  a  secure  transformation  that  we  have  manually 
analyzed.  However,  to  improve  confidence  in  our  results, 
we  would  like  to  output  full  reduction  proofs  that  can  be 
machine-verified  using  a  proof  checking  tool,  e.g.,  Cryp- 
toVerif  [9] .  Secondly,  we  believe  that  there  may  be  addi¬ 
tional  optimizations  that  we  have  not  yet  discovered,  per¬ 
haps  by  re-writing  schemes  from  one  setting  (symmetric 
pairings)  to  another. 
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Abstract 

In  tandem  with  recent  progress  on  computing  on  encrypted  data  via  fully  homomorphic 
encryption,  we  present  a  framework  for  computing  on  authenticated  data  via  the  notion  of 
slightly  homomorphic  signatures,  or  P-homonrorphic  signatures.  With  such  signatures,  it  is 
possible  for  a  third  party  to  derive  a  signature  on  the  object  in'  from  a  signature  of  m  as  long  as 
P(m,m')  =  1  for  some  predicate  P  which  captures  the  “authenticatable  relationship”  between 
m!  and  m.  Moreover,  a  derived  signature  on  m!  reveals  no  extra  information  about  the  parent 
m. 

Our  definition  is  carefully  formulated  to  provide  one  unified  framework  for  a  variety  of  dis¬ 
tinct  concepts  in  this  area,  including  arithmetic,  homomorphic,  quotable,  redactable,  transitive 
signatures  and  more.  It  includes  being  unable  to  distinguish  a  derived  signature  from  a  fresh 
one  even  when  given  the  original  signature.  The  inability  to  link  derived  signatures  to  their 
original  sources  prevents  some  practical  privacy  and  linking  attacks,  which  is  a  challenge  not 
satisfied  by  most  prior  works. 

Under  this  strong  definition,  we  then  provide  generic  constructions  for  all  univariate  and 
closed  predicates,  and  specific  efficient  constructions  for  a  broad  class  of  natural  predicates  such 
as  quoting,  subsets,  weighted  sums,  averages,  and  Fourier  transforms.  To  our  knowledge,  these 
are  the  first  efficient  constructions  for  these  predicates  (excluding  subsets)  that  provably  satisfy 
this  strong  security  notion. 
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1  Introduction 


In  tandem  with  recent  progress  on  computing  any  function  on  encrypted  data,  e.g.,  [29,  55,  52],  this 
work  explores  computing  on  unencrypted  signed  data.  In  the  past  few  years,  several  independent 
lines  of  research  touched  on  this  area: 

•  Quoting/redacting:  [54,  35,  1,  42,  32,  19,  18,  20]  Given  Alice’s  signature  on  some  message 
m  anyone  should  be  able  to  derive  Alice’s  signature  on  a  subset  of  m.  Quoting  typically 
applies  to  signed  text  messages  where  one  wants  to  derive  Alice’s  signature  ou  a  substring 
of  m.  Quoting  can  also  apply  to  signed  images  where  one  wants  to  derive  a  signature  on  a 
subregion  of  the  image  (say,  a  face  or  an  object)  and  to  data  structures  where  one  wants  to 
derive  a  signature  of  a  subset  of  the  data  structure  such  as  a  sub-tree  of  a  tree. 

•  Arithmetic:  [36,  61,  24,  15,  28,  14,  13,  59]  Given  Alice’s  signature  on  vectors  Vi, . . . ,  vfc  £  F” 

anyone  should  be  able  to  derive  Alice’s  signature  on  a  vector  v  in  the  linear  span  of  vi, ,  V&. 

Arithmetic  on  signed  data  is  motivated  by  applications  to  secure  network  coding  [27].  We  show 
that  these  schemes  can  be  used  to  compute  authenticated  linear  operations  such  as  computing 
an  authenticated  weighted  sum  of  signed  data  and  an  authenticated  Fourier  transform.  As  a 
practical  consequence  of  this,  we  show  that  an  untrusted  database  storing  signed  data  (e.g., 
employee  salaries)  can  publish  an  authenticated  average  of  the  data  without  leaking  any 
other  information  about  the  stored  data.  Recent  constructions  go  beyond  linear  operations 
and  support  low  degree  polynomial  computations  [13]. 

•  Transitivity:  [47,  41,  6,  33,  7,  50,  60,  46]  Given  Alice’s  signature  on  edges  in  a  graph  G  anyone 
should  be  able  to  derive  Alice’s  signature  on  a  pair  of  vertices  (it,  v)  if  and  only  if  there  is  a 
path  in  G  from  u  to  v.  The  derived  signature  on  the  pair  ( u ,  v)  must  be  indistinguishable 
from  a  fresh  signature  on  ( u ,  v )  had  Alice  generated  one  herself  [41],  This  requirement  ensures 
that  the  derived  signature  on  ( u ,  v )  reveals  no  information  about  the  path  from  u  to  v  used 
to  derive  the  signature. 

In  this  paper,  we  put  forth  a  general  framework  for  computing  on  authenticated  data  that 
encompasses  these  lines  of  research  and  much  more.  While  prior  definitions  mostly  contained 
artifacts  specific  to  the  type  of  malleability  they  supported  and,  thus,  were  hard  to  compare  to  one 
another,  we  generalize  and  strengthen  these  disparate  notions  into  a  single  definition.  This  definition 
can  be  instantiated  with  any  predicate,  and  we  allow  repeated  computation  on  the  signatures 
(e.g.,  it  is  possible  to  quote  from  a  quoted  signature.)  During  our  study,  we  realized  that  the 
“privacy”  notions  offered  by  many  existing  definitions  are,  in  our  view,  insufficient  for  some  practical 
applications.  We  therefore  require  a  stronger  (and  seemingly  a  significantly  more  challenging  to 
achieve)  property  called  context  hiding.  Under  this  definition,  we  provide  two  generic  solutions 
for  computing  signatures  on  any  univariate,  closed  predicate;  however,  these  generic  constructions 
are  not  efficient.  We  also  present  efficient  constructions  for  three  problems:  quoting  substrings  in 
Section  4,  a  subset  predicate  in  Section  5,  and  a  weighted  average  over  data  in  Section  6  (which 
captures  weighted  sums  and  Fourier  transforms).  Our  quoting  substring  construction  is  novel  and 
significantly  more  efficient  than  the  generic  solutions.  For  the  problems  of  subsets  and  weighted 
averages,  we  show  somewhat  surprising  connections  to  respective  existing  solutions  in  attribute- 
based  encryption  and  network  coding  signatures. 
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1.1  Overview 


A  general  framework.  Let  M.  be  some  message  space  and  let  2M  be  its  powerset.  Consider 
a  predicate  P  :  2M  x  M.  — >  {0, 1}  mapping  a  set  of  messages  and  a  message  to  a  bit.  Loosely 
speaking  we  say  that  a  signature  scheme  supports  computations  with  respect  to  P  if  the  following 
holds: 


Let  M  C  M.  be  a  set  of  messages  and  let  m!  be  a  derived  message,  namely  m!  satisfies 
P(M,  m!)  =  1.  Then  there  exists  an  efficient  procedure  that  can  derive  Alice’s  signature 
on  m!  from  Alice’s  independent  signatures  on  all  of  the  messages  in  M . 

For  the  quoting  application,  the  predicate  P  is  defined  as  P(M ,  m ')  =  1  iff  m!  is  a  quote  from  the 
set  of  messages  M.  Here  we  focus  on  quoting  from  a  single  message  m  so  that  P  is  false  whenever 
M  contains  more  than  one  component1,  and  thus  use  the  notation  P(m,m')  as  shorthand  for 
P({m},  in').  The  predicate  P  for  arithmetic  computations  is  defined  in  Appendix  A  and  essentially 
says  that  P(  (vi, . . . ,  v*.),  v)  is  true  whenever  v  is  in  the  span  of  Vi, . . . ,  v*.. 

We  emphasize  that  signature  derivation  can  be  iterative.  For  example,  given  a  message-signature 
pair  ( m,a )  from  Alice,  Bob  can  publish  a  derived  message-signature  pair  (m/,cr/)  for  an  m!  where 
P(m,m')  holds.  Charlie,  using  (m/,a/),  may  further  derive  a  signature  a"  on  m" .  In  the  quoting 
application,  Charlie  is  quoting  from  a  quote  which  is  perfectly  fine. 

Security.  We  give  a  clean  security  definition  that  captures  two  properties:  unforgeability  and 
context  hiding.  We  briefly  discuss  each  in  turn  and  give  precise  definitions  in  the  next  section. 

•  Unforgeability  captures  the  idea  that  an  attacker  may  be  given  various  derived  signatures 

(perhaps  iteratively  derived)  on  messages  of  his  choice.  The  attacker  should  be  unable  to 
produce  a  signature  on  a  message  that  is  not  derivable  from  the  set  of  signed  messages  at 
his  possession.  E.g.,  suppose  Alice  generates  ( m,cr )  and  gives  it  to  Bob  who  then  publishes 
a  derived  signature  Then  an  attacker  given  ( m',a ')  should  be  unable  to  produce  a 

signature  on  m  or  on  any  other  message  rn"  such  that  P(m',m ")  =  0. 

•  Context  hiding  captures  an  important  privacy  property:  a  signature  should  reveal  nothing 
more  than  the  message  being  signed.  In  particular,  if  a  signature  on  m!  was  derived  from 
a  signature  on  m,  an  attacker  should  not  learn  anything  about  m  other  than  what  can  be 
inferred  from  rn' .  This  should  be  true  even  if  the  original  signature  on  m  is  revealed.  For 
example,  a  signed  quote  should  not  reveal  anything  about  the  message  from  which  it  was 
quoted,  including  its  length,  the  position  of  the  quote,  whether  its  parent  document  is  the 
same  as  another  quote,  whether  it  was  derived  from  a  given  signed  message  or  generated 
freshly,  etc. 

Defining  context  hiding  is  an  interesting  and  subtle  task.  In  the  next  section,  we  give  a  definition 
that  captures  a  very  strong  privacy  requirement.  We  discuss  earlier  attempts  at  defining  privacy 
following  our  definition  in  Section  2.3;  while  many  prior  works  use  a  similar  sounding  intuition  as 
we  give  above,  most  contain  a  fundamental  difference  to  ours  in  their  formalization. 

We  note  that  notions  such  as  group  or  ring  signatures  [25,  5,  21,  11,  49]  have  considered  the 
problem  of  hiding  the  identity  of  a  signer  among  a  set  of  users.  Context  hiding  ensures  privacy  for 
the  data  rather  than  the  signer.  Our  goal  is  to  hide  the  legacy  of  how  a  signature  was  created. 

1We  leave  it  for  future  work  to  construct  systems  for  securely  quoting  from  two  messages  (or  possibly  more)  as 
defined  next. 
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Efficiency.  We  require  that  the  size  of  a  signature,  whether  fresh  or  derived,  depend  only  on 
the  size  of  the  object  being  signed.  This  rules  out  solutions  where  the  signature  grows  with  each 
derivation. 

Generic  Approaches.  We  begin  with  two  generic  constructions  that  can  be  inefficient.  They 
apply  to  closed,  univariate  predicates,  namely  predicates  P(M ,  rn')  where  M  contains  a  single 
message  (P  is  false  when  \M\  >  1)  and  where  if  P(a,b)  =  P(b,c)  =  1  then  P(a,c )  =  1.  The  first 
construction  uses  any  standard  signature  scheme  S  where  the  signing  algorithm  is  deterministic. 
(One  can  enforce  determinism  using  PRFs  [30].)  To  sign  a  message  m  €  A4,  one  uses  S  to  sign 
each  message  m!  such  that  P(m,  ml)  =  1.  The  signature  consists  of  all  these  signature  components. 
To  verify  a  signature  for  m ,  one  checks  the  signature  component  corresponding  to  the  message 
m.  To  derive  a  signature  m'  from  m ,  one  copies  the  signature  components  for  all  rn"  such  that 
P(m',m")  =  1.  Soundness  of  the  construction  follows  from  the  security  of  the  underlying  standard 
scheme  S  and  context  hiding  from  the  fact  that  signing  in  S  is  deterministic. 

Unfortunately,  these  signatures  may  become  large  consisting  up  to  \M\  signature  components 
-  effecting  both  the  signing  time  and  signature  size.  Our  second  generic  construction  alleviates 
the  space  burden  by  using  an  RSA  accumulator.  The  construction  works  in  a  similar  brute  force 
fashion  where  a  signature  on  m  is  an  accumulator  value  on  all  m!  such  that  P(m.,m')  =  1.  While 
this  produces  short  signatures,  the  time  component  of  both  verification  and  derivation  are  even 
worse  than  the  first  generic  approach.  Thus,  these  generic  approaches  are  too  expensive  for  most 
interesting  predicates.  We  detail  these  generic  approaches  and  proofs  in  Section  3,  where  we  also 
discuss  a  generic  construction  using  NIZK. 

Our  Quoting  Construction.  We  turn  to  more  efficient  constructions.  First,  we  set  out  to 
construct  a  signature  for  quoting  substrings2 ,  which  although  conceptually  simple  is  non-trivial  to 
realize  securely.  As  an  efficiency  baseline,  we  note  that  the  brute  force  generic  construction  of  the 
quoting  predicate  would  result  in  n2  components  for  a  signature  on  n  characters.  So  any  interesting 
construction  must  perform  more  efficiently  than  this.  We  prove  our  construction  selectively  secure.3 
In  addition,  we  give  some  potential  future  directions  for  achieving  adaptive  security  and  removing 
the  use  of  random  oracles. 

Our  construction  uses  bilinear  groups  to  link  different  signature  components  together  securely, 
but  in  such  a  way  that  the  context  can  be  hidden  by  a  re-randomizing  step  in  the  derivation 
algorithm.  A  signature  in  our  system  on  a  message  of  length  n  consists  of  n  lg  n  group  elements; 
intuitively  organized  as  lg  n  group  elements  assigned  to  each  character.  To  derive  a  new  signature 
on  a  substring  of  £  characters,  one  roughly  removes  the  group  elements  not  associated  with  the 
new  substring  and  then  re-randomizes  the  remaining  part  of  the  signature.  This  results  in  a  new 
signature  of  t\gl  group  elements.  The  technical  challenge  consists  in  simultaneously  allowing  re¬ 
randomization  and  preserving  the  “linking”  between  successive  characters.  In  addition,  there  is  a 
second  option  in  our  derive  algorithm  that  allows  for  the  derivation  of  a  short  signature  of  lg  i  group 
elements;  however  the  derive  procedure  cannot  be  applied  again  to  this  short  signature.  Thus,  we 
support  quoting  from  quotes,  and  also  provide  a  compression  option  which  produces  a  very  short 
quote,  but  the  price  for  this  is  that  it  cannot  be  quoted  from  further. 

2  A  substring  of  xi  ...  x„  is  some  Xi . . .  Xj  where  i,j  £  [1,  n]  and  i  <  j.  We  emphasize  that  we  are  not  considering 
subsequences.  Thus,  it  is  not  possible,  in  this  setting,  to  extract  a  signature  on  “I  like  fish”  from  one  on  “I  do  not 
like  fish”. 

3Following  an  analog  of  [22],  selective  security  for  signatures  requires  the  attacker  to  give  the  forgery  message 
before  seeing  the  verification  key. 
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Computing  Signatures  on  Subsets  and  Weighted  Averages.  Our  final  two  contributions 
are  schemes  for  deriving  signatures  on  subsets  and  weighted  averages  on  signatures.  Rather  than 
create  entirely  new  systems,  we  show  connections  to  existing  Attribute-Based  Encryption  schemes 
and  Network  Coding  Signatures.  Briefly,  our  subset  construction  extends  the  concept  of  Naor  [12] 
who  observed  that  every  IBE  scheme  can  be  transformed  into  a  standard  signature  scheme  by 
applying  the  IBE  KeyGen  algorithm  as  a  signing  algorithm.  Here  we  show  an  analog  for  known 
Ciphertext-Policy  (CP)  ABE  schemes.  The  KeyGen  algorithm  which  generates  a  key  for  a  set  S  of 
attributes  can  be  used  as  a  signing  algorithm  for  the  set  S.  For  known  CP-ABE  systems  [8,  37,  58] 
it  is  straightforward  to  derive  a  key  for  a  subset  S'  of  S  and  to  re-randomize  the  signature/key.  To 
verify  a  signature  on  S  we  can  apply  Naor’s  signature- from-IBE  idea  and  encrypt  a  random  message 
A  to  a  policy  that  is  an  AND  of  all  the  attributes  in  S  and  see  if  the  signature  can  be  used  as  an 
ABE  key  to  decrypt  to  X.  Signatures  for  subsets  have  been  previously  considered  in  [33,  §6.4],  but 
without  context  hiding  requirements.  We  provide  further  details  in  Section  5.  Our  construction  for 
weighted  sums  is  presented  in  Section  6,  where  we  discuss  how  this  applies  to  Fourier  transforms. 

2  Definitions 

Definition  2.1  (Derived  messages)  Let  M.  be  a  message  space  and  let  P  :  2M  x  M.  — >  {0, 1}  be 
a  predicate  from  sets  over  A4  and  a  message  in  M.  to  a  bit.  We  say  that  a  message  m!  is  derivable 
from  the  set  M  C  Jvl  if  P(M,  m!)  =  1.  We  denote  by  P*(M)  the  set  of  messages  derivable  from  M 
by  repeated  derivation.  That  is,  let  P°(M)  be  the  set  of  messages  derivable  from  M  and  for  i  >  0 
let  Pl(M)  be  the  set  of  messages  derivable  from  P1~1(M).  Then  P*(M)  :=  U f^0Pl(M). 

We  define  the  closure  of  P,  denoted  P* ,  as  the  predicate  defined  by  P*(M,m )  =  1  iff  m  € 
P*(M). 

A  P-hornornorphic  signature  scheme  n  for  message  space  At  and  predicate  P  is  a  triple  of  PPT 
algorithms: 

KeyGen(lA):  the  key  generation  algorithm  outputs  a  key  pair  ( pk,sk ).  We  treat  the  secret  key 
sk  as  a  signature  on  the  empty  tuple  e  £  M* .  We  also  assume  that  pk  is  embedded  in  sk. 

SignDerive(pfc,  ({am}meM ,  M),  m' ,  w):  the  algorithm  takes  as  input  the  public  key,  a  set  of  mes¬ 
sages  M  C  M.  and  corresponding  signatures  {am}m£M,  a  derived  message  m!  £  A4,  and  possibly 
some  auxiliary  information  w.  It  produces  a  new  signature  a'  or  a  special  symbol  J_  to  repre¬ 
sent  failure.  For  complicated  predicates  P,  the  auxiliary  information  w  serves  as  a  witness  that 
P(M,m')  =  1.  To  simplify  the  notation  we  often  drop  w  as  an  explicit  argument. 

As  shorthand  we  write  Sign (sk,m)  :=  SignDeri ve(pk,  (sk,e),m.,  ■)  to  denote  that  any  mes¬ 
sage  can  be  derived  when  the  original  signature  is  the  signing  key.  For  a  set  of  messages  M  = 
{mi, . . . ,  mk}  C  M*  it  is  convenient  to  let  Sign(sA;,M)  denote  independently  signing  each  of  the 
k  messages,  namely: 


Sign (sk,M)  :=  (  Sign(sA;,  mi), . . . ,  Sign(sfc,  mk)  )  ■ 

Verify (pk,m,a):  given  a  public  key,  message,  and  purported  signature  <r,  the  algorithm  returns  1 
if  the  signature  is  valid  and  0  otherwise. 

We  assume  that  testing  m  £  M  can  be  done  efficiently,  and  that  Verify  returns  0  if  m  ^  M. 
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Correctness.  We  require  that  for  all  key  pairs  ( sk,pk )  generated  by  KeyGen(ln)  and  for  all 
M  €  .M*  and  m!  £  M.  we  have: 

•  if  P(M,m!)  =  1  then  SignDerive(pA;,  (Sign (sk,  M),  M),m')  A  _L,  and 

•  for  all  signature  tuples  {om}meM  such  that  o'  <—  SignDerive(pA;,  ({crm}m6Mj  M),  m!)  /  _L, 
we  have  Verify  (pk,  m' ,  o')  =  1. 

In  particular,  correctness  implies  that  a  signature  generated  by  SignDerive  can  be  used  as  an 
input  to  SignDerive  so  that  signatures  can  be  further  derived  from  derived  signatures,  if  allowed 
by  P. 

Derivation  efficiency.  In  many  cases  it  is  desirable  that  the  size  of  a  derived  signature  depend 
only  on  the  size  of  the  derived  message.  This  rules  out  signatures  that  expand  as  one  iteratively 
calls  SignDerive.  All  the  constructions  in  this  paper  are  derivation  efficient  in  this  sense. 

Definition  2.2  (Derivation-Efficient)  A  signature  scheme  is  derivation-efficient  if  there  exists 
a  polynomial  p  such  that  for  all  (pk,  sk)  <—  KeyGen(lA),  set  M  C  M* ,  signatures  {crm}meM  t— 
Sign (sk,M)  and  derived  messages  m!  where  P(M,m')  =  l,  we  have 

|SignDerive(pA;,  { om}meM ,  M,  m')\  =  p( A,  \m'\). 

2.1  Security:  Unforgeability 

To  define  unforgeability,  we  extend  the  basic  notion  of  existential  unforgeability  with  respect  to 
adaptive  chosen-message  attacks  [31].  The  definition  captures  the  idea  that  if  the  attacker  is  given  a 
set  of  signed  messages  (either  primary  or  derived)  then  the  only  messages  he  can  sign  are  derivations 
of  the  signed  messages  he  was  given.  This  is  defined  using  a  game  between  a  challenger  and  an 
adversary  A  with  respect  to  scheme  II  over  message  space  M . 

—  Game  Unforg(II,  A,  A,  P): 

Setup:  The  challenger  runs  KeyGen(lA)  to  obtain  (pk,  sk)  and  sends  pk  to  A.  The  challenger 
maintains  two  sets  T  and  Q  that  are  initially  empty. 

Queries:  Proceeding  adaptively,  the  adversary  issues  the  following  queries  to  the  challenger: 

•  Sign(m  £  M):  the  challenger  generates  a  unique  handle  h,  runs  Sign(sk,  m )  -»  o  and  places 
(h,  m,  o)  into  a  table  T.  It  returns  the  handle  h  to  the  adversary. 

•  SignDerive(h  =  (hi, . . . ,  hk),  m'):  the  oracle  retrieves  the  tuples  (hi,Oi,mf)  in  T  for  i  = 
1, . . . ,  k,  returning  _L  if  any  of  them  do  not  exist.  Let  M  :=  (mi, . . . ,  rrq;)  and  {am}meM  := 
{o\, . . . ,  Ok}-  If  P(M,m')  holds,  then  the  oracle  generates  a  new  unique  handle  If,  runs 
SignDerive (pfc,  ({om}meM,  M),m ')  — >  o'  and  places  (h',m',o')  into  T,  and  returns  h!  to 
the  adversary. 

•  Reveal(h):  Returns  the  signature  a  corresponding  to  handle  h,  and  adds  (o' ,m')  to  the  set 

Q- 

Output:  Eventually,  the  adversary  outputs  a  pair  (o' ,m').  The  output  of  the  game  is  1  (i.e.,  the 
adversary  wins  the  game)  if: 

•  Verify  (pk,m'  ,o')  =  1  and, 
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•  let  M  C  Af  be  the  set  of  messages  in  Q  then  P*  (M,m')  =  0  where  P*  is  the  closure  of 
P  from  Definition  2.1. 

Else,  the  output  of  the  game  is  0.  Define  Forg  4  as  the  probability  that  Pr[Unforg(II,  A,  A,  P)  = 

1], 

Interestingly,  for  some  predicates  it  may  be  difficult  to  test  if  the  adversary  won  the  game.  For  all 
the  predicates  we  consider  in  this  paper,  this  will  be  quite  easy. 

Definition  2.3  (Unforgeability)  A  P -homomorphic  signature  scheme  II  is  unforgeable  with 
respect  to  adaptive  chosen-message  attacks  if  for  all  PPT  adversaries  A,  the  function  Forg ^  is 
negligible  in  A. 

A  P -homomorphic  signature  scheme  II  is  selective  unforgeable  with  respect  to  adaptive 
chosen-message  attacks  if  for  all  PPT  adversaries  A  who  begin  the  above  game  by  announcing 
the  message  m!  on  which  they  will  forge ,  Forg 4  is  negligible  in  A. 

Properties  of  the  definition.  By  taking  P  to  be  the  equality  oracle,  namely  P(x,  y)  =  1  iff 
x  =  y,  we  obtain  the  standard  unforgeability  requirement  for  signatures. 

Notice  that  Sign  and  SignDerive  queries  return  handles,  but  do  not  return  the  actual  signatures. 

A  system  proven  secure  under  this  definition  adequately  rules  out  the  following  attack:  suppose 
(m,  o)  is  a  message  signature  pair  and  (m! ,  o')  is  a  message-signature  pair  derived  from  it,  namely 
o'  =  SignDerive(pfc,  o ,  m,m').  For  example,  suppose  rn!  is  a  quote  from  m.  Then  given  ( m',o ') 
it  should  be  difficult  to  produce  a  signature  on  m  and  indeed  our  definition  treats  a  signature  on 
m  as  a  valid  forgery. 

The  unforgeability  game  imposes  some  constraints  on  P:  (1)  P  must  be  reflexive,  i.e.  P(m,  rn)  = 

1  for  all  m  G  At,  (2)  P  must  be  monotone,  i.e.  P(M ,  m')  =>  P(M' ,  rn1)  where  M  C  M' .  It  is  easy  to 
see  that  predicates  that  do  not  satisfy  these  requirements  cannot  be  realized  under  Definition  2.3. 

2.2  Security:  Context  Hiding  (a.k.a.,  Privacy) 

Let  M  be  some  set  and  let  m'  be  a  derived  message  from  M  (i.e.,  P(M,m' )  =  1).  Context  hiding 
captures  the  idea  that  a  signature  on  m'  derived  from  signatures  on  M  should  reveal  no  information 
about  M  beyond  what  is  revealed  by  rn! .  For  example,  in  the  case  of  quoting,  a  signature  on  a 
quote  from  m  should  reveal  nothing  more  about  m:  not  the  length  of  m,  not  the  position  of  the 
quote  in  m,  etc.  The  same  should  hold  even  if  the  attacker  is  given  signatures  on  multiple  quotes 
from  m. 

We  put  forth  the  following  powerful  statistical  definition  of  context  hiding  and  discuss  its  im¬ 
plications  following  the  definition.  We  were  most  easily  able  to  leverage  a  statistical  definition  for 
our  proofs,  although  we  also  give  an  alternative  computational  definition  in  Appendix  A. 

Definition  2.4  (Strong  Context  Hiding)  Let  M  C  A i*  and  m!  G  At  be  messages  such  that 
P(M ,  m')  =  1.  Let  ( pk ,  sk)  •(—  KeyGen(lA)  be  a  key  pair.  A  signature  scheme  (KeyGen,  SignDerive,, 
Verify)  is  strongly  context  hiding  (for  predicate  P)  if  for  all  such  triples  ((pk,  sk),  the  fol¬ 

lowing  two  distributions  are  statistically  close: 

{(sk,{om}meM  •<—  Sign  (sk,M),  Sign(sk,  m!)) }  skMm, 

{  (sk,  {om}meM  G-  Sign  (sk,  Af),  SignDeri  ve(pk,  ({om}m£M,  Af),  m!)) }  skMm, 

The  distributions  are  taken  over  the  coins  of  Sign  and  SignDerive.  Without  loss  of  generality, 
we  assume  that  pk  can  be  computed  from  sk. 
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The  definition  states  that  a  derived  signature  on  m! ,  from  an  honestly- generated  original  sig¬ 
nature,  is  statistically  indistinguishable  from  a  fresh  signature  on  m! .  This  implies  that  a  derived 
signature  on  m!  is  indistinguishable  from  a  signature  generated  independently  of  M.  Therefore, 
the  derived  signature  cannot  (provably)  reveal  any  information  about  M  beyond  what  is  revealed 
by  m' .  By  a  simple  hybrid  argument  the  same  holds  even  if  the  adversary  is  given  multiple  derived 
signatures  from  M. 

Moreover,  Definition  2.4  requires  that  a  derived  signature  look  like  a  fresh  signature  even  if  the 
original  signature  on  M  is  known.  Hence,  if  for  example  someone  quotes  from  a  signed  recommen¬ 
dation  letter  and  somehow  the  original  signed  recommendation  letter  becomes  public,  it  would  be 
impossible  to  link  the  signed  quote  to  the  original  signed  letter.  The  same  holds  even  if  the  signing 
key  sk  is  leaked. 

Thus,  Definition  2.4  captures  a  broad  range  of  privacy  requirements  for  derived  signatures. 
Earlier  work  in  this  area  [35,  18,  20,  17]  only  considered  weaker  privacy  requirements  using  more 
complex  definitions.  The  simplicity  and  breadth  of  Definition  2.4  is  one  of  our  key  contributions. 

Definition  2.4  uses  statistical  indistinguishability  meaning  that  even  an  unbounded  adversary 
cannot  distinguish  derived  signatures  from  newly  created  ones.  In  Appendix  A,  we  give  a  definition 
using  computational  indistinguishability  which  is  considerably  more  complex  since  the  adversary 
needs  to  be  given  signing  oracles.  In  the  unbounded  case  of  Definition  2.4  the  adversary  can  simply 
recover  a  secret  key  sk  from  the  public  key  and  answer  its  own  signature  queries  which  greatly 
simplifies  the  definition  of  context  hiding.  All  the  signature  schemes  in  this  paper  satisfy  the 
statistical  Definition  2.4. 

As  mentioned  above,  the  context-hiding  guarantee  applies  to  all  derivations  that  begin  with 
an  honestly-generated  signature.  One  might  imagine  a  scenario  where  a  malicious  signer  creates  a 
signature  that  passes  the  verification  algorithm,  but  contains  a  “watermark”  that  allows  the  signer 
to  detect  if  other  signatures  are  derived  from  it.  To  prevent  such  attacks  from  malicious  signers, 
we  could  alter  the  definition  so  that  indistinguishability  holds  for  any  derivative  that  results  from 
a  signature  that  passed  the  verification  algorithm. 

A  simpler  approach  to  proving  unforgeability.  For  systems  that  are  strongly  context  hiding, 
unforgeability  follows  from  a  simpler  game  than  that  of  Section  2.1.  In  particular,  it  suffices  to 
just  give  the  adversary  the  ability  to  obtain  top  level  signatures  signed  by  sk.  In  Appendix  A,  we 
define  this  simpler  unforgeability  game  and  prove  equivalence  to  Definition  2.3  using  strong  context 
hiding. 

2.3  Related  Work 

Early  work  on  quotable  signatures  [54,  35,  44,  43,  32,  19,  23,  17]  supports  quoting  from  a  single 
document,  but  does  not  achieve  the  privacy  or  unforgeability  properties  we  are  aiming  for.  For 
example,  if  simple  quoting  of  messages  is  all  that  is  desired,  then  the  following  folklore  solution 
would  suffice:  simply  sign  the  Merkle  hash  of  a  document.  A  quote  represents  some  sub-tree  of 
the  Merkle  hash;  so  a  quoter  could  include  enough  intermediate  hash  nodes  along  with  the  original 
signature  in  any  quote.  A  verifier  could  simply  hash  the  quote,  and  then  build  the  Merkle  hash  tree 
using  the  computed  hash  and  the  intermediate  hashes,  and  compare  with  the  original  signature. 
Notice,  however,  that  every  quote  in  this  scheme  reveals  information  about  the  original  source 
document.  In  particular,  each  quote  reveals  information  about  where  in  the  document  it  appears. 
Thus,  this  simple  quoting  scheme  is  not  context  hiding  in  our  sense. 

The  work  whose  definition  is  closest  to  what  we  envision  is  the  recent  work  on  redacted  signatures 
of  Chang  et  al.  [23]  and  Brzuska  et  al.  [17]  (see  also  Naccache  [45,  p.  63]  and  Boneh-Freeman  [14, 
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13]  4).  However,  there  is  a  subtle,  but  fundamental  difference  between  their  definition  and  the 
privacy  notion  we  are  aiming  for.  In  our  formulation,  a  quoted  signature  should  be  indistinguishable 
from  a  fresh  signature,  even  when  the  distinguisher  is  given  the  original  signature.  (We  capture 
this  by  an  even  stronger  game  where  a  derived  signature  is  distributed  statistically  close  to  a  fresh 
signature.)  In  contrast,  the  definitions  of  [23,  17,  14,  13]  do  not  provide  the  distinguisher  with  the 
original  signature.  Thus,  it  may  be  possible  to  link  a  quoted  document  to  its  original  source  (and 
indeed  it  is  in  the  constructions  of  [23,  17,  14,  13]),  which  can  have  negative  privacy  implications. 
Overcoming  such  document  linkage  while  maintaining  unforgeability  is  a  real  technical  challenge. 
This  requires  moving  beyond  techniques  that  use  nonces  to  link  parts  of  messages. 

Indeed,  in  most  prior  constructions,  such  as  [23,  17],  nonces  are  used  to  prevent  “mix-and- 
match”  attacks  (e.g.,  forming  a  “quote”  using  pieces  of  two  different  messages.)  Unfortunately, 
these  nonces  reveal  the  history  of  derivation,  since  they  cannot  change  during  each  derivation 
operation.  Arguably,  much  of  the  technical  difficulty  in  our  current  work  comes  precisely  from  the 
effort  to  meet  our  definition  and  hide  the  lineage.  We  introduce  new  techniques  in  this  work  which 
link  pieces  together  using  randomness  that  can  be  re-randomized  in  controlled  ways. 

Another  line  of  work  studies  computing  on  authenticated  data  by  holders  of  secret  information. 
Examples  include  sanitizable  signatures  [44,  1,  42,  20,  18]  that  allow  a  proxy  to  compute  signatures 
on  related  messages,  but  requires  the  proxy  to  have  a  secret  key,  and  incremental  signatures  [4], 
where  the  signer  can  efficiently  make  small  edits  to  his  signed  data.  In  contrast,  our  proposal  is  more 
along  the  lines  of  homomorphic  encryption  and  Rivest’s  vision  [47],  where  anyone  can  compute  on 
the  authenticated  data. 

3  Generic  Constructions  for  Simple  Predicates 

Let  M.  be  a  finite  message  space.  We  say  that  a  predicate  P  :  M*  x  A4  — >  {0, 1}  is  a  simple 
predicate  if  the  following  properties  hold: 

1 .  P  is  false  whenever  its  left  input  is  a  tuple  of  length  greater  than  1 , 

2.  P  is  a  closed  predicate  (i.e.,  P  is  equal  to  its  closure  P*\  see  Section  2.1.) 

3.  For  all  m  E  At,  P(m.,m )  =  1. 

In  this  section,  we  present  and  discuss  generic  approaches  to  computing  on  authenticated  data 
with  respect  to  any  simple  predicate  P.  Note  that  the  quoting  of  substrings  or  subsequences  (i.e., 
redacting)  are  examples  of  simple  predicates. 

We  begin  with  two  inefficient  constructions.  The  first  takes  a  brute  force  approach  that  con¬ 
structs  long  signatures  that  are  easy  to  verify.  The  second  takes  an  accumulator  approach  that 
constructs  shorter  signatures  at  the  cost  of  less  efficient  verification.  We  conclude  by  discussing  the 
limitations  of  a  generic  NIZK  proof  of  knowledge  approach. 

4  As  acknowledged  in  Section  2.2  of  Boneh-Freeman  [13],  our  definitional  notion  is  stronger  than  and  predates  the 
“weak  context  hiding”  notion  of  [13].  Indeed,  the  fact  that  [13]  uses  our  framework  lends  support  to  its  generality,  and 
the  fact  that  they  could  not  achieve  our  context  hiding  notion  highlights  its  difficulty.  Their  “weak”  definition,  which 
is  equivalent  to  [17],  only  ensures  privacy  when  the  original  signatures  remain  hidden.  In  their  system,  signature 
derivation  is  deterministic  and  therefore  once  the  original  signatures  become  public  it  is  easy  to  tell  where  the  derived 
signature  came  from.  Our  signatures  achieve  full  context  hiding  so  that  derived  signatures  remain  private  no  matter 
what  information  is  revealed.  This  is  considerably  harder  and  is  not  known  how  to  do  for  the  lattice-based  signatures 
in  Boneh-Freeman. 
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3.1  A  Brute  Force  Construction  From  Any  Signature  Scheme 

Let  (G,  S,  V)  be  a  signature  scheme  with  a  deterministic  signing  algorithm.5  One  can  construct  a 
P- homomorphic  signature  scheme  for  any  simple  predicate  P  as  follows: 

KeyGen(lA)  :  The  setup  algorithm  runs  G(1A)  —>  ( pk ,  sk)  and  outputs  this  key  pair. 

Sign(sfc,m  £  At)  :  While  Sign  is  simply  a  special  case  of  the  SignDerive  algorithm,  we  will 
explicitly  provide  both  algorithms  here  for  clarity  purposes. 

The  signature  a  is  the  tuple  ( S(sk,m),U  =  {S(sk,m')  \  m'  £  P°({m})}). 

SignDerive(pfc,  a,  m,  m')  :  The  derived  signature  is  computed  as  follows.  First  check  that  P(m,  m!) 
1.  If  not,  then  output  _L.  Otherwise,  parse  a  =  (<ti,  . . . ,  cq;)  where  cq  corresponds  to  message 
mi.  If  for  any  i,  V(pk,rrii,  ai)  =  0,  then  output  _L.  Otherwise,  the  signature  is  comprised 
as  the  set  containing  cr,;  for  all  m*  such  that  P(m',mi )  =  1.  Again,  by  default,  let  the  first 
sub-signature  of  the  output  be  the  signature  on  m' . 

Verify  (pk,7n,a)  :  Parse  a  =  (<ti,  ...,  a^).  Output  V(pk,  m,  a\). 

Efficiency  Discussion  The  efficiency  of  the  above  approach  depends  on  the  message  space  and 
the  predicate  P.  For  instance,  the  brute  force  approach  for  signing  a  message  of  n  characters,  where 
P(m,m')  outputs  1  if  and  only  if  m'  is  a  substring  of  m,  will  result  in  0{n 2)  sub-signatures  (one 
for  each  of  the  0{n 2)  substrings).  If  one  wanted  to  “quote”  subgraphs  from  a  graph,  this  approach 
is  intractable,  as  a  graph  of  n  nodes  will  generate  an  exponential  in  n  number  of  subgraphs. 

Theorem  3.1  (Security  from  Any  Signature)  If  (G,  S,V)  is  a  secure  deterministic  signature 
scheme,  then  the  above  signature  scheme  is  unforgeable  and  context-hiding. 

Proof  of  the  above  theorem  is  rather  straightforward.  The  context-hiding  property  follows  from 
the  uniqueness  of  the  signatures  generated  by  the  honest  signing  algorithms.  The  unforgeability 
property  follows  from  the  fact  that  an  adversary  cannot  obtain  a  signature  on  any  message  not 
derivable  from  those  she  queried  or  one  could  use  this  signature  to  directly  break  the  regular 
unforgeability  of  the  underlying  signature  scheme.  The  correctness  property  is  actually  the  most 
complex  to  verify:  it  requires  the  two  restrictions  on  the  predicate  P  made  above. 

3.2  An  Accumulator-based  Construction 

Assumption  3.2  (RSA  [48])  Let  k  be  the  security  parameter.  Let  a  positive  integer  N  be  the 
product  of  two  random  k-bit.  primes  p,  q.  Let  e  be  a  randomly  chosen  positive  integer  less  than  and 
relatively  prime  to  4>(N)  =  (jp  —  \){q  —  1).  Then  no  PPT  algorithm  given  (N,  e)  and  a  random 
y  £  7Tn  as  input  can  compute  x  such  that  xe  =  y  mod  N  with  non-negligible  probability. 

Lemma  3.3  (Shamir  [51])  Given  x,y  £  Zn  together  with  a,b  £  Z  such  that  xa  =  yb  and 
gcd(a,  b )  =  1,  there  is  an  efficient  algorithm  for  computing  z  £  Zn  such  that  za  =  y. 

5Given  a  signature  scheme  with  a  probabilistic  signing  algorithm,  one  can  convert  it  to  a  scheme  with  a  determin¬ 
istic  signing  algorithm  by:  (1)  including  a  pseudorandom  function  (PRF)  seed  as  part  of  the  secret  key  and  (2)  during 
the  signing  algorithm,  applying  this  PRF  to  the  message  and  using  the  output  as  the  randomness  in  the  signature. 
Given  any  signature  scheme,  one  can  also  construct  a  PRF. 
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Theorem  3.4  (Prime  Number  Theorem)  Define  tt(x)  as  the  number  of  primes  no  larger  than 
x.  For  x  >  1, 


n(x)  > 


x 

lg  x 


Consider  the  following  RSA  accumulator  solution  which  supports  short  signatures,  but  the 
computation  required  to  derive  a  new  signature  is  expensive.  Let  P  be  any  univariate  predicate 
with  the  above  restrictions. 

We  now  describe  the  algorithms.  While  Sign  is  simply  a  special  case  of  the  SignDerive 
algorithm,  we  will  explicitly  provide  both  algorithms  here  for  clarity  purposes. 


KeyGen(lA)  :  The  setup  algorithm  chooses  N  as  a  20A-bit  RSA  modulus  and  a  random  value 
a  £  Zjy.  It  also  chooses  a  hash  function  Hp  that  maps  arbitrary  strings  to  2A-bit  prime 
numbers,  e.g.,  [34],  which  we  treat  as  a  random  oracle.6  Output  the  public  key  pk  =  (Hp,  N,  a) 
and  keep  as  the  secret  key  sk.  the  factorization  of  N. 


Sign (sk,m  G  M)  :  Let  U  =  P°({m})  =  {m!  \  rn'  G  M.  and  P(m,m') 
the  signature  as 


cr  :=  a1//(^“ 


mHvM)  mod  AT. 


1}.  Compute  and  output 


SignDerive (pfc,  a,  m,  m')  :  The  derivation  is  computed  as  follows.  First  check  that  P(m,m ')  =  1. 
If  not,  then  output  _L.  Otherwise,  let  U'  =  P°({m'}).  Compute  and  output  the  signature  as 

o'  :=  o^uiel J-a' hp(Ui)  mod  N. 

Thus,  the  signature  is  of  the  form  al^uieu'  Hp(u^  mod  N. 

Verify (pk,7n,o)  :  Accept  if  and  only  if  a  =  o^u*eu  Hp^u'll  mod  N  where  JJ  =  P°(m). 


Efficiency  Discussion  In  the  above  scheme,  signatures  require  only  one  element  in  Z?N.  However, 
the  cost  of  signing  depends  on  P  and  the  size  of  the  message  space.  For  example,  computing  an 
Asymbol  quote  from  an  n-symbol  message  requires  0(n(n  —  £))  evaluations  of  Hp()  and  0(n(n  —  £)) 
modular  exponentiations.  The  prime  search  component  of  Hp  will  likely  be  the  dominating  factor. 
Verification  requires  0(£2)  evaluations  of  HpQ  and  0(l2)  modular  exponentiations,  for  an  f-symbol 
quote.  Thus,  this  scheme  optimizes  on  space,  but  may  require  significant  computation. 

Theorem  3.5  (Security  under  RSA)  If  the  RSA  assumption  holds,  then  the  above  signature 
scheme  is  unforgeable  and  context-hiding  in  the  random  oracle  model. 

We  provide  a  proof  of  above  theorem  by  showing  the  following  lemmas. 

Lemma  3.6  (Context-Hiding)  The  homomorphic  signature  scheme  from  §5. 2  is  strongly  context¬ 
hiding. 

Proof.  This  property  is  derived  from  the  fact  that  a  signature  on  any  given  message  is  deterministic. 
Let  the  public  key  PK  be  ( Hp,N,a )  and  challenge  be  any  m,m!  where  P(m,m!)  =  1.  Let  U  = 

6 We  choose  our  modulus  and  hash  output  lengths  to  obtain  A-bit  security  based  on  the  recent  estimates  of  [53]. 
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P°(m)  and  U'  =  P°(m/).  Observe  that 


Sign(sA;,  m) 
Sign(sfc,  rri) 
SignDerive(p/c,  (er,  m),m) 


a  =  a1/n^Hp(u)  mod  N 
a0  =  al/  nu'ec/'  hpW  mod  N 
tjUusu-u'  hp(u)  mod  N 

0!/n  ueuHAn^ueU-u'HvW 

al/Ylu'eu'  hp(u  )  mod  N 


mod  N 


=  (TO 


Because  Sign (sk,  m!)  and  SignDerive(p/c,  (er,  m ),  m!)  are  identical,  for  any  adversary  A,  the  prob¬ 
ability  that  A  distinguishes  the  two  is  exactly  1/2,  and  so  the  advantage  in  the  strong  context 
hiding  game  is  0.  □ 

Lemma  3.7  (Unforgeability)  If  the  RSA  assumption  holds,  then  the  Section  3.2  homomorphic 
signature  scheme  is  unforgeable  in  the  Unforg  game  in  the  random  oracle  model. 

Proof.  Our  reduction  only  works  on  certain  types  of  RSA  challenges,  as  in  [34] .  In  particular,  this 
reduction  only  attempts  to  solve  RSA  challenges  ( N,e*,y )  where  e*  is  an  odd  prime.  Fortunately, 
good  challenges  will  occur  with  non-negligible  probability.  We  know  that  e*  is  less  than  and 
relatively  prime  to  f>(N)  <  N,  which  implies  it  cannot  be  2.  We  also  know,  by  Theorem  3.4,  that 
the  number  of  primes  that  are  less  than  N  is  at  least  Thus,  a  loose  bound  on  the  probability 
of  e*  being  a  prime  is  >  (^)/N  =  ^ 

Now,  we  describe  the  reduction.  Our  proof  first  applies  Lemma  A. 4,  which  allows  us  to  only 
consider  adversaries  A  that  ask  queries  to  Sign  oracle  in  the  NHU  game.  Moreover,  suppose 
adversary  A  queries  the  random  oracle  Hp  on  at  most  s  unique  inputs.  Without  loss  of  generality, 
we  will  assume  that  all  queries  to  this  deterministic  oracle  are  unique  and  that  whenever  Sign  is 
called  on  message  M ,  then  Hp  is  automatically  called  with  all  unique  substrings  of  M.  Suppose  an 
adversary  A  can  produce  a  forgery  with  probability  e  in  the  NHU  game;  then  we  can  construct 
an  adversary  B  that  breaks  the  RSA  assumption  (with  odd  prime  e*)  with  probability  e/s  minus  a 
negligible  amount  as  follows. 

On  input  an  RSA  challenge  (N,e*,y),  B  proceeds  as  follows: 

Setup  B  chooses  2A-bit  distinct  prime  numbers  ei,  e2, . . . ,  es_i  at  random,  where  all  e*  /  e*. 
Denote  this  set  of  primes  as  E.  Next,  B  makes  a  random  guess  of  i*  G  [l,s]  and  saves  this  value 
for  later.  Then  it  sets 

a  ■=  yn«i£Bei. 

Finally,  B  give  the  public  key  PK  =  (N,  a)  to  A  and  will  answer  its  queries  to  random  oracle 
Hp  interactively  as  described  below. 

Queries  Proceeding  adaptively,  B  answers  the  oracle  and  sign  queries  made  by  A  as  follows: 

1.  Hp(x )  :  When  A  queries  the  random  oracle  for  the  jth  time,  B  responds  with  e*  if  j  =  i* ,  with 
Cj  if  j  <  i*  and  ej-i  otherwise.  Recall  that  we  stipulated  that  each  call  to  Hp  was  unique. 
Denote  x*  as  the  input  where  Hp[x*)  =  e*. 
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2.  Sign(M):  Let  U  =  P°(M).  If  x*  £  U,  then  B  aborts  the  simulation.  Otherwise,  B  calls 
Hp  on  all  elements  of  U  not  previously  queried  to  Hp.  Let  primes(tf)  denote  the  set  of 
primes  derived  by  calling  Hp  on  the  strings  of  U.  Then,  it  computes  the  signature  as  a  := 
yneis(B-primes(c/)) e*  mod  N  and  returns  (Af,  a). 

Response  Eventually,  A  outputs  a  valid  message-signature  pair  (Af,  a),  where  Af  is  not  a  deriva¬ 
tive  of  an  element  returned  by  Sign.  If  Af  was  not  queried  to  Hp  or  if  Af  ^  x* ,  then  B  aborts  the 
simulation.  Otherwise,  let  U  =  P°(x*)  —  {x*|  and  primes(C7)  denote  the  set  of  primes  derived  by 
calling  Hp  on  the  strings  of  U.  It  holds  that  a1//^eiSprimes(C7)  e‘  =  _  ae*  mod  N. 

Since  y,a  £  Z n  and  gcd(e*,  FL  !e£-Primes(t/)  e*)  =  1  (recall,  they  are  all  distinct  primes),  then 
B  can  apply  the  efficient  algorithm  from  Lemma  3.3  to  obtain  a  value  z  £  Z^r  such  that  ze*  =  y 
mod  N.  B  outputs  z  as  the  solution  to  the  RSA  challenge. 

Analysis  We  now  argue  that  any  successful  adversary  A  against  our  scheme  will  have  success 
in  the  game  presented  by  B.  To  do  this,  we  first  define  a  sequence  of  games,  where  the  first 
game  models  the  real  security  game  and  the  final  game  is  exactly  the  view  of  the  adversary  when 
interacting  with  B.  We  then  show  via  a  series  of  claims  that  if  A  is  successful  against  Game  j,  then 
it  will  also  be  successful  against  Game  j  +  1. 

Game  1:  The  same  as  Game  NHU,  with  the  exception  that  at  the  beginning  of  the  game  B 
guesses  an  index  1  <  i*  <  s  and  e*  is  the  response  of  the  z*tli  query  to  Hp. 

Game  2:  The  same  as  Game  1,  with  the  exception  that  A  fails  if  any  output  of  Hp  is  repeated. 

Game  3:  The  same  as  Game  2,  with  the  exception  that  A  fails  if  it  outputs  a  valid  forgery  (Af,  a) 
where  Af  was  not  queried  to  Hp. 

Game  4:  The  same  as  Game  3,  with  the  exception  that  A  fails  if  it  outputs  a  valid  forgery  (Af,  a) 
where  Af  A  x*  ■ 

Notice  that  Game  4  is  exactly  the  view  of  the  adversary  when  interacting  with  B.  We  complete 
this  argument  by  linking  the  probability  of  A’s  success  in  these  games  via  a  series  of  claims.  The 
only  non-negligible  probability  gap  comes  between  Games  3  and  4,  where  there  is  a  factor  1/s  loss. 
Define  Adv_4[Ganre  x\  as  the  advantage  of  adversary  A  in  Game  x. 

Claim  3.8  If  Hp  is  a  truly  random  function,  then 

Adv_4 [Game  1]  =  Adv_4 [Game  NHU]. 

Proof.  The  value  e*  was  chosen  independently  at  random  by  the  RSA  challenger,  just  as  Hp  would 
have  done.  □ 


Claim  3.9  If  Hp  is  a  truly  random  function,  then 

2S^\ 

Adv_4  [Game  2]  =  Adv_4[Ganre  1]  — 

Proof.  Consider  the  probability  of  a  repeat  occurring  when  s  2A-bit  primes  are  chosen  at  random. 
By  Theorem  3.4,  we  know  that  there  are  at  least  22A/ (2A)  2A-bit  primes.  Thus,  a  repeat  will  occur 
with  probability  <  s/( 22^/2A)  =  2s2A/22A,  which  is  negligible  since  s  must  be  polynomial  in  A. 

□ 
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Claim  3.10  If  Hp  is  a  truly  random  function,  then 


Adv_4  [Game  3]  =  Adv_4  [Game  2]  — 

Proof.  If  M  was  never  queried  to  Hp,  then  a  can  only  be  a  valid  forgery  if  A  guessed  the  2A-bit 
prime  that  Hp  would  respond  with  on  input  M.  By  Theorem  3.4,  there  are  at  least  22A/2A  such 
primes  and  thus  the  probability  of  A’s  correct  guess  is  at  most  2A/22A,  which  is  negligible.  □ 

Claim  3.11 

.  ,  r„  .,  AdvHGame  3] 

Adv_4  [Game  4]  =  - — - 1. 

Proof.  At  this  point  in  our  series  of  games,  we  conclude  that  A  forges  on  one  of  the  s  queries  to  Hp 
and  that  1  <  i*  <  s  was  chosen  at  random.  Thus,  the  probability  that  A  forges  on  the  i*th  query 
is  1/s.  □ 

This  completes  our  proof.  □ 

3.3  On  the  Limitations  of  Using  a  Generic  NIZK  Proof  of  Knowledge  Approach 

Another  general  approach  that  one  might  be  tempted  to  try  is  to  use  an  NIZK  [9]  proof  of  knowledge 
system  to  generate  a  signature  on  m!  by  proving  that  one  knows  a  signature  on  some  m  such  that 
P(m,  m!)  holds.  Unfortunately,  this  approach  has  the  standard  drawback  of  generality  in  that  it 
requires  circuit-based  (non  black-box)  reductions.  In  particular,  the  statements  to  prove  in  non¬ 
interactive  zero-knowledge  require  transforming  the  circuits  of  the  signature  scheme  and  the  quoting 
predicate  into  an  instance  of  Hamiltonian  circuit  or  3-SAT.  Even  if  one  were  to  tailor  an  NIZK  proof 
of  knowledge  for  these  specific  statements  and  therefore  avoid  costly  reductions,  another  problem 
emerges  with  re-quoting.  When  a  quote  is  re-quoted,  then  the  same  process  happens  for  both  the 
original  signature  scheme  circuit,  the  predicate,  and  the  proof  system.  Aside  from  the  inefficiency, 
using  standard  NIZKPoK  systems  would  leak  information  about  the  size  of  the  original  message 
and  quotes,  and  therefore  would  not  satisfy  our  context  hiding  property7. 

4  A  Powers-of-2  Construction  for  Quoting  Substrings 

We  begin  by  describing  our  algebraic  setting. 

4.1  Bilinear  Groups  and  the  CDH  Assumption 

Bilinear  Groups  and  the  CDH  Assumption.  Let  G  and  G t  be  groups  of  prime  order  p.  A 
bilinear  map  is  an  efficient  mapping  e:GxG->  G  t  which  is  both:  ( bilinear )  for  all  g  E  G  and 
a,  b  4-  Zp,  e(ga,gb )  =  e(g,g)ab-,  and  (non- degenerate)  if  g  generates  G,  then  e(g,g)  A  L  We  will 
focus  on  the  Computational  Diffie-Hellman  assumption  in  these  groups. 

Assumption  4.1  (CDH  [26])  Let  g  generate  a  group  G  of  prime  order  p  £  0(2A).  For  all  PPT 
adversaries  A,  the  following  probability  is  negligible  in  A:  Pr[a,  6,  <—  Zp;  z  X—  A(g,  ga,  gb )  :  z  =  gab\. 

7Using  non-interactive  CS-proofs  [40]  in  the  random  oracle  model  may  reduce  the  size  of  the  proof,  but  we  do  not 
know  how  to  avoid  leaking  the  size  of  the  theorem  statement  which  also  violates  the  context  hiding  property. 
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4.2  The  Quoting  Construction 

We  now  provide  our  main  construction  for  quoting  substrings  in  a  text  document.  It  achieves  the 
best  time/space  efficiency  trade-off  to  our  knowledge  for  this  problem.  We  will  have  two  different 
types  of  signatures  called  Type  I  and  Type  II,  where  a  Type  I  signature  can  be  quoted  down  to 
another  Type  I  or  Type  II  signature.  A  Type  II  signature  cannot  be  quoted  any  further,  but  will 
be  a  shorter  signature.  The  quoting  algorithm  will  allow  us  to  quote  anything  that  is  a  substring 
of  the  original  message.  We  point  out  that  the  Type  I,  II  signatures  of  this  system  conform  to 
the  general  framework  given  in  Section  2.  In  particular,  we  can  view  a  message  M  as  a  pair 
(t,  m)  6  {0, 1},  {0, 1}*.  The  bit  t  will  identify  the  message  as  being  Type  I  or  Type  II  (assume  t  =  1 
signifies  Type  I  signatures)  and  m  will  be  the  quoted  substring.  The  predicate 


P(M  =  (: t,m),M '  =  (t'  ,m!)) 


1  if  t  =  1  and  m!  is  a  substring  of  m; 
0  otherwise. 


The  bit  t'  will  indicate  whether  the  new  message  is  Type  I  or  II  (i.e.,  whether  the  system  can 
quote  further.)  We  note  that  this  description  allows  an  attacker  to  distinguish  between  any  Type 
I  signature  from  any  Type  II  signature  since  the  “type  bit”  of  the  messages  will  be  different  and 
thus  they  will  technically  be  two  different  messages  even  if  the  substring  components  are  equal. 
For  this  reason  we  will  only  need  to  prove  context  hiding  between  messages  of  Type  I  or  Type  II, 
but  not  across  types.  In  general,  flipping  the  bit  t  will  not  result  in  a  valid  signature  of  a  different 
type  on  the  same  core  message,  because  the  format  will  be  wrong;  however,  moving  from  a  Type  I 
to  a  Type  II  on  the  same  core  message  is  not  considered  a  forgery  since  Type  II  signatures  can  be 
legally  derived  from  Type  I. 

For  presentational  clarity,  we  will  split  the  description  of  our  quoting  algorithm  into  two  quoting 
algorithms  for  quoting  to  Type  I  and  to  Type  II  signatures;  likewise  we  will  split  the  description  of 
our  verification  algorithm  into  two  separate  verification  algorithms,  one  for  each  type  of  signature. 
The  type  of  signature  used  or  created  (i.e.,  bit  t)  will  be  implicit  in  the  description. 

Notation:  We  use  notation  niij  to  denote  the  substring  of  m  of  length  j  starting  at  position  i. 

Intuition:  We  begin  by  giving  some  intuition.  We  design  Type  I  signatures  that  allow  re-quoting 
and  Type  II  signatures  that  cannot  be  further  quoted,  but  are  ultra-short.  For  an  original  message  of 
length  n,  our  signature  structure  should  be  able  to  accommodate  starting  at  any  position  1  <  i  <  n 
and  quoting  any  length  l<£<(n  —  i+1)  substring.8 

To  (roughly)  see  how  this  works  for  a  message  of  length  n,  visualize  (n  +  1)  columns  with 
(|_lgnj  +2)  rows  as  in  Figure  1.  The  columns  correspond  to  the  characters  of  the  message,  so  if  the 
14-character  message  is  “abcdefghijklmn”  then  there  are  15  columns,  with  a  character  in  between 
each  column.  The  rows  correspond  to  the  numbers  lg  n  down  to  0,  plus  an  extra  row  at  the  bottom.9 
Each  location  in  the  matrix  (except  along  the  bottom-most  row)  contains  one  or  more  out-going 
arrows.  We’ll  establish  rules  for  when  these  arrows  exist  and  where  each  arrow  ends  shortly. 

A  Type  II  quote  will  trace  a  (lgn+1  (-length  path  on  these  arrows  through  this  matrix  starting 
in  a  row  (with  outgoing  arrows)  of  the  column  that  begins  the  quote  and  ending  in  the  lowest  row 
of  the  first  column  after  the  quote  ends.  The  starting  row  corresponds  to  the  largest  power  of 
two  less  than  or  equal  to  the  length  of  the  desired  quote.  E.g.,  to  quote  “bcdef”,  start  in  row  2 
immediately  to  the  left  of  ‘b’  (because  22  =  4  is  the  largest  power  of  two  less  than  5)  and  end  in 

technically,  our  predicate  P{m,  m!)  will  take  the  quote  from  the  first  occurrence  of  substring  m!  in  m,  but  for 
the  moment  imagine  that  we  allowed  quoting  from  anywhere  in  m. 

the  lowest  row  is  intentionally  not  assigned  a  number.  The  second  lowest  row  is  row  0.  We  do  this  so  that  row 
i  can  correspond  to  a  jump  of  length  21 . 
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>  zero  arrow 


a  path  which  represents 
the  substring  “defgh” 


-t+i- 


Figure  1:  The  top  diagram  represents  a  signature  on  “abcdefghijklmn”  with  length  N  =  14.  Each 
arrow  corresponds  to  some  group  elements  in  the  construction.  Logically,  whenever  the  elements 
corresponding  to  an  arrow  are  included  in  a  quoted  signature,  the  characters  underneath  this  arrow 
are  included  in  the  quoted  message.  The  bold  path  through  the  top  diagram  shows  how  to  construct 
a  Type  II  signature  on  “defgh”;  it  is  very  short,  but  cannot  be  re-quoted.  The  gray  box  in  this 
figure  shows  how  to  construct  a  Type  I  signature  on  “cdefghi”  of  length  t  =  7;  it  includes  all  the 
arrows  in  the  lower  figure  and  can  be  re-quoted.  A  technical  challenge  is  to  enforce  that  following 
the  arrows  is  the  only  way  to  form  a  valid  signature.  Details  are  below. 


row  0  immediately  to  the  right  of  T.  Intuitively,  taking  an  arrow  over  a  character  includes  it  in 
the  quote.  A  Type  II  quote  on  “defgh”  is  illustrated  in  Figure  1. 

A  technical  challenge  is  to  make  this  a  0(lgn)-length  path  rather  than  a  0(n)-length  path.  To 
do  this,  the  key  insight  is  to  view  the  length  of  any  possible  quote  as  the  sum  of  powers  of  two 
and  to  allow  arrows  that  correspond  to  covering  the  quote  in  pieces  of  size  corresponding  to  one 
operand  of  the  sum  at  a  time.  Each  location  (ic,  ir)  in  the  matrix  (except  the  bottom-most  row) 
contains: 

•  a  “start"  arrow:  an  arrow  that  goes  down  one  row  and  over  2lr  columns  ending  in  (ic  +  2lr ,  ir  — 
1),  if  this  end  point  is  in  the  matrix.  This  adds  all  characters  from  position  ic  to  ic  +  2lr  —  1 
to  the  quoted  substring;  effectively  adding  the  largest  power-of-two-length  prefix  of  the  quote 
characters.  This  arrow  indicates  that  the  quote  starts  here.  These  are  represented  as  Stj,  Sij 
pairs  in  our  construction. 

•  a  “one”  arrow:  operate  similarly  to  start  arrows  and  used  to  include  characters  after  a  start 
arrow  includes  the  quote  prefix.  These  are  represented  as  Aj  j ,  Ajj  pairs  in  our  construction. 
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•  a  “zero”  arrow :  an  arrow  that  goes  straight  down  one  row  ending  in  (ic,ir  ~  1)-  This  does 
not  add  any  characters  to  the  quoted  substring.  These  are  represented  as  Dij,  Dtg  pairs  in 
our  construction. 

A  Type  II  quote  always  starts  with  a  start  arrow  and  then  contains  one  and  zero  arrows 
according  to  the  binary  representation  of  the  length  of  the  quote.  In  our  example  of  original 
message  “abcdefghijklmn” ,  we  have  15  columns  and  5  rows.  We  will  logically  divide  our  desired 
substring  of  “bcdef ’  (length  5  =  22  +  2°  =  4  +  l)  into  its  powers-of-two  components  “bcde” (length 
4  =  22)  and  “f”  (length  1  =  2°).  To  form  the  Type  II  quote,  we  start  in  row  2  (since  4  =  22)  of 
column  2  (to  the  left  of  ’b’)  and  take  the  start  arrow  (£2,2)  to  row  1  °f  column  7,  take  the  zero 
arrow  (Dj, i)  to  row  0  of  column  7,  and  then  take  the  one  arrow  (A7  o)  to  the  lowest  row  of  column 
8.  The  arrows  “pass  over”  the  characters  “bcdef”.  Figure  1  illustrates  this  for  quote  “defgh”. 

For  a  quote  of  length  £,  the  elements  on  this  0(lg  7)-length  path  of  arrows  form  a  very  short  Type 
II  signature.  For  Type  I  signatures,  we  include  all  the  elements  corresponding  to  all  arrows  that 
make  connections  within  the  columns  corresponding  to  the  quote.  We  illustrate  this  in  Figure  1. 
This  allows  quoting  of  quotes  with  a  signature  size  of  0(£lg£). 

It  is  essential  for  security  that  the  signature  structure  and  data  algorithm  enforce  that  the 
quoting  algorithm  be  used  and  not  allow  an  attacker  to  “splice”  together  a  quote  from  different 
parts  of  the  signature.  We  realize  this  by  adding  in  random  “chaining”  variables.  In  order  to 
cancel  these  out  and  get  a  well  formed  Type  II  quote  a  user  must  intuitively  follow  the  prescribed 
procedure  (i.e.,  following  the  arrows  is  the  only  way  to  form  a  valid  quote.) 

The  Construction:  We  now  describe  our  algorithms.  While  Sign  is  simply  a  special  case  of  the 
SignDerive  algorithm,  we  will  explicitly  provide  both  algorithms  here  for  clarity  purposes. 

KeyGen(lA)  :  The  algorithm  selects  a  bilinear  group  G  of  prime  order  p  >  2X  with  generator  g. 
Let  L  be  the  maximum  message  length  supported  and  denote  n  =  |_lg(L)J .  Let  H  :  {0, 1}*  — > 
G  and  Hs  :  {0, 1}*  — >  G  be  the  description  of  two  hash  functions  that  we  model  as  random 
oracles.  Choose  random  zq,  . . . ,  zn-\,a  £  Zp.  The  secret  key  is  (zq,  • . . ,  zn_i,  a)  and  the 
public  key  is: 

PK  =  ( H ,  Hs,  g,gzo,...,  gz"~' ,  e(g,  g)a). 

Sign(sfc,  M  =  (t,  m)  £  {0, 1}  x  Ef-L)  :  If  t  =  1,  signatures  produced  by  this  algorithm  are  Type  I 
as  described  below.  If  t  =  0,  the  Type  II  signature  can  be  obtained  by  running  this  algorithm 
and  then  running  the  Quote-Type  II  algorithm  below  to  obtain  a  quote  on  the  entire  message. 
The  message  space  is  treated  as  £  <  L  symbols  from  alphabet  E. 

Recall:  we  use  notation  rri^j  to  denote  the  substring  of  m  of  length  j  starting  at  position  i. 

For  i  =  3  to  £  +  1  and  j  =  0  to  [lg(7  —  1)  —  lj ,  choose  random  values  xtg  £  Zp.  These  will 
serve  as  our  random  “chaining”  variables,  and  they  should  all  “cancel”  each  other  out  in  our 
short  Type  II  signatures.  By  definition,  set  Xi- 1  :=  0  for  all  i  =  1  to  £  +  1. 

A  signature  is  comprised  of  the  following  values  for  i  =  1  to  £  and  j  =  0  to  \\g{£  —  i  +  1)J ,  for 
randomly  chosen  values  rtj  £  Zp: 

[start  arrow:  start  and  include  power  j] 

Sij  =  g"g  GL(m, .2, 1'-  ,  S~j  = 
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Together  with  the  following  values  for  i  =  3  to  l  and  j  =  0  to  min(Llg(i  —  1)  —  lj ,  |_lg(-£ — « +  1)J ) , 
for  randomly  chosen  values  r[  ■  G  Zp: 


[one  arrow:  include  power  j  and  decrease  j] 

A,j  =  ,  Aid  =  gr ^ 


Together  with  the  following  values  for  i  =  3  to  1+  1  and  j  =  0  to  Llg(i  —  1)  —  lj ,  for  randomly 
chosen  values  r'P  G  Zp: 


[zero  arrow:  decrease  j] 
Did  =  gn-g 


Dij  = 


We  provide  an  example  of  how  to  form  Type  II  signatures  from  this  construction  shortly.  To 
see  why  our  and  values  start  at  i  =  3,  note  that  Type  II  quotes  at  position  i  of 
length  2°  =  1  symbol  include  only  the  Sho  value,  where  the  x.g-\  term  is  0  by  definition. 
Type  II  quotes  at  position  i  of  length  21  =  2  symbols  include  the  Slti  value  plus  an  additional 
Th+2,o  term  to  cancel  out  the  Xi+2,0  value  (leaving  only  Xj+2,-1  =  0.)  Quotes  at  position  i  of 
length  21  +  1  =  3  symbols  include  the  5'j.i  value  plus  an  additional  A*+ 2,0  term  to  cancel  out 
the  Xi+ 2,0  value  (leaving  only  Xi+3-1  =  0.)  Since  we  index  strings  from  position  1,  the  first 
position  to  include  an  At  j  or  Ditj  value  is  i  +  2  =  3. 

SignDerive(pfc,  a,  M  =  ( t,m),M '  =  ( t',m '))  :  If  P(M,M')  =  0,  output  _L.  Otherwise,  if  t!  =  1, 
output  Quote-Type  l(PK,a,7n,7n');  if  t'  =  0,  output  Quote-Type  11(PK,  cr,  m,  tu'),  where 
these  algorithms  are  defined  below. 

Quote- Type  I (pk,  a,  m,  rri’)  :  The  quote  algorithm  takes  a  Type  I  signature  and  produces  another 
Type  I  signature  that  maintains  the  ability  to  be  quoted  again.  Intuitively,  this  operation 
will  simply  find  a  substring  m'  in  m,  keep  only  the  components  associated  with  this  substring 
and  re-randomize  them  all  (both  the  Xij  and  terms  in  every  component.) 

If  w!  is  not  a  substring  of  to,  then  output  _L.  Otherwise,  let  i'  =  |  m/ 1 .  Determine  the  first  index 
k  at  which  substring  to'  occurs  in  7n.  Parse  a  as  a  collection  of  Sh] ,  5)^ ,  Atj ,  AtJ ,  D,  j ,  Di  j 
values,  exactly  as  would  come  from  Sign  with  i  =  |m|. 

First,  we  choose  re-randomization  values  (to  re-randomize  the  xtj  terms  of  a.)  For  i  =  2  to 
P  +  1  and  j  =  0  to  |_lg(z  —  1)  —  lj ,  choose  random  values  yij  G  Z p.  Set  yi~i  :=  0  for  all  i  =  1 
to  P  +  1.  Later,  we  will  choose  values  to  re-randomize  the  Tij  terms  of  a. 

The  quote  signature  a'  is  comprised  of  the  following  values: 

For  i  =  1  to  P  and  j  =  0  to  [lg (P  —  i  +  1)J ,  for  randomly  chosen  tt,j  G  Zp: 

-S ij  =  Si+k_ ij  •  g~Vi+2j’j-1Hs(mi+k_12j)ti’p  SP  =  Si+k_ ij  •  gPi 


Together  with  the  following  values  for  i  =  3  to  P  and  j  =  0  to  min  ( [lg(z — 1)  —  lj ,  \\g(P — i+l)J ), 
for  randomly  chosen  t\  j  G  Zp: 


=  Ai+k-i,j  ■  9Vi'j9  Vi+2i 'j-xH {mi+k_12j  p’i , 


A'i,j  -  Ai+k- 1,. 


t'  ■ 

9 
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Together  with  the  following  values  for  i  =  3  to  £'  + 1  and  j 
chosen  t” 3  £  Zp: 


d'.j  oi+k  ViJ  xgZjtix 


D' 


h3 


0  to  [lg(*  —  1 )  —  lj ,  for  randomly 


Di+k—l,j  '  9  *’■* 


Quote- Type  II (pk,  a,  m,  ml)  :  The  quote  algorithm  takes  a  Type  I  signature  and  produces  a 
Type  II  signature.  If  P(m,m')  ^  1,  then  output  _L. 

A  quote  is  computed  from  one  start  value  and  logarithmically  many  subsequent  pieces  depend¬ 
ing  on  the  bits  of  \m!\.  All  signature  pieces  must  be  re-randomized  to  prevent  content-hiding 
attacks. 

Consider  the  length  £1  written  as  a  binary  string.  Let  fi’  be  the  largest  index  of  £'  =  \m'\ 
that  is  set  to  1,  where  we  start  counting  with  zero  as  the  least  significant  bit.  That  is,  set 
fi'  =  [lgCOJ-  Select  random  values  v,  ug/_i, . . . ,  vq  G  Zp.  Set  the  start  position  as  B  :=  Skfi/ 
and 

k!  :=  k  +  2 P  .  Then,  from  j  =  j3'  —  1  down  to  0,  proceed  as  follows: 

•  If  the  jth  bit  of  £'  is  1,  set  B  :=  B ■  Ak,  j  ■  H (mk, }2i)Vj ,  set  k'  :=  k'+ 2J  ,  and  Zj  :=  Atf  j  ■  gVj 

•  If  the  jth  bit  of  l'  is  0,  set  B  :=  B  ■  B>k' ,j  ■  gZjVj  and  Zj  :=  D^  j  ■  gV] . 

To  end,  re-randomize  as  B  :=  B  ■  Hs(mk  2p)v  and  S  :=  S^p  ■  gv ;  output  the  quote  as 

o'  =  (B,S,Zp_u...,Z0) 


Verify (pk,M  =  ( t,m),a )  :  If  t  =  1,  output  Verify-Type  I (pk,m,a).  Otherwise,  output  Verify- 
Type  II (pk,m,a),  where  these  algorithms  are  defined  immediately  below. 

Verify— Type  I  (pk,  m,  a)  :  Parse  a  as  the  set  of  Stj,  Sij ,  Ajj,  Dtj.  Dij.  Let  l  =  \m\. 

Let  Xij  denote  e(g,g)Xi’j.  We  can  compute  these  values  as  follows.  The  value  =  1, 

since  for  all  i  =  1  to  £  +  1,  Xi- \  =  0.  For  i  =  3  to  £  +  1  and  j  =  0  to  [lg(z  —  1)  —  lj , 
we  compute  Xj  j  in  the  following  manner:  Let  I  =  i  —  2^+l  and  J  =  j  +  1.  Next,  compute 
Xi,j  =  (e(g,g)a  ■  pj),  /  e(Si,J,  9)-  The  verification  accepts  if  and  only  if  all  of 

the  following  hold: 

•  for  i  =  3  to  £  and  j  =  0  to  min(|_lg(i  —  1)  —  lj ,  ~  i  +  1)J), 

e(A ij,g)  =  Xij/Xi+2jJ_  1  ■  e(H (mij2j) ,  Aid) 

•  and  for  i  =  3  to  £  +  1  and  j  =  0  to  |_lg(*  —  1)  —  lj,  e(Dij,g)  =  Xij/Xij- 1  •  e(gZj ,  Dij). 

Verify-Type  II (pk,  m,  a)  :  We  give  the  verification  algorithm  for  Type  II  signatures.  Parse  a  as 
( B ,  S ,  Z/3_i, . . . ,  Zq).  Let  £  =  \m\  and  /3  be  the  index  of  the  highest  bit  of  l  that  is  set  to  1. 

If  a  does  not  include  exactly  /3  Z \  values,  reject.  Set  C  :=  1  and  k  =  1.  From  j  =  fi  —  1  down 

to  0,  proceed  as  follows: 

•  If  the  jth  bit  of  £  is  1,  set  C  :=  C  •  e{H{rnk  2j ),  Zj)  and  k  :=  k  +  2J  ; 

•  If  the  jth  bit  of  £  is  0,  set  C  :=  C  ■  e{gZj ,  Zj). 

Accept  if  and  only  if  e(B,  g)  =  e(g,  g)a  ■  e(Hs(m1  2p),S)  •  C. 

Theorem  4.2  (Security  under  CDH)  If  the  CD H  assumption  holds  inG,  then  the  above  quotable 
signature  scheme  is  selectively  quote  unforgeable  and  context-hiding  in  the  random  oracle  model. 
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Efficiency  Discussion  This  construction  presents  the  best  known  balance  between  time  and 
space  complexity.  The  quotable  (Type  I)  signatures  require  0(£lg£)  elements  in  G  for  a  message 
of  length  £.  The  group  elements  in  both  types  of  signatures  are  elements  of  G,  and  not  the  target 
group  G t-  Typically,  elements  of  the  base  group  are  significantly  smaller  than  elements  of  the 
target  group.  Computing  quotes  requires  0(£  \gl)  modular  exponentations  for  a  quote  of  length  £ 
for  re-randomization.  Similarly,  verification  also  requires  0(£\g£)  pairings. 

The  non-quotable  (Type  II)  signatures  require  only  0(\g£)  elements  in  G.  Computing  quotes 
is  very  efficient  as  it  requires  only  0{\g£)  modular  exponentiations  for  a  quote  of  length  l  for 
re-randomization.  Similarly,  verification  requires  only  0(\g£)  pairings. 

On  Removing  the  Random  Oracle  and  Obtaining  Full  Security  The  quoting  construction 
above  is  provably  selectively  secure  in  the  random  oracle  model.  We  now  suggest  a  few  potential 
avenues  for  adapting  the  above  construction  to  full  security  in  the  standard  model.  First,  with 
an  eye  to  remove  the  random  oracle,  we  observe  that  our  signatures  share  many  properties  with 
the  private  keys  of  hierarchical  identity-based  encryption  (HIBE)  schemes.  To  remove  the  random 
oracle,  while  remaining  under  a  selective  definition,  one  might  use  the  Boneh-Boyen  techniques  [10] 
to  instantiate  H(m )  =  gmh ,  where  h  E  G  is  added  to  the  public  key  and  there  is  a  method  for 
mapping  the  message  space  to  Zp.  Similarly,  one  might  remove  the  random  oracle  by  instantiating 
H  with  the  Waters  hash  [56]  and  applying  his  proof  techniques.  This  can  be  viewed  as  a  full 
security  construction  with  a  reduction  to  the  concrete  security  parameter  by  roughly  a  factor  of 
(l/0(g))lg^,  where  q  is  the  number  of  signing  queries  and  £  is  the  length  of  the  quote.  A  direction 
for  achieving  full  security  could  be  the  recent  “Dual  System”  techniques  introduced  by  Waters  [57] . 
One  obstacle  in  adapting  the  Waters  system  is  that  it  contains  “tags”  in  the  private  key  structure, 
which  would  likely  make  our  re-randomization  step  difficult  for  our  context  hiding  property.  Lewko 
and  Waters  [38]  recently  removed  the  tags,  which  may  make  their  techniques  and  construction  more 
suitable  for  our  application.  One  drawback  in  using  their  HIBE  techniques  to  construct  signatures  is 
that  even  the  signatures  resulting  from  their  construction  require  (slightly  non-standard)  decisional 
complexity  assumptions.  Thus,  it  is  unknown  how  to  balance  time/space  efficiently  while  achieving 
full  security  in  the  standard  model  from  a  simple  computational  assumption  such  as  CDH. 

4.3  Security  Analysis 

We  now  provide  a  proof  of  Theorem  4.2  by  showing  the  following  lemmas. 

Lemma  4.3  (Strong  Context-Hiding)  The  Section  4  quotable  signature  scheme  is  strongly  context¬ 
hiding. 

Proof.  Given  any  two  challenge  messages  M  =  ( t,m),M '  =  ( t',m /)  such  that  P(M,M')  =  1,  we 
claim  that  whether  tf  =  1  or  0,  SignDeri ve(pk,cr,  M' ,  M)  has  an  identical  distribution  to  that  of 
Sign (sk,M),  which  implies  that  the  two  distributions  are  statistically  close. 

{{SK,  a  <-  Sign (SK,  M),  Sign(S7t,  M')}skmm, 

{( SK ,  a  <-  Sign  (SK,  M ),  SignDerive(T>/y  a ,  M,  M')}skmm, 

Let  £,£'  denote  |m|  and  \m'\  respectively.  Let  T  =  min(|_lg(*  — 1)  —  lj,  \\g(£  —  i  +  l)\).  Sign (SK,M) 
is  composed  of  the  following  values: 

Sij  =  gag-Xi+2i’i-1Hs(mi2j)ri’i,  Sij  =  gr ^  ,  for  i  =  1  to  t  and  j  =  0  to  |_lg(^  -  *  +  1)J 

Aij  =  gXi’j g~xi+2J j-1  H (mi  2j)ri’j ,  =  tf1'1  ,  for  i  =  3  to  £  and  j  =  0  to  T 

Dij  =  gXi’j g~Xi’j~1gZjr'i’j ,  Dij  =  gVio  ,  for  i  =  3  to  £  +  1  and  j  =  0  to  |_lg(i  —  1)  —  lj 
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for  randomly  chosen  nj,  rC,  r'h,  Xij  £  Zp. 

Case  where  f'  =  1  (Type  I  Signatures).  Let  C  =  min( [lg(i  —  1)  —  lj,  \  —  i  +  1)J).  When 

t'  =  1,  Sign(S'iL,  M1)  is  composed  of  the  following  values: 


■h",  //"//  S'B  </'■'  ,  for  i 

A'ij  =  gx,-J9  Xi+23’i-1H{m'i^2 j)Vi’j ,  A"j  =  gVi’j  ,  fori 

Dij  =  g  ^ g  ^~xg  J  D'B  =  g  ^  ,  for  i 

for  randomly  chosen  vtg ,  Q  j ,  v'B ,  x(  j  £  Zp. 


1  to  I'  and  j  =  0  to  [lg(^  —  i  +  1)J 
3  to  ('  and  j  =  0  to  r7 
3  to  l'  +  1  and  j  =  0  to  |_lg(*  —  1)  —  lj 


And  SignDerive(PA,  a,  M,  M ')  is  Quote-Type  I (PK,  a ,  m,  m'),  which  is  comprised  of  the  fol¬ 
lowing: 


S'ij  =  g"g  SB  =  ;/'•••'- 

A^j  =  gWi’i g~wi+v 2iYI,:i+ti’A  A'  ■  =  grrj+ti,i 


D'j  =  g^g  ■U,s^!.r<i),  D\  .  = 


.+t  . 
j  >j 


for  i 
for  i 
for  i 


1  to  I'  and  j  =  0  to  |_lg {£'  —  i  +  1)J 
3  to  £'  and  j  =  0  to  r7 
3  to  ('  +  1  and  j  =  0  to  [lg(i  —  1)  —  lj 


for  randomly  chosen  £  Zp,  where  m!  occurs  at  position  k  as  a  substring  of  m, 

I  =  i  +  k  —  1  and  Wij  =  xjg  +  ytg. 

Since  all  exponents  have  been  independently  re-randonrized,  one  can  see  by  inspection  that 
SignDerive(p/c,  a,  M' ,  M)  has  identical  distribution  as  that  of  Sign (sk,M'). 


Case  where  t!  =  0  (Type  II  Signatures).  Parse  m!  =  . . .  m'0  where  m7-  is  of  length  2J 

or  a  null  string  where  (3  =  [lg(OJ  •  ^  denotes  i-tli  bit  of  i  when  we  start  counting  with  zero  as 
the  least  significant  bit.  m!  occurs  at  position  k  of  m.  Sign (SK,  M')  =  ( P ,  S,  Zg_ i, . . . ,  Zq)  is  the 
following,  for  random  u,Ui  £  Zp: 


B  =  ga  ■  Hs{m'p)u  []  P(m7)^  []  (/W 

J</3,  t'=l  i'</3,  P,=0 

5  =  gu,  Zj  =  gUj 


Let  each  m7-  start  at  position  sy  in  m! .  SignDerive(PA,  <r,  M,  M')  =  Quote-Type  II (PA,  a,  m,  m7) 
is  (P7,  5',  . . . ,  Zq)  such  that 


P'  =  •  Ps(m^)r^+U  n 

3<P,  <■= 1 


n 


+v) 


j'<P>  L/=0 


5'  =  c^’^,  Z'  =  5 


,-Hu 


for  randomly  chosen  n,  Vj  £  Zp.  Since  all  exponents  have  been  independently  re-randomized, 
one  can  see  by  inspection  that  SignDerive(P/i,  a,  M,  M')  has  identical  distribution  as  that  of 
Sign (sk,  M'). 

Thus,  the  our  powers-of-2  construction  is  strongly  context-hiding.  □ 


Lemma  4.4  (Unforgeability)  If  the  CDH  assumption  holds  in  G,  then  the  Section  4  quotable 
signature  scheme  is  selectively  unforgeable  in  the  Unforg  game  in  the  random  oracle  model. 
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Proof.  We  first  apply  Lemma  A. 4,  which  allows  us  to  only  consider  adversaries  A  that  asks  queries 
to  Sign  oracle  in  the  simpler  NHU  game. 

Suppose  an  adversary  A  can  produce  a  forgery  with  probability  e  in  the  selective  NHU  un- 
forgeability  game;  then  we  can  construct  an  adversary  B  that  breaks  the  CDH  assumption  with 
probability  e  plus  a  negligible  amount. 

We  are  now  ready  to  describe  B  which  solves  the  CDH  problem.  On  input  the  CDH  challenge 
(ff,9a,g6),  B  begins  to  run  A  and  proceeds  as  follows: 

Selective  Disclosure  A  first  announces  the  message  M*  on  which  he  will  forge. 

Setup  Let  L  be  the  maximum  size  of  any  message  and  let  n  =  [lg(T)J.  Let  M*  =  ( t*,m *)  and 
i*  =  \m*\  and  let  (3  be  the  highest  bit  of  i*  set  to  1  (numbering  the  least  significant  bit  as  zero). 
Set  e(g,g)a  :=  e(ga,gb ),  which  implicitly  sets  the  secret  key  a  =  ab. 

For  i  =  0  to  n  —  1 ,  choose  a  random  6  Zp  and  set 

gbvi  jf  the  itli  bit  of  f*  is  1; 
gVi  otherwise. 

Finally,  B  give  the  public  key  PK  =  ( g ,  gzo , . . . ,  g 2n_1 ,  e(g,  g)a )  to  A  and  will  answer  its  queries 
to  random  oracles  H  and  Hs  interactively  as  described  below. 

Random  Oracle  Queries  Proceeding  adaptively,  A  may  make  any  of  the  following  queries  which 
B  will  answer  as  follows: 

1.  H(x ):  The  random  oracle  is  answered  as  follows.  If  the  query  has  been  made  before,  return 
the  same  response  as  before.  Otherwise,  imagine  dividing  up  m*  into  a  sequence  of  segments 
whose  lengths  are  decreasing  powers  of  two;  that  is,  the  first  segments  would  be  of  length  2^ 
where  (3  is  the  largest  power  of  two  less  than  £*,  the  second  segment  would  contain  the  next 
largest  power  of  two,  etc.  Let  mb  denote  the  segment  of  m*  corresponding  to  power  j.  If  no 
such  segment  exists,  let  mL  =_L.  Select  a  random  7  £  Zp  and  return  the  response  as: 

if  |x|  =  2°  and  j  <  (3  and  'mjN  =  x 
( x  is  on  the  selective  path); 
otherwise 

(x  is  not  on  the  selective  path). 

Note  that  H(m U)  is  set  according  to  the  first  method  for  all  segments  of  m*  except  the  first 
segment 

2.  Hs(x ):  The  random  oracle  is  answered  as  follows.  If  the  query  has  been  made  before,  return 
the  same  response  as  before.  Select  a  random  d  £  Zp  and  return  the  response  as: 

gs  if  | x |  =  2/3  and  tu*^  =  x\ 
gbS  otherwise. 

Note  that  Hs(m *^)  is  set  according  to  the  first  method  only  for  the  first  segment  of  rn* . 


H(x)  =  { 
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Signature  and  Quote  Queries 


Sign  (M):  Let  M  =  (t,m)  and  £  =  \m\.  Recall  that  (5*  is  highest  bit  of  £*  set  to  1  and  that  we 
are  counting  up  from  zero  as  the  least  significant  bit. 

We  describe  how  to  create  signatures. 

1.  When  t  =  1  and  m*  is  not  a  substring  of  m  (Type  I  Signature  Generation): 

Here  nriij  denotes  the  substring  m  of  length  j  starting  at  position  i.  It  will  help  us  to  first 
establish  the  variables  Xij,  which  will  be  set  to  1  if  on  the  selective  forgery  path  and  0 
otherwise.  We  give  a  set  of  “rules”  defining  terms  and  make  a  few  observations.  Then  we 
describe  how  the  reduction  algorithm  creates  the  signatures. 

Rules. 

For  i  =  1  up  to  £  +  1, 

For  j  =  Llg(f  —  i  +  1)J  down  to  —1, 

(a)  If  j  +  1  =  /3*  and  mi_2j+ y2j+i  =  then  set  Xt  j  =  1. 

(b)  Else,  if  j  +  1  <  /3*  and  (j  +  l)th  bit  of  £*  is  1  and  rrii_2j+i2j+i  =  m*j+i)  and 
Xi_2j+ i  j+i  =  1,  then  set  XhJ  =  1. 

(c)  Else  if  j  +  1  <  /3*  and  ( j  +  l)th  bit  of  £*  is  0  and  =  1,  then  set  Xtj  =  1. 

(d)  Else  set  Xij  =  0. 

Observations.  Before  we  show  how  B  will  simulate  the  signatures,  we  make  a  set  of  useful 
observations. 

(a)  For  all  i  and  j  >  /?*,  Xij  =  0. 

(b)  For  all  i,  W,-i  =  0.  Otherwise,  =  m*. 

(c)  For  all  i,j,  if  Xtj  =  1  and  ly_i  =  0,  then  the  jth  bit  of  £*  is  1.  If  the  jth  bit  were  0, 
then  Xij_ i  would  have  been  set  to  1  by  Rule  lc. 

(d)  For  all  i,j,  if  Xij  =  0  and  i  =  1,  then  the  jth  bit  of  £*  is  1.  If  the  jth  bit  were  0, 
then  the  only  way  to  set  i  to  1  would  be  by  Rule  lc,  however,  X,Lj  =  0  so  Rule  lc 
does  not  apply. 

(e)  For  all  i,j ,  if  Xij  =  1  and  Xi+2j  j_1  =  0,  then  H(mi  2j)  =  gbl  for  some  known  7  £  Zp. 
Otherwise,  Xi+2:ij-i  would  have  been  set  by  Rule  lb  to  be  1. 

(f)  For  all  i,  j,  if  Xtj  =  0  and  Xi+2jj_  1  =  1,  then  H{mi  2 j)  =  (/n  for  some  known  7  £  Zp.  If 
Xi+2j  j_  1  =  1  and  Xij  =  0,  then  Xi+2j  j_  1  was  set  to  be  1  either  by  Rule  la  or  Rule  lc. 
If  it  were  Rule  la,  then  j  =  f3*  and  it  follows  from  the  programming  of  the  random 
oracle  that  H(mi  2j)  =  ghl .  If  it  were  Rule  lc,  then  the  jth  bit  of  £*  is  0,  meaning  toqj 
cannot  be  on  the  selective  path  and  therefore  again  H{irii  2Jj  =  gb^  ■ 

(g)  For  all  i,  j,  if  Xi+2j  j_  1  =  0,  then  Hs(mi  2j)  =  gbS  for  some  known  5  £  Zp.  If  j  /  /3* ,  this 
follows  immediately  from  the  programming  of  the  random  oracle.  Otherwise,  if  j  =  /3*, 
then  the  only  way  for  Xi+2j  j_1  =  0  would  be  if  / 'm*^  by  Rule  la.  Thus,  it  also 
follows  that  Hs(m.i2j )  =  gbS . 

Signature  Components.  Next,  for  i  =  1  to  £  +  1  and  j  =  0  to  \\g{£  —  i  +  1)J,  choose  a 
random  x\j  £  Zp  and  logically  set  Xij  :=  x\j  +  Xij  ■  ( ab ).  For  i  =  1  to  £  +  1,  set  Xi-\  :=  0 
(as  consistent  with  Observation  lb.) 

A  signature  is  comprised  of  the  following  values: 

Start.  For  i  =  1  to  t  and  j  =  0  to  [lg(€  —  i  +  1)J : 
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(a)  If  Xi+2j  j- 1  =  0,  then  it  follows  by  Observation  lg  that  Hs{mi2j)  =  gb5  for  some  known 
6  £  Zp,  so  choose  random  stj  £  Zp,  implicitly  set  Tij  :=  —  a/S  +  Sij  and  set 


5, 


5, 


g  Xi+23,j-lgbSsi,j 
gag~Xi+V  ,j-l  Hs 

—a/6+Sij  _  gri,j 


(b)  Else  Xi+2j  j_i  =  1,  so  choose  random  nj  £  Zp  and  with  xi+2i,j-i  :=  ®^+2j  +  ab  set 

Sid  =  g  ^IUmi,2.nn- 
=  gag~Xi+2j’j-1Hs(mii2j)ri’j 
S~j  = 


Across.  Together  with  the  following  values  for  i  =  3  to  £  and  j  =  0  to  min(|_lg(?  —  1)  — 
1J,  \}g{l  —  i  +  1) J ) : 

(a)  If  Xij  =  1  and  Xi+2jj-i  =  1,  choose  random  r[3  £  Zp  with  implicitly  set  Xij  =  x[3+ab 
and  xi+2jj-i  =  x'i+2j  •_1  +  ab  and  set 

A,j  =  //''  //  Xi+2j’i-1H(mit23)r'i-:> 

=  !lx'  :g  II ( mi2j Yi'j 


(b)  Else,  if  Xij  =  1  and  Xi+23j~i  =  0,  then  H(mi2j)  =  gbl  for  some  known  7  £  Zp  by 
Observation  le.  Choose  random  s\3  £  Zp  with  implicitly  set  x^j  =  x'%  ■  +ab ,  xi+2jj-i  = 
x'i+2j  -_x  and  r'j  :=  —a/7  +  s'l3  and  set 

Aij  =  gAg-Xi+2i,3-ig^s'i,3 

=  gXi,j g  Xi+2J )2j)ri’j 
Aj  =  gr'^j 

(c)  Else,  if  Xij  =  0  and  Xi+2jj-i  =  lj  then  H(mi2j)  =  gbl  for  some  known  7  £  Zp  by 
Observation  If.  Choose  random  s\  3  £  Zp  with  implicitly  set  x^j  =  x  ■  ■ ,  x'J+2.)  .;_]  = 
x/+2,  3_}  +  ab  and  r[3  :=  a/ 7  +  s'j  and  set 


Xljj  =  gXi’ig~Xi+2i,i-igb^s'i,j 

=  gr>ig  X; '// (mi,23 Y 

Aij  =  grY 


(d)  Else,  Xij  =  0  and  Xi+2jj_i  =  0,  so  choose  random  r[  ■  £  Zp  and  set 

Aij  =  gx,jg  X;-  ’J-J  '  Aij  =  grY 


Down.  Together  with  the  following  values  for  i  =  3  to  £  +  1  and  j 


0  to  [lg(*  —  1)  —  1J : 
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(a)  If  Xij  =  1  and  Xij- 1  =  1,  choose  random  r'B  £  Zp  with  implicitly  set  xy  =  x\  rj  +  a& 
and  Xij-i  =  x[  +  a6  and  set 


Dj,j 

Di,j 


9  x’39 

r" 

9 


•j-  1 1 


=  Xi'i~3gziri 


(b)  Else,  if  Xij  =  1  and  =  0,  then  the  jth  bit  of  is  1  by  Observation  lc.  Thus 

Zj  =  bvj,  so  choose  random  s”  ■  £  Zp  with  implicitly  set  xtg  =  xO  +  ab ,  Xjj_ 1  =  x\  ■_l 
and  r'lj  :=  —a/vj  +  s'Z  and  set 


Di,j 

Di,j 


g<jg-xiJ-lgbvis"j 
g-a/vj+s’lj  =  gr>r 


—  gXi>i g  Xid-i 


n 

i,3 


(c)  Else,  if  Xjj  =  0  and  Wj-i  =  1,  then  the  jth  bit  of  l*  is  1  by  Observation  Id.  Thus 
Zj  =  bvj ,  so  choose  random  s'-  •  £  Zp  with  implicitly  set  xt,j  =  xO,  Xjj_ i  =  x'  •_1  +  a& 
and  r'(j  :=  a/foj  +  s'-j  and  set 


Di.j 


x'-  •  —  Xi  -7  —  1  bVnS'J 

1  *,.7/1  xi3  L  n  3  x,; 


g 

9 


a/v-j+s'-1  r" 

1  '  J  =  n 


9 

g1 


=  gXi,j  g 


n 


(d)  Else,  Xjj  =  0  and  .Xjj-i  =  0,  so  choose  random  r"  3  £  Zp  and  set 

Aj  =  sfvg-^g^,  l>;.j  = 


1.  When  t  =  0  and  m  ^  m*  (Type  II  Signature  Generation): 

Let  l  =  \m\,  and  (3  =  (lg(^)J-  denotes  i-tli  bit  of  i*  when  we  start  counting  with  zero  as 
the  least  significant  bit,  and  tL  denotes  z-th  bit  of  l. 

Parse  m*  as  m*g,m*g*_1  . . .  where  m*  is  a  string  of  length  2*  or  a  null  string,  m,  is  of  length 
2*  if  £i  =  0,  and  is  null  otherwise.  Similarly,  parse  m  as  mgmg- 1 . . .  mo- 
B  constructs  ( B ,  S,  Zg_ i, . . . ,  Zq)  in  the  following  way: 

•  If  mg  /  m*p,,  then  Hs(mg)  =  gbS  for  a  <5  which  is  known  to  B. 

(a)  B  sets  S  :=  g~a/s+r  for  a  randomly  chosen  r  and  B  :=  gbSr . 

(b)  For  j  =  [3  —  1  down  to  0,  Zj  :=  gri  for  a  randomly  chosen  rj,  and 

-  If  lj  =  1,  then  B  :=  B-  H(rrij)rB 

-  If  lj  =  0,  then  B  :=  B  ■  gz>ri . 

•  Otherwise,  if  (3  =  /3*  and  mg  =  there  exists  js  <  (3  such  that 

-  4  +  or 

-  lj.  =  f*]s  =  1  and  H{mjs)  / 

so  B  can  construct  a  signature  ( B ,  S ,  Zg_ i, . . . ,  Zq)  in  the  following  way. 

(a)  B  sets  S  :=  gTc  for  a  randomly  chosen  rc  and  B  :=  gSr°. 

(b)  For  j  =  (3  —  1  down  to  js  +  1  and  j  =  j s  —  1  to  0,  Zj  :=  gri  for  randomly  chosen  rj, 
and 

-  If  lj  =  1,  then  B  :=  B-  H{mj)r‘ . 

-  If  A,  =  0,  then  B  :=  B  ■  gz ^ . 

(c)  For  j  =  j.s, 
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—  If  £3  =  1,  whether  t*  =  0  or  not,  B  knows  7  such  that  H(rrij)  =  gbl .  B  sets 
Zj  =  g~aA+ri  for  a  randomly  chosen  77,  and  B  :=  B  ■  gb'yrB 
—  If  £j  =  0  and  £*  =  l,  then  B  knows  v  such  that  gZj  =  gbv .  B  sets  Zj  =  g~a/v+ri 
for  a  randomly  chosen  77,  and  B  :=  B  ■  gbvrj . 

B  returns  ( B ,  S.  Zg_  \ . . . . ,  Zq). 


Response  Eventually,  A  outputs  a  valid  signature  a*  on  M*  =  ( t*  ,m *).  Recall  that  £*  =  \m*\ 
and  /3  =  |_lg(^*)J .  Here  £*  denotes  i-tli  bit  of  £*  when  we  start  counting  with  zero  as  the  least 
significant  bit.  Parse  m*  as  . .  .m,Q  where  m*  is  a  string  of  length  2*  (when  £*  =  1)  or  a 

null  string  (when  £*  =0). 

Because  of  the  selective  disclosure  and  setup,  B  knows  the  following  exponents: 

-  7  such  that  Hs(rn*g)  =  g 7. 

-  Sj  such  that  H(m*  2, )  =  gb>  when  £*■  =  1  and  j  /  /3. 

-  Zj  when  £*  =  0. 

t*  is  either  1  or  0. 


•  lit*  =  1, 

Si  denotes  the  position  where  m*  starts.  B  can  compute  the  information  of  some  xtj  with 
the  following  components  of  a*. 

-  Shp  =  gag-x^^Hs(m*py°,  S^g  =  gr M 

B  knows  7  such  that  Hs(m*p )  =  g 7,  so  B  can  compute  gag~x^+^,P-i  =  Si^g/Si^g1 . 

—  For  j  =  f3  —  1  down  to  0, 

*  when  £j  =  1,  ASjj  =  gXsx3 g~Xsi-1'3~1  H(jn*)rsi'3 ,  ASjj  =  grsi'3 

B  knows  5  such  that  H(m*)  =  g5,  so  B  can  compute  gXai’3 g~Xsj-i •3~1  =  ASjj/ASjg  . 

*  when  £j  =  0,  DSjg  =  gXsj’j g~X3j-i’3~1  gZjrsj-3 ,  DSjj  =  g*i'3 

B  knows  Zj,  so  B  can  compute  g'Lsj’3 g  Xsj-i’3~1  =  DSjj/DSjj  3 . 
so  B  can  compute  gXsP3  g~Xsj- iJ_1. 

B  has  the  values  of  gXsi’3 g^Xsi~3’3~1  for  j  =  (3—  1  down  to  0  and  gag  xi+2P,p-i,  so  can  compute 

0-1 

gag~Xl  +  2P,P~l  gX°j,i  g-X°3-l,3*l  =  ga  g-Xs_lt- 1  =  ga 

j= 0 


•  lit*  =  0, 

B  parses  a*  as  ( B ,  S,  Zg_ i, . . . ,  Zq),  with 

S  =  gc ,  Zg_1=gc^,  ...,  Z0=gco 

for  some  c,  cg_ i, . . . ,  cq  G  Zp. 

B  =  ga  ■  Hs(m*g)c  H(m*)C3  (g ^f3’ 

j<0,  £*=1  j’<0,  t*,=  0 


because  the  signature  is  valid. 

—  B  knows  7  such  that  Hs(rn*g)  =  g1 .  B  sets  C  :=  S"7. 
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—  From  j  =  (3  —  1  down  to  0,  B  proceeds  as: 

*  If  lj  =  1,  B  knows  Sj  such  that  H(m *)  =  gSj .  B  sets  C  :=  C  ■  ZjJ  ; 

*  If  ij  =  0,  B  knows  Zj.  B  sets  C  :=  C  ■  Z*3 . 

Then 

C  =  Hs(m*p)c  H{m*r  If  GW" 

j</3,  e*= i  j'</3,  e*,=o 

so  B  can  compute  B/C  =  ga. 

Thus,  whether  t*  is  1  or  0 ,  B  can  solve  for  ga  =  gab  and  correctly  answer  to  the  CDH  challenge. 

Analysis  The  distribution  of  the  above  game  and  the  security  game  are  identical.  Thus,  whenever 
A  is  successful  in  a  forgery  against  our  scheme,  B  will  solve  the  CDH  challenge. 

□ 

5  A  Construction  for  Subset  Predicates  based  on  ABE 

The  Subset  Predicate.  We  now  point  out  a  surprising  connection  to  Attribute  Based  Encryp¬ 
tion  (ABE).  We  show  that  existing  constructions  for  Ciphertext-Policy  ABE  [8,  37,  58]  naturally 
lead  to  context  hiding  quotable  signatures  for  arbitrary  message  subsets  (as  opposed  to  the  sub¬ 
string  predicate  considered  in  the  previous  section).  In  particular,  let  U  be  a  set  of  strings  over 
an  arbitrary  alphabet.  These  strings  can  be  used  to  encode  elements  for  different  types  of  sets.  A 
message  will  be  a  set  of  strings  from  U .  A  general  way  to  define  the  subset  predicate  would  be 
P(M,  m ')  =  1  iff  m!  C  m,;  for  some  m;  G  M.  Recall  from  Section  2  that  M  is  a  set  of  messages, 
which  might  have  been  independently  authenticated.  Here,  we  want  to  disallow  “collusions”  be¬ 
tween  two  different  signatures  where  m'  is  a  subset  of  the  union  of  multiple  messages  in  M ,  but  not 
any  single  one.  (Otherwise,  this  would  be  trivially  realizable  from  standard  signatures  schemes.) 
In  other  words,  our  focus  here  is  extracting  a  subset  from  a  single  signed  set.  Thus,  we  will  restrict 
our  attention  in  this  section  to  the  simple  predicate  P(m,  rn! )  =  1  iff  m!  C  m. 

The  Construction  at  a  High-Level.  Our  main  tool  is  an  observation  of  Naor  that  shows  that 
secret  keys  in  Identity  Based  Encryption  [12]  can  function  as  signatures.  Recall  that  in  (ciphertext- 
policy)  attribute  based  encryption  an  authority  provides  secret  keys  to  a  user  based  on  the  user’s 
list  of  attributes.  The  main  challenge  in  building  such  systems  is  preventing  collusion  attacks: 
two  (or  more)  users  with  distinct  sets  of  attributes  should  be  unable  to  create  a  secret  key  for  a 
combination  of  their  attributes. 

If  we  treat  elements  in  a  message  rn  C  U  as  attributes,  that  is,  we  treat  a  message  m  = 
{ai, . . . ,  a(}  G  Ue  as  a  set  of  attributes  ai,...,a,£,  then  we  can  define  the  signature  on  m  as  a 
set  of  t  secret  keys  corresponding  to  the  £  attributes  in  the  message.  Verifying  the  signature  can 
be  done  by  trying  to  decrypt  some  test  ciphertext  using  the  secret  keys  in  the  signature.  Now, 
given  a  signature  on  m  we  derive  a  signature  on  a  subset  of  the  elements  in  m  by  simply  removing 
the  secret  keys  corresponding  to  elements  not  in  the  subset.  For  context  hiding,  we  need  to  re¬ 
randomize  the  resulting  set  of  secret  keys.  (Not  all  CP- ABE  schemes  may  support  the  removal  and 
re-randomization  of  secret  keys  in  this  manner,  but  the  schemes  of  [8,  37,  58]  do.) 

Since  ABE  security  prevents  collusion  attacks,  it  is  straight  forward  to  show  that  these  signatures 
are  unforgeable  in  the  sense  of  Definition  2.3.  Moreover,  due  to  the  re-randomization  of  secret  keys, 
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a  derived  signature  is  sampled  from  the  same  distribution  as  a  fresh  signature  and  is  independent 
from  the  given  signature.  This  implies  strong  context  hiding  in  sense  of  Definition  2.4. 

This  unexpected  connection  between  quoting  and  ABE  leads  to  the  following  theorem,  stated 
first  informally. 

Theorem  5.1  (informal)  The  Ciphertext-Policy  ABE  systems  in  [8,  37,  58]  translate  using  Naor’s 
transformation  into  a  signature  scheme  supporting  quoting  for  arbitrary  subsets  of  a  message.  (Se¬ 
lective)  security  of  the  CP-ABE  systems  imply  (selective)  unforgeability  and  context  hiding. 

In  other  words,  when  the  ABE  scheme  provides  adaptive  (resp,  selective)  security,  then  the 
resulting  signature  scheme  achieves  adaptive  (resp.,  selective)  unforgeability.  The  (third)  ABE 
scheme  of  Waters  [58]  provides  selective  security  from  the  Decisional  Bilinear  Diffie  Heilman  as¬ 
sumption.  Adaptive  security  is  proven  for  the  Bethencourt  et  al.  construction  [8],  but  only  in  the 
generic  group  model.  The  construction  of  Lewko  et  al.  [37]  proves  adaptive  security  under  certain 
static  assumptions  using  composite  order  groups. 

5.1  The  Subset  Construction  from  Existing  CP-ABE  Schemes 

We  now  formalize  the  intuition  and  claims  of  the  previous  section. 

5.1.1  Background:  Ciphertext-Policy  ABE 

Definition  1  (Access  Structure  [3])  Let  {Pi,  Pi,  ...,  Pn}  be  a  set  of  parties.  A  collection 
T  C  2{WP2,...,P4  is  monotone  if\/B,C  :  if  B  e  T  and  B  C  C  then  C  6  T.  An  access  structure 
(respectively,  monotone  access  structure)  is  a  collection  (resp.,  monotone  collection)  T  of  non-empty 
subsets  of  {Pi,  P^ , . . . ,  Pn},  Ae.,  T  C  The  sets  in  T  are  called  the  authorized  sets, 

and  the  sets  not  in  T  are  called  the  unauthorized  sets. 

In  the  context  of  CP-ABE,  the  role  of  the  parties  is  taken  by  the  attributes.  Thus,  the  access 
structure  T  will  contain  the  authorized  sets  of  attributes.  We  restrict  our  attention  to  monotone 
access  structures. 

Definition  5.2  (CP-ABE  Algorithm  Specification)  A  ciphertext-policy  attribute-based  encryp¬ 
tion  system  for  message  space  M.  and  access  structure  space  Q  is  a  tuple  of  the  following  algorithms: 

Setup(A,  U)  -»  (PK,MK).  The  setup  algorithm  takes  as  input  a  security  parameter  A  and  a  uni¬ 
verse  description  U ,  which  defines  the  set  of  allowed  attributes  in  the  system.  It  outputs  the 
public  parameters  PK  and  the  master  secret  key  MK. 

Encrypt(PK,  m,  T)  — >  CT.  The  encryption  algorithm  takes  as  input  the  public  parameters  PK,  a 
message  m  and  an  access  structure  T  and  outputs  a  ciphertext  CT  associated  with  the  access 
structure. 

KeyGen(MK,  S)  — >  sk.  The  key  generation  algorithm  takes  as  input  the  master  secret  key  MK 
and  a  set  of  attributes  S  and  outputs  a  private  key  sk  associated  with  the  attributes. 

Decrypt(sfc,  CT)  — »•  m.  The  decryption  algorithm  takes  as  input  a  secret  key  sk  associated  with 
attributes  S  and  a  ciphertext  CT  associated  with  access  structure  T  and  outputs  a  message  m 
if  S  satisfies  V  or  the  error  message  _L  otherwise. 

The  correctness  property  requires  that  for  all  sufficiently  large  A  £  N,  all  universe  descriptions 
U,  all  (PK,  MK)  g  Setup(A,  U),  all  S  CU,  all  sk  €  KeyGen(MK,  S),  all  me  M,  all  T  eQ  and 
all  CT  G  Encrypt  (PK,  m,  T),  if  S  satisfies  T,  then  Decrypt(sfc,  CT)  outputs  m. 
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Security  Model  for  CP- ABE  Let  II  =  (Setup,  Encrypt,  KeyGen,  Decrypt)  be  a  CP-ABE 

scheme  for  message  space  A4  and  access  structure  space  Q,  and  consider  the  following  experiment 
for  an  adversary  Adv,  parameter  A  and  attribute  universe  U: 

The  CP-ABE  experiment  CP-ABE-ExpAdv  n(A,  U): 

Start.  Setup(A,  U)  is  run  to  obtain  the  public  parameters  PK  and  master  secret  key  MK. 

Phase  1.  Adversary  Adv  is  given  PK  and  access  to  the  oracle  KeyGen(MK,  •),  which  generates 
a  private  key  corresponding  to  an  attribute  set  of  the  adversary’s  choosing. 

Challenge.  The  adversary  outputs  two  messages  mo,  mi  G  A4  and  a  challenge  access  structure  T* 
such  that  none  of  the  sets  of  attributes  queried  during  Phase  1  satisfy  it.  A  random  bit  b  is 
chosen  and  Encrypt(PK,  mb,  r*)  is  run  to  produce  CT*,  which  is  then  given  to  the  adversary. 

Phase  2.  The  adversary  is  given  access  to  the  oracle  KeyGen(MK,  •),  with  the  restriction  that  it 
cannot  query  the  oracle  on  any  set  of  attributes  that  satisfy  P*. 

Guess.  The  adversary  outputs  a  guess  b'  of  b.  The  output  of  the  experiment  is  defined  to  be  1  if 
and  only  if  b'  =  b. 

Definition  5.3  (CP-ABE  Security)  A  CP-ABE  scheme  II  is  secure  for  attribute  universe  U  if 
for  all  probabilistic  polynomial-time  adversaries  Adv,  there  exists  a  negligible  function  negl  such 
that: 

Pr[CP-ABE-ExpAdv  n(A,  U)  =  1]  <  negl( A). 

We  say  that  a  system  is  selectively  secure  if  we  add  an  Init  stage  before  Start  where  the  adversary 
outputs  the  challenge  access  structure  T*  (instead  of  waiting  until  Challenge  to  do  so). 

5.1.2  CP-ABE  with  Key  Reduction 

Our  construction  requires  that  the  holder  of  a  private  key  can  efficiently  “remove”  attributes  from 
his  private  key  and  then  re-randomize  the  remaining  private  key.  We  formalize  this  as  follows. 

Definition  5.4  (CP-ABE  with  key  reduction)  We  say  that  a  CP-ABE  system  for  attribute 
universe  U  supports  key  reduction  if  there  exists  an  efficient  algorithm 

KeyReduce(PK,  sk,S,S ')  — >  sk' .  The  key  reduction  algorithm  takes  as  input  the  piMic  parame¬ 
ters  PK  with  a  private  key  sk  associated  with  attribute  set  S  and  outputs  a  private  key  sk' 
associated  with  attribute  set  S',  if  S'  C  S,  and  _L  otherwise. 

such  that  if  (PK,MK)  G  Setup(A,  U)  and  S'  C  S  C  U,  then  for  all  such  tuples  (MK,  S,  S'),  the 
following  two  distributions  are  statistically  close: 

{  (MK,  sk  <-  KeyGen(MK,  S),  KeyGen(MK,  S'))  }MR  g  g, 

{  (MK,  sk  <-  KeyGen(MK,  S),  KeyReduce(PK,  sk,  S,  S'))  }MK  s  s, 

The  distributions  are  taken  over  the  coins  of  KeyGen  and  KeyReduce. 

It  is  not  a  coincidence  that  this  definition  strongly  resembles  the  context  hiding  definition 
presented  earlier.  Fortunately,  we  observed  that  several  existing  CP-ABE  schemes  support  key 
reduction. 
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Claim  5.5  The  Ciphertext- Policy  ABE  systems  in  [8,  Section  4-2], [37,  Section  2. 3.1], [58,  Section 

6]  support  key  reduction. 

Proof.  We  argue  this  claim  by  providing  a  key  reduction  algorithm  for  each  scheme.  In  all  cases, 

the  output  is  perfectly  indistinguishable  from  the  normal  key  generation  algorithm. 

The  BSW  Construction  [8,  Section  4.2] 

•  Setup(A,  17)  — >  (PK,MK):  The  algebraic  setting  is  a  bilinear  group  G  of  prime  order  p 
with  generator  g.  The  public  parameters  PK  are  G,g,p,h  =  g^ ,  f  =  ga^,e(g,g)a,  where 
(3,  a  £  Zp,  and  the  description  of  a  hash  function  H  :  {0, 1}*  — >  G.  The  master  secret  key 
MK  is  (PK,  (3,ga). 

•  KeyGen(MK,  S)  — >  sk:  The  key  generation  algorithm  chooses  random  r,  r*  £  Zp  for  each 
attribute  i  £  S.  The  private  key  sk  is: 

S,  D  =  g^+r)/^  D.  =  g'Hljy,.,)'  =  gr:i  Vj  £  5. 

•  KeyReduce(PK,  sk,  S,  S')  — >  sk':  The  key  reduction  algorithm  chooses  random  r',r[  for 
each  attribute  i  £  S'  and  outputs  the  private  key  sk'  as: 

S',  D'  =  Dgr'IP  =  g{«+r+r')/y 

D'j  =  Djgr'  H(j)ri  =  gr+r'  H(j)rj+r’j ,  Dl  =  DgfJ  =  gr ^  Vj  £  S'. 

The  LOSTW  Construction  [37,  Section  2.3.1] 

•  Setup(A,  U)  — >  (PK,  MK):  The  algebraic  setting  is  a  bilinear  group  G  of  order  N  =  P1P2P3 
(3  distinct  primes).  We  let  GPi  denote  the  subgroup  of  order  p%  in  G.  The  public  parameters 
PK  are  N,  g,  ga,e(g,  g)a ,  T,;  =  gSi  for  all  attributes  i  £  U,  where  g  £  Gpi  and  a,a,Si  £  Z jy. 
The  master  secret  key  MK  is  PK,  a  and  a  generator  X3  £  GP3. 

•  KeyGen(MK,  S)  — >  sk:  The  key  generation  algorithm  chooses  a  random  t  £  Zjv  and  random 
elements  Ro,R'0,Ri  £  GP3.  The  private  key  sk  is: 

5,  K  =  gagatR0,  L  =  gtR'0,  Rf  =  T[Rt  Vi  £  5. 

•  KeyReduce(PK,  sk,S,S')  — >  sk':  The  key  reduction  algorithm  chooses  a  random  t'  £  Z^r 
and  random  elements  Zq,  Z'0,  Zi  £  GP3  and  outputs  the  new  private  key  sk'  as: 

5',  K'  =  Kgat' Zq  =  gaga(-t+t') R{)Zq,  L'  =  Lg* Z'Q  =  gt+t' R'0Z’0, 

K'  =  KiTfZ'i  =  T];+f'RtZt  Vie  S'. 

The  Waters  Construction  [58,  Section  6] 

•  Setup(A,  U )  — >  (PK,  MK):  The  algebraic  setting  is  a  bilinear  group  G  of  prime  order  p  with 
generator  g.  Let  nmax  be  the  maximum  number  of  nodes  in  an  access  formula  and  let  \U\  be 
the  number  of  attributes  in  U.  The  public  parameters  PK  are  G,  g,p,  ga ,  e(g,  g)a ,  (h\t i, . . . ,  hip), 
. . . ,  (hnmax, i,  •  •  • ,  hnmaxp),  where  all  hltJ  values  are  elements  in  G.  The  master  secret  key  MK 
is  (PK,  ga). 
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•  KeyGen(MK,  S)  — >  sk:  The  key  generation  algorithm  chooses  random  t\, ... ,  tnjnax  G  Zp. 
The  private  key  sk  is: 


5,  I<  =  gagatl ,  Li  =  g'1 , . . . ,  Lr  ~  '-tn 


max 

t. 


=  9 


v.x  g  5,  kx  =  n ]=r  ht- 


KeyReduce(PK,  sk,  S,  S')  -»  sk':  The  key  reduction  algorithm  chooses  random  t\, . . . ,  t'nmaj,  G 
Z p.  The  private  key  sk'  is: 

5',  K'  =  Kg<  =g<*g“(Wi),  L\  =  Lig^  =gt^,...,L'nmax  =  LnmaJ'~ 

vx  g  s'.  k'x  =  kx  i  ■  h%  =  npr 


□ 


5.1.3  The  Subset  Signature  Construction 

Let  II  =  (Setup^g^,  Encrypt^g^,  KeyGen^ss,  Decrypt^g^)  be  a  CP- ABE  scheme  that  sup¬ 
ports  key  reduction  with  the  algorithm  KeyReduce^^.  Let  II  have  an  arbitrary,  finite  and 
efficiently-samplable10  message  space  A4  and  access  structure  space  Q  that  supports  AND  gates. 
Let  U  be  a  set  of  strings  over  an  arbitrary  alphabet.  We  construct  a  signature  scheme  that  supports 
computing  on  authenticated  subsets  of  U  as  follows. 

KeyGen(lA)  :  Run  Setup^g^fT^,  U)  to  obtain  the  key  pair  ( pk,sk ),  which  will  serve  as  the 
public  and  secret  keys  of  the  signature  scheme. 

Sign (sk,m  C  U )  :  Run  KeyGen ABE(sk,m)  to  obtain  an  ABE  private  key  which  will  be  treated 
as  the  signature  a . 

SignDerive(p/c,  a,  m,  m!)  :  First,  check  if  P(m,m!)  =  1.  If  not,  output  _L.  Otherwise,  run 
KeyReduce^g^pA;,  a,  m,  m!)  to  obtain  the  new  signature  a'  and  output  it. 

Verify(pA;,  m,  a)  :  Choose  a  random  value  x  G  M.  and  a  random  access  structure  r  G  Q.  Run 
Encrypt^gg(pA:,  x,  T)  to  obtain  CT.  Output  1  if  and  only  if  Decrypt^ ABE(ai  CT)  =  x. 

5.1.4  Security  Analysis 

Theorem  5.6  If  H  is  (resp.,  selectively)  secure  for  attribute  universe  U  with  respect  to  Defini¬ 
tion  5.3,  then  the  above  subset  signature  scheme  is  (resp.,  selectively)  unforgeable  with  respect  to 
Definition  2.3  and  strongly  context  hiding  with  respect  to  Definition  2.4- 

Proof.  We  argue  this  theorem  in  two  parts. 

Lemma  5.7  (Strong  Context  Hiding)  if  n  is  a  CP- ABE  scheme  that  supports  key  reduction, 
then  the  above  subset  signature  scheme  is  strongly  context  hiding  under  Definition  2-4- 

10We  mean  that  it  is  possible  to  efficiently  sample  elements  from  the  set  uniformly  at  random. 


Approved  for  Public  Release;  Distribution  Unlimited. 
31 
225 


Proof.  This  follows  directly  from  the  key  reduction  property  of  the  CP- ABE  scheme.  Let  (pk,  sk )  «— 
KeyGen(lA)  be  a  key  pair.  A  signature  scheme  (KeyGen,  SignDerive,  Verify)  is  strongly 
context  hiding  for  the  simple  subset  predicate  P  if  for  all  such  triples  ((pk,  sk),m,m')  where 
P(m,m')  =  1,  the  following  two  distributions  are  statistically  close: 

{( sk,a  <-  Sign(sk,m),  Sign (sk,m'))} skmm, 

{( sk,a  -e-  Sign(sk,m),  SignDeri ve(pk,a,m,m'))} skmm, 

where  the  distributions  are  taken  over  the  random  coins  of  Sign  and  SignDerive.  If  we  substi¬ 
tute  the  signature  algorithms  for  their  underlying  CP- ABE  algorithms,  we  have  the  following  two 
distributions: 

{{sk,a  <r-  KeyGen ABE(sk,m),  KeyGenABE(sk,  m'j) } sk  m  m, 

{{sk,a  <r-  KeyGen ABE(sk,m),  KeyReduc eABE(pk,a,m,m'))}  skmm, 

where  the  distributions  are  taken  over  the  random  coins  of  KeyGen^BS  and  KeyReduce^gg. 
The  statistical  closeness  of  these  distributions  is  directly  guaranteed  by  the  key  reduction  specifi¬ 
cation  when  the  predicate  is  satisfied,  i.e. ,  m!  Cm.  □ 


Lemma  5.8  (Unforgeability)  If  H  is  a  (resp.,  selectively)  secure  CP- ABE  scheme  that  sup¬ 
ports  key  reduction,  then  the  above  subset  signature  scheme  is  (resp.,  selectively)  unforgeable  in  the 
Unforg  game. 

Proof.  We  first  apply  Lemma  A. 4,  which  allows  us  to  only  consider  adversaries  A  that  asks  queries 
to  Sign  oracle  in  the  simpler  NHU  game. 

We  deal  with  the  non-selective  case  first.  Suppose  an  adversary  A  can  produce  a  forgery  with 
probability  e  in  the  NHU  selective  unforgeability  game;  then  we  can  construct  an  adversary  B  that 
breaks  the  selective  security  of  the  CP-ABE  scheme  with  key  reduction  with  probability  1/2  +  e/2. 
B  begins  to  run  A  and  proceeds  as  follows: 

Setup  When  B  receives  the  public  parameters  pk  from  its  challenger,  it  passes  these  on  as  the 
signature  public  key  to  A. 

Sign  When  A  queries  Sign(m),  B  queries  its  key  generation  oracle  on  m  and  returns  the  response 
to  A. 

Response  If  A  does  not  output  a  valid  forgery,  then  B  simply  chooses  and  outputs  a  random 
bit.  If  A  outputs  a  valid  message-signature  pair  (m* ,  a*)  where  m*  is  not  a  subset  of  any  message 
queried  to  Sign,  then  B  then  picks  two  arbitrary  messages  mo,  m\  in  the  message  space  of  the  CP- 
ABE  scheme.  It  outputs  these  to  its  challenger  together  with  a  challenge  access  structure,  which  is 
the  AND  of  all  attributes  in  m* .  (Recall  that  in  this  signature  scheme  messages  are  sets  of  strings.) 
This  challenge  access  structure  is  allowed,  under  the  CP-ABE  security  experiment,  because  none 
of  the  other  private  keys  created  by  the  oracle  can  satisfy  it.  Once  the  challenge  ciphertext  CT* 
is  returned,  B  simply  uses  the  private  key  a*  to  decrypt  CT*  and  to  then  state  which  of  the  two 
challenge  messages  was  encrypted. 
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The  Selective  Case  Suppose  an  adversary  A  can  produce  a  forgery  with  probability  e  in  the 
NHU  selective  unforgeability  game;  then  we  can  construct  an  adversary  B  that  breaks  the  selective 
security  of  the  CP- ABE  scheme  with  key  reduction  with  probability  e  plus  a  negligible  amount.  B 
behaves  as  above,  except  that  prior  to  Setup  there  is  a  selective  disclosure  phase  where  A  first 
announces  the  message  m*  on  which  he  will  forge.  B  then  announces  to  its  challenger  that  its 
challenge  access  structure  will  be  the  AND  of  all  attributes  in  m* .  This  information  is  latter  used, 
as  before,  in  B's  Response  phase,  where  now  A  will  only  output  a*. 

Analysis  The  following  analysis  applies  to  both  the  selective  and  non-selective  cases.  The  view 
of  A  when  interacting  with  B  is  identical  to  its  view  when  interacting  with  a  real  NHU  game  chal¬ 
lenger.  Whenever  A  correctly  produces  a  forgery,  then  B  correctly  identified  the  challenge  message. 
Whenever  A  fails  to  produce  a  forgery,  then  B  guesses  the  challenge  message  with  probability  1/2. 
Thus,  if  A  succeeds  with  probability  e,  then  B  succeeds  with  probability  e  +  (1  —  e)/2  =  1/2  + e/2. 
□  □ 


6  Computing  Weighted  Averages  and  Fourier  Transforms 

So  far  we  only  constructed  schemes  for  univariate  predicates  P.  We  now  give  an  example  where 
one  computes  on  multiple  signed  messages.  Let  p  be  a  prime,  n  a  positive  integer,  and  T  a  set  of 
tags.  The  message  space  A4  consists  of  pairs: 


M:=Tx  Fp 


Now,  define  the  predicate  P  as  follows:  P(s,m ) 


1  for  all  m  £  M  and11 


P 


Ol,Vl),...,(ffc,Vfc)  )  , 


(  t  =  t\  =  ■  ■  ■  =  tk,  and 
1  v  €  span(v1; . . . ,  vfc) 


Thus,  given  signatures  on  vectors  Vi, . . . ,  v*.  grouped  together  by  the  tag  t,  anyone  can  create  a 
signature  on  a  linear  combination  of  these  vectors.  This  can  be  done  iteratively  so  that  given  signed 
linear  combinations,  new  signed  linear  combinations  can  be  created.  Unforgeability  means  that  if 
the  adversary  obtains  signatures  on  vectors  vi,...,Vfc  for  particular  tag  t  £  T  then  he  cannot 
create  a  signature  on  a  vector  outside  the  linear  span  of  vi, . . . ,  v*.. 

Signature  schemes  for  this  predicate  P  are  presented  in  [15,  14,  13,  16,  2]  while  schemes  over  Z 
(rather  than  Fp)  are  presented  in  [28].  These  schemes  were  originally  designed  to  secure  network 
coding  where  context  hiding  is  not  needed  since  there  are  no  privacy  requirements  for  the  sender  (in 
fact,  the  sender  is  explicitly  transmitting  all  his  data  to  the  recipient).  The  question  then  is  how  to 
construct  a  system  for  predicate  P  above  that  is  both  unforgeable  and  context  hiding.  Fortunately, 
we  do  not  need  to  look  very  far.  The  linearly  homomorphic  signature  schemes  in  [15]  can  be  shown 
to  be  context  hiding.  We  state  this  in  the  following  theorem. 


Theorem  6.1  If  the  CDH  assumption  holds  in  group  G,  then  the  signature  scheme  NCS\  from  [15] 
is  unforgeable  and  context-hiding  in  the  random  oracle  model,  assuming  tags  are  generated  inde¬ 
pendently  at  random  by  the  unforgeability  challenger  when  responding  to  Sign  queries. 

11Recall,  the  signature  on  e  is  the  output  the  KeyGen  algorithm. 
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Unforgeability  is  Theorem  6  in  [15],  which  holds  only  when  tags  ti  £  T  are  generated  inde¬ 
pendently  at  random  by  the  signer.  While  context  hiding  has  not  been  considered  before  for  this 
scheme,  it  is  not  difficult  to  show  that  the  scheme  is  context  hiding.  The  scheme  is  unique  in  the 
sense  that  every  vector  v  has  a  unique  valid  signature.12  It  is  easy  to  show  that  any  homomorphic 
unique  signature  must  be  context  hiding  and  hence  NCSi  is  context  hiding. 

Viewed  in  this  way,  the  scheme  NCSi  gives  the  ability  to  carry  out  authenticated  addition  on 
signed  data.  Consider  a  server  that  stores  signed  data  samples  si, . . . ,  sn  in  Fp.  The  signature  on 
sample  s*  is  actually  a  signature  on  the  vector  (sj|ej)  £  Fp+1,  where  e*  is  the  ith  unit  vector  in 
Fp.  The  server  stores  (i,  Si)  and  a  signature  on  (sj|ej).  (The  vector  e*  need  not  be  stored  with  the 
data  and  can  be  reconstructed  from  i  when  needed.)  Using  SignDerive,  the  server  can  compute 
a  signature  a  on  the  sum  (^ l=1  Si,  1, . . . ,  1).  Since  the  schemes  are  context  hiding,  the  server  can 
publish  the  sum  Ya=  l  si  mod  p  and  the  signature  a  on  the  sum  and  (provably)  reveal  no  other 
information  on  the  original  data.  The  “augmentation”  (1, . . . ,  1)  proves  that  the  published  message 
really  is  the  claimed  sum  of  the  original  samples  (the  tag  t  prevents  mix-and-match  attacks  between 
different  data  sets).  We  can  similarly  publish  a  sum  of  any  required  subset. 

More  generally,  the  server  can  publish  an  authenticated  inner  product  of  the  samples  s  := 
(si, . . . ,  sn)  with  any  public  vector  c  £  Fp  without  leaking  additional  information  about  the  samples. 
This  is  needed,  for  example,  to  publish  a  weighted  average  of  the  original  data  set.  Similarly,  recall 

that  the  Fourier  transform  of  the  data  (si, _ ,  sn)  is  a  specific  linear  operator  (represented  by  a 

specific  n  x  n  matrix)  applied  to  this  vector.  Therefore,  we  can  publish  signed  Fourier  coefficients 
of  the  data.  If  we  only  publish  a  subset  of  the  Fourier  coefficients  then,  by  context  hiding,  we  are 
guaranteed  that  no  other  information  about  (si, . . . ,  sn)  is  revealed. 

7  Conclusion  and  Open  Problems 

In  summary,  the  goal  of  this  work  is  the  study  of  computing  on  authenticated  data.  We  pre¬ 
sented  one  unified  framework  for  a  variety  of  distinct  concepts  in  this  area,  including  arithmetic, 
homomorphic,  quotable,  redactable  and  transitive  signatures.  The  definition  we  provide  tackles 
unforgeability  as  well  as  a  strong  notion  of  privacy,  where  an  adversary  is  unable  to  distinguish 
a  derived  signature  from  a  fresh  one  even  when  given  the  original  signature.  In  this  setting,  we 
provide  generic  constructions  for  all  univariate  and  closed  predicates,  as  well  as  specific  efficient 
constructions  for  predicates  such  as  quoting,  subsets,  weighted  sums,  averges  and  Fourier  trans¬ 
forms. 

This  work  leaves  open  a  host  of  interesting  problems.  First,  one  can  imagine  predicates  that 
support  more  complex  operations  on  signed  messages.  One  natural  set  of  examples  are  spreadsheet 
operations  such  as  median,  standard  deviation,  and  rounding  on  signed  data  (satisfying  unforgeabil¬ 
ity  and  context  hiding).  Other  examples  include  graph  algorithms  such  as  computing  a  signature 
on  a  perfect  matching  in  a  signed  bipartite  graph.  Still  other  examples  involve  efficiently  expanding 
quoting/redacting  to  more  complex  data  types,  such  as  (potentially  compressed)  graphical  images. 

A  first  step  in  this  direction  may  be  to  improve  upon  some  of  the  constructions  for  basic  pred¬ 
icates  presented  herein.  For  example,  as  discussed  at  the  end  of  Section  4.2,  for  quoting/redacting 
on  simple  text,  it  is  still  unknown  how  to  balance  time  and  space  efficiently  while  achieving  full 
security  in  the  standard  model  from  a  simple  computational  assumption. 

12Recall  that  in  unique  signatures  [39]  in  addition  to  the  regular  unforgeability  requirement  there  is  an  additional 
uniqueness  property:  for  any  honestly-generated  public  key  pk  and  any  message  m  in  the  message  space,  there  do 
not  exist  values  ay,  02  such  that  <j\  ^  a  2  and  yet  Verify(pfc,  m,a  1)  =  Verify(pA),  m,  02 )  =  1. 
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A  A  Computational  Definition  of  Context  Hiding 

Let  (KeyGen,  SignDerive,  Verify)  be  a  P-homomorphic  signature  scheme  for  predicate  P  and 

message  AL  Consider  the  following  game  to  model  context  hiding: 

Setup:  The  challenger  runs  the  algorithm  ( pk,sk )  4—  KeyGen(lA)  to  obtain  the  public  key  pk 
and  the  secret  key  sk,  and  gives  pk  to  the  adversary. 
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Query  Phase  1:  Proceeding  adaptively,  the  adversary  may  query  any  of  the  three  oracles  from 
the  unforgeability  game: 

•  Sign(m  G  M):  (same  as  in  the  unforgeability  game) 

•  SignDerive(i  G  Z,m'):  (same  as  in  the  unforgeability  game) 

•  Reveal  (i  G  Z):  (same  as  in  the  unforgeability  game) 

Challenge:  At  some  point,  the  adversary  issues  a  challenge  ( m,m ')  where  P(m,m')  =  1  for 
any  m,m'  G  M.  The  challenger  computes  the  following  three  values:  a  <—  Sign(s&,m), 
do  t—  Sign  (sk,m?)  and  o\  SignDerive(pA:,  a,  m,  mf).  The  challenger  then  picks  a  random 
b  G  {0, 1}  and  returns  (a,  aj, )  to  the  adversary.  Note:  there  are  no  restrictions  on  m,  m!  other 
than  that  they  be  in  the  message  space;  in  particular,  they  could  be  equal  and  one  or  both 
could  have  been  previously  signed. 

Query  Phase  2:  Proceeding  adaptively,  the  adversary  may  query  the  oracles  from  Phase  1. 

Output:  Eventually,  the  adversary  will  output  a  bit  b'  and  is  said  to  win  if  b  =  b' . 

We  define  Adv^H  to  be  the  probability  that  adversary  A  wins  in  the  above  game  minus  )> . 

Definition  A.l  (Context  Hiding)  For  a  predicate  P  and  message  space  At,  a  P -homomorphic 
signature  scheme  (KeyGen,  Sign,  SignDerive,  Verify)  is  context  hiding  if  for  all  probabilistic 
polynomial  time  adversaries  A,  Adv is  negligible  in  A. 

A.l  Relation  to  Strong  Context  Hiding 

Lemma  A. 2  A  homomorphic  signature  scheme  that  is  strongly  context  hiding  is  context  hiding. 

Proof.  (Sketch)  Let  II  =  (KeyGen,  SignDerive,  Verify)  be  a  homomorphic  signature  scheme 
and  let  A  be  an  adversary  that  has  advantage  Adv^^(II)  =  p(X)  in  the  context-hiding  game.  The 
advantage  probability  for  A  is  taken  over  the  random  coins  of  the  key  generation,  random  coins  of  the 
Sign  and  SignDerive  operations  used  in  the  first  query  phase,  the  random  coins  used  by  algorithm 
A,  and  the  random  coins  used  by  the  rest  of  the  experiment.  Therefore  by  an  averaging  argument, 
there  must  exist  some  particular  key  pair  (PK,  SK )  KeyGen(lA;  z\),  some  particular  random 
tape  zq  for  the  Sign  and  SignDerive  operations  used  in  the  first  query  phase,  some  particular 
random  coins  za  for  A,  and  some  particular  message  pair  (m,  m')  output  by  A  over  which  the 
probability  of  A  winning  the  context-hiding  game  in  this  case  is  at  least  p( A).  Let  the  values  of  the 
random  tapes  be  given  as  non-uniform  advice. 

We  show  how  this  information  can  be  used  to  construct  a  (non-uniform)  adversary  A!  that 
distinguishes  {(STf,  a,  Sign(STf,  m!)}  from  {(SK,  a,  SignDerive(P/\,  a,  m,  m1)}  with  probability 
p( A)  for  the  triple  ((PK,  SK),m,m').  Thus,  if  II  is  strongly  context  hiding,  then  p( A)  must  be 
exponentially  small,  and  so  II  must  also  be  context-hiding. 

The  adversary  A'  works  as  follows:  On  input  the  challenge  tuple  ( SK,a,a' ),  A'  begins  to  run 
the  context-hiding  experiment  for  A(PK;  za).  A'  answers  the  queries  that  A  asks  by  using  SK 
and  the  random  tape  zq  to  run  Sign  and  SignDerive.  When  A  outputs  a  challenge  message  pair 
(m,m')  (which  must  occur  by  construction),  then  A'  answers  with  (a,  a').  A'  answers  the  second- 
phase  queries  of  A  using  SK  and  fresh  random  coins.  Finally,  when  A  outputs  b' ,  A'  echoes  this 
answer  as  output  and  halts. 

First  observe  that  A'  performs  a  perfect  simulation  of  the  context-hiding  game.  When  the  input 
pair  (a,  a')  corresponds  to  (Sign(SK,m),Sign(SK,m')),  then  A'  simulates  the  context-hiding 
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game  for  6  =  0.  In  the  other  case,  A!  simulates  the  context-hiding  game  for  6  =  1.  Therefore,  A1 
distinguishes 

{{SK,  Sign (SK,  m),  Sign(5A ,  rn'))}SK  m  m, 

{( SK ,  Sign (5/1,  m),  SignDerive(P//,  cr,  m,  nT))}^,™,™' 

with  probability  p(A).  □ 

A. 2  Simplified  Unforgeability  Under  Strong  Context  Hiding 

We  now  show  how  the  strong  context  hiding  property  can  help  simplify  the  security  argument  for 
unforgeability.  In  particular,  we  introduce  a  weaker  notion  of  unforgeability  in  which  the  adversary 
only  makes  calls  to  the  Sign  oracle  and  immediately  receives  a  signature. 

—  Game  NHU(II,  A,  A,  P):  This  game  is  the  same  as  the  Unforg(II,  A,  A,  P)  game  with  the 
exception  that  only  the  following  query  is  allowed: 

-  Sign(m  £  A4):  the  oracle  computes  a  £-  Sign (SK,m),  adds  m  to  Q  and  returns  a. 

Note,  the  only  difference  between  game  NHU  and  the  standard  unforgeability  game  for  a  signature 
scheme  is  that  in  this  game,  the  adversary  only  wins  if  it  produces  a  forgery  on  a  signature  m* 
such  that  for  all  m  £  Q ,  P(m,  m*)  =  0,  whereas  in  the  standard  unforgeability  game,  the  adversary 
wins  if  it  produces  a  signature  on  any  message  that  is  not  in  Q. 

Definition  A. 3  A  quoteable  signature  scheme  II  is  NHU -unforgeable  if  for  all  efficient  adversaries 
A,  it  holds  that  Pr[NHU(II,  A ,  A,  P)  =  1]  <  negl( A)  for  some  negligible  function  A. 

Lemma  A. 4  A  signature  scheme  that  is  NHXJ -unforgeable  and  strongly  context  hiding  is  Unforg- 
unforgeable. 

Proof.  Our  plan  is  to  present  a  series  of  hybrid  experiments  that  are  meant  to  simplify  the  quotable 
unforgeability  game. 

Hybrid  Hi(U,  A,  X,  P)  Consider  the  first  hybrid  experiment  H\  which  is  the  same  as  the  un¬ 
forgeability  game  Unforg(n,  A,  A,  P),  with  the  exception  that  all  Sign  and  SignDerive  queries  are 
lazily  evaluated.  That  is,  when  A  makes  a  query,  the  experiment  responds  in  the  following  way: 

-  Sign(m ):  generate  a  handle  i  and  record  information  (z,?,m,  e)  in  T  and  return  i 

-  SignDerive(i,  m!):  retrieve  (i,  z,  m,  •)  from  T,  return  X  if  it  does  not  exist  or  if  P(m ,  m')  A  b 
generate  a  new  handle  i',  record  ( [i ' ,  ?,  m' ,  i)  in  T,  and  return  i! 

Revealfi ):  retrieve  (i,z,  m,  i\)  from  T  (returning  _L  if  it  does  not  exist).  If  z  7U,  then  return 
z.  Otherwise,  if  i\  =  e,  then  compute  a  •(—  Sign (SK,m),  replace  the  entry  ( i,z,m,e )  with 
(■ i,a,m,e ),  and  return  a.  Finally,  if  i\  A  0  then  recursively  call  z\  <—  Reveal{i\),  obtain 
(*!,-,  mi,-)  from  T  and  compute  a  <—  SignDerive(PA,  z\,  mi,  m).  Replace  the  entry  with 
(i,cr,m,ii),  and  return  a. 

Claim  A. 5  Pr[i/i(II,  A,  A,  P)  =  1]  =  Pr[Unforg(II,  A,  A,  P)  =  1]. 

This  claim  follows  by  inspection.  For  any  query  that  is  eventually  revealed,  the  same  operations 
are  performed  in  both  H\  and  the  original  game.  For  any  query  that  is  never  revealed,  no  operation 
in  Hi  is  performed;  but  this  does  not  affect  the  view  of  the  adversary,  and  therefore  does  not  affect 
the  output  of  the  adversary. 
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Hybrid  H2,i(A,  A,  A,  P)  The  second  hybrid  is  the  same  as  H\  except  that  the  first  i  queries  to 
Reveal  are  answered  using  Reveal-2  described  below,  and  the  remaining  queries  are  answered  as  per 
H\:  ( The  only  difference  is  that  Sign(SK,mi)  is  used  in  place  of  SignDerive(P/\,  zi,  mi,  m)  in 
the  second  to  last  sentence.) 

Reveal2(i).  retrieve  ( i ,  z,  rn,  ii)  from  T  (returning  _L  if  it  does  not  exist).  If  z  7^?,  then  return 
z.  Otherwise,  if  i\  =  e,  then  compute  a  <—  Sign (SK,m),  replace  the  entry  (■ i,z,m,e )  with 
( i,a,m,e ),  and  return  a.  Finally,  if  i\  f  e,  then  recursively  call  z\  <—  Reveal{i\),  obtain 
(*i,  -,mi,  •)  from  T  and  compute  a  Sign (SK,  mi).  Replace  the  entry  with  (*,  a,  m,  ii),  and 
return  a. 

Claim  A. 6  ^2,0 (n,  A,  A,  P)  is  identically  distributed  to  H\(U,  A,  X,  P). 

By  inspection. 

Claim  A. 7  H-2,i(Tl,  A,  A,  P)  is  identically  distributed  to  i72,j-i(n,  A,  A,  P)  fori  >  1. 

This  claim  follows  via  the  strong  context-hiding  property  of  the  signature  scheme  because  this 
property  guarantees  Sign  (SK,  m')  and  SignDerive(Piv,  <7,  m,  rn1)  are  statistically  close. 

Suppose  that  A  makes  l  =  poly(X)  queries.  Observe  that  #2/(n,  A,  A,  P)  only  evaluates  Sign, 
and  only  does  so  on  messages  that  are  immediately  returned  to  the  adversary.  Thus,  H-2/  is 
syntactically  equivalent  to  the  NHU  game.  Since  the  H-2,e  game  enables  A  to  produce  a  forgery  with 
the  same  probability  as  Unforg(n,  A,  A,  P),  we  have  that  Unforg(II,  A,  A,  P)  =  NHU(II,  A,  A,  P) 
which  completes  the  lemma.  □ 
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Abstract 

We  introduce  the  concept  of  universal  signature  aggregators.  In  a  universal  signature  aggregator 
system,  a  third  party,  using  a  set  of  common  reference  parameters,  can  aggregate  a  collection  of  signatures 
produced  from  any  set  of  signing  algorithms  (subject  to  a  chosen  length  constraint)  into  one  short 
signature  whose  length  is  independent  of  the  number  of  signatures  aggregated.  In  prior  aggregation 
works,  signatures  can  only  be  aggregated  if  all  signers  use  the  same  signing  algorithm  (e.g.,  BLS)  and 
shared  parameters.  A  universal  aggregator  can  aggregate  across  schemes  even  in  various  algebraic  settings 
(e.g.,  BLS,  RSA,  ECDSA),  thus  creating  novel  opportunities  for  compressing  authentication  overhead. 
It  is  especially  compelling  that  existing  public  key  infrastructures  can  be  used  and  that  the  signers  do 
not  have  to  alter  their  behavior  to  enable  aggregation  of  their  signatures. 

We  provide  multiple  constructions  and  proofs  of  universal  signature  aggregators  based  on  indistin- 
guishability  obfuscation  and  other  supporting  primitives.  We  detail  our  techniques  as  well  as  the  tradeoffs 
in  features  and  security  of  our  solutions. 


1  Introduction 

An  aggregate  signature  system,  as  introduced  by  Boneh,  Gentry,  Lynn  and  Shacham  [BGLS03] ,  allows  a  party 
to  bundle  a  set  of  signatures  together  into  a  single  short  cryptographic  signature.  Aggregate  signatures  are 
motivated  by  applications  where  one  needs  to  simultaneously  verify  several  signatures  from  different  users  on 
different  messages  in  environments  with  communication  or  storage  resource  constraints.  For  example,  Boneh 
et  al.  [BGLS03]  proposed  applying  aggregate  signatures  to  Secure  BGP  [KLMSOO]  path  authentication;  later 
this  idea  was  empirically  evaluated  by  Zhao  et  al.  [ZSN05]. 

Over  the  past  several  years  many  solutions  to  aggregate  signatures  [LOS+06,  GR06,  BGOY07,  BNN07, 
AGH10]  have  been  proposed  that  have  explored  tradeoffs  regarding  computational  cost,  security  models, 
features  (e.g.  identity-based),  limitations  (e.g.  sequential  signing),  and  cryptographic  assumptions.  However, 
all  of  these  constructions  have  one  thing  in  common  in  that  they  require  all  signers  to  adopt  a  common 
signature  system  and  shared  parameters. 

In  practice,  the  common  scheme  and  parameter  requirements  can  be  a  large  barrier  to  adoption.  Existing 
users  will  already  have  established  signing  keys  and  algorithms  which  are  entrenched  in  an  existing  public 
key  infrastructure.  The  overhead  of  changing  and  re-certifying  one’s  public  keys  may  very  well  overwhelm 
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the  perceived  benefit  of  creating  signatures  that  can  be  aggregated  by  a  third  party.  Indeed  the  original 
signer  might  not  even  be  incentivized  to  allow  aggregation  in  the  first  place  when  the  benefits  fall  to  the 
aggregating  party  or  verifier  of  the  signatures.  Furthermore,  even  if  a  user  moved  from  one  signature  system 
to  an  aggregate  signature  system,  all  previously  created  signatures  would  be  unaggregatable.1 

Universal  Signature  Aggregators  We  introduce  the  concept  of  universal  signature  aggregators.  In 
a  universal  signature  aggregator  system,  a  third  party,  using  a  set  of  common  reference  parameters,  can 
aggregate  a  collection  of  signatures  produced  from  any  set  of  signing  algorithms  (subject  to  a  chosen  length 
constraint)  into  one  short  signature  whose  length  is  independent  of  the  number  of  signatures  aggregated.  A 
verifier  can  use  the  common  parameters  to  verify  the  aggregate  signature.  The  system  will  be  secure  in  the 
sense  that  it  is  hard  to  produce  an  aggregate  signature  on  a  verification  algorithm,  verification  key,  message 
tuple,  (Verify,  VK,  m)  unless  the  holder  of  the  corresponding  secret  key  produced  a  signature  on  m.  We 
emphasize  that  signers  in  the  system  need  not  do  anything  special  to  allow  aggregation;  indeed  they  could 
be  unaware  of  the  existence  of  such  a  system. 

Our  central  challenge  is  to  create  a  way  to  compress  many  signatures  of  varying  types  into  one  short 
object.  Prior  solutions  required  all  signatures  to  reside  in  a  common  (often  bilinear)  group,  where  it  was 
possible  to  leverage  homomorphic  properties  of  the  group  structure.  Here  we  are  afforded  no  such  luxury  as 
signatures  will  reside  in  different  groups  or  even  be  based  on  a  scheme  with  no  algebraic  structure. 

Our  approach  will  be  to  overcome  these  limitations  by  applying  the  tool  of  program  obfuscation.  At  the 
highest  level,  a  trusted  setup  routine  will  produce  a  pair  of  a  global  signature  verification  key  for  a  universal 
signature  aggregator  and  a  shared  obfuscated  program.  The  job  of  the  obfuscated  program  will  be  to  take 
as  input  tuples  of  the  form  (Verify,  VK,  m,  a)  that  respectively  represent  verification  algorithm,  verification 
key,  message  and  signature  4-tuples.  The  program  will  first  verify  using  algorithm  Verify  and  key  VK  that  a 
is  a  signature  on  m.  If  this  check  passes,  it  will  produce  a  signature  using  a  master  secret  key  on  the  message 
Msg  =  (Verify,  VK,  m)  —  essentially  transforming  the  arbitrary  signature  into  one  of  an  aggregateable  form. 

At  first  glance  it  might  appear  that  obfuscation  provides  an  open  and  close  solution  to  our  problem. 
Indeed,  if  we  heuristically  model  the  obfuscated  program  as  an  oracle  to  the  program,  the  analysis  is  relatively 
straightforward.  However,  as  noted  by  Hada  [HadOO]  such  a  definition  is  impossible  to  achieve  for  any 
functionality.  Our  goal  is  to  create  probably  secure  constructions  under  a  realizable  definition  of  obfuscation 

ideally  indistingusihability  obfuscation. 

Achieving  provable  security  under  indistingusihability  obfuscation  (and  without  knowledge  assumptions 
2)  presents  significant  challenges.  The  primary  technical  challenge  is  how  to  design  a  construction  and 
corresponding  reduction  that  can  extract  a  forgery  on  an  arbitrary  input  signature  scheme  from  an  attacker 
that  forges  on  the  aggregate.  We  emphasize  that  without  an  oracle  interface  or  knowledge  assumption  a 
reduction  is  not  afforded  the  opportunity  to  simply  “look  at”  the  input  signatures. 

Universally  Aggregating  Unique  Signatures  We  begin  by  exploring  how  to  universally  aggregate 
unique  signatures  —  a  unique  signature  system  [G093]  is  one  where  there  is  at  most  one  signature  that  will 
verify  per  message.  Notably,  RSA  based  full  domain  hash  [BR93,  BR96]  are  unique  signatures  that  form  the 
basis  of  the  widely  deployed  PKCS#1  standard  [KS98].  As  evidence  of  the  wide  scale  deployment,  Heninger 
et  al.  [HDWH12]  performed  an  Internet-wide  scan  of  machines  responding  on  the  TLS  and  SSH  ports  for 
IPv4  space  and  reported  3.9  million  distinct  RSA  keys  compared  to  only  1.9  thousand  DSA  keys. 

Our  construction  will  be  parameterized  by  four  polynomial  functions  over  the  security  parameter:  t?ver(A), 
£vk(A),£msg(A), £sig(A).  These  respectively  represent  a  bound  on  the  size  of  verification  circuits,  verification 
keys,  length  of  messages  signed  and  size  of  signatures  that  are  aggregated.  While  we  are  interested  in 
signatures  of  arbitrary  length  messages,  in  practice  almost  all  signature  schemes  will  apply  the  “hash  and 

1  We  note  that  the  concept  of  integrating  “special  property”  cryptography  into  existing  keys  is  relatively  unexplored,  but  has 
been  considered  in  ring  signatures  [BKM08]  and  deniable  encryption  [SW14], 

2  A  different  direction  is  to  attempt  to  build  universal  aggregation  from  succinct  arguments  of  knowledge 
(SNARKs)[BCCT13].  We  aim  to  achieve  our  goals  without  applying  knowledge  assumptions. 
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sign”  paradigm  where  a  longer  message  is  first  hashed  down  to  a  fixed  size  hash  value  (dependent  on  the 
security  parameter).  The  core  signature  scheme  then  signs  this  value. 

In  our  first  construction  (see  Section  4),  the  UniversalSetup  first  chooses  an  RSA  modulus  N  and  exponent 
e  t—  Z^jy).  Next,  it  chooses  a  puncturable  PRF  [BW13,  BGI13,  KPTZ13,  SW14]  key  K  for  a  function  F 
that  takes  inputs  of  the  form  (Verify,  VK,  m)  €  {0,  l}fver  x  {0,  l}fvk  x  {0,  l}^m8g  (i.e. ,  3-tuples  representing  a 
verification  circuit,  verification  key  and  message).  The  puncturable  PRF  will  output  into  Zjv- 

Finally,  the  setup  will  publish  (indistinguislrability)  obfuscations  of  two  programs.  The  first  is  Transform  v, k ■ 
This  program  takes  as  input  a  4-tuple  Verify,  VK,  to,  a.  It  then  computes  Verify  (VK,  to,  oj,  which  verifies 
the  signature  under  the  algorithm.  If  the  signature  verifies,  the  program  outputs  F(K,  Verify,  VK,  to)  €  ZN. 
This  can  be  thought  of  as  a  “transformed  signature”  where  the  obfuscated  program  maps  the  original  sig¬ 
nature  into  one  over  Zyv-  The  second  program  is  called  Transform-Image^  K  e.  On  input  (Verify,  VK,  m),  it 
computes  F(K,  Verify,  VK,  to)6  (mod  N). 

One  can  now  aggregate  a  sequence  of  signatures  (Verify  ^ ,  VK^,  mj,  ay)  by  transforming  each  one  by  comput¬ 
ing3  Sj  =  Transform^,  a  (Verify^  VK,,  to, ,  ay)  and  then  aggregating  into  one  element  of  ZN  as  aagg  =  JX,  .sy .  To 
verify  an  aggregate  signature,  <Jagg,  on  (Verify,,  VK,,  to, )  simply  compute  t,  =  Tra nsformjv,A'( Verify ,;,VK,,  to, ,  ay) 

and  test  whether  cragg  =  t,:.  4  Essentially  the  Transform  program  maps  an  arbitrary  signature  to  an  RSA 

FullDomain  hash  type  signature  on  the  “message”  (Verify^  VK,;,  mi). 

We  prove  selective  security  where  the  attacker  declares  before  seeing  the  public  parameters  a  message  m* 
that  they  will  forge  on.5  Our  security  argument  is  centered  around  an  alternative  program  Transform-Reject 
which  is  programmed  to  behave  the  same  as  Transform  except  on  input  y  =  (Verify*,  VK*, to*)  on  which  it 
always  outputs  _L  even  if  it  is  given  a  valid  signature  on  to*.  It  also  uses  a  PRF  key  that  is  punctured  at  y. 

Security  follows  from  two  primary  arguments  about  the  program.  We  first  establish  that  if  an  attack  algo¬ 
rithm,  Att,  is  successful  when  given  Transform,  it  must  be  almost  as  successful  when  given  Transform-Reject; 
otherwise,  the  underlying  unique  signature  scheme  is  broken.  Suppose  that  there  is  an  attacker,  Att,  with  a 
non-negligible  difference  in  advantage  between  these  two  games,  then  we  can  build  an  reduction  algorithm 
that  extracts  the  unique  signature  on  to*  in  a  bit  by  bit  fashion.  The  reduction  algorithm  runs  as  the  chal¬ 
lenger  in  the  aggregate  signature  game  and  receives  a  challenge  verification  key  from  the  challenger  in  the 
standard  signature  security  game.  It  runs  to  the  point  in  the  security  game  where  the  input  public  key  and 
parameters  are  established  and  saves  the  state  of  the  game  (including  the  state  of  Att).  Then  for  each  bit 
of  the  signature  it  performs  the  following  process  multiple  times.  It  runs  a  third  program  TransformAltyj. 
This  program  runs  as  Transform,  but  rejects  if  the  j-th  bit  of  the  input  signature  is  1.  For  each  j,  it  runs  the 
experiment  multiple  times  with  fresh  randomness.  If  the  measured  advantage  of  the  attacker  drops  when 
using  TransformAlty  j  then  it  guesses  that  the  j-th  bit  of  the  signature  is  1;  otherwise  it  guesses  that  it  is  0. 

It  complies  all  of  these  guesses  together  to  output  a  forgery.  (The  amount  of  rewinding  needed  depends  on 
the  difference  in  advantage.  In  addition,  our  actual  analysis  addresses  other  technical  details.) 

Since  signatures  are  unique,  the  program  TransformAltyj  is  functionally  equivalent  to  Transform  if  the 
j-th  bit  of  the  unique  signature  on  to*  is  0  and  thus  by  indistinguislrability  obfuscation  the  attacker’s 
advantage  should  be  negligibly  close  in  these  two  cases.  Similarly,  TransformAltyj  is  functionally  equivalent 
to  Transform-Reject  if  the  j-th  signature  bit  is  1  and  again  by  indistinguishability  obfuscation  the  advantage 
should  be  close  to  that  of  Transform- Reject. 

After  we  have  established  that  the  advantage  when  given  Transform-Reject  is  close  to  that  of  Transform, we 
show  that  an  attacker  that  can  win  when  given  Transform-Reject  will  either  break  iO,  the  punctured  PRF  or 
the  RSA  assumption  and  roughly  follows  [HSW14]  using  punctured  programming  [SW14]  techniques.  The 
main  proof  innovation  is  combining  a  rewinding  argument  with  indistinguishability  obfuscation  to  extract  a 
unique  signature. 

We  also  show  a  variation  of  this  idea  in  Appendix  A  that  is  a  universal  aggregator  of  unique  signatures, 

’We  slightly  abuse  notation  in  the  introduction  for  ease  of  exposition  by  using  the  names  Transform  and  Transform-Image  to 
refer  both  to  the  obfuscated  and  unobfuscated  forms  of  the  program.  In  the  main  body,  we  are  careful  about  these  distinctions. 

4We  require  in  verification  that  no  3-tuples  are  repeated.  I.e.,  for  all  i  yf  y,  (Verify,.  VK,.  m,, )  yf  (  Verify, .  VK, .  m, ). 

5  The  usual  complexity  leveraging  arguments  for  adaptive  security  can  be  applied  here  if  we  are  willing  to  make  sub¬ 
exponential  hardness  assumptions. 
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but  where  we  avoid  using  the  RSA  assumption.  (Indistinguishability  obfuscation  and  punctured  PRFs 
are  still  used.)  The  tradeoff  is  that  there  is  an  a  priori  bound  n  on  the  number  of  signatures  that  can  be 
aggregated.  In  the  construction,  the  parameters  will  grow  polynomially  with  n,  but  the  size  of  the  signatures 
is  independent  of  n.  We  also  conjecture  that  in  our  main  construction  the  RSA-type  transformed  signature 
can  be  replaced  by  a  BLS  [BLS01]  type  signature  (in  an  analogous  way  to  [HSW14]),  but  do  not  formally 
show  this. 

Universal  Aggregation  of  arbitrary  signatures  using  VBB  Obfuscation  While  covering  unique 
signatures  achieves  progress,  we  want  to  push  toward  our  central  goal  of  aggregating  arbitrary  signatures. 
Our  next  step  is  to  show  that  a  slight  tweak  to  the  previous  construction  gives  us  a  universal  aggregator  of 
arbitrary  signatures  under  a  specific  virtual  black  box  (VBB)  assumption.  This  appears  in  Section  5. 

It  might  first  seem  that  a  solution  proven  under  a  VBB  assumption  is  not  better  than  the  oracle  heuristic 
outlined  earlier.  However,  achieving  a  VBB  proof  provides  both  a  sounder  justification  and  is  more  technically 
challenging  than  the  oracle  heuristic.  First,  modeling  an  obfuscated  program  as  an  oracle  is  a  heuristic  —  a 
piece  of  code  is  clearly  a  different  object  than  an  oracle.  In  contrast,  a  VBB  assumption  could  be  true  for 
many  functionalities  even  though  there  exists  certain  functionalities  for  which  it  cannot  hold  [BGI+01]. 

Proving  our  construction  secure  under  a  VBB  definition  presents  an  interesting  technical  barrier.  A 
natural  proof  methodology  is  to  first  say  that  an  obfuscator  for  a  given  circuit  cannot  be  more  successful 
than  a  simulator  with  oracle  access  to  the  same  circuit  using  VBB.  And  then  making  further  hybrid  security 
arguments  leveraging  the  fact  that  the  simulator  has  oracle  access.  The  primary  problem  with  this  strategy 
is  that  while  the  universal  aggregator  security  game  gives  the  attacker  access  to  a  signing  oracle,  there  is  no 
place  to  “put”  this  signing  oracle  when  applying  the  VBB  security  game. 

We  overcome  this  obstacle  by  introducing  a  new  technique  that  we  call  “oracle  assimilation”  which  we 
believe  might  be  of  independent  interest.  In  our  construction,  the  Transform-VBB  program  behaves  in  almost 
the  same  way  as  Transform  before  except  an  extra  mode  bit  is  added  to  the  input.  If  this  mode  bit  b  is  set 
to  0,  it  indicates  normal  input  and  the  Transform-VBB  program  operates  roughly  as  described  above.  If  the 
mode  bit  is  set  to  1,  it  indicates  query  input  and  the  program  outputs  a  rejecting  _L  on  all  inputs  of  this 
type.  The  query  type  input  is  only  used  in  the  proof  and  not  in  the  construction. 

Our  proof  of  security  proceeds  by  a  sequence  of  games.  In  the  initial  security  game,  all  query  inputs 
output  a  rejecting  _L.  The  proof  (in  a  couple  of  steps)  then  moves  to  a  game  where  the  query  inputs 
will  take  a  form  of  (a,  to)  and  output  a  signature  on  m  under  the  challenge  input  secret  signing  key  if 
PRG(a)  =  PRG(a)  for  some  value  a  chosen  by  the  game,  but  hidden  from  the  attacker.  We  can  argue 
this  change  is  indiscernable  to  the  attacker  by  iO  and  pseudorandom  generator  security.  At  this  point  the 
security  game  will  use  the  query  interface  of  the  obfuscated  program  to  answer  signing  queries  and  we  can 
say  that  the  signing  oracle  was  “assimilated”  into  the  obfuscated  program.  Next,  we  can  use  VBB  security 
to  argue  that  there  must  exist  a  simulator  with  oracle  access  to  the  program  that  outputs  1  with  close  to  the 
same  probability  that  the  attacker  wins.  Now  that  the  input  signing  algorithm  is  accessed  by  an  oracle  we 
can  use  its  security  to  argue  that  the  game  is  indistinguishable  from  when  the  circuit  refuses  to  transform 
on  to*,  the  challenge  message.6  Finally,  we  use  VBB  again  to  reason  about  the  attack  algorithm’s  advantage 
when  given  this  second  circuit  that  will  not  transform  on  to*.  From  here,  the  proof  follows  as  in  the  unique 
signature  case. 

Stepping  back,  the  main  innovation  for  this  proof  is  to  use  punctured  programming  techniques  to  sublim- 
inally  assimilate  the  signing  oracle  for  one  scheme  into  the  obfuscated  program,  then  use  the  VBB  interface 
to  execute  the  proof.  We  expect  that  this  technique  will  be  useful  in  other  contexts.  One  interesting  view 
is  that  we  could  apply  either  this  VBB  argument  for  arbitrary  signatures  or  the  previous  iO  argument  for 
unique  signatures  to  this  single  construction.  So  a  user  with  any  signature  scheme  would  get  VBB  based 
security  and  if  a  user  had  a  unique  signature  scheme,  she  would  get  the  added  benefit  of  iO  based  security. 

®For  ease  of  exposition,  the  proof  in  the  main  body  proves  selective  security;  however,  we  show  how  a  minor  transformation 
of  the  construction  using  admissible  hash  functions  [BB04]  gives  adaptive  security  in  Appendix  B. 
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Aggregating  arbitrary  signatures  using  indistinguishability  obfuscation  For  our  final  contribu¬ 
tion,  we  return  to  our  goal  of  aggregating  arbitrary  signatures  using  indistinguishability  obfuscation.  Our 
primary  challenge  again  is  how  to  extract  an  input  forgery  from  the  attacker  in  a  proof.  The  previous  two 
methods  used  the  structure  of  a  unique  signature  and  an  oracle  interface,  neither  of  which  is  available  to  us 
now. 

We  overview  the  main  solution  ideas  and  our  proof  approach.  At  a  high  level,  we  devise  a  means  for  being 
able  to  extract  and  check  the  validity  of  a  single  signature  (from  the  aggregate)  of  our  choice  in  the  proof 
without  the  adversary  being  able  to  know  which  one  we  are  “looking  at”.  Thus,  we  build  our  confidence  in 
the  validity  of  all  the  signatures  by  being  able  to  check  any  given  one  of  them.  We  call  this  an  “enforce  all 
by  one”  technique. 

To  do  this,  we  first  use  additively  (or  singly)  homomorphic  encryption  to  combine  the  encryptions  of 
several  signatures  together  into  one  object  t.  Then  we  wrill  have  an  obfuscated  program  generate  a  PRF-type 
signature  component  s  on  a  message  representing  ciphertext  tag  t  along  with  tuples  {Verify ^ ,  VK;,  if  the 

input  contains  valid  signatures  on  each  message.  The  output  aggregate  signature  is  (Tag g  =  (t,s).  Although 
the  homomorphic  ciphertext  t  will  not  be  large  enough  to  contain  all  of  the  input  signatures,  in  the  proof 
it  can  be  used  to  remember  one  of  the  input  signatures  and  thus  provide  us  with  an  opportunity  to  extract 
a  forgery  on  the  input  signature.  The  difficulty  is  in  using  iO  to  ensure  that  an  attacker  can  only  output  a 
verifying  eragg  =  (t,  s)  on  a  ciphertext  “tag”  t  that  contains  a  proper  forgery  in  the  proof. 

Diving  in  a  little  further  in  our  solution,  the  setup  algorithm  will  be  parameterized  by  a  polynominal  n(-) 
that  gives  an  a-priori  bound  on  the  number  of  signatures  that  can  be  verified.  The  size  of  the  parameters 
will  grow  polynomially  with  n ,  but  the  signature  size  will  be  independent  of  it.  The  setup  algorithm  will 
output  n  ciphertexts  {count;  t—  HE.enc(pk,  0)};=i....n  each  of  which  is  an  encryption  of  0. 

The  universal  aggregation  algorithm  takes  input  {Verify;,  VK;,  to;,  ct;}.  It  then  computes  t  =  E;COunt;-cr;. 
Next  it  will  input  t  and  the  tuples  {Verify;,  VK;,  m;,  ex;}  to  an  obfuscated  program  AggSign  which  will  evaluate 
and  output  a  punctured  PRF  on  t  and  {Verify;,  VK;,  m;}  if  the  input  signatures  verify.  (We  will  return  shortly 
to  where  the  obfuscated  program  comes  from.) 

In  proving  security  we  perform  a  sequence  of  hybrids,  where  the  first  step  of  the  hybrid  is  to  guess  an 
index  j  (incurring  a  1/n  loss)  where  the  forgery  occurs.  Next,  we  change  count,  to  be  an  encryption  of  1. 
This  causes  an  honestly  computed  value  t  to  be  an  encryption  of  the  j-tli  signature  that  we  will  eventually 
use  for  extraction. 

The  challenge  at  this  point  is  to  come  up  with  a  formulation  of  the  program  AggSign  for  which  we 
can  prove  security  using  indistinguishability  arguments.  We  provide  two  approaches.  In  the  first  one  (see 
Section  6),  we  allow  AggSign  to  be  created  by  a  Universal  Sampler  (also  called  a  Universal  Parameters 
Scheme)  as  defined  by  Hofheinz  et  al.  [HJK+14].  A  Universal  Sampler  is  allowed  to  adaptively  sample 
from  an  arbitrary  (efficiently  computable)  distribution.  In  this  case  we  sample  from  an  obfuscation  of  the 
AggSign,  program  that  is  parameterized  to  only  work  with  a  given  tag  value  t.  As  noted  in  [HJK+14], 
Universal  Samplers  are  realizable  in  the  random  oracle  model  from  indistinguishability  obfuscation.  So  this 
solution  will  exist  in  the  random  oracle  model  as  well.  An  advantage  of  Universal  Samplers  is  that  they  can 
define  the  AggSign,  program  adaptively. 

We  also  propose  a  second  variation  of  this  solution  in  Section  7  that  does  not  need  the  random  oracle 
heuristic.  Instead  it  applies  complexity  leveraging  that  requires  assuming  sub-exponential  hardness  of  some 
of  the  underlying  computational  assumptions. 

1.1  Summary  of  our  results 

Our  results  are  summarized  in  the  following  table.  The  first  column  labels  the  construction.  The  remain¬ 
ing  columns  indicate:  type  of  signatures  that  can  be  aggregated,  selective  or  adaptive  security,  standard 
or  random  oracle  model  proofs,  whether  the  aggregator  is  bounded  or  not,  and  finally,  the  cryptographic 
assumptions  used  in  the  security  proof.  In  our  assumptions,  we  prefix  them  with  “subexp”  to  indicate  if 
sub-exponential  hardness  is  required  for  complexity  leveraging.  Since  PRFs,  PRGs,  and  (selectively-secure) 
puncturable  PRFs  are  constructible  from  one-way  functions,  we  list  OWF  as  the  assumption.  UPS  stands 
for  a  universal  parameters  scheme  [HJK+14]  (implied  by  iO  in  the  random  oracle  model),  HE  stands  for 
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singly  homomorphic  encryption,  iO  stands  for  indistinguishability  obfuscation,  and  VBB  stands  for  virtual 
black-box  obfuscation,  where  we  assume  that  VBB  holds  only  for  a  certain  limited  family  of  circuits. 


Construction 

Type 

Selective/ 

Adaptive 

RO 

Bounded 

Aggregator 

Assumptions 

Section  4 

Unique 

Selective 

No 

No 

iO,  RSA,  OWF 

Section  5 

Arbitrary 

Selective7 

No 

No 

iO,  VBB,  OWF 

Section  6 

Arbitrary 

Adaptive 

Yes 

Yes 

iO,  UPS,  HE,  OWF 

Section  7 

Arbitrary 

Selective 

No 

Yes 

subexp-iO,  HE,  subexp-OWF 

2  Preliminaries 

2.1  Notations 

For  any  set  X,  x  -e-  X  denotes  a  uniformly  random  element  drawn  from  X.  Given  integers  tckt,  tjnp,  tout,  let 
C[£ckt,  Anpi  4>ut]  denote  the  set  of  circuits  that  can  be  represented  using  £c^t  bits,  take  Unp  bits  as  input,  and 
output  tout  bits. 

2.2  Admissible  Hash  Functions 

We  recall  the  notion  of  admissible  hash  functions  due  to  Boneh  and  Boyen  [BB04] .  Here  we  state  a  simplified 
definition  from  [HSW14]. 

Definition  2.1.  Let  l,n  and  9  be  efficiently  computable  univariate  polynomials.  Let  h  :  {0,  l}dA)  — >. 
{0,  f}n(A)  an  effjcientiy  computable  function  and  AdmSample  a  PPT  algorithm  that  takes  as  input  1A 
and  an  integer  q ,  and  outputs  u  G  {0, 1,  -L}™(A).  For  any  u  G  {0, 1,  _L}ra(A),  define  Pu  :  {0, 1}^A)  — »  {0, 1}  as 
follows:  Pu(x )  =  0  if  for  all  1  <  j  <  n( A),  h{x)j  ^  Uj,  else  Pu(x)  =  1  (where  Uj  denotes  the  jth  bit  of  u ). 

We  say  that  (h,  AdmSample)  is  0-admissible  if  the  following  condition  holds: 

For  any  efficiently  computable  polynomial  Q ,  for  all  x1,. . .  ,x^x\x*  G  {0, 1}^A\  where  x*  £  {xl}i, 
Pr[(yi  <  Q(X),Pu(xi)  =  1)  A  Pu(x *)  =  0]  > 
where  the  probability  is  taken  over  u  <—  AdmSample(lA,  Q(A)). 

Theorem  2.1  (Admissible  Hash  Function  Family  [BB04],  simplified  proof  in  [FHPS13]).  For  any  effi¬ 
ciently  computable  polynomial  l ,  there  exist  efficiently  computable  polynomials  n,  9  such  that  there  exist 
^-admissible  function  families  mapping  l  bits  to  n  bits. 

2.3  Signature  Schemes 

A  signature  scheme  S  with  message  space  A4(A),  signature  key  space  SK.( A)  and  verification  key  space  V/C(A) 
consists  of  the  following  algorithms. 

•  Gen(lA)  The  setup  algorithm  is  a  randomized  algorithm  that  takes  as  input  security  parameter  A  and 
outputs  signing  key  SK  €  SIC  and  verification  key  VK  G  V/C. 

•  Sign(SK,m)  The  signing  algorithm  takes  as  input  the  signing  key  SK  G  SK.  and  a  message  m  G  M 
and  outputs  a  signature  a. 

•  Verify(VK,  ?n,  a)  The  verification  algorithm  takes  as  input  a  verification  key  VK  G  VK,  message  to  G  A4 
and  signature  a  and  outputs  either  0  or  1. 

7In  Appendix  B,  we  modify  this  construction  to  achieve  adaptive  security  without  any  additional  assumptions. 
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Correctness  For  all  A  £  N,  (SK,  VK)  •<—  Gen(lA),  messages  m  £  At(A),  we  require  that  Verify(VK,  m,  Sign(SK,  to)) 

1. 

Security  The  security  notion  for  signature  schemes,  formalized  by  Goldwasser,  Micali  and  Rivest  [GMR88], 
is  based  on  the  following  game  between  an  adversary  A  and  a  challenger. 

1.  Setup  Phase  Challenger  chooses  (SK,  VK)  -s—  Gen(lA). 

2.  Signing  Phase  A  sends  signature  query  rrii  £  A4  and  receives  cq  Sign(SK,  ?rq)- 

3.  Forgery  Phase  A  finally  outputs  a  message  m  and  signature  er. 

A  wins  if  m  was  not  queried  during  the  Signing  Phase  and  Verify(VK,  m,  a)  =  1.  Let  Adv_/i(A)  =  Pr[_4  wins  ]. 

Definition  2.2.  A  signature  scheme  <S=(Gen,  Sign,  Verify)  is  existentially  unforgeable  under  a  chosen  message 
attack  if  for  all  PPT  adversaries  A.  Adv_4(A)  is  negligible  in  A. 

Goldwasser  and  Ostrovsky  [G093]  introduced  the  notion  of  unique  signature  schemes  8.  In  a  unique 
signature  scheme,  there  is  a  unique  valid  signature  corresponding  to  any  message,  verification  key  pair. 

Definition  2.3  (Unique  Signatures).  A  signature  scheme  S  =  (Gen,  Sign,  Verify)  is  said  to  be  unique  if  for 
all  tuples  (VK,  ?n,  (Ji,  (J2),  either  ai  =  02  or  Verify(VK,  m,  ui)  =  0  or  Verify(VK,  m,  of)  =  0. 

In  this  work,  we  will  be  considering  signature  schemes  where  the  messages,  signatures  and  verification  keys 
have  bounded  length,  and  the  verification  algorithm  is  deterministic.  In  practice,  most  signature  schemes 
use  a  collision  resistant  hash  function  to  compress  an  arbitrary  length  message  to  bounded  length.  We  will 
be  dealing  with  these  ‘post-hash’  messages. 

Definition  2.4  ((Gk>  Gnsg)  £sig)- bounded  length  signature  scheme).  Let  Gk>  Unsg  and  Gig  be  fixed  polynomi¬ 
als.  A  signature  scheme  S  =  (Gen,  Sign,  Verify)  is  said  to  be  (Gk>  Gnsg)  Gig )-bounded  length  if  all  verification 
keys  output  by  Gen(lA)  have  length  at  most  Gk(A),  Sign  takes  as  input  messages  of  length  at  most  Gnsg(A) 
and  outputs  signatures  of  length  bounded  by  Gig(A- 

Since  the  verification  keys,  messages  and  signatures  have  bounded  length,  we  can  view  Verify  as  a  cir¬ 
cuit  with  three  inputs-  verification  key  VK,  message  m  and  signature  a.  We  assume  every  circuit  can  be 
represented  as  a  binary  string. 

Definition  2.5  ((Ger>  Gk>  Gnsg  >  Gig )-length  qualified  signature  scheme).  Let  £ver,  Gk>  Gnsg,  Gig  be  fixed  poly¬ 
nomials.  A  (Gk>Gnsg)4ig)-bounded  length  signature  scheme  S  =  (Gen,  Sign,  Verify)  is  said  to  be  (£ver,  Gk> 

Gnsg)  Gig)Gen<7t/i  qualified  if  the  verification  circuit  Verify  and  signing  circuit  Sign  can  be  represented  as  a 
binary  string  of  length  at  most  Ger(A)  bits. 

Abusing  notation,  we  will  say  that  a  tuple  (Verify,  VK,  to,  a)  is  a  (Gen  Gk>  Gnsg)  GigHength  qualified  tuple 
if  Verify  is  a  circuit  that  can  be  represented  using  Ger(A)  bits,  and  VK,m,  cr  are  of  length  at  most  Gk(A), 

Gnsg(A)  and  Gig  (A)  respectively.  Similarly,  a  tuple  (Verify,  VK,  m)  is  (Gen  Gk>  Gnsg)-length  qualified  if 
Verify,  VK  and  to  have  length  at  most  Ger(A),  Gk(A)  and  Gk(A)  respectively. 

2.4  Additively  Homomorphic  Encryption 

In  this  work,  we  will  be  using  encryption  schemes  which  allow  us  to  perform  additive  operations  on  ci¬ 
phertexts.  Many  encryptions  schemes  [GM84,  Ben87,  NS98,  OU98,  Pai99,  DJ03]  have  the  ‘additive  homo¬ 
morphism’  property.  We  will  now  define  the  syntax  and  security  definition  for  an  additively  homomorphic 
encryption  scheme. 

Let  p  be  a  prime9.  An  additively  homomorphic  encryption  scheme  US  with  message  space  Fp  and 
ciphertext  space  Che  consists  of  the  following  algorithms. 

x  Also  known  as  invariant  signature  schemes. 

9The  prime  p  is  a  property  of  the  encryption  scheme. 
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•  HE.setup(lA)  The  setup  algorithm  takes  the  security  parameter  as  input  and  outputs  public  key  pk, 
secret  key  sk. 

•  HE.enc(pk,  m)  The  encryption  algorithm  takes  as  input  a  public  key  pk  and  message  m  G  Fp  and 
outputs  a  ciphertext  ct  €  Che- 

•  HE.dec(sk,  ct)  The  decryption  algorithm  takes  as  input  a  secret  key  sk,  a  ciphertext  ct  G  Che  and  either 
outputs  an  element  in  Fp  or  _L. 

•  HE.add(pk,  cti,ct2)  The  addition  algorithm  takes  as  input  a  public  key  pk  and  two  ciphertexts  cti,  ct2  G 
Che  and  outputs  a  ciphertext  ct. 

For  simplicity  of  notation,  we  will  represent  HE.add(pk,  cti,  ct2)  as  cti  +  ct2. 

Correctness  We  require  the  following  correctness  property: 

•  Let  p  be  any  prime  and  q  any  polynomial  in  A.  For  any  A  G  N,  (pk,  sk)  g-  HE.setup(lA),  q  messages 
mi, . . . ,  mq  G  Fp,  the  following  must  hold. 


HE.dec(sk,  HE.enc(mi)  +  . . .  +  HE.enc(m9))  =  mi  +  . . .  +  mq. 


Note  that  given  an  encryption  ct  of  message  m  G  Fp,  and  a  plaintext  a  G  Fp,  one  can  use  HE. add  to 
compute  an  encryption  of  m  •  a  efficiently.  Let  a  ■  ct  represent  this  operation. 

Security  The  security  game  is  the  usual  IND-CPA  security  game  between  a  challenger  and  a  PPT  adversary 

Att. 

1.  The  challenger  chooses  (pk,  sk)  g-  HE.setup(lA)  and  sends  pk  to  Att. 

2.  Att  sends  messages  mo,  mi  G  Fp  to  the  challenger. 

3.  The  challenger  chooses  b  G-  {0, 1} ,  computes  cti,  G-  HE.enc(pk,  nib)  and  sends  ct&  to  Att. 

4.  Att  finally  outputs  a  guess  b' . 

Att  wins  if  b  =  b' .  Let  Adv^f  =  Pr[Att  wins  ]  —  1/2. 

Definition  2.6.  An  additively  homomorphic  encryption  scheme  T~L£  is  secure  if  for  all  PPT  adversaries  Att, 
Adv^f  is  negligible  in  A. 

2.5  Obfuscation 

We  recall  the  definition  of  indistinguishability  obfuscation  from  [GGH+13,  SW14], 

Definition  2.7.  (Indistinguishability  Obfuscation)  Let  C  =  {Ca}aen  be  a  family  of  polynomial-size  circuits. 
Let  iO  be  a  uniform  PPT  algorithm  that  takes  as  input  the  security  parameter  A,  a  circuit  C  G  C\  and 
outputs  a  circuit  C' .  iO  is  called  an  indistinguishability  obfuscator  for  a  circuit  class  {Ca}  if  it  satisfies  the 
following  conditions: 

•  (Preserving  Functionality)  For  all  security  parameters  A  G  N,  for  all  C  G  C\,  for  all  inputs  x ,  we  have 
that  C'{x)  =  C( x)  where  C'  G-  iO{  1A,  C). 

•  (Indistinguishability  of  Obfuscation)  For  any  (not  necessarily  uniform)  PPT  distinguisher  B  =  (Samp,  V), 
there  exists  a  negligible  function  negl(-)  such  that  the  following  holds:  if  for  all  security  parameters 

A  G  N,  Pr[Va:,  C0(x)  =  Ci(x )  :  (C0-Ci;a)  G-  Samp(  1A)]  >  I  —  negl(A),  then 

|Pr[2V,i0(lA,Co))  =  1  :  (C^C^a)  4-  Samp(  1A)]- 
Pi[V(a,iO(lx,C1))  =  1  :  (C0-,Cr,(?)  G-  Samp(  1A)]|  <  negl(A). 
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In  a  recent  work,  [GGH+13]  showed  how  indistinguishability  obfuscators  can  be  constructed  for  the  cir¬ 
cuit  class  P/poly.  We  remark  that  (Samp,  V)  are  two  algorithms  that  pass  state,  which  can  be  viewed 
equivalently  as  a  single  stateful  algorithm  B.  In  our  proofs  we  employ  the  latter  approach,  although  here  we 
state  the  definition  as  it  appears  in  prior  work. 

A  stronger  notion  of  obfuscation,  virtual  black  box  obfuscation  was  proposed  by  Barak  et  al.  [BGI+12]. 

Definition  2.8  (Virtual  Black-Box  Obfuscator).  Let  C  =  {CvIveN  be  a  family  of  polynomial-size  circuits. 
Let  O  be  a  PPT  algorithm  that  takes  as  input  the  security  parameter  A,  a  circuit  C  £  C\  and  outputs  a 
circuit  C .  O  is  called  a  virtual  black-box  obfuscator  for  a  circuit  class  {Ca}asn  if  it  satisfies  the  following 
conditions: 

•  (Preserving  Functionality)  For  all  security  parameters  A  €  N,  for  all  C  £  C\,  for  all  inputs  x,  we  have 
that  C'(x)  =  C(x)  where  C'  -S—  0(  1A,  C). 

•  (Virtual  Black-Box)  For  every  (non-uniform)  PPT  algorithm  A,  there  exists  a  PPT  simulator  S  such 
that,  for  all  C  £  C\, 

Pr[A(e>(l\C))  =  1]  -  Pr[S,c(l\llc'l)  =  1]  <  negl(A) 

For  simplicity  of  notation,  we  will  drop  the  dependence  of  iO  and  O  on  l'\ 


2.6  Puncturable  Pseudorandom  Functions 


The  notion  of  constrained  PRFs  was  introduced  in  the  concurrent  works  of  [BW13,  BGI13,  KPTZ13]. 
Punctured  PRFs,  first  termed  by  [SW14]  are  a  special  class  of  constrained  PRFs. 

A  PRF  F  :  K.  x  X  y  is  a  puncturable  pseudorandom  function  if  there  is  an  additional  key  space  tCp 
and  three  polynomial  time  algorithms  A.setup,  A.eval  and  A.puncture  as  follows: 

•  A.setup(lA)  is  a  randomized  algorithm  that  takes  the  security  parameter  A  as  input  and  outputs  a 
description  of  the  key  space  K.,  the  punctured  key  space  K,p  and  the  PRF  F. 

•  A.puncture(A',  x)  is  a  randomized  algorithm  that  takes  as  input  a  PRF  key  K  £  tC  and  x  £  X,  and 
outputs  a  key  Kx  £  Kp. 

•  F.eva\(Kx,  x')  is  a  deterministic  algorithm  that  takes  as  input  a  punctured  key  Kx  £  K,p  and  x'  £  X. 
Let  K  £  KL,  x  £  X  and  Kx  ■£-  A.puncture(A)  x).  For  correctness,  we  need  the  following  property: 


F.eva\(Kx,  x') 


F(K,x')  if  x  ^  x' 
T  otherwise 


In  this  work,  we  will  only  need  selectively  secure  puncturable  PRFs.  The  selective  security  game  between 
the  challenger  and  the  adversary  A  consists  of  the  following  phases. 


Challenge  Phase  A  sends  a  challenge  x*  £  X.  The  challenger  chooses  uniformly  at  random  a  PRF  key 
I\  ■£-  K,  and  a  bit  b  ■£-  {0,1}.  It  computes  K{x*}  ■£-  F. puncture} AA x*).  If  b  =  0,  the  challenger  sets 
y  =  F(K,x*),  else  y  £-  y.  It  sends  K{x*},  y  to  A. 


Guess  A  outputs  a  guess  b'  of  b. 

A  wins  if  b  =  b' .  The  advantage  of  A  is  defined  to  be  Adv{}(A)  =  Pr[A  wins]. 

Definition  2.9.  The  PRF  A  is  a  selectively  secure  puncturable  PRF  if  for  all  probabilistic  polynomial  time 
adversaries  A,  Adv^(A)  is  negligible  in  A. 
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2.7  Universal  Parameters 


In  a  recent  work,  Hofheinz  et  al.  [HJK+14]  introduced  the  notion  of  universal  parameters.  A  universal 
parameters  scheme  U,  parameterized  by  polynomials  Akt,  Anp  and  £outt  consists  of  algorithms  UniversalGen 
and  InduceGen  defined  below. 

•  UniversalGen(lA)  takes  as  input  the  security  parameter  A  and  outputs  the  universal  parameters  U. 

•  InduceGen  (£7,  d)  takes  as  input  the  universal  parameters  U  and  a  circuit  d  of  size  at  most  7ckt  bits.  The 
circuit  d  takes  as  input  £-ulp  bits  and  outputs  £out  bits. 

In  this  work,  we  will  be  using  a  universal  parameter  scheme  that  is  adaptively  secure  in  the  random 
oracle  model.  In  order  to  define  adaptive  security  for  universal  parameters,  let  us  first  define  the  notion  of 
an  admissible  adversary  A. 

An  admissible  adversary  A  is  defined  to  be  an  efficient  interactive  Turing  Machine  that  outputs  one  bit, 
with  the  following  input/output  behavior: 

•  A  takes  as  input  security  parameter  A  and  a  universal  parameter  U. 

•  A  can  send  a  random  oracle  query  (RO.a:),  and  receives  the  output  of  the  random  oracle  on  input  x. 

•  A  can  send  a  message  of  the  form  (params,  d)  where  d  £  C[£c kt,  Uip, -^out]-  Upon  sending  this  message, 
A  is  required  to  honestly  compute  pd  =  lnduceGen([/,  d),  making  use  of  any  additional  random  oracle 
queries,  and  A  appends  ( d,pd )  to  an  auxiliary  tape. 

Let  SimUGen  and  SimRO  be  PPT  algorithms.  Consider  the  following  two  experiments: 

Real'4(lA): 

1.  The  random  oracle  RO  is  implemented  by  assigning  random  outputs  to  each  unique  query  made  to  RO. 

2.  U  £-  UniversalGenR0(lA). 

3.  A(1X,U)  is  executed,  where  every  message  of  the  form  (RO,a;)  receives  the  response  RO(:r). 

4.  Upon  termination  of  A ,  the  output  of  the  experiment  is  the  final  output  of  the  execution  of  A. 

ldeal^mUGen  SimR0(lA): 

1.  A  truly  random  function  F  that  maps  £ckt  bits  to  £out  bits  is  implemented  by  assigning  random  f?out-bit 
outputs  to  each  unique  query  made  to  F  .  Throughout  this  experiment,  a  Parameters  Oracle  O  is 
implemented  as  follows:  On  input  d,  where  d  £  C[£ckt,  £inp>  4>utL  O  outputs  d(F(d)). 

2.  (U,  t)  4—  SimUGen(lA).  Here,  SimUGen  can  make  arbitrary  queries  to  the  Parameters  Oracle  O. 

3.  A(1X,U)  and  SimRO(r)  begin  simultaneous  execution. 

-  Whenever  A  sends  a  message  of  the  form  (RO,a:),  this  is  forwarded  to  SimRO,  which  produces  a 
response  to  be  sent  back  to  A. 

-  SimRO  can  make  any  number  of  queries  to  the  Parameter  Oracle  O. 

-  Finally,  after  A  sends  any  message  of  the  form  (params,  d),  the  auxiliary  tape  of  A  is  examined 
until  an  entry  of  the  form  ( d,pd )  is  added  to  it.  At  this  point,  if  pd  is  not  equal  to  d(F(d)),  then 
experiment  aborts,  resulting  in  an  Honest  Parameter  Violation. 

4.  Upon  termination  of  A ,  the  output  of  the  experiment  is  the  final  output  of  the  execution  of  A. 

Definition  2.10.  A  universal  parameters  scheme  U  =  (UniversalGen,  InduceGen),  parameterized  by  poly¬ 
nomials  f'cktjAnp  and  £0uti  is  said  to  be  adaptively  secure  in  the  random  oracle  model  if  there  exist  PPT 
algorithms  SimUGen  and  SimRO  such  that  for  all  PPT  adversaries  A,  the  following  hold: 

pr[ldeal^mUGen ,SimR0(lA)  aborts  ]  =  O10 

and 

|  Pr[Rea|-4(lA)  =  1]  -  Pr [Idea l^mUGen ,SimR0(lA)  =  1]|  <  negl(A) 

10The  definition  in  [HJK+14]  only  requires  this  probability  to  be  negligible  in  A.  However,  the  construction  actually  achieves 
zero  probability  of  Honest  Parameter  Violation.  Hence,  for  the  simplicity  of  our  proof,  we  will  use  this  definition. 
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Hofheinz  et  al.  [HJK+14]  construct  a  universal  parameters  scheme  that  is  adaptively  secure  in  the  random 
oracle  model,  assuming  a  secure  indistinguishability  obfuscator,  a  selectively  secure  puncturable  PRF  and 
an  injective  one  way  function. 

2.8  RSA  Assumption 

Assumption  1  (RSA  [RSA78]).  Let  A  be  the  security  parameter.  Let  N  =  pq  be  the  RSA  modulus,  where 
p1  q  are  randomly  chosen,  distinct,  A-bit  primes.  Let  e  be  a  randomly  chosen  positive  integer  less  than  and 
relatively  prime  to  (j>(N)  =  (p—l)(q—l)  and  y  <—  Zjv-  For  any  PPT  algorithm  A,  Pr[a;  A(N,  e,  y)and  xe  = 
y]  <  negl(A). 

3  Universal  Signature  Aggregators 

In  this  section,  we  define  the  notion  of  universal  signature  aggregators.  Let  Ger,  Gk,  Gnsg,  Gig  be  polyno¬ 
mials.  Given  any  security  parameter  A,  Ger(A)  represents  a  bound  on  the  size  of  verification  circuits,  Gk(A) 
represents  a  bound  on  the  size  of  verification  key,  Gnsg  (A)  is  a  bound  on  the  length  of  messages  signed  and 
Gig (A)  is  a  bound  on  the  size  of  signatures.  For  simplicity  of  notation,  we  will  drop  the  dependence  on  A 
when  the  context  is  clear. 

A  universal  signature  aggregator  (Gen  Gk,  Gnsg,  Gig)-UniversalSigAgg  consists  of  three  algorithms  UniversalSetup, 
UniversalAgg  and  UniversalVerify  defined  as  follows. 

•  UniversalSetup(lA)  is  a  randomized  algorithm  that  takes  as  input  security  parameter  A  and  outputs 
public  parameters  PP. 

•  UniversalAgg(PP,  {(Verify^  VKj,TOj,CTi)}-=1)  is  a  deterministic  algorithm  that  takes  as  input  security 
parameter  A,  public  parameters  PP  and  t  tuples  (Verify^,  VK, ,  m,; ,  ay)  (for  some  arbitrary  t)  where  each 
tuple  is  (Gen  Gk,  Gnsg,  Gig) -length  qualified.  It  outputs  an  aggregate  signature  o’agg  whose  length  is 
polynomial  in  A,  but  independent  of  t. 

•  UniversalVerify(PP,  {(Verify.^,  VKi,  m,;)}|=1,  o-agg)  is  a  deterministic  algorithm  that  takes  as  input  secu¬ 
rity  parameter  A,  public  parameters  PP,  t  tuples  (Verify^  VK,,  ?rq)  that  are  (Gen  Gk,  GnsgHength 
qualified,  and  an  aggregated  signature  o’agg.  It  outputs  either  0  or  1. 

For  our  constructions,  we  will  assume  that  all  verification  circuits  have  Ger  bit  representation,  all  ver¬ 
ification  keys  have  length  Gk,  ah  messages  signed  have  length  £msg  and  the  corresponding  signatures  have 
length  Gig- 

Correctness  Let  {(Verify,;,  VK,,  rrii,  oy)}*=1  be  any  t  distinct  tuples  that  are  (Gen  Gk,  Gnsg,  Gig)-length 
qualified  and  for  all  i  <  t,  Verify , (VKj,  ?7q,  oy)  =  1.  For  all  A  G  N,  PP  -S—  UniversalSetup(lA)  and  <jagg  <— 
UniversalAgg(lA,  PP,  { (Verify i:  VKi;  ?n,;,  o’j)}j),  we  require  that  UniversalVerify(PP,  {(Verifyi;  VK,;,  rrii)}i,  aagg )  = 

1. 

3.1  Security  of  Universal  Signature  Aggregators 

We  now  proceed  to  the  formal  security  definition  for  universal  signature  aggregators. 

Let  S  =  (S. Gen,  S. Sign,  S. Verify)  be  a  secure  (Gen  Gk,  Gnsg,  GigHength  qualified  signature  scheme. 
Consider  the  following  security  game  between  an  adversary  A  and  the  challenger. 


ExPas(a): 

•  Setup  Phase  Challenger  chooses  (SK,VK)  5.Gen(lA),  computes  PP  UniversalSetup(lA)  and 
sends  PP,  VK  to  A. 
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•  Signing  Phase  A  sends  signing  query  x{,  and  receives  a,  <—  <S.Sign(SK,  a;*). 

•  Forgery  A  finally  outputs  t  tuples  (Verify,-,  VK,, rn.j)  and  an  aggregated  forgery  cragg. 

A  wins  if  there  exists  i*  £  [f]  such  that  Verify^,  =  S. Verify,  VKj*  =  VK,  message  irif  was  not 
queried  during  the  signing  phase  and  UniversalVerify(PP,  {(Verify;,  VK,;,  m*)},  (7agg)  =  1.  Let  Adv_4s(A)  = 
Pr[A  wins  Exp^  5(A)]. 

Definition  3.1.  Let  S  be  a  (^Ver,^vk,^msg>4ig)-  length  qualified  secure  signature  scheme.  A  universal 
signature  aggregator  scheme  (f?Ver  Ak,^msg,4ig)-UniversalSigAgg  is  secure  with  respect  to  scheme  S  if  for  all 
PPT  adversaries  A,  Adv_4s(A)  is  negligible  in  A. 

We  can  also  define  a  weaker  selective  notion  where  the  adversary  A  chooses  the  message  m  correspond¬ 
ing  to  (S. Verify,  VK)  before  receiving  the  public  parameters  PP.  More  formally,  the  selective  experiment 
Exp^j5(A)  is  defined  as  follows. 

Expts(A): 

•  A  sends  a  message  m  to  the  challenger. 

•  Setup  Phase  Challenger  computes  (SK,VK)  4—  <S.Gen(lA),  PP  <—  UniversalSetup(lA)  and  sends 
PP,  VK  to  A. 

•  Signing  Phase  A  sends  signing  query  Xi  yf  m,  and  receives  a,  £-  <S.Sign(SK,  Xi). 

•  Forgery  A  finally  outputs  t  tuples  (Verify^,  VKj, to*)  and  an  aggregated  forgery  <ragg. 

A  wins  if  there  exists  an  i*  £  [t]  such  that  Verify^  =  S. Verify,  VK,-  =  VK,  *  =  m  and  UniversalVerify(PP, 
{(Verify.,,  VK^m,;)},  CTagg)  =  1.  Let  Adv^j5(A)  =  Pr[A  wins  Exp^j5(A)]. 

Definition  3.2.  Let  S  be  a  (fver,  fvk,  fmsg,  4igj-  length  qualified  secure  signature  scheme.  A  universal 
signature  aggregator  scheme  (fVeiAvk,  Usg,4ig)-UniversalSigAgg  is  selectively  secure  with  respect  to  scheme 
S  if  for  all  PPT  adversaries  A,  Adv^  5(A)  is  negligible  in  A. 

In  certain  situations,  it  may  be  possible  that  the  number  of  signatures  to  be  aggregated  is  known  in 
advance.  In  such  a  scenario,  we  can  use  bounded  universal  signature  aggregators  (defined  below). 

Definition  3.3.  An  n-bounded  universal  signature  aggregator  scheme  (£ver,  £vk,  f'msg,  4ig)-UniversalSigAgg 
=  (UniversalSetup,  UniversalAgg,  Universal  Verify)  is  a  universal  signature  aggregator  in  which  UniversalSetup 
takes  an  additional  input  1”.  The  public  parameters  output  by  UniversalSetup  have  size  bounded  by  some 
polynomial  in  A  and  n.  However,  the  aggregated  signature  has  size  bounded  by  a  polynomial  in  A,  but  is 
independent  of  n. 


4  Universally  Aggregating  Unique  Signatures 

We  will  now  describe  our  universal  signature  aggregator  (£veT,  Uc,  4nsg,  4ig)-UniversalSigAgg.  Let  iO  be  a 
secure  indistinguishability  obfuscation  scheme,  F  a  puncturable  PRF  with  key  space  1C,  punctured  key  space 
K,p,  domain  X  =  {0,  l}<ver  x  {0,  l}£vk  x  {0, and  range  y  =  Z*N  for  some  randomly  chosen  RSA  modulus 
N,  and  algorithms  F.setup,  F.puncture,  F.eval.  Our  scheme  consists  of  the  three  algorithms  UniversalSetup, 
UniversalAgg  and  UniversalVerify. 
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UniversalSetup(lA)  UniversalSetup  first  chooses  an  RSA  modulus  N  and  e  -e-  h*^Ny  Next,  it  chooses  a  PRF 
key  K  -e-  P.setup(lA)  and  computes  obfuscations  of  the  programs  Transformer^'11  and  Transform-Image^  K  e12 
defined  below.  It  sets  the  public  parameters  to  be  PP  =  ^©(Transformer^))  ^(Transform-Image^  K  e),  N,  e). 

Transformer^  : 

Inputs:  Verify'  €  {0, 1}*™,  VK'  G  {0,  l}^k,  m'  G  {0, 1}^,  a'  G  {0, 1}^. 

Constants  :  RSA  modulus  N  G  N,  K  G  1C. 

if  Verify' (VK',  m! ,  a')  =  0  then 
Output  _L. 
else 

Output  F(K,  Verify'||VK'||m'). 

end  if 


Transform-Image^  K  e  : 

Inputs:  Verify'  G  {0, 1}^",  VK'  G  {0,  l}^k,  m’  G  {0, l}*™*. 
Constants  :  RSA  modulus  N  G  N,  K  G  /C,  e  G  Z^er). 

Let  w  =  F(K,  Verify'||VK'||rn').  Output  we  (mod  N). 


UniversalAgg(PP,{(Verifyi,VKj,mj,crj)}"=1):  Let  PP  =  (Pi,  P2,  N,  e).  UniversalAgg  first  checks  if  the  n 
tuples  are  distinct.  If  not,  it  outputs  _L.  Else,  it  computes  tj  =  Pi  (Verify^  VKj,  ay)  for  each  i  <  n.  If 
tj  =_L  for  some  i,  then  UniversalAgg  outputs  _L,  else  it  outputs  crag g  =  II ik  (mod  N ). 

UniversalVerify(PP,  {(Verifyi5  VKj,  mj)}"=1,  f7agg):  Let  PP  =  (Pi,P2,  N,  e).  UniversalVerify  first  checks  if  all 
n  tuples  are  distinct.  If  not,  it  outputs  0.  Else,  it  computes,  for  all  i  <  n,  Sj  =  Transform-lmage(Verifyi,  VK,,  rrij). 
^  01,  si)  =  algg  (mod  N),  it  outputs  1,  else  it  outputs  0. 

Correctness:  Let  { (Verify ^ ,  VK*,  m»,  <7,)}"=1  be  n  tuples  such  that  they  are  all  distinct  and  Verify^VK,,  m, ,  ay) 
1  for  all  i  <  n.  Fix  any  A  G  N,  PP  <—  UniversalSetup(lA),  (cragg)  <—  UniversalAgg(PP,  {(Verify^,  VK,;,  m,,  oy)}). 
Then, 


cragg  =  (II  Transform  (Verify,,  VK;,  mi;  ay))e  (mod  N ) 

=  (n^(^Verifyi||VKi||ml))e  (mod  N ) 

=  (JI  P(Ff,  Verifyi||VKj||rnj)e)  (mod  N) 

=  (JI  Transform-lmage^j^  e(Verifyj,  VK.j,  mi))  (mod  N) 

Also,  note  that  the  size  of  the  aggregated  signature  (cragg  G  Z^)  depends  only  on  the  security  parameter  A, 
but  not  on  the  number  of  signatures  aggregated. 

4.1  Proof  of  Security 

In  this  subsection,  we  will  show  that  our  construction  from  Section  4  is  selectively  secure  with  respect  to 
secure  unique  signature  schemes. 

11Padded  to  be  of  the  same  size  as  TransformAlt  and  Transform-Reject. 

12Padded  to  be  of  the  same  size  as  Transform-Image-1. 
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Theorem  4.1.  Assuming  iO  is  a  secure  indistinguishability  obfuscator,  F  is  a  selectively  secure  puncturable 
PRF  and  RSA  is  secure,  for  all  (£ver,  fvk,  4nsg!  4ig)-length  qualified  secure  unique  signature  schemes  S,  the 
universal  signature  aggregator  (£ver,  4k,  4nsg,  4ig)-UniversalSigAgg  is  selectively  secure  with  respect  to  S. 

Let  S  =  (S. Gen,  S. Sign, S. Verify)  be  a  secure  (lvel,  4k,  £msg,  4ig)-length  qualified  unique  signature 
scheme,  and  Att  a  PPT  adversary.  In  order  to  prove  this  theorem,  we  will  define  a  sequence  of  experiments 
Game  0,  . . Game  3,  where  Game  0  =  Exp^°*t  s. 

4.1.1  Sequence  of  Games 

Game  0:  This  game  corresponds  to  Exp^  s.  The  adversary  Att  first  selectively  sends  message  to,  and  then 
receives  the  verification  key  and  public  parameters  for  the  aggregator.  Next,  the  adversary  makes  signing 
queries,  and  finally  submits  the  forgery. 

1.  Att  sends  message  m. 

2.  Compute  (SK,  VK)  4—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  4—  Z ^Ny  K  4—  F.setup(lA)  and  set 
PP  =  (iO(Transformjv,jc),  iC^Transform-lmagejv  K  e),  N,  e).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  to,  compute  cr ;  4-  <S.Sign(SK,  a;*)  and  send  cq  to  Att. 

4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify;,  VK.;,  rrii)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify.;,  = 

S. Verify,  VK;*  =  VK  and  To;.  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK,,  m;)  },  cragg)  =  1. 

Game  1:  This  game  is  exactly  similar  to  the  previous  one,  except  that  the  program  Transform  is  replaced  by 
Transform-Reject13  which  outputs  _L  if  the  input  tuples  is  (S. Verify,  VK,  m,  cr)  even  if  <S.Verify(VK,  to,  a)  =  1. 
Also,  it  uses  a  PRF  key  punctured  at  y  =  <S.Verify||VK||m. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  4—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  4—  h*^Ny  K  4—  F.setup(lA). 

Set  y  =  5.Verify||VK||TO,  compute  K{y}  4—  F.puncture(A",  y)  and  PP  =  (i(T(Transform-RejectyiAr  A-{,yj), 
iOjTransform-lmage^  ^  g),  N,  e).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  to,  compute  cq  4-  <S.Sign(SK,  Xi)  and  send  cr;  to  Att. 

4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify;,  VK.j,  TOj)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify.;,  = 

S. Verify,  VKj,  =  VK  and  m;»  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK;,  mi)  },  cragg)  =  1. 

Transform-Reject^  N  : 

Inputs:  Verify'  €  {0, 1}*™,  VK'  £  {0,  l}^k,  m'  £  {0, 1}^,  a'  £  {0,  l}4i<r 
Constants  :  y  £  {0,  l}^var  x  {0,  l}^vk  x  {0,  l}lmss,  RSA  modulus  N  £  N, 

K{y}  £  Kp. 

if  Verify'(VK',  to',  a')  =  0  then 
Output  _L. 

else  if  Verify'HVK'llm/  =  y  then 
Output  _L. 
else 

Output  F. eva  I  ( K{  y } ,  Ve r i fy 1 '  \  |  VK'  1 1  m' ) . 

end  if 


Game  2:  This  game  is  similar  to  the  previous  one,  except  that  the  program  Transform- 1  mage  is  replaced 
by  Transform-Image-114.  It  uses  a  PRF  key  punctured  at  y  =  iS.Verify||VK||m.  For  input  y,  it  outputs  a 
hardwired  constant  2.  In  this  game,  z  is  set  to  be  F(K,y)e. 

13Padded  appropriately  to  be  of  the  same  size  as  Transform  and  TransformAlt. 

14Padded  appropriately  to  be  of  the  same  size  as  Transform-Image. 
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1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  G-  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  G-  Z and  K  G-  13setup(lA). 

Set  y  =  5.Verify||VK||m.  Compute  K{y}  G-  F.puncture(iG, y),  w  =  F(K,y)  and  z  =  we  (mod  N). 

Set  PP  =  (^(Transform-Reject^  jv K ryi),  iC^Transform-lmage-lyjv.Aqi/}  2  e),  N,  e)  and  send  PP,  VK 
to  Att. 

3.  For  each  signing  query  X;  ^  m,  compute  a ;  G-  <S.Sign(SK,  X;)  and  send  cr,:  to  Att. 

4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify;,  VK;,  m;)}.  Att  wins  if  3 i*  G  [n]  such  that  Verify.;.  = 
S. Verify,  VK;.  =  VK  and  m;»  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK;,  To;)  },  cragg)  =  1. 


Transform-lmage-lyijvjif{y}lZ)e  : 

Inputs:  Verify'  G  {0,  l}fver,  VK'  G  {0,  l}Ak,m/  G  {0,  l}A"8g. 

Constants:  y  G  {0,  1}A-  x  {0, l}Ak  x  {0, 1}£°^,  RSA  modulus  N  G  N, 

K{ v}  €  ICp,  z  G  Z*N,  e  G 

if  Verify;  ||VK;||to;  =  y  then 
Output  z. 
else 

Let  w  =  F.eva\(K{y},  Verify'  |  |VK'| \m'). 

Output  we. 

end  if 


Game  3:  In  this  game,  the  challenger  chooses  2  at  random. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  G-  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  G-  Z^A ^  and  K  G-  F.setup(lA). 

Set  y  =  5.Verify||VK||TO.  Compute  K{y}  G-  F1.puncture(AT, y)  and  z  G-  Jj*n. 

Set  PP  =  (^(Transform-Rejectyjy  *0(Transform-lmage-lyiW  R-{y},2,e)) e)  and  send  PP,  VK  to 
Att. 

3.  For  each  signing  query  X;  ^  m,  compute  ct;  g-  6>.Sign(SK,  X;)  and  send  cr;  to  Att. 

4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify.;,  VK;,  m;)}.  Att  wins  if  all  the  n  tuples  are  distinct  and 
3 i*  G  [n]  such  that  Verify;,  =  S. Verify,  VK;,  =  VK  and  TO;»  =  to  and  UniversalVerify(  PP,  {(Verify.;, 
VK;,  TO.;)  },  (Tagg)  =  1. 

4.1.2  Analysis 

Let  AdvAtt  denote  the  advantage  of  adversary  Att  in  Game  j. 

Lemma  4.1.  Assuming  iO  is  a  secure  indistinguishability  obfuscator  and  S  is  a  secure  (£ver,  £vk,  f'msg,  4ig)- 
length  qualified  unique  signature  scheme,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Suppose,  on  the  contrary,  there  exists  a  PPT  adversary  Att  such  that  AdvAtt  —  AdvAtt  =  e,  where  e 
is  non-negligible  in  A.  Assuming  O  is  a  secure  indistinguishability  obfuscator,  we  will  use  Att  to  construct 
a  PPT  algorithm  B  that  breaks  the  security  of  S.  Here,  we  will  crucially  use  the  fact  that  S  is  a  unique 
signature  scheme;  that  is,  there  is  a  unique  accepting  signature  cr  G  {0,  l}Ais  corresponding  to  verification 
key  VK  and  message  to. 

First,  let  us  consider  the  following  altered  circuit  TransformAltyb^w.A15  which  takes  as  input  a  tuple 
(Verify',  VK',  to',  cr')  and  outputs  _L  if  Verify'  =  S. Verify,  VK'  =  VK  and  the  jth  bit  of  cr'  is  b. 

15Padded  appropriately  to  be  of  the  same  size  as  Transform  and  Transform-Reject. 
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Transform  Alt  j.b,y,N,K  '■ 

Inputs:  Verify'  £  {0, 1}^-,  VK'  £  {0,  l}^k,  m'  £  {0, 1}^,  a'  £  {0, 1}4*®. 

Constants  :  j  £  [4ig],  b  £  {0, 1},  y  £  {0, 1  }^ver  x  {0,  l}^vk  x  {0,  RSA  modulus 

N  £  N,  K  £  TC. 

if  Verify'(VK',  to',  a1)  =  0  then 
Output  _L. 

else  if  Verify' | IVK'llm'  =  y  and  a'[j ]  =  b  then 
Output  _L. 
else 

Output  F(K,  Verify'  |  |VK'||m'). 

end  if 

We  will  now  state  two  observations  which  will  be  useful  for  proving  our  claim.  Fix  a  message  to  £ 
{0,  l}b"Bs.  Let  (SK,VK)  •£-  <S.Setup(lA),  a  <—  iS.Sign(SK,  to)  and  y  =  <S.Verify||VK||TO.  Let  a  [j]  denote  the 
jth  bit  of  a. 

Observation  4.1.  For  all  j  £  [4ig],  the  circuits  Transform and  TransformAlt7  -|-o-[)]:y.,v,rc  are  functionally 
identical. 

Observation  4.2.  For  all  j  £  [£s;g],  the  circuits  Transform- Reject,y  N  and  TransformAlt,j0.[j])2/jjv,if  are 

functionally  identical. 

Both  these  observations  follow  from  the  fact  that  S  is  a  unique  signature  scheme  and  the  correctness  of 
punctured  key  on  non-punctured  inputs. 

Next,  we  define  Game-Alt  j,b,  which  is  exactly  similar  to  Game  0  and  Game  1,  except  that  the  challenger 
outputs  0(lx,  TransformAItj^^jv.if)  (instead  of  Oilx,  Transformer,^)  or  0(lx,  Transform- Reject^ ^N^Ksy\))  as 
part  of  the  public  parameters  PP.  Let  £?  be  the  event  that  a[j ]  =  1,  where  <r  is  the  unique  signature 
corresponding  to  challenge  message  m  output  by  Att. 

From  these  observations,  it  follows  that  0(lx,  Transform n,k)  and  0(lx,  TransformAlty  1_crui ,v,n,k)  are 
computationally  indistinguishable  (by  the  security  of  O)  and  similarly,  0(1A,  TransformAlty .a[j],y,N,K)  and 
0(1A,  Transform- Rejecty>Arif{y})  are  computationally  indistinguishable.  Hence,  for  all  j  <  4ig>  we  get  the 


following  equations: 

|Pr[(Att  wins  in  Game  0)  |£J]  —  Pr[(Att  wins  in  Game-Alt  j,  0)  \£j\\  <  negl(A),  (1) 

|Pr[(Att  wins  in  Game  0)  |-i £J]  —  Pr[(Att  wins  in  Game-Alt  j,  1)  |-i£jr]|  <  negl(A),  (2) 

|Pr[(Att  wins  in  Game  1)  \£J)  —  Pr[(Att  wins  in  Game-Alt  j,  1)  |£jr]|  <  negl(A)  (3) 

|Pr[(Att  wins  in  Game  1)  |-i £J]  —  Pr[(Att  wins  in  Game-Alt  j,  0)  |-i£J]|  <  negl(A)  (4) 


Continuing  with  our  proof,  let  us  assume  Att  =  (Att!,Att2).  Attj  is  a  randomized  algorithm  that  on 
input  1A,  outputs  message  m  £  {0,  l}^mBs  which  it  sends  to  the  challenger,  and  state  st  which  is  sent  to  Att2. 
Att2  is  a  randomized  algorithm  that  receives  state  to,  st  from  Atti  and  inputs  PP,VK  from  challenger.  It 
makes  signature  queries  before  outputting  the  forgery.  We  will  now  describe  algorithm  B  that  interacts  with 
a  unique  signature  S  challenger.  Let  r  =  . 

1.  B  first  runs  Atti(lA)  and  receives  message  to  and  state  st.  It  sends  to  to  S  challenger,  and  receives 
VK. 

2.  For  j  =  1  to  4ig,  do 
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(a)  Set  county  =  0.  For  i  =  1  to  r, 

i.  Choose  RSA  modulus  TV,  e  t—  and  K  £-  F.setup(lA).  Set  y  =  <S.Verify||VK||TO, 

PP  =(0(  1A,  TransformAlt^o^jiv,*:),  0(lx,  Transform-Image N  K  e),  TV,  e)  and  send  PP,  VK,  to,  st 
to  Att2  as  input.  Att2  uses  fresh  randomness  for  each  run. 

ii.  For  each  signing  query  ay,  B  forwards  ay  to  the  challenger,  receives  o>,  which  it  sends  to  Att2. 

iii.  Finally,  Att2  outputs  oygg  and  n  tuples.  If  Att  wins,  B  increments  countyo- 

(b)  Set  county  =  0.  For  i  =  1  to  t 

i.  Choose  RSA  modulus  TV,  e  t—  ZV^  and  K  «—  F.setup(lA).  Set  j/  =  5.Verify||VK||TO, 
PP  =  (C(1A,  TransformAltj;li!/;jv,if ),  0(  1A,  Transform-Image N  K^e),  TV,  e)  and  send  PP,  VK,  to,  st 
to  Att2  as  input.  Att2  uses  fresh  randomness  for  each  run. 

ii.  For  each  signing  query  ay,  B  forwards  ay  to  the  challenger,  receives  ay,  which  it  sends  to  Att2. 

iii.  Finally,  Att2  outputs  oygg  and  n  tuples.  If  Att  wins,  B  increments  countyi. 

(c)  If  countyo  >  county!,  B  sets  ay  =  1,  else  it  sets  ay  =  0. 

3.  Finally,  B  outputs  a'  =  a\ .. .  a^si  as  forgery  to  challenger. 

We  will  now  analyze  the  winning  probability  of  B.  In  order  to  do  this,  we  will  first  define  a  subset  of 
verification  keys  which  are  ‘good’  (i.e.  verification  keys  for  which  the  difference  between  the  advantages  of 
Att  in  Game  0  and  Game  1  is  ‘large’)  and  then  show  that  a  non- negligible  fraction  of  the  verification  keys  are 
‘good’.  This  technique  is  similar  to  the  heavy  row  lemma  used  in  [0098]. 

For  any  (to,  st)  4—  Atti(lA),  let  Goodm;St  C  VIC  be  the  set  of  verification  keys  VK  such  that  the  following 
holds: 


Pr[Att2(PP,  VK, to, st)  wins  in  Game  0]  —  Pr[Att2(PP,  VK, to, st)  wins  in  Game  1]  >  e/2, 

where  the  probability  is  taken  over  the  random  coins  used  by  Att2  and  the  random  coins  used  by  the  challenger 
to  compute  PP  and  the  signatures. 

Let  £  denote  the  event  (to,  st)  4—  Att!(lA)  and  (SK,VK)  4—  <S.Gen(lA)  and  VK  £  GoodmjSt.  We  can 
also  view  £  as  the  set  of  all  tuples  (to,  st,  VK)  such  that  (?n,st)  Atti(lA)  and  (SK,VK)  <S.Gen(lA)  and 
VK  £  Goodm,st. 

Claim  4.1.  Pr[£]  >  e/2,  where  the  probability  is  over  the  random  coins  of  Atti  and  S. Gen. 

Proof. 


e  =Pr[Att  wins  in  Game  0]  —  Pr[Att  wins  in  Game  1] 

=  Pr[Att  wins  in  Game  0|£]  Pr[£]  +  Pr[Att  wins  in  Game  0|^£]  Pr[^£] 

—  Pr[Att  wins  in  Game  1|£]  Pr[£]  —  Pr[Att  wins  in  Game  1|^£]  Pr[^£] 

=  Pr[£](Pr[Att  wins  in  Game  0|£]  —  Pr[Att  wins  in  Game  1|£]) 

+  Pr[-i£](Pr[Att  wins  in  Game  0|^£]  —  Pr[Att  wins  in  Game  1|^£]) 

<  Pr[£]  +  e/2 

This  implies  Pr [£T]  >  e/2.  | 

Let  us  assume  event  £.  We  will  now  compute  the  probability  that  B  fails  to  recover  forgery,  given  £.  Let 
Pj  denote  the  probability  that  the  jth  bit  of  forgery  a'  is  incorrect,  given  £. 

Let  v  =  (to,  st,  VK)  £  £.  Define  9" b  =  Pr[Att2(PP,  VK,  to,  st)  wins  in  Game-Alt  j,  6|u].  Then,  the  expected 
value  of  country  given  v,  F[countyb|u]  =  •  r.  Note  that  in  each  of  the  runs,  the  random  coins  used  by 

Att2  and  the  random  coins  used  by  the  challenger  to  compute  PP  and  the  signatures  are  chosen  afresh.  By 
Chernoff-Hoeffding  bounds, 
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Pr 


Pr 


| county  -  0^ o  •  t\  > 


|  countyy  —  0jtl  -  r |  >  (  — 


(i) 

(!) 


<  exp  — 


“  exP  32 


Setting  t  =  we  get  that  the  above  probabilities  are  bounded  by  a  negligible  function  in  A. 


(5) 

(6) 


We  will  now  compute  p3 . 

Pj  =  Pr  [ay  <r[j]|£]  =  YlveS  Pr  [ai  7^  cr[j]|u]  •  Pr  \y\S\ .  Let  us  focus  on  one  such  term  Pr  [ay  ^  cr[j]|u] 
for  some  v  €  £.  Pr  [ay  ^  a \j)  |u]  =  Pr  [ay  =  0  and  a[j]  =  l|u]  +  Pr  [ay  =  1  and  cr[j]  =  0|u] . 

Since  S  is  a  unique  signature  scheme,  given  v ,  ct[j]  is  fixed.  If  a\j]  =  1,  then, 

Pr  [ay  ^  a\j]\v] 

=  Pr  [ ctj  =  0  and  a[j]  =  l|u] 

=  Pr  [ay  =  0|u] 

=  Pr  [county, o  <  country  |i>] 

<  Pr  [county, 0  <  (0yO  +  9vjl)r/2  |u]  +  Pr  [country  >  (0j,o  +  0yy)r/ 2\v] 


=  Pr  [county, o  <  0y,or/ 2  -  (0£o  -  0yy)r/2  \v]  +  Pr  [count yy  >  6»Jy  +  (0J,O  -  0yy)r/2  \v]  (7) 

Now,  note  that  if  v  £  £  and  a[j]  =  1,  then 

9j  0  =  Pr[Att2(PP,  VK,  m,  st)  wins  in  Game- Alt  j,  0|v]  (8) 

>  Pr[Att2(PP,  VK,  m,  st)  wins  in  Game  0 1 zj]  —  negl(A)  (9) 

>  Pr[Att2(PP,  VK,  m,  st)  wins  in  Game  l|v]  +  e/2  —  negl(A)  (10) 

>  Pr[Att2(PP,  VK,  m,  st)  wins  in  Game-Alt  j,  l|i>]  +  e/2  —  negl(A)  (11) 

=  0Jy  +  e/2  -  negl(A)  (12) 


The  transitions  from  Equation  8  and  9,  and  from  Equation  10  to  11  follow  from  Equations  1  and  3  respectively, 
while  the  transition  from  Equation  9  to  10  uses  the  fact  that  v  €  8.  Hence,  getting  back  to  Equation  7, 


Pr  [county, o  <  0/>oT  -  (0y,o  -  0yy)r/ 2  \v]  +  Pr  [countyy  >  0Jyr  +  (0yO  -  0yy)r/2  \v] 

<  Pr  [county, o  <  0J,ot  —  e  •  r/4  |t;]  +  Pr  [countyy  >  0JyT  +  e  •  r/4  |u] 

Now,  we  can  use  Equations  5  and  6  to  conclude  that  Pr  [ay  <j[j]  v]  <  negl(A).  A  similar  argument 
follows  if  v  is  such  that  cr[j]  =  0.  Therefore,  Pr  [ay  ^  cr[j]|£]  <  negl(A).  Hence,  Pr [B  fails  |£]  <  negl(A). 
This  implies  Pr[H  wins]  >  Pr[H  wins  \£\  Pr[£]  >  e/2  —  negl(A).  Since  this  violates  the  unforgeability  of  the 
signature  scheme,  we  have  our  contradiction. 


Claim  4.2.  Assuming  iO  is  a  secure  indistinguishability  obfuscator,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  B  that  constructs  two  circuits  Co  and  C\  with  identical  functionality,  and  uses  Att  to  distinguish 
between  1C  (Co)  and  lO(C-\),  thereby  breaking  the  security  of  iO. 

B  receives  m  from  Att,  chooses  (SK,  VK)  <—  S.Gen(lA),  RSA  modulus  N,  e  <—  Z W,  and  K  -f- 

F.setup(lA).  It  sets  y  =  <S.Verify||VK||m  and  computes  K{y}  <—  F.puncture(A/  y).  It  sets  Co  =  Transform-Image^  K  e 
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and  Ci  =  Transform-lmage-ly  Ar,/c{y},z,e)  and  sends  C0,Ci  to  the  iO  challenger.  It  receives  C  =  iO{Cb).  B 
sets  PP  =  (*0(Transform-Rejecty  C,  N,  e)  and  sends  PP,VK  to  Att. 

Note  that  B  can  respond  to  the  signing  queries  perfectly,  since  it  has  SK.  Finally,  if  Att  wins,  then  B 
outputs  0,  else  it  outputs  1.  Clearly,  if  C  =  iO(Co),  then  it  corresponds  to  Game  1,  else  it  corresponds  to 
Game  2. 

To  conclude,  we  need  to  argue  that  Co  and  C\  have  identical  functionality.  This  follows  from  the 
correctness  property  of  puncturable  PRFs.  ijg} 

Claim  4.3.  Assuming  F  is  a  selectively  secure  puncturable  PRF,  for  any  PPT  adversary  Att, 

Ad v -  Adv|tt  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  B  that  uses  Att  to  break  the  security  of  puncturable  PRF  F  with  advantage  e. 

First,  B  receives  the  message  m  from  Att.  As  in  Game  2  and  Game  3,  it  computes  (SK,  VK)  <—  <S.Gen(lA), 
chooses  an  RSA  modulus  N  and  e  ZV^.  Next,  it  sends  y  =  iS.Verify||VK||m  as  the  challenge  to  the  PRF 
challenger.  B  receives  a  punctured  key  K{y}  and  z  £  Z^,  where  z  =  F(K,  y)  or  z  £-  Z*N.  B  sets  the  public 
parameters  PP=(10(Transform-RejectyJV!K  ryi),*C,(Transform-lmage-ly;jv,if{2/},z,e)>  AT,  e).  It  sends  PP,VK 
to  Att. 

The  signing  phase  and  forgery  phase  are  exactly  similar  in  Game  2  and  Game  3.  For  each  signing  query 
Xi,  B  sends  <S.Sign(SK,  xf)  to  Att.  Finally,  Att  outputs  the  forgery  aagg  and  n  tuples  {(Verify^,  VKi;  m,;)}. 

Note  that  if  z  =  F(K,y),  then  B  simulates  Game  2  perfectly.  If  z  <—  1CN,  B  simulates  Game  3  perfectly. 
This  concludes  our  proof.  H 

Claim  4.4.  Assuming  RSA  is  secure,  for  any  PPT  adversary  Att,  Adv^tt  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  =  e.  We  will  construct  a  PPT  algorithm 
B  that  breaks  the  RSA  assumption  with  advantage  e. 

B  receives  message  m  from  Att.  It  receives  the  RSA  tuple  (N,  e,  z)  from  the  RSA  challenger.  B 
chooses  (SK,VK)  S.Gen(lA),  K  «—  F.setup(lA).  Next,  it  sets  y  =  Verify||VK||m  and  computes  K{y}  £- 
F.pur\cture(K,y).  It  sets  PP  =  (*0(lA(Transform-RejectJ/JV  A:{,i/j),  i0(Transform-lmage-l3/ijv,A'{j/},z,e),  AT,  e) 
and  sends  PP,  VK  to  Att. 

Att  sends  signature  queries,  which  B  can  compute  by  itself,  since  it  has  the  signing  key  SK.  Fi¬ 
nally,  Att  outputs  forgery  aagg  along  with  n  tuples  {Verify^,  VK»,  m*}.  If  Att  wins,  then  all  n  tuples  are 
distinct,  and  there  exists  i*  £  [n]  such  that  Verify,;.  =  S. Verify,  VKj.  =  VK,  to,;*  =  m  and  aagg  = 
(n,:^  Transform-lmage-ly)jv,A'{i/},*,e(Verifyi,VKi, mi))^  (mod  N).  For  all*  ^  i* ,  Transform-lmage-ly  Ar,if{y},z 

outputs  F(K,  Verify^ |VKj||rrij)e  on  input  (Verify^  VK,,  rm).  Therefore,  F^VerlfyJlVK.Hm,))  =  2 

(mod  N).  | 

Using  the  above  claims,  it  follows  that  any  PPT  adversary  has  negligible  advantage  in  Game  0,  assuming 
iO  is  a  secure  indistinguishability  obfuscator,  F  is  a  selectively  secure  puncturable  PRF  and  the  RSA 
assumption  holds.  Therefore,  the  construction  in  Section  4  is  selectively  secure  with  respect  to  all  secure 
unique  signature  schemes. 


5  Universal  Aggregation  of  Arbitrary  Signatures  Using  VBB  Ob¬ 
fuscation 

In  this  section,  we  will  describe  our  construction  based  on  virtual  black  box  obfuscation.  The  construction 
is  similar  to  the  one  in  Section  4,  the  only  difference  being  in  program  Transform-VBB,  which  now  takes 
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some  additional  inputs  and  has  additional  constants  hardwired.  The  additional  inputs/constants  are  used 
for  “oracle  assimilation”  (see  Section  1  for  a  discussion  on  this  technical  issue). 

We  will  assume  that  all  signing  algorithms  (corresponding  to  schemes  whose  signatures  need  to  be  aggre¬ 
gated)  use  at  most  £rncj  random  bits  to  compute  signatures,  for  some  polynomial  f  rrK] .  We  use  a  pseudorandom 
generator  PRG  :  {0,  l}7  <—  {0, 1}2£  (where  £  is  some  polynomial  in  A),  a  (standard)  PRF  F  with  key  space 
1C.  domain  X  and  range  y  =  {0, 1  }£rnd  and  a  puncturable  PRF  F  as  in  Section  4. 

Our  universal  signature  aggregator  consists  of  the  three  algorithms  UniversalSetup,  UniversalAgg  and 
UniversalVerify  described  below. 

UniversalSetup(lA)  UniversalSetup  first  chooses  random  primes  p,q  G  0(2A),  sets  the  RSA  modulus  N  = 
pq.  It  chooses  e  <—  PRF  key  K  «—  F.setup(lA)  as  in  Section  4.  It  computes  obfuscations  of 

the  programs  Transform-VBBjvyc  16  and  Transform-Image^  K  e  17 ,  where  Transform-VBBjvj^  is  defined  be¬ 
low,  while  Transform-Image^  K  e  is  the  same  as  in  Section  4.  It  sets  the  public  parameters  to  be  PP  = 
(0(Transform-VBBAr ),  ©(Transform-Image^  K  e),  N,  e). 

T ra nsform- VB B  .y. k  '■ 

Inputs:  b  G  {0,1}, a  G  {0, 1}*,  Verify'  G  {0,1}^”,  VK7  G  {0,1}^\  m'  G  {0,1}^, 

a'  G  {0,1}^. 

Constants  :  RSA  modulus  N  G  N,  K  G  1C. 

if  b  =  0  then 

Output  jL. 

else  if  Verify7 (' VK7,  m! ,  <j')  =  0  then 

Output  _L. 

else 

Output  F(K,  Verify' 1 1  VK7 1  (m'). 

end  if 


UniversalAgg(PP,  {(Verify !;,VKj,  m, ,  <7* )}"=1):  Let  PP  =  (Pi,  P2,  N,  e).  UniversalAgg  first  checks  that  all  the 
n  tuples  are  distinct.  If  not,  it  outputs  _L.  Else,  it  computes  t,;  =  Pi  (Verify VK*,  mj,  ai)  for  each  i  <  n.  If 
tj  =T  for  some  i,  then  UniversalAgg  outputs  _L,  else  it  outputs  aagg  =  UiU  (mod  N). 

UniversalVerify(PP,  {(Verify^,  VK.j,  mi)}”=1,  <jagg):  Let  PP  =  (Pi ,  P2 ,  N,  e) .  UniversalVerify  checks  that  the  n 
tuples  are  distinct.  If  not,  it  outputs  0.  Else,  it  computes,  for  all  i  <  n,  s,  =  Transform-lmage(Verifyi,  VK,,  m, ) . 
If  (]{[,  Si)  =  a|gg  (mod  N),  it  outputs  1,  else  it  outputs  0. 

5.1  Proof  of  Security 

We  will  now  prove  that  the  construction  in  Section  5  is  selectively  secure  with  respect  to  all  secure  signature 
schemes. 

Theorem  5.1.  Assuming  ©  is  a  secure  virtual  black-box  obfuscator  for  a  class  of  circuits  C  (as  defined  in 
Section  5.1.3),  F  is  a  selectively  secure  puncturable  PRF,  F  is  a  secure  PRF,  PRG  is  a  secure  pseudorandom 
generator  and  RSA  is  secure,  for  all  (£ver,  £vk,  fmsg)  -4ig)-length  qualified  signature  schemes  S,  the  universal 
signature  aggregator  (£ver,  £vk,  £msg,  4ig)-UniversalSigAgg  is  selectively  secure  with  respect  to  S. 

We  will  now  describe  the  intermediate  hybrid  experiments. 

16Padded  appropriately  to  be  of  the  same  size  as  Transform-VBB-1,  Transform-VBB-2,  Transform-VBB-3  defined  later  in  this 
section. 

17Padded  appropriately  to  be  of  the  same  size  as  Transform- 1  mage- 1  as  in  Section  4. 
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5.1.1  Sequence  of  Games 

Game  0:  This  game  corresponds  to  Exp^  s. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  ■£-  K  t—  F.setup(lA)  and  set 

PP  =  (©(Transform-VBB;v,A')i  ©(Transform-Image^ Ke),  N,  e).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  yf  to,  compute  cr,;  •<—  <S.Sign(SK,  xi)  and  send  cr,:  to  Att. 

4.  Att  sends  forgery  aagg  and  n  tuples  {(Verify;,  VK;,  rrii)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify,;,  = 
S. Verify,  VK;*  =  VK  and  To;.  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK;,  mi)  },  eragg)  =  1. 

Game  1:  In  this  game,  the  challenger  uses  pseudorandomly  generated  strings  as  randomness  for  the  signature 
queries. 

1.  Att  sends  message  m. 

2.  Compute  (SK,  VK)  <s—  S.Gen(lA).  Choose  an  RSA  modulus  N,  e  ■£-  K  t—  F.setup(lA). 

Choose  standard  PRF  key  I\  F.setup(lA). 

Set  PP  =  (©(Transform-VBBjv^ ),  ©(Transform-Image^  K  e),  TV,  e).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  yf  m ,  choose  p;  <—  {0, l}^aig,  compute  r;  =  F(K,pi),  cr,;  «—  lS.Sign(SK,  xp  r;) 
and  send  <j;  to  Att. 

4.  Att  sends  forgery  <jagg  and  n  tuples  {(Verify;,  VK;,  mi)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify,;,  = 
S. Verify,  VK;,  =  VK  and  To;,  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK;,  mi)  },  eragg)  =  1. 

Game  2:  In  this  game,  the  challenger  uses  the  program  Transform-VBB-1  instead  of  Transform-VBB.  Unlike 
Transform-VBB,  Transform-VBB-1  uses  the  input  a  to  check  if  PRG(a)  is  equal  to  the  hardwired  a.  If  the 
‘mode’  bit  is  0  and  PRG(a)  =  a,  then  the  program  outputs  the  verification  key  VK  and  a  signature  on  the 
desired  message. 

1.  Att  sends  message  m. 

2.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  <—  K  £-  K.setup(lA). 

Choose  PRF  key  I\  <—  F.setup(lA),  a  <—  {0,  l}2e. 

Let  Transform-VBB-118  be  the  circuit  defined  below. 

Set  PP  =(0(Transform-VBB-lAf  K  a  gK  ^),  ©(Transform-Image^  ^),  ./V,  e).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  X;  yf  m,  choose  p;  £-  {0,  l}^aig,  compute  r;  =  F{K,  pi),  a  <—  <S.Sign(SK,  xp  ri) 
and  send  <j;  to  Att. 

4.  Att  sends  forgery  aagg  and  n  tuples  {(Verify;,  VK;,  mi)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify,;,  = 
S. Verify,  VK;,  =  VK  and  m;«  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK;,  To;)  },  eragg)  =  1. 

18Padded  appropriately  to  be  of  the  same  size  as  Transform-VBB,  Transform-VBB-2  and  Transform-VBB-3. 
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Transform-VBB-1^  Q  SK  k  : 

Inputs:  b  G  {0,1}, a  G  {0, 1}£,  Verify'  G  {0,1}^,  VK'  G  {0,l}^k,  m'  G  {0,1}*™*, 
o’  G  {0,1}^. 

Constants  :  RSA  modulus  N  G  N,  K  G  /C,  a  G  {0,  l}2^,  SK  G  SIC ,  K  G  1C. 

if  b  =  0  then 

if  PRG(a)  yf  a  then 
Output  _L. 
else 

Output  (VK, <S.Sign(SK, to'; K(/\ , cr'))). 

end  if 

else  if  Verify' (VK7,  to',  <t')  =  0  then 
Output  _L. 
else 

Output  F(K,  Verify'||VK'||m'). 

end  if 


Game  3:  In  this  experiment,  cr  is  a  pseudorandom  string;  i.e.  a  =  PRG(o),  where  a  <—  {0, 1}'. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  t—  K  t—  F.setup(lA). 

Choose  a  G-  {0,  l}e  and  set  a  =  PRG(a).  Choose  PRF  key  K  «—  F.setup(lA). 

Set  PP  ^©(Transform-VBB-1^  x  a  gK  ^-),  ©(Transform-Image^^),  ./V,  e).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  yf  m,  choose  pi  <-  {0,  l}^=ig,  compute  r,  =  F{K,pi),  cr,;  -s—  S.Sign(SK,  x,;  r,) 
and  send  ct;  to  Att. 

4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify^,  VKi;  m,)}.  Att  wins  if  3 i*  G  [n]  such  that  Verify^  = 
S. Verify,  VKj*  =  VK  and  to*«  =  to  and  UniversalVerify(  PP,  {(Verifyi;  VK,,  m*)  },  cragg)  =  1. 

Game  4:  This  experiment  is  similar  to  the  previous  one,  except  that  the  challenger  uses  Transform-VBB-2 
instead  of  Transform-VBB-1. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  t—  S.Gen(lA).  Choose  an  RSA  modulus  N,  e  t—  K  <—  F.setup(lA). 

Choose  a  «—  {0,  \}1  and  set  a  =  PRG(a).  Choose  K  «—  K.setup(lA). 

Let  Transform-VBB-219  be  the  circuit  defined  below. 

Set  y  =  5.Verify||VK||m,  PP  =(©(Transform-VBB-2y  N  K  a  SK  ^),  ©(Transform- Imagery  ^e),  N,  e).  Send 
PP,  VK  to  Att. 

3.  For  each  signing  query  x,  yf  m,  choose  pi  <—  {0,l}^ig,  compute  r,  =  F(K,pi)  and  send  cr,  = 
<S.Sign(SK,  a;*;  r,)  to  Att. 

4.  Att  sends  forgery  aagg  and  n  tuples  {(Verify^,  VKi;  m.;)}.  Att  wins  if  3 i*  G  [n]  such  that  Verify^  = 
S. Verify,  VK**  =  VK  and  m,*  =  m  and  UniversalVerify(  PP,  {(Verify^,  VK,,  m.;)  },  cragg)  =  1. 

19Padded  appropriately  to  be  of  the  same  size  as  Transform-VBB,  Transform-VBB-1  and  Transform-VBB-3. 
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Transform-VBB-2y  Ar  K  a  SK  k  : 

Inputs:  b  G  {0,1}, a  G  {0, 1}£,  Verify'  G  {0,1}^,  VK'  G  {0,l}^k,  m'  G  {0,1}^, 
o’  G  {0,1}^. 

Constants  :  y  G  {0,  l}^ver  x  {0,  l}£vk  x  {0,  l}^ms«,RSA  modulus  N  G  N,  K  G  V, 
a  G  {0, 1}^,  SK  G  iS/C,  K  G  t. 

if  b  =  0  then 

if  PRG(a)  yf  a  then 
Output  _L. 
else 

Output  (VK,  6>.Sign(SK,  m';  F( K,  a'))). 

end  if 

else  if  Verify' (VK =  0  then 
Output  _L. 

else  if  Verify'HVK'llm'  =  y  then 
Output  _L. 
else 

Output  F(K,  Verify'  |  |VK'||m'). 

end  if 


Game  5:  In  this  experiment,  the  challenger  uses  a  key  punctured  at  y  instead  of  the  master  PRF  key. 

1.  Att  sends  message  m. 

2.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  «—  K  t—  F.setup(lA). 

Choose  a  <—  {0,  \}1  and  set  a  =  PRG(a).  Choose  K  «—  G.setup(lA). 

Set  y  =  <S.Verify||VK||m,  compute  K{y}  «—  F.puncture(IG,  y)  and  z  =  F(K,y)e. 

Let  Transform-VBB-320  be  the  circuit  defined  below,  while  Transform-image-121, e)  is  the  same  as  in 
Section  4.1  Set  PP  =(0(Transform-VBB-3a  N  K,  i  a  gK  k),  <D( Transform-lmage-ly  Ar,if{y},2,e)- 
Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xj  yf  m,  choose  pi  <—  {0,l}^Big,  compute  r,  =  F(I\,pi)  and  send  ay  = 
<S.Sign(SK,  xp,  Vi)  to  Att. 

4.  Att  sends  forgery  aagg  and  n  tuples  {(Verify^,  VK*,  m*)}.  Att  wins  if  3 i*  G  [n]  such  that  Verify^  = 
S. Verify,  VKj*  =  VK  and  rm-  =  m  and  UniversalVerify(  PP,  {(Verify,,  VK,,  rrn)  },  a-agg)  =  1. 

20Padded  appropriately  to  be  of  the  same  size  as  Transform-VBB,  Transform-VBB-1  and  Transform-VBB-2. 

21Padded  appropriately  to  be  of  the  same  size  as  Transform-Image-1. 
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Transform-VBB-3y  Ar  K{y}jQ  SK  k  : 

Inputs:  b  G  {0,1}, a  G  {0, l}e.  Verify'  G  {0, 1}A-,  VK'  G  {0,l}Ak,  m'  G  {0,1}^, 
o’  G  {0,1}^. 

Constants  :  y  G  {0,  l}^ve’  x  {0,  l}Ak  x  {0,  l}^mss,  RSA  modulus  N  G  N,  K{y}  G  JCP , 
a  G  {0,  l}2^,  SK  G  SAC,  K  G  A. 

if  b  =  0  then 

if  PRG(a)  a  then 
Output  _L. 
else 

Output  (VK, S.Sign(SK, m'; F(K , a'))). 

end  if 

else  if  Verify' (VK',  to',  a')  =  0  then 
Output  _L. 

else  if  Verify''  1 1 VK/ 1  |t7T.'  =  y  then 
Output  _L. 
else 

Output  .F.eval(/i{y},  Verify' 1 1 VK' | \m'). 

end  if 


Game  6:  Here  the  challenger  chooses  a  uniformly  random  z  G-  1,*N. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  G-  S.Gen(lA).  Choose  an  RSA  modulus  N,  e  G-  K  G-  F.setup(lA). 

Choose  a  G-  {0, 1  }e  and  set  a  =  PRG(a).  Choose  K  G-  E.setup(lA). 

Set  y  =  tS. Verify 1 1 VK  to,  compute  K{y}  g-  F.puncture(A,  y)  and  z  G-  h*N. 

Set  PP  =(0(Transform-VBB-32/)Jv  xr2/i  a  SK  ^),  ©(Transform-lmage-l^jv.iGfj/},*^)^)-  Send  PP,  VK  to 

Att. 

3.  For  each  signing  query  Xi  ^  to,  compute  oy  G-  S.Sign(SK,  xf)  and  send  cr,:  to  Att. 

4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify^,  VK.j,  rrii)}.  Att  wins  if  3 i*  G  [n]  such  that  Verify,;,  = 
S. Verify,  VK**  =  VK  and  to,;.  =  to  and  UniversalVerify(  PP,  {(Verify;,  VK,,  rm)  },  eragg)  =  1. 

5.1.2  Analysis 

We  will  now  show  that  if  a  PPT  adversary  has  non  negligible  advantage  in  Game  i,  then  it  has  non- negligible 
advantage  in  the  next  game.  Some  of  the  proofs  are  exactly  similar  to  the  corresponding  ones  in  Section  4.1, 
and  hence  we  skip  them  in  this  section.  Except  the  part  involving  oracle  assimilation,  the  remaining  proofs 
are  relatively  easier.  The  step  involving  oracle  assimilation  is  discussed  in  a  separate  subsection  (Section 
5.1.3). 

Let  Adv^tt  denote  the  advantage  of  adversary  Att  in  Game  j. 

Claim  5.1.  Assuming  F  is  a  secure  PRF,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Suppose  there  exists  an  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  B  that  uses  Att  and  breaks  the  security  of  F  with  advantage  e. 

B  receives  message  to  from  Att.  It  chooses  (SK,VK)  g-  S.Gen(lA),  RSA  modulus  V,  e  G-  and 

I\  g-  F.setup(lA).  It  sets  PP  =(C)(Transform-VBBjviif),  ©(Transform-Image^  K  e),  e)  and  sends  PP,VK  to 
Att. 
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For  each  signing  query  x*,  B  first  chooses  pi  <—  {0,  l}fsiE  and  sends  pi  to  the  PRF  challenger.  In  response, 
it  receives  ry.  B  sends  cr,  =  <S.Sign(SK, x»; ry)  to  Att. 

Finally,  Att  outputs  a  forgery.  If  Att  wins,  then  B  outputs  1,  indicating  that  the  PRF  challenger’s 
responses  were  truly  random.  Else  it  outputs  0. 

If  the  PRF  challenger’s  responses  were  truly  random,  then  for  each  query  pt,  r,  is  a  truly  random  string. 
Therefore,  this  corresponds  to  Game  0.  If  the  PRF  challenger’s  responses  were  pseudorandom,  then  there 
exists  a  PRF  key  K  such  that  for  each  query  piy  ry  =  F{K,pi).  This  corresponds  to  Game  1.  Therefore, 

Advg  =  e.  | 

Claim  5.2.  Assuming  ©  is  a  secure  indistinguishability  obfuscator,  for  any  PPT  adversary  Att, 

Ad v -  Ad v ^tt  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  —  Adv^  =  e.  We  will  construct  a  PPT 
algorithm  B  that  breaks  the  security  of  ©  with  advantage  e. 

B  receives  message  m  from  Att.  It  chooses  (SK,VK)  £-  <S.Gen(lA),  RSA  modulus  N,  e  <—  ,  K  «— 

F.setup(lA),  K  F.setup(lA)  and  a  {0, 1}2G  It  sets  Co  =  Transform-VBBjy^,  Ci  =  Transform-VBB-lAf  K  a  gK  pp 
and  sends  Co,Ci  to  the  ©  challenger.  It  receives  an  obfuscated  circuit  C'  =  0(Cb)  in  response,  and  sets 
PP  =  (C7,  ©(Transform- Imagery >K>e),  e)  and  sends  PP,VK  to  Att. 

For  each  signing  query  x»,  B  first  chooses  pi  -S—  {0,  l}fais  and  computes  ry  =  F(K,pi).  B  sends  ay  = 
iS.Sign(SK, Xjjr,)  to  Att. 

Finally,  Att  outputs  a  forgery.  If  Att  wins,  then  B  outputs  0,  else  it  outputs  1.  Clearly,  if  b  =  0,  then  this 

CO 

corresponds  to  Game  1,  else  it  corresponds  to  Game  2.  Therefore,  in  order  to  show  that  Adve  =  e,  we  need 
to  show  that  Co  and  C\  have  identical  functionality. 

This  follows  from  the  observation  that  with  overwhelming  probability,  there  exists  no  a  £  {0,1} 7  such 
that  a  =  PRG(a),  since  a  is  chosen  uniformly  at  random.  As  a  result,  on  input  (0,  a,  Verify',  VK7,  to',  a'), 

both  circuits  output  J_  for  all  a,  Verify7,  VK7,  to7,  a'.  This  concludes  our  proof.  H 

Claim  5.3.  Assuming  PRG  is  a  secure  pseudorandom  generator,  for  any  PPT  adversary  Att, 

Ad v -  Ad v An  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^t  —  Adv^t  =  e.  We  will  construct  a  PPT 
algorithm  B  that  breaks  the  security  of  PRG  with  advantage  e. 

B  receives  a  from  the  PRG  challenger,  where  a  <—  {0, 1}£  or  a  =  PRG(a)  for  some  a  ■£-  {0,  l}7.  Note 
that  B  can  simulate  either  Game  1  or  Game  2  perfectly  using  a.  It  chooses  (SK,VK)  5.Gen(lA),  RSA 
modulus  N,  e  Z^W),  A'  F.setup(lA),  K  F.setup(lA).  B  sets  PP  ^((^(Transform-VBB-lAr  K  a  gK  p.). 
©(Transform-Image^  Ar  e),  e)  and  sends  PP,  VK  to  Att. 

For  the  signature  queries,  B  uses  SK.  Finally,  if  Att  wins,  B  outputs  1  (indicating  that  a  <—  {0,  l}2^). 

Else  it  outputs  0.  Clearly,  Advg  =  e.  This  concludes  our  proof.  I 

Lemma  5.1.  Assuming  ©  is  a  secure  virtual  black  box  obfuscator  for  a  class  of  circuits  C  (defined  in  Section 
5.1.3),  F  is  a  secure  pseudorandom  function,  PRG  is  a  secure  pseudorandom  generator  and  ©  is  a  (£vel,  £vk) 

^msg>  ^sig)-fongth  qualified  secure  signature  scheme, 

Ad v Att  -  Ad v An  <  negl(A). 

The  proof  of  this  lemma  consists  of  multiple  intermediate  hybrids,  and  is  contained  in  Section  5.1.3. 

Claim  5.4.  Assuming  ©  is  a  secure  indistinguishability  obfuscator,  for  any  PPT  adversary  Att, 

Ad v Att  -  Ad v An  <  negl(A). 
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Proof.  Similar  to  proof  of  Claim  4.2. 


Claim  5.5.  Assuming  F  is  a  selectively  secure  puncturable  PRF,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Similar  to  proof  of  Claim  4.3.  B 

Claim  5.6.  Assuming  RSA  is  secure,  for  any  PPT  adversary  Att, 

AdvAtt  <  negl(A). 


Proof.  Similar  to  proof  of  Claim  4.4.  | 

Using  the  above  claims,  we  can  conclude  that  any  PPT  adversary  has  at  most  negligible  advantage  in 
Game  0,  assuming  O  is  a  secure  virtual  black-box  obfuscator  for  circuit  family  C,  F  is  a  selectively  secure 
puncturable  PRF,  F  is  a  secure  (standard)  PRF,  PRG  is  a  secure  pseudorandom  generator,  and  RSA  is 
secure.  Therefore,  the  construction  described  in  Section  5  is  selectively  secure  with  respect  to  all  secure 
length-qualified  signature  schemes. 

5.1.3  Proof  of  Lemma  5.1 

Proof.  Let  Att  be  a  PPT  adversary  such  that  AdvAtt  —  AdvAtt  =  e-  As  proof  of  Lemma  4.1,  we  will 
assume  that  Att  =  (Atti,  AR2)  where  Atti  takes  as  input  the  security  parameter  A  and  outputs  (m,  st),  where 
st  denotes  some  state  information.  Att2  takes  as  input  m,  st,  PP,VK,  issues  signature  queries  and  finally 
outputs  a  forgery. 

Let  us  assume  rndRSA  =  rndRSA(A)  bits  are  used  to  choose  the  RSA  modulus  N,  rndp  =  rndp(A)  bits  are 
used  by  F.setupf  1 A)  to  choose  a  PRF  key  K  G  JC  and  rndAtt  =  rndAtt(A)  bits  are  used  by  Atti  to  compute 
(m,  st).  Let  VA  =  {( a,rN,rK,rAn )  \ a  G  {0,  l}e,  rN  G  {0,  l}rndRSA,  rK  G  {0,l}rndF,  rAtt  G  {0,  l}rndA«}.  For 
any  v  =  (a,  r n,  i’k,  I'Mt)  G  VA,  let  Nv  denote  the  RSA  modulus  generated  by  rjv,  Kv  =  F.setup(lA;  tk)  and 
(mv,stv)  =  Atti(lA;  rAtt)-  Let  v  denote  the  family  of  circuits  corresponding  to  Transform-VBB-1;  that  is 

C°X  y  =  {Transform-VBB-1^  :  cr  =  PRG(a),SK  G  S/C,  V K  G  VK,K  G  it}. 

Similarly,  v  denotes  the  circuits  corresponding  to  Transform-VBB-2;  that  is 

C\  v  =  {Transform-VBB-2y  ,v(i  k„  a  sk  k  :  V  =  S.Verify||VK||m„,  a  =  PRG(a),  SK  G  SIC,  VK  G  VIC,  K  £  it}. 

When  the  context  is  clear,  we  will  drop  the  dependence  of  Nv,  Kv,  mv  and  st„  on  v.  We  will  now  define 
a  PPT  algorithm  Algt,  that  takes  as  input  a  circuit  C'  G  CXv  U  C{  „,  has  v  hardwired,  interacts  with  Att2 
and  outputs  a  bit  b' . 
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Alg„: 

Inputs:  Circuit  C'  €  C°  v  U  C\  v 

Constants:  v  =  (a,  rx,  rjf,  rAtt)  €  {0, 1 Y  x  {0,  l}rndRSA  x  {0,  l}rndF  x  {0,  l}rndAtt 

1.  Compute  p,  q  using  rx,  set  N  =  pq  and  choose  e  ZCW).  Compute  A'  «— 
F.setup(lA;  rx)- 

2.  Choose  Verify'  •<—  {0,  l}^,  VK'  ■<—  {0,  l}£vk,  m'  ■<—  {0, o’  «-  {0,  l}^si® 
and  compute  (VK,  p)  =  C"(0,  a,  Verify',  VK',  m',  a'). 

3.  Compute  P2  <—  ©(Transform-Image^  K  e).  Set  PP  =  (C',P2,e)  and  send 
PP,  VK,  m,  st  to  Att2. 

4.  For  each  signing  query  Xi,  Av  chooses  a'  <—  {0,  l}^sig  computes 

C'(0,  a,  5. Verify,  VK,  &*,</)  =  a,  and  sends  cq  to  Att. 

5.  Att2  sends  forgery  eragg  and  n  tuples  { (Verify ^ ,  VK,;,  mj)}.  If  3 i*  €  [n]  such 
that  Verify^.  =  S. Verify,  VK,.  =  VK  and  m j»  =  m  and  UniversalVerify(  PP, 
{ (Verify ^ ,  VK m,)  },  cragg)  =  1,  then  Av  outputs  1.  Else  it  outputs  0. 


Consider  the  following  experiment  Exp[):  Compute  RSA  modulus  N  using  rx,  K  =  P.setup(lA;  rx), 
a  =  PRG(a)  and  (m,  st)  =  Atti(lA;  ?’Att)-  Choose  (SK,VK)  ■<—  5.Gen(lA)  and  K  F.setup(lA).  If 
6  =  0,  set  C'  <=  ©(Transform-VBB-ljy  K  a  gK  ^),  else  set  C'  <=  ©(Transform-VBB-2y  N  K  a  SK  x)->  where 
y  =  5.Verify||VK||m.  Output  Algu(C"). 

From  the  definition  of  Exp1,!  and  Algy ,  it  follows  that  Pr  [l  ■<—  Exp°]  =  Pr  [Att  wins  in  Game  3|u].  Simi¬ 
larly,  Pr  [l  <r-  Exp*]  =  Pr  [Att  wins  in  Game  4],  Hence,  E  [Pr  [l  Exp°]  —  Pr  [l  •<—  Exp*]]  =  e,  where  the 
expectation  is  over  the  choice  of  v  4—  Va-  Let  v*  =  v*(X)  =  argmax,ugV{Pr[l  •<—  Exp°]  —  Pr[l  ■<—  Expi]}. 
Then,  it  follows  that 

Pr[l  <-  Exp°.]  -  Pr[l  <-  Exp*.]  >  e.  (13) 

Using  Alg,  we  can  now  define  our  non-uniform  algorithm  A.  For  each  security  parameter  A,  A(1A)  = 

(A)  • 

Now,  consider  the  class  of  circuits  C\  =  C°  v,  U  C\  v, .  We  will  require  our  obfuscator  ©  to  be  a  virtual 
black  box  obfuscator  for  circuit  class  C  =  {CaIagn- 

From  the  security  property  of  VBB  obfuscator,  it  follows  that  there  exists  a  PPT  simulator  S  corre¬ 
sponding  to  A  such  that 


Pr  [A  (©(©))  =  1]  -  Pr  SG  (l|c|)  =  1  <  negl(A) 


(14) 


for  all  circuits  C  £  C\  and  the  probabilities  are  over  the  random  coins  of  A  and  S  respectively. 

Therefore,  from  Equations  13  and  14,  we  get  the  following  observation. 

Observation  5.1.  Let  (SK,VK)  ■<—  <S.Gen(lA)  and  K  F.setup(lA).  Let  v*  =  (a,rx,rx,'r Att);  cr  = 
PRG(a).  Nv »,  Kyt  and  (rn„.,  st„.)  computed  using  rx,rx  and  rAtt  respectively,  and  y  =  <S.Verify||VK||ra„». 
Let  ©0  =  Transform-VBB-1^  K  ,  a  sk  k  an<^  Ci  =  Transform-VBB-2,^  N  f  K  ,  a  sk  k-  Then 


Pr 


gC0  ^ICo 


=  1 


—  Pr 


SGl  (l'6'1 


=  1 


>  e  -  negl(A) 


where  the  probabilities  are  over  the  choice  of  (SK,  VK),  K  and  the  random  coins  of  S. 

We  will  show  that  this  leads  to  a  contradiction.  Consider  the  algorithm  Transform-VBB'-l  which  is  exactly 
similar  to  the  circuit  Transform-VBB-1,  except  that  the  signature  is  computed  using  true  randomness  instead 
of  using  F. 
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Transform-VBB'-ljy  K  Q  SK  : 

Inputs:  b  G  {0,1}, a  G  {0, 1}*,  Verify'  G  {0,1}*™,  VK'  G  {0,l}^k,  m!  G  {0,1}*“^, 
a'  G  {0,1}^. 

Constants  :  RSA  modulus  N  G  N,  K  G  /C,  aG  {0,  l}2*,  SK  G  SK.. 

if  b  =  0  then 

if  PRG(a)  ^  a  then 
Output  _L. 
else 

Choose  r  G  {0,  l}*rnd  and  output  (VK, <S.Sign(SK,  in'; r)). 

end  if 

else  if  Verify7  (VK7,  to',  a')  =  0  then 
Output  _L. 
else 

Output  F(K,  Verify'||VK7||m7). 

end  if 

From  the  security  of  F,  we  get  the  following  claim: 

Claim  5.7.  Let  (SK,  VK)  «—  <S.Sign(lA)  and  K  g-  F.setup(lA).  Let  v*  =  (a.  rjv,  i"k,  CAtt)-  a  =  PRG(a). 
Nv*,  Kv* ,  (mv* ,  st„» )  are  computed  using  rjy,rK,r  am  respectively.  Let  Co  =  Transform-VBB-1^  K  SK  ^ 
and  C0  =  Transform-VBB,-lAr  i<-jQ,jSK.  Assuming  F  is  a  secure  PRF,  for  any  PPT  algorithm  S, 


Pr 


Sc°  ('ilColj 


=  1 


—  Pr 


S 


c' 


1  <  negl(A). 


Similarly,  we  define  an  algorithm  Transform-VBB7-2  which  is  exactly  similar  to  Transform-VBB-2,  except 
that  the  signature  is  computed  using  true  randomness. 


Claim  5.8.  Let  (SK,  VK)  <—  <S.Sign(lA)  and  K  t—  F.setup(lA).  Let  v*  =  (a,  rjv,  rx,  ^Att),  a.  =  PRG(a). 
Nv*,  Kv*,(mv*,stv*)  are  computed  using  r/v,rif,r Att  respectively  and  y  =  <S.  Verify  ||VK||mi,*.  Let  Ci  = 
Transform-VBB-2y  N  K  a  sk  k  an<^  =  Transform-VBB7-2y tN,K,a,SK-  Assuming  F  is  a  secure  PRF,  for  any 
PPT  algorithm  S, 


Pr 


=  1 


-Pr 


<  negl(A). 


Therefore,  if  we  can  show  that  no  PPT  algorithm  can  distinguish  between  C'0  and  C{  given  only  oracle 
access,  then  together  with  Equation  14  and  Claims  5.7,  5.8,  this  leads  to  a  contradiction.  Note  that  if  any 
algorithm  S  has  only  oracle  access  to  Cj)  and  C{ ,  then  in  order  to  distinguish  between  the  two,  S  must  send 
a  query  (1,  a',  5. Verify,  VK,  m,  a)  such  that  <S.Verify(VK,  to,  a)  =  1.  This  breaks  the  security  of  signature 
scheme  S. 


Claim  5.9.  Let  (SK,  VK)  «—  <S.Sign(lA)  and  K  <—  F.setup(lA).  Let  v*  =  (a, Tat, rx ,  J’Att),  ct  =  PRG(a). 
Nv*,  KV*,  (m„*,  st„»)  are  computed  using  rN,rx,r  Att  respectively  and  y  =  <S.  Verify  ||VK||m„*.  Let  Cq  = 
Transform-VBB7-lAr,A',ct,SK  and  C[  =  Transform-VBB7-2yijv,A:,a,SK-  Assuming  S  is  a  secure  signature  scheme, 
for  any  PPT  algorithm  S, 


Pr 


jcj  ^|c; 


=  1 


-Pr 


S 


A  ^iicf 


=  1 


<  negl(A). 
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6  Universal  Aggregation  of  Arbitrary  Signatures  from  iO  in  the 
Random  Oracle  Model 

In  this  section,  we  describe  our  n-bounded  universal  signature  aggregator  (£Ver,  ^vk,  Asg,  4ig)~UniversalSigAgg. 
By  n-bounded,  we  mean  that  at  most  n  signatures  can  be  aggregated. 

We  will  use  a  secure  (f?ckt,-6np,4mt)  universal  parameters  scheme  U  =  (UniversalGen,  InduceGen)  (where 
the  parameters  t'ckiAinp  and  £0ut  will  be  specified  later),  an  additively  homomorphic  encryption  scheme 
(HE. setup,  HE.enc,  HE. dec,  HE. add)  with  message  space  Fp  for  some  prime  p  >  2^  and  ciphertext  space  Che- 
We  will  assume  each  ct  £  Che  can  be  represented  using  £ct  bits.  Finally,  we  will  also  use  a  one-way  function 
/  :  {0, 1  y  — ►  {0,  l}2f  and  a  secure  indistinguishability  obfuscator  iO. 

Our  construction  consists  of  three  algorithms  UniversalSetup,  UniversalAgg  and  UniversalVerify  described 
as  follows. 

UniversalSetup(lA,  1")  Let  (pk,sk)  HE.setup(lA).  It  computes  ciphertexts  ct,  ■£-  HE.enc(pk,  0)  and 
U  <—  UniversalGen(lA).  It  sets  the  public  parameters  to  be  PP  =  (pk,  cti, . . . ,  ct„,  U).  Let  us  assume  PP  can 
be  represented  using  ipp  bits. 

UniversalAgg(PP  =  (pk,  cti, . . . ,  ct„,  U),  {Verify^  VK,;,  m*,  Uj}  "=1)  We  will  view  each  signature  Ct;  as  an  in¬ 
teger  in  [0,2^ei«  -  1]. 

The  universal  aggregator  first  checks  if  all  n  tuples  are  distinct.  If  not,  it  outputs  _L.  Else,  it  computes 
t  =  01  •  cti  T  •  •  •  +  cr„  •  ct„. 

Let  AggSetup  be  the  (randomized)  algorithm  (defined  below)  that  takes  as  input  security  parameter  A, 
and  outputs  a  program  Cagg  and  s  £  {0,  l}2f .  It  uses  t)np  bits  of  randomness,  and  its  output  has  length 
£out.  Let  C-AggSetup^pp  |Verify  e  {0,  l}fckt  be  a  string  corresponding  to  canonical  description  of 

AggSetup^pp  |Verify  We  will  assume  that  given  C-AggSetupt  PP  {Verify .  VK.  m. y. ,  one  can  efficiently 

extract  the  hardwired  constants  t ,  PP  and  the  n  tuples  {Verify^,  VKj,  mj}j. 

The  aggregator  algorithm  first  computes  ( C3gg,s )  =  lnduceGen(C-AggSetupt  PP  |Verify  VK.  m.j.).  Next,  it 
computes  s  =  Cagg(cri, . . . ,  an)  and  outputs  o^gg  =  (t,  s). 
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AggSetup,  Pp  |Verify.  VK.im.} . : 

Inputs:  Security  parameter  1A,  r  £  {0,  l}<inp. 

Constants:  t  €  Che,  PP  =  (pk. cti . £  {0, 1}^PP,  (Verify^ VK*, TOj}j  € 

({0, 1 Y™  x  {0, 1  }^k  x  {0,  l}^*)n. 

1.  Choose  s  <—  {0,  l}f  using  r. 

2.  Compute  Cagg  £-  iO( AggSign,  t  PP  {Verify.  VKi>m.}.),  where  AggSign  is  the 
circuit  described  below. 


AggSlgnstjpp  {Verify.  5VK  * 

Inputs:  cr i, . . . ,  un,  where  ay  £  {0,  l}^8ig. 

Constants:  s  £  {0,1}^,  t  €  Che,  PP  =  (pk,  cti, . . . ,  ct„,  U), 
{Verify^  VKjrTOjli. 

if  3 i  such  that  Verify^VKj, m*,  oy)  =  0  then 
Output  J_. 

end  if 

if  t  o\  ■  cti  +  •  •  •  +  &n  ■  ctn  then 
Output  ±. 
end  if 
Output  s. 


3.  Compute  s  =  f(s). 

4.  Output  (CaggjS). 


UniversalVerify(PP  =  (pk,  cti,  •••,  ct„,  17),  {Verify^  VKj,  mj}"=1,  cragg  =  (t,sr))  The  verification  algorithm 
first  checks  if  all  n  tuples  are  distinct.  If  not,  it  outputs  0.  Else,  let  C-AggSetup  be  the  canonical  descrip¬ 
tion  of  AggSetup  as  defined  above.  It  computes  (Cagg,  s)  =  lnduceGen(I7,C-AggSetupt  PP  {Verify  VK.  m.i .).  If 
s  =  /(s'),  output  1,  else  output  0. 

Correctness  follows  directly  from  the  observation  that  InduceGen  is  a  deterministic  algorithm. 

6.1  Proof  of  Security 

Theorem  6.1.  Assuming  iO  is  a  secure  indistinguishability  obfuscator,  (UniversalGen,  InduceGen)  is  a  secure 
universal  parameters  scheme  in  the  random  oracle  model,  T~L8  is  a  secure  additively  homomorphic  encryption 
scheme  and  /  is  a  secure  one-way  function,  for  all  (fVer,  fvk,  fmsg,  fsig)-length  qualified  secure  signature 
schemes  S,  the  bounded  universal  signature  aggregator  described  in  Section  6  is  adaptively  secure  in  the 
random  oracle  model  with  respect  to  S. 

We  will  first  describe  a  sequence  of  intermediate  experiments  Game  0, . . . ,  Game  5,  where  Game  0  is  the 
adaptive  security  game  in  random  oracle  model.  From  Game  3  onwards,  the  challenger  starts  simulating 
the  universal  parameters  and  the  responses  to  random  oracle  queries.  In  order  to  do  so,  the  challenger 
implements  a  parameter  oracle  O ,  and  the  simulation  algorithms  are  allowed  to  make  random  oracle  queries 
to  O.  Let  us  assume  the  simulator  algorithms  SimUGen  and  SimRO  makes  at  most  qpar  calls  to  the  Parameters 
Oracle. 
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6.1.1  Sequence  of  Games 


Game  0:  In  this  game,  the  challenger  first  sends  PP,  VK  to  the  adversary  Att.  Att  then  makes  polynomially 
many  signature  and  random  oracle  queries.  Finally,  Att  outputs  forgery  cragg  and  n  tuples  {Verify ^ ,  VKi,  to,},. 

1.  Choose  (SK,VK)  <—  <S.Gen(lA),  (pk,sk)  £-  HE.setup(lA)  and  U  ■£-  UniversalGen(lA). 

Compute  ctj  t—  HE.enc(pk,  0)  for  all  i  £  [n]  and  set  PP  =  (pk,  cti, . . . ,  ctn,  U). 

Send  PP,VK  to  Att. 

2.  For  each  signature  query  Xi ,  compute  cy  =  <S.Sign(SK,  Xi)  and  send  ay  to  Att. 

3.  For  each  random  oracle  query  yi,  check  if  y.-,  has  already  been  queried. 

If  yes,  let  (yi,ay)  be  the  tuple  corresponding  to  y*.  Send  ay  to  Att. 

If  not,  choose  cq  t—  {0,  1}£ro,  send  to  Att  and  add  (yi5  a,)  to  table. 

4.  Finally,  Att  sends  a  forgery  <7agg  =  ( t*,s *)  and  n  tuples  {Verify^  VKi,  m,}.;.  Att  wins  if 

(a)  3 i*  such  that  Verify =  S. Verify  and  VKi*  =  YK, 

(b)  nrii*  was  not  queried  during  the  signing  phase, 

(c)  f(s*)  =  s  and  lnduceGen(t/,  C-AggSetupt,PP , {verify,, viq.m,},)  =  (C,s). 

Game  1:  This  game  is  exactly  similar  to  the  previous  one,  except  that  the  challenger  guesses  a  position 
i*  £  [n],  and  the  attacker  wins  only  if  the  forgery  verifies,  and  the  i*th  tuple  corresponds  to  S. Verify,  VK. 

1.  Choose  i*  t—  [n]. 

Choose  (SK,VK)  ■*—  5.Gen(lA),  (pk,sk)  HE.setup(lA)  and  U  £-  UniversalGen(lA). 

Compute  cti  HE.enc(pk,  0)  and  set  PP  =  (pk,  cti, . . . ,  ctn,  U). 

Send  PP,VK  to  Att. 

2.  For  each  signature  query  Xi,  compute  Oi  =  5.Sign(SK,  Xi)  and  send  cy  to  Att. 

3.  For  each  random  oracle  query  yi,  check  if  y,  has  already  been  queried. 

If  yes,  let  (yi,cii)  be  the  tuple  corresponding  to  yi.  Send  cti  to  Att. 

If  not,  choose  cq  <—  {0,  l}fRO,  send  on  to  Att  and  add  (yi,  cti)  to  table. 

4.  Finally,  Att  sends  a  forgery  <ragg  =  ( t*,s *)  and  n  tuples  { Verifyi;  VKi,  ?Bi}i.  Att  wins  if 

(a)  Verify,;,  =  S. Verify  and  VKi*  =  VK, 

(b)  rrii*  was  not  queried  during  the  signing  phase, 

(c)  f(s*)  =  s  and  lnduceGen({7,C-AggSetupt,iPPi{Verify.iVK.im.}.)  =  (C,s). 

Game  2:  In  this  game,  the  challenger  modifies  the  public  parameters  PP.  Instead  of  outputting  n  encryp¬ 
tions  of  0,  the  challenger  outputs  an  encryption  of  1  at  position  i*. 

1.  Choose  i*  <—  [n]. 

Choose  (SK,VK)  <—  5.Gen(lA),  (pk,sk)  HE.setup(lA)  and  U  t—  UniversalGen(lA). 

Compute  cti  HE.enc(pk,0)  for  all  i  £  [n],i  ^  i* .  Let  cti*  £~  HE.enc(pk,  1). 

Set  PP  =  (pk,  cti,  ■  ■  ■ ,  ct„,  U). 

Send  PP,VK  to  Att. 

2.  For  each  signature  query  Xi,  compute  cr,  =  5.Sign(SK,  xi)  and  send  a  to  Att. 

3.  For  each  random  oracle  query  yi,  check  if  y,  has  already  been  queried. 

If  yes,  let  (y^cq)  be  the  tuple  corresponding  to  yi.  Send  cq  to  Att. 

If  not,  choose  «i  t—  {0,  l}fRO,  send  c*i  to  Att  and  add  (yi;  cti)  to  table. 

4.  Finally,  Att  sends  a  forgery  <ragg  =  ( t*,s *)  and  n  tuples  { Verifyi;  VKi;  m,}i.  Att  wins  if 

(a)  Verify,;,  =  S. Verify  and  VKi*  =  VK, 

(b)  rrii *  was  not  queried  during  the  signing  phase, 

(c)  f(s*)  =  s  and  lnduceGen(t/, C-AggSetupt,  PP ,{Verify.,VKi,mi}i)  =  (C,s). 
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Game  3  In  this  game,  the  challenger  ‘simulates’  both  the  universal  parameters  U  and  the  responses  to 
random  oracle  queries.  Let  SimUGen  and  SimRO  be  the  simulation  algorithms  corresponding  to  the  universal 
parameters  scheme  (UniversalGen,  InduceGen).  The  challenger  also  implements  the  Parameters  Oracle  O.  O 
takes  as  input  a  circuit  d  £  C\tc kt,^inp,4mt]-  If  d  has  already  been  queried,  O  returns  the  same  response. 

Else,  it  chooses  r  <-  {0,  l}^inp,  outputs  d(r),  and  adds  (d,  d(r))  to  its  table  T.  Though  the  parameters  oracle 

O  is  described  in  the  Setup  Phase,  it  is  used  in  all  the  later  phases  as  well. 

1.  Choose  i*  <-  [n]. 

Choose  (SK,VK)  <-  S.Gen(lA),  (pk,sk)  <-  HE.setup(lA). 

Compute  U  <—  SimllGen(lA). 

Compute  ctj  ■£-  HE.enc(pk,0)  for  all  i  £  [n],i  ^  i*.  Let  cti*  ■£-  HE.enc(pk,  1). 

Set  PP  =  (pk,  cti, . . . ,  ct„,  U). 

Implement  the  Parameters  Oracle  O  as  follows. 

-  Maintain  a  table  T.  Initially,  T  is  empty. 

-  For  the  ith  query  d  £  C[Hc kt,  AnP,  4>ut]>  check  if  T  contains  an  entry  corresponding  to  d. 

-  If  T  contains  an  entry  of  the  form  (d,  6),  output  <5. 

-  Else  choose  r  £-  {0,  l}^inp  and  output  d(r).  Add  (d,  d(r))  to  T. 

Send  PP,VK  to  Att. 

2.  For  each  signature  query  Xi,  compute  cr;  =  5.Sign(SK,  Xi)  and  send  cq  to  Att. 

3.  For  each  random  oracle  query  j/j,  output  SimRO(yi)  22 . 

4.  Finally,  Att  sends  a  forgery  eragg  and  n  tuples  {Verify^  VKj,  TOj},. 

Let  O-Queries,  denote  the  set  of  first  i  queries  to  O.  Att  wins  if 

(a)  Verify =  S. Verify  and  VKi»  =  VK, 

(b)  TOi*  was  not  queried  during  the  signing  phase, 

(c)  f(s*)  =  s  and  0(C-AggSetupf»  pP;{Verify.  VK.  m.}.)  =  (C,s). 

Recall  from  Section  6  that  C-AggSetupf  PP  ,jVerify  VK.  m.j  £  {0,  l}£ckt  allows  efficient  extraction  of  t,  PP 
and  (Verify^,  VKi,TOi)  for  all  i  <  n.  Without  loss  of  generality,  we  can  assume  that  if  Att  outputs  aagg  = 
(■ t*,s *)  as  forgery,  along  with  n  tuples  {Verifyi;  VIC,  then  the  circuit  C-AggSetupt»jPP  |Verify  VK.  m.j. 

was  sent  as  query  to  the  Parameters  Oracle  O.  We  will  now  define  games  Game  4-j-a  and  Game  4 -j-b  for 
j  <  qPar-  Let  us  first  define  some  notations.  Given  a  canonical  circuit  C-AggSetup4  PP  {verify  vk,  m,},i  ca^  it 
(i* ,  sk)-rejecting  if  Verify^,  (VKj» ,  m,. ,  HE.dec(sk,  t))  =  0.  Let  Reject-ckt  be  a  circuit  of  size  same  as  AggSign 
that  outputs  _L  for  all  inputs. 

Game  4 -j-a 

1.  Choose  i*  £-  [n]. 

Choose  (SK,  VK)  <-  S.Gen(lA),  (pk,sk)  <-  HE.setup(lA). 

Compute  U  <—  SimllGen(lA). 

Compute  cti  £-  HE.enc(pk,0)  for  all  i  £  [n],i  ^  i* .  Let  cti*  £-  HE.enc(pk,  1). 

Set  PP  =  (pk,  cti, . . . ,  ct„,  U). 

Implement  the  Parameters  Oracle  O  as  follows. 

-  Maintain  a  table  T.  Initially,  T  is  empty. 

-  For  the  ith  query  d  £  C\i ckt,  Anp>  4>ut]>  check  if  T  contains  an  entry  corresponding  to  d. 

-  If  T  contains  an  entry  of  the  form  (d,  d),  output  <5. 

-  Else  if  i  <  j  and  d  =  C-AggSetupt]PPi{Verify.iVK.im.}  is  (i* ,  sk)-rejecting, 

output  iC>(Reject-ckt)  and  /(s)  for  s  £-  {0, 1  }e. 

-  Else,  choose  r  <—  {0,  l}^inp  and  output  d(r).  Add  (d,  d(r))  to  T. 

22Note  that  SimRO  can  make  polynomially  many  queries  to  O. 
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Send  PP,VK  to  Att. 

2.  For  each  signature  query  Xi,  compute  cr,  =  <S.Sign(SK,  Xi)  and  send  cr,;  to  Att. 

3.  For  each  random  oracle  query  yi ,  output  SimRO(yi). 

4.  Finally,  Att  sends  a  forgery  cragg  and  n  tuples  {Verify,,  VK*,  nrii}i.  Let  O-Queries,  denote  the  set  of  first 
i  queries  to  O.  Att  wins  if 

(a)  Verify,,  =  S. Verify  and  VK,.  =  VK, 

(b)  rrii *  was  not  queried  during  the  signing  phase, 

(c)  (C-AggSetupt,  ppi{Verify.)VK.  m.}  is  not  (i* ,  sk)-rejecting)  or  (C-AggSetupt,iPP i{Verify.>VKi,TOi}  i  O-QuerieSj.i), 

(d)  f(s*)  =  s  and  0(C-AggSetupt,iPPi{Verify.jVK.im.}.)  =  ( C,s ). 

Game  4 -j-b 

1.  Choose  i*  t—  [n]. 

Choose  (SK,  VK)  <-  S.Gen(lA),  (pk,  sk)  <-  HE.setup(lA). 

Compute  U  <—  SimllGen(lA). 

Compute  ctj  ■£-  HE.enc(pk,0)  for  all  i  £  [n],i  ^  i*.  Let  ct,»  •<—  HE.enc(pk,  1). 

Set  PP  =  (pk,  cti, . . . ,  ct„,  U). 

Implement  the  Parameters  Oracle  O  as  follows. 

-  Maintain  a  table  T.  Initially,  T  is  empty. 

-  For  the  ith  query  d  £  C  [l ckt ,  Anp ,  A>ut]  j  check  if  T  contains  an  entry  corresponding  to  d. 

-If  T  contains  an  entry  of  the  form  ( d,5 ),  output  <5. 

-  Else  if  i<j  and  d  =  C-AggSetuptPP  {VerifyiVK.m.}  is  («*,  sk)-rejecting, 
output  iO(Reject-ckt)  and  f(s)  for  s  £-  {0, 1}^. 

-  Else,  choose  r  <—  {0,  l}£inp  and  output  d(r).  Add  ( d,d(r ))  to  T. 

Send  PP,VK  to  Att. 

2.  For  each  signature  query  Xj,  compute  cr,  =  5.Sign(SK,  Xi)  and  send  cr,  to  Att. 

3.  For  each  random  oracle  query  yi,  output  SimRO(yi). 

4.  Finally,  Att  sends  a  forgery  cragg  =  ( t*,s *)  and  n  tuples  {Verifyi;  VKi;  m,}.;.  Att  wins  if 

(a)  Verify,-,  =  S. Verify  and  VK,.  =  VK, 

(b)  m,*  was  not  queried  during  the  signing  phase, 

(c)  (C-AggSetupt,  ppi{Verify.  VK.  m.}  is  not  (**,  sk)-rejecting)  or  (C-AggSetUpt%pp;{Verify.|VK.im.}  j  O-Queries,,), 

(d)  f(s*)  =  s  and  0(C-AggSetuPi,iPpi{Verify.iVK.;ro.}.)  =  (C,s). 

Game  5  This  game  is  exactly  similar  to  Game  4 -qpar-b. 

1.  Choose  i*  £-  [n]. 

Choose  (SK,VK)  ■£-  5.Gen(lA),  (pk,sk)  HE.setup(lA). 

Compute  U  <—  SimllGen(lA). 

Compute  cti  HE.enc(pk,0)  for  all  i  £  [n],i  ^  i*.  Let  cti*  HE.enc(pk,  1). 

Set  PP  =  (pk,  cti,  ■  ■  ■ ,  ct„,  U). 

Implement  the  Parameters  Oracle  O  as  follows. 

-  Maintain  a  table  T.  Initially,  T  is  empty. 

-  For  the  ith  query  d  £  C[£ckt, -^inpj  ^out],  check  if  T  contains  an  entry  corresponding  to  d. 

-If  T  contains  an  entry  of  the  form  ( d,S ),  output  <5. 

-  Else  if  d  =  C-AggSetupt  pP  {Verifyj  VK.  m.}  is  (i*,  sk)-rejecting, 
output  iO(Reject-ckt)  and  /(s)  for  s  £-  {0, 1  }A 

-  Else,  choose  r  £-  {0,  l}^inp  and  output  d(r).  Add  (d,  d(r))  to  T. 

Send  PP,VK  to  Att. 

2.  For  each  signature  query  xi:  compute  cr,  =  S.Sign(SK,  Xj)  and  send  cr,  to  Att. 
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3.  For  each  random  oracle  query  y, ,  output  SimRO(yi). 

4.  Finally,  Att  sends  a  forgery  eragg  =  (t*,s*)  and  n  tuples  {Verify^  VKj,  mjj.  Att  wins  if 

(a)  Verify^,  =  S. Verify  and  VK,»  =  VK, 

(b)  rrii*  was  not  queried  during  the  signing  phase, 

(c)  iS.Verify(VK,  m*. ,  HE.dec(sk,  t*))  =  1, 

(d)  f(s*)  =  s  and  0(C-AggSetupt%PPi{Verify.)VK.im.}.)  =  (C,s). 

6.1.2  Analysis 

Let  Adv^tt  denote  the  advantage  of  Att  in  Game  j. 

Claim  6.1.  For  any  adversary  Att, 

AdvAtt  =  AdvAtt/™- 

Proof.  This  follows  from  the  definitions  of  Game  0  and  Game  1.  The  only  difference  between  the  two 
experiments  is  the  change  in  winning  condition,  which  now  includes  the  guess  i*.  This  guess  is  correct  with 
probability  1/n.  | 

Claim  6.2.  Assuming  (HE. setup,  HE. enc,  HE. dec)  is  a  secure  additively  homomorphic  encryption  scheme, 
for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Suppose  there  exists  an  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  B  that  breaks  the  semantic  security  of  HE  scheme  using  Att. 

B  receives  the  public  key  pk.  It  sends  0, 1  as  challenge  messages  to  the  HE  challenger,  and  receives  ct  in 
response.  It  chooses  i*  <—  [n],  (SK,VK),  computes  n—1  encryptions  of  0,  that  is,  ct,  <—  HE.enc(pk,  0)  for 
i  ^  i*.  It  sets  ctj*  =  ct.  It  computes  U  <—  UniversalGen(lA)  and  sends  PP  =  (pk,  cti, . . .  ,ct„,  U)  and  VK  to 
Att. 

Att  then  asks  for  signature/random  oracle  queries,  which  B  can  simulate  perfectly.  Finally,  Att  outputs  a 
forgery  <ra gg  and  n  tuples  {Verify,,  VIC,  TOi}.  If  Att  wins  as  per  the  winning  conditions  (which  are  the  same 
in  both  Game  1  and  Game  2),  output  0,  else  output  1. 

Clearly,  if  ct  is  an  encryption  of  0,  then  this  corresponds  to  Game  1,  else  it  corresponds  to  Game  2.  This 
completes  our  proof.  9 

Claim  6.3.  Assuming =  (UniversalGen,  InduceGen)  is  a  secure  (£ckt,  6np,  4>ut)  universal  parameters  scheme, 
for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  A  such  that  Pr[Real^(lA)  =  1]  —  Pr[ldeal^mUGen  SimR0(lA)  =  1]  =  e. 

A  interacts  with  Att  and  participates  in  either  the  Real  or  Ideal  game.  It  receives  the  universal  parameters 
U.  It  chooses  (SK, VK)  <—  6>.Gen(lA),  (pk, sk)  <—  HE.setup(lA),  computes  ciphertexts  ct1;...,ct„  and  sets 
PP  =  (pk,  cti, . . . ,  ct„,  U).  It  sends  PP,  VK  to  Att. 

For  the  signature  queries,  A  computes  the  signatures  using  SK.  For  any  random  oracle  query  x,  it  forwards 
x  to  the  challenger  in  the  Real/Ideal  game,  and  receives  either  RO(ir)  or  SimRO(a;).  Finally,  it  receives  a 
forgery  tjagg  =  ( t*,s *)  and  n  tuples  {Verify^, VKj, mj}j.  Note  that  since  there  is  no  Honest  Parameter 
Violation,  lnduceGen(t/, C-AggSetupt,  PP ,{Verify.,VKi>mi}i)  =  0(C-AggSetupt,  PP  {Verify.  VK.;m.} .).  Therefore, 
Game  2  corresponds  to  Real'4(lA)  experiment,  while  Game  3  corresponds  to  ldeals}mUGen  SimR0(lA).  Hence, 
Pr[Real^(lA)  =  1]  —  Pr [Idea l^}mUGen  SimR0 (1 A )  =  1]  =  Adv^tt  —  Adv^tt. 
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Claim  6.4.  Assuming  iO  is  a  secure  indistinguishability  obfuscator,  for  any  j  <  qpar,  for  any  PPT  adversary 

Att, 

AdvAttJ_1)"6  -  AdvAtT  <  negl(A). 

Proof.  The  only  difference  between  Game  4 -(j  —  1  )-b  and  Game  4 -j-a  is  with  respect  to  the  jth  query  to 
the  parameters  oracle  O.  If  the  jth  query  is  not  of  the  form  C-AggSetup,  PP qVerify .jVKijTOi} ,  or  if  it  is  not 
('<*,  sk)-rejecting,  then  both  games  are  identical.  Therefore,  let  us  consider  the  case  where  the  jth  query  to  O  is 
C-AggSetupf  PP  {Verify .  VK.  for  some  t,  {Verify;,  VK;,  m;},  and  it  is  (z*,  sk)-rejecting.  In  Game  4-(j  — 1)-6,  O 
outputs  (*C(AggSignfjSjPp  |Verify  VK.jm.}),  f(s))  while  in  Game  4-j-a,  it  outputs  (z(7(Reject-ckt),  /(s)).  Hence, 
if  we  can  show  that  C-AggSetuptjPP  |Verify  VK.  m.j  and  Reject-ckt  are  functionally  identical  for  (z*,  sk)-rejecting 
circuit,  then  we  can  use  the  security  of  iO  to  prove  our  claim. 

Consider  any  input  <j\,...,an  to  C-AggSetuptPP  |Verify  VK.  .  If  3z  such  that  Verify  i  (VK,;,  m;,  ay)  =  0, 
then  it  outputs  T.  If  t  cr1  ■  cti  +  . . .  +  an  ■  ctn,  then  it  output  T.  However,  note  that  if  t  =  oq  • 
cti  +  . . .  +  an  ■  ctn,  then  t  is  an  encryption  of  ay*.  Since  C-AggSetupt  Pp  |Verify  VK.  is  (z* ,  sk)-rejecting, 
Verify;,  (VK;* ,  m;» ,  HE. dec(sk,  f))  =  0.  Therefore,  this  circuit  outputs  _L  on  all  inputs,  and  is  functionally 
identical  to  Reject-ckt.  j£j 

Claim  6.5.  Assuming  /  is  a  secure  one  way  function,  for  any  j  <  qpar,  for  any  PPT  adversary  Att, 

AdvAu’a  -  AdvA«  6  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^'°  —  Adv^“b  =  e.  We  will  construct  a  PPT 
algorithm  B  that  inverts  the  one  way  function  /  using  Att. 

Note  that  the  only  way  an  adversary  can  distinguish  between  Game  4 -j-a  and  Game  4 -j-b  is  by  sub¬ 
mitting  a  forgery  eragg  =  ( t*,s *)  and  n  tuples  {Verify,;,  VK;,  to,}  such  that  C-AggSetupt  PP  |Verify  VK.  is 
(z*,  sk)-rejecting  and  C-AggSetupt«  pP qVerify was  sent  as  jth  query  to  O. 

B  receives  as  input  s.  It  chooses  i*  <—  [zz],  chooses  (SK,  VK)  5.Gen(lA)  and  sets  PP  as  in  Game  4 -j-a 
and  Game  4 -j-b.  It  sends  PP,VK  to  Att.  For  each  signature  query  Xi,  it  sends  ay  <—  <S.Sign(SK, xf)  to 
Att.  For  each  random  oracle  query  yi,  B  uses  SimRO.  SimRO,  in  turn,  makes  a  number  of  queries  to  the 
Parameters  Oracle  O.  If  the  jth  query  to  O  is  C-AggSetupt  PP  {Verify  ,VKi,mi}  and  is  (i* ,  sk)-rejecting,  send 
(iO (Reject-ckt),  s)  as  response.  All  other  oracle  queries  are  computed  as  before.  Finally,  if  Att  wins,  then  B 
can  use  the  forgery  aagg  =  ( t * ,  s* )  and  send  s*  as  inverse  of  s. 


Claim  6.6.  Assuming  S  is  a  (£vel,  £vk,  ^msg)  ^sigj-lengtli  qualified  secure  signature  scheme,  for  any  adversary 

Att, 

Adv^t  <  negl(A). 

Proof.  Suppose  Adv^tt  =  e.  We  will  construct  a  PPT  algorithm  B  that  breaks  the  security  of  S  with 
advantage  e. 

B  receives  VK  from  the  challenger.  It  chooses  i*  [n],  PP  as  in  Game  5  and  sends  PP.VK  to  Att.  For 
each  signature  query  ay  sent  by  Att,  B  sends  it  to  the  challenger,  receives  ay,  which  it  forwards  to  Att.  It 
simulates  the  oracle  queries  using  SimRO,  as  in  Game  5.  Finally,  Att  outputs  a  forgery  aagg  =  ( t*,s *)  and 
rz  tuples  {Verify VK,,  TOz},;.  Att  wins  if  Verify,;,  =  S. Verify;, ,  VK;,  =  VK,  To;,  was  not  queried  during  the 
signature  phase  and  <S.Verify(VK,  m;» ,  HE.dec(sk,  t*))  =  1.  It  sends  (m;* ,  HE.dec(sk,  t*))  as  forgery.  Note 
that  B  wins  the  signature  game  if  Att  wins  Game  5.  This  concludes  our  proof. 


Using  the  above  claims,  it  follows  that  any  PPT  adversary  has  negligible  advantage  in  Game  0,  assuming 
the  universal  parameters  scheme  is  secure  (in  the  random  oracle  model),  T-L£  is  a  secure  additively  homomor¬ 
phic  encryption  scheme  and  /  is  a  secure  one-way  function.  Therefore,  the  universal  signature  aggregator 
described  in  Section  6  is  adaptively  secure  with  respect  to  all  secure  signature  schemes  in  the  random  oracle 
model. 
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7  Universal  Aggregation  of  Arbitrary  Signatures  from  iO  in  the 
Standard  Model 

In  this  section,  we  will  describe  a  construction  for  an  n-bounded  universal  signature  aggregator  that  can 
be  proven  selective  secure  with  respect  to  all  secure  length-qualified  signature  schemes  using  complexity 
leveraging.  We  will  use  an  additively  HE  scheme  HE  with  message  space  Fp  for  some  prime  p  >  2 *ai<5  and 
ciphertext  space  Che,  where  each  ciphertext  in  Che  can  be  represented  using  £ct  bits.  We  will  also  use  an 
indistinguishability  obfuscator  iO ,  a  puncturable  pseudorandom  function  F  with  key  space  /C,  input  space 
{0,  l}^ver+^vk+hnsg+i°gn+logp  ancj  range  {0,1}*  for  £  >  2fct  and  an  injective  one-way' function  /  :  {0,1}* 

{0, 1}2£.  The  universal  signature  aggregator  consists  of  three  algorithms  UniversalSetup,  UniversalAgg  and 
UniversalVerify  described  below. 

UniversalSetup(lA,  1")  The  setup  algorithm  takes  A ,  n  as  input,  and  chooses  (pk,  sk)  4—  HE.setup(lA).  It 
then  computes  n  encryptions  of  0,  that  is,  ctj  <—  HE.enc(pk,0)  for  i  £  [n]. 

Let  (7 i  £  Fp  for  i  £  [n].  Let  C'<7l)...)<Tn  be  a  circuit  that  takes  as  input  n  bits  x\, . . .  ,xn  and  outputs  cqa;, 
mod  p.  The  setup  algorithm  computes  Pi  =  iO(AggSignii-  kjCti  ctn)  and  P2  =  tOjAggVerify^ ),  where  the 
programs  AggSign23  and  AggVerify24  are  dehned  below.  It  outputs  PP  =  (Pi,P2). 


AggSign^pk  ctu  .  _ctn 

Inputs:  {Verify,,  VK.(,  m,:,  cr,:},:. 

Constants:  PRF  Key  K  £  1C,  pk,  (cti, . . .  ,ct„)  £  C^E. 

if  3i  such  that  Verifyj(VKi,  ml ,  <Ji)  =0  then 
Output  T. 

end  if 

Compute  t  =  cti  •  cti  +  . . .  +  an  ■  ctn. 

Let  Si  =  F(K,  VerifyJ|VKi||mi||*||f). 

Output  aagg  = 


AggVerify  x 

Inputs:  {Verify,,  VK^mJj,  (t*,s*)  £  CHe  x  {0, 1}* 
Constants:  PRF  key  K 

Compute  s  =  ®iF(K,  Verify^ 1 1 VK^ |  |m.i |  |i|  ). 

Output  1  if  s  =  s* ,  else  output  0. 


UniversalAgg(PP  =  (Pi,  P2),  {Verify^  VKj,  rrii,  <Tj}j)  The  aggregator  algorithm  receives  as  input  the  public 
parameters  PP  and  n  tuples  { Verify VKj,rn.j,  },;.  Without  loss  of  generality,  we  will  assume  the  n  tuples 
are  lexicographically  ordered.  If  the  n  tuples  are  not  distinct,  the  algorithm  outputs  _L.  Else,  it  outputs 
Pi  ({  Verify VKj,  mu  crj,;). 


UniversalVerify(PP  =  (Pi,  P2),  {Verify^,  VKi;  m,;}"=i,  cragg  =  ( t*,s *))  Assume  the  n  tuples  are  sorted  in 
lexicographic  order.  The  verification  algorithm  checks  that  the  n  tuples  are  distinct.  If  not,  it  outputs  0. 
Else,  it  outputs  P2({Verifyi5  VK^mJ,  (■ t*,s *)). 

23Padded  to  be  of  same  size  as  AggSign-1. 

24Padded  to  be  of  same  size  as  AggVerify-1  and  AggVerify-2. 
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7.1  Proof  of  Security 

Let  S  be  a  secure  signature  scheme.  In  order  to  prove  the  construction  in  Section  7  selectively  secure  with 
respect  to  S ,  we  will  describe  a  sequence  of  intermediate  hybrid  experiments.  Looking  ahead,  there  will  be 
an  exponential  number  of  intermediate  hybrid  experiments,  and  hence  we  will  be  using  stronger  security  for 
the  indistinguishability  obfuscator  iO ,  the  puncturable  PRF  F  and  the  one  way  function  /. 

Theorem  7.1.  Let  Att  be  any  PPT  adversary,  and  S  a  (£ver,  fvk,  4nsg,  4ig)-length  qualified  secure  signature 
scheme.  Let  Adv^ett  s  denote  the  advantage  of  Att  in  the  universal  signature  aggregator  selective  security 
game  with  respect  to  S.  Let  Adv5,  Advw£,  Adv?°,  AdvF  and  Adv-^  denote  the  maximum  advantage  of  a  PPT 
adversary  against  signature  scheme  5,  HE  scheme  T~L£ ,  indistinguishability  obfuscator  iO ,  selectively  secure 
puncturable  PRF  F  and  one  way  function  /  respectively.  Then, 

AdvAtU  -  n(Adv^f  +  2At  (6Advi0  +  2Advf  +  Adv/)  +  Adv5) 

where  4t  is  the  length  of  ciphertexts  in  Che- 

7.1.1  Sequence  of  Games 

Game  0:  This  corresponds  to  the  selective  security  game.  The  challenger  receives  to*  from  Att,  chooses 
(SK,  VK)  4—  <S.Gen(lA),  the  public  parameters  PP  and  sends  PP,  VK  to  the  adversary  Att.  Att  then  queries 
for  signatures,  which  the  challenger  can  compute  using  SK.  Finally,  Att  outputs  forgery  <ra gg  and  n  tuples 
{Verify^  VKj,mJ. 

1.  Att  sends  message  to*. 

2.  Choose  (SK,VK)  4—  <S.Gen(lA),  (pk,sk)  HE.setup(lA)  and  K  £-  P.setup(lA). 

Compute  ctj  4-  HE.enc(pk,  0)  for  all  i  £  [n]  and  Pi  4—  iO( AggSignA-  pk  ctl  ctn),  P2  <—  iO( AggVerify^). 
Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  x,  ^  to*,  compute  a.,  =  lS.Sign(SK,  Xj)  and  send  cr,  to  Att. 

4.  Finally,  Att  sends  a  forgery  eragg  =  (t*,s*)  and  n  tuples  {Verify^,  VK*,  to*}*.  Att  wins 

(a)  3 i*  such  that  Verify =  S. Verify,  VKj*  =  VK,  to»*  =  m*, 

(b)  AggVerifyx(PP,{Verifyi,VKi,TOi},(7agg)  =  1. 

Game  1:  In  this  experiment,  the  challenger  chooses  i*  4—  [n],  and  the  adversary  wins  if  Verify,;,  =  S. Verify, 
VKj*  =  VK  and  m.j *  =  m* . 

1.  Att  sends  to*. 

2.  Choose  i*  4—  [n]. 

Choose  (SK,VK)  4—  <S.Gen(lA),  (pk,sk)  HE.setup(lA)  and  K  £-  P.setup(lA). 

Compute  ctj  4-  HE.enc(pk,0)  for  all  i  £  [n],  Pi  R7(AggSignA*  pk  cti]  ctii),  P2  4-  iO( AggVerify^ ). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  Xj  ^  to*,  compute  ay  =  S.Sign(SK,  Xj)  and  send  ay  to  Att. 

4.  Finally,  Att  sends  a  forgery  eragg  =  (t*,s*)  and  n  tuples  {Verify^  VKj,  TOj}j.  Att  wins 

(a)  Verify =  S. Verify,  VKj*  =  VK,  to j*  =  to*, 

(b)  AggVerifyK(PP,  {Verify,,,  VKj,  TOj},cragg)  =  1. 

Game  2:  This  game  is  similar  to  the  previous  one,  except  that  ctj*  is  an  encryption  of  1,  instead  of  0. 

1.  Att  sends  to*. 

2.  Choose  i*  4—  [n\. 

Choose  (SK,VK)  4—  <S.Gen(lA),  (pk,sk)  4—  HE.setup(lA)  and  K  £-  P.setup(lA). 

Compute  ctj  4—  HE.enc(pk,  0)  for  all  i  ^  i* ,  ctj*  4—  HE.enc(pk,  1),  Pi  4—  ^(AggSign^ jPk)Ctlj P‘2  ~ 
iO(  AggVerify^). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 
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3.  For  each  signature  query  X;  ^  to*,  compute  cr,  =  <S.Sign(SK, X;)  and  send  a,  to  Att. 

4.  Finally,  Att  sends  a  forgery  cragg  =  ( t*,s *)  and  n  tuples  {Verify;,  VK;,  rm}i.  Att  wins 

(a)  Verify;,  =  S. Verify,  VK ;.  =  VK,  m,.  =  to*, 

(b)  AggVerifyx(PP,  {Verify,,  VK;,  TOi},cragg)  =  1. 

We  will  now  describe  an  exponential  number  of  hybrid  experiments  Game  3,  j  for  j  <  2^“.  Before  describ¬ 
ing  these  intermediate  hybrids,  we  will  define  some  notations.  Recall  AggVerifyA  takes  as  input  tuples  of  the 
form  ({Verify,;,  VK;,  To;},  (f*,  s*)).  Call  such  a  tuple  (**,  sk)-rejecting  if  Verify;.  (VK;» ,  m;»  ,  HE.dec(sk,  t*))  = 
0. 

Game  3 ,j:  In  this  game,  the  adversary  does  not  win  if  the  forgery  input  ({Verify;,  VK;,  To;},  ( t*,s *))  is 
(**,  sk)-rejecting  and  t*  <  j. 

1.  Att  sends  to*. 

2.  Choose  i*  4—  [n]. 

Choose  (SK,VK)  4—  <S.Gen(lA),  (pk,sk)  4—  HE.setup(lA)  and  K  <s—  P.setup(lA). 

Compute  ct;  4—  HE.enc(pk,0)  for  all  i  ^  i* ,  ct;»  4—  HE.enc(pk,  1),  Pi  4—  iO(Agg5\gr\K  pk  ti jCtrJ, 
P2  4-  iO( AggVerifyA). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  X;  ^  to*,  compute  cr;  =  S.Sign(SK,  X;)  and  send  a,  to  Att. 

4.  Finally,  Att  sends  a  forgery  cragg  =  (t*,s*)  and  n  tuples  {Verify;,  VK;,  To;};.  Att  wins 

(a)  Verify,;,  =  S. Verify,  VK;.  =  VK,  To;.  =  m*, 

(b)  ({Verify,,  VK;,  To;},  (f*,s*))  is  not  (i*,  sk)-rejecting  or  t*  >  j, 

(c)  AggVerifyK({Verify,,VK;,  to;},  cragg)  =  1. 

Game  4:  This  game  is  identical  to  Game  3,  2^ct. 

1.  Att  sends  to*. 

2.  Choose  i*  [n]. 

Choose  (SK,VK)  4—  6>.Gen(lA),  (pk,sk)  4—  HE.setup(lA)  and  K  P.setup(lA). 

Compute  ct;  4—  HE.enc(pk,0)  for  all  i  ^  i*,  ct;.  4—  HE.enc(pk,  1),  P1  4—  iO(AggS\gnKpkcti _  ctn), 
P2  4-  iO{ AggVerifyA). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  x;,  compute  u;  =  <S.Sign(SK,  x;)  and  send  cr;  to  Att. 

4.  Finally,  Att  sends  a  forgery  cragg  =  (t*,s*)  and  n  tuples  {Verify;,  VK;,  To;};.  Att  wins 

(a)  Verify,;,  =  S. Verify,  VK;,  =  VK,  To;*  =  to*, 

(b)  ({Verify,;,  VK;,  To;},  (i*,s*))  is  not  (i*,  sk)-rejecting, 

(c)  AggVerifyK({Verify,,VK;,  to;},  cragg)  =  1. 

7.1.2  Analysis 

Let  AdvAtt  denote  the  advantage  of  Att  in  Game  j. 

Claim  7.1.  For  any  adversary  Att, 

AdvAtt  =  Ad  VAtt/ra. 

Proof.  This  follows  from  the  definitions  of  Game  0  and  Game  1.  The  only  difference  between  the  two 
experiments  is  the  change  in  winning  condition,  which  now  includes  the  guess  i*.  This  guess  is  correct  with 
probability  1/n. 
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Claim  7.2.  For  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  Adv«£(A). 

Proof.  Suppose  there  exists  an  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  B  that  breaks  the  semantic  security  of  HE  scheme  using  Att. 

B  receives  the  public  key  pk.  It  sends  0, 1  as  challenge  messages  to  the  HE  challenger,  and  receives  ct 
in  response.  It  chooses  i*  t—  [n],  (SK,VK),  computes  n  —  1  encryptions  of  0,  that  is,  ct*  t—  HE.enc(pk,  0) 
for  i  7^  i*.  It  sets  ct*.  =  ct.  It  chooses  I\  F.setup(lA),  computes  Pi  <—  iO(AggS\gnK  rt,  rt  ), 
P2  p.  TofAggVerify*)  and  sends  PP  =  (P„  P2)  and  VK  to  Att 

Att  then  asks  for  signature/random  oracle  queries,  which  B  can  simulate  perfectly.  Finally,  Att  outputs  a 
forgery  (7agg  and  n  tuples  {Verify^,  VIC,  m,;}.  If  Att  wins  as  per  the  winning  conditions  (which  are  the  same 
in  both  Game  1  and  Game  2),  output  0,  else  output  1. 

Clearly,  if  ct  is  an  encryption  of  0,  then  this  corresponds  to  Game  1,  else  it  corresponds  to  Game  2.  This 
completes  our  proof.  H 


Observation  7.1.  For  any  PPT  adversary  Att, 


AdvAtt 


Adv 


3,0 

Att- 


Claim  7.3.  For  any  j  <  . 

AdvAtt  ~  AdvAtt+1  —  6AdviCI  +  2AdvF  +  Adv^. 


Proof.  The  proof  of  this  claim  involves  a  sequence  of  intermediate  hybrids  described  below.  Note  that  the 
only  difference  between  the  two  hybrids  is  Step  4b.  Both  games  are  identical  if  j  +  1  is  not  (i* ,  sk)-rejecting. 
Hence,  we  will  consider  the  case  where  S.  Verify  (VK,  to*,  HE.dec(sk,  j  +  1))  =  0. 


Game  3 ,j,a  In  this  game,  the  challenger  uses  obfuscations  of  circuit  AggVerify-1  instead  of  AggVerify. 
Instead  of  checking  whether  s*  =  ®;S;,  AggVerify-1  uses  an  injective  one  way  function  /  to  check  if  f(s  ® 
=  /(s;.). 

1.  Att  sends  m* . 

2.  Choose  i*  t—  [n]. 

Choose  (SK,VK)  <—  6>.Gen(lA),  ( pk,  sk)  t—  HE.setup(lA)  and  K  t—  F.setup(lA). 

Compute  ct,  «—  HE.enc(pk,0)  for  all  i  i* ,  ct ;.  <—  HE.enc(pk,  1),  Pi  <—  iO(AggS\gnK  pk  cti  ctn), 

P2  <-  *0 ( AggVerify-1  a')- 

Set  PP  =  (PUP2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  x;  ^  to*,  compute  cr,:  =  iS.Sign(SK,  x,)  and  send  cr,  to  Att. 

4.  Finally,  Att  sends  a  forgery  eragg  =  (t*,s*)  and  n  tuples  {Verify^  VK;,  mji.  Att  wins 

(a)  Verify,;,  =  S. Verify,  VK;.  =  VK,  to,.  =  to*, 

(b)  ({Verify,,  VK;,  To;},  (i*,s*))  is  not  (**,  sk)-rejecting  or  t*  >  j, 

(c)  AggVerify-lA({Verifyi,VK;,TO,},cragg)  =  1. 


AggVerify-1^ 

Inputs:  {Verify,,  VK;,  to;};,  (C,s*)  G  Che  x  {0,1}^ 

Constants:  PRF  key  K 

Compute  8  =  (®;^;.F(/\,  Verify^ 1 1 VK;| |to; 1 1* | |t))  ®  s* . 

Output  1  if  f(F(K,  Verify;, ||VK;. ||TO;.f|i*||t*)  =  f(s),  else  output  0. 
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Game  3 ,j,b:  In  this  game,  AggSign  and  AggVerify-1  are  replaced  by  AggSign-1  and  AggVerify-2.  Both  the 
replaced  programs  use  a  PRF  key  punctured  at  y  =  <S.Verify||VK||m,»||i*||j  +  1. 

1.  Att  sends  m* . 

2.  Choose  i*  «—  [n]. 

Choose  (SK,VK)  <—  <S.Gen(lA),  (pk,sk)  HE.setup(lA)  and  K  £-  P.setup(lA). 

Let  y  =  Verify  ||VK||m*||i*||j  +  1,  K{y}  «—  P.puncture(/G, y)  and  z  =  f{F(K,y)). 

Compute  ctj  £-  HE.enc(pk,0)  for  all  i  ^  i* ,  ct,.  <—  HE.enc(pk,  1),  P1  £-  ^(AggSign-l^^ypk  ct^  ctri), 

P2  <-  iO (AggVerify-2y  ^{k}^) ■ 

Set  PP  =  (Pi,P2).  Send  PP,YK  to  Att. 

3.  For  each  signature  query  ay  ^  m* ,  compute  ay  =  S.Sign(SK,  Xi)  and  send  oy  to  Att. 

4.  Finally,  Att  sends  a  forgery  cragg  =  ( t*,s *)  and  n  tuples  { Verify;,  VKj,  mj}j.  Att  wins 

(a)  Verify;,  =  S. Verify,  VKj,  =  VK,  mj»  =  m*, 

(b)  ({Verify;,  VKj,  my},  ( t*,s *))  is  not  (i*,  sk)-rejecting  or  t*  >  j, 

(c)  AggVerify-2^,^^}^ ({Verify,,  VKj,  ?Bj},  o-agg)  =  1. 


AggSign-1 

K{y}  ,pk,cti  ,...,ctn 

Inputs:  {Verify,, VKj, Wj, oy};. 

Constants:  PRF  Key  K{y},  pk,  (cti, . . . ,  ctra)  £  C^E. 

if  3*  such  that  Verify.;  (VK;,  m.;,  a,)  =  0  then 
Output  _L. 

end  if 

Compute  t  =  cr i  •  cti  +  . . .  +  anctn. 

Let  Si  =  F.eva\(K{y},  Verify,  ||VKj||mj||i||t). 
Output  cragg  =  (t,©jSj). 


AggVerify-2^^}^ 

Inputs:  {Verify,,  VKj,  ?nj}j,  ( t*,s *)  £  CHE  x  {0,  l}e 

Constants:  y,  PRF  key  K{y},  z  £  {0, 1}2€. 

Compute  a  =  (®j^j*P(Jf,  VerifyJ|VKj||mj||i||t))  ®  s*. 
if  Verify,,.  1 1 VKj.  |  |mj.  \\i*\\t*  =  y  then 
Output  1  if  z  =  f(s),  else  output  0. 
else 

Output  1  if  /(P.eval(iG,  Verify,;,  ||VKj.||mj.||P||P)  =  f(s),  else  output  0. 

end  if 


Game  3,  j,  c:  This  game  is  similar  to  the  previous  one,  except  that  2  is  a  uniformly  random  string. 

1.  Att  sends  m*. 

2.  Choose  i*  t—  [n]. 

Choose  (SK,VK)  ■£-  <S.Gen(lA),  (pk,sk)  HE.setup(lA)  and  K  £-  P.setup(lA). 

Let  y  =  S.  Verify  ||VK||m*||i*||j  +  1,  K{y}  «—  F.puncture(A', y)  and  z' t—  {0, 1}£,  z  =  f{z'). 

Compute  ctj  t—  HE.enc(pk,0)  for  all  i  ^  i*,  ctj.  <—  HE.enc(pk,  1),  Pi  <—  iC>(AggSign-lx{y},Pk,cti,...,ct,l); 
P2  £-  jG>(AggVerify-2yjK{y}jZ). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 
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3.  For  each  signature  query  ay  ^  to*,  compute  ay  =  <S.Sign(SK, ay)  and  send  ay  to  Att. 

4.  Finally,  Att  sends  a  forgery  cragg  =  (t*,s*)  and  n  tuples  {Verify^,  VKj,  rm}i.  Att  wins 

(a)  Verify^,  =  S. Verify,  VKj.  =  VK,  to j,  =  to*, 

(b)  ({Verifyj,  VKj,  to*},  (i*,s*))  is  not  (?*,  sk)-rejecting  or  t*  >  j, 

(c)  AggVerify-2j/iJf{3/}^({Verifyi,VKi,TOi},c7Bgg)  =  1. 

Game  3,  j,  d  :  In  this  game,  the  challenger  modifies  the  winning  condition  in  Step  4b. 

1.  Att  sends  to*. 

2.  Choose  i*  t—  [n]. 

Choose  (SK,VK)  4—  6>.Gen(lA),  (pk,sk)  4—  HE.setup(lA)  and  K  <s—  P.setup(lA). 

Let  y  =  S.  Verify  ||VK||TO*||z*||j  +  1,  K{y}  <r-  F.puncture(A', y),  z'  {0, 1 Y  and  z  =  f(z'). 

Compute  ctj  4-  HE.enc(pk,0)  for  all  i  ^  i*,  ct,»  <—  HE.enc(pk,  1),  Pi  4—  ^(AggSign-l^^}  pk  ctl 
P2  «-  jO(AggVerify-2yjK{y}i2). 

Set  PP  =  (Pi,  P2,  pk,  cti, . . . ,  ctn).  Send  PP,  VK  to  Att. 

3.  For  each  signature  query  ay  ^  to*,  compute  ay  =  iS.Sign(SK, xi)  and  send  ay  to  Att. 

4.  Finally,  Att  sends  a  forgery  aagg  =  (t*,s*)  and  n  tuples  {Verify^,  VKj,  mj}j.  Att  wins 

(a)  Verify,;,  =  S. Verify,  VKj.  =  VK,  to*.  =  to*, 

(b)  ({Verify,,  VKj,  TOj},  (i*,s*))  is  not  (**, sk)-rejecting  or  t*  >  j  +  1, 

(c)  AggVerify-2j/iif{y})2 ({Verify,,,  VKi;  TOj},  <ragg)  =  1. 

Game  3,  j,  e  :  In  this  game,  the  challenger  sets  2  =  f(F(K,y))  as  in  Game  3 ,j,c. 

1.  Att  sends  to*. 

2.  Choose  i*  [n\. 

Choose  (SK,VK)  4—  <S.Gen(lA),  (pk,sk)  HE.setup(lA)  and  K  <s—  P.setup(lA). 

Let  y  =  <S.Verify||VK||m*||i*||j  +  1,  K{y}  4—  F.puncture(AT,  y),  and  z  =  f(F(K,y)). 

Compute  ctj  HE.enc(pk,0)  for  all  i  ^  i* ,  ctj.  <—  HE.enc(pk,  1),  Pi  •<—  zC^AggSign-l^ryi  pk  ctl  ctn), 
P2  4-  zO(AggVerify-2yiK{y}j2). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  ay  ^  to*,  compute  cr,;  =  S.Sign(SK,  ay)  and  send  oy  to  Att. 

4.  Finally,  Att  sends  a  forgery  cragg  =  ( t*,s *)  and  n  tuples  {Verifyj,  VKj,  TOj};.  Att  wins 

(a)  Verifyj,  =  S. Verify,  VKj.  =  VK,  TOj.  =  to*, 

(b)  ({Verifyj,  VKj,  TOj},  (t*,s*))  is  not  (i*,  sk)-rejecting  or  t*  >  j  +  1, 

(c)  AggVerify-2yiif {y}>2 ({Verify,,  VKl;  ?nj},o-agg)  =  1. 

Game  3,  j,  /:  In  this  game,  the  challenger  uses  PRF  key  K  in  both  AggSign  and  AggVerify-1  instead  of  using 
K{y}  in  AggSign-1  and  AggVerify-2. 

1.  Att  sends  to*. 

2.  Choose  i*  <—  [n]. 

Choose  (SK,VK)  6>.Gen(lA),  (pk,sk)  4—  HE.setup(lA)  and  K  c—  P.setup(lA). 

Compute  ctj  4—  HE.enc(pk,0)  for  all  i  ^  i*,  ctj.  4—  HE.enc(pk,  1),  Pi  4—  iO(AggSignif  pkcti  ctn), 
P2  4-  iO{ AggVerify-1  x). 

Set  PP  =  (Pi,P2).  Send  PP,VK  to  Att. 

3.  For  each  signature  query  ay  ^  to*,  compute  ay  =  S.Sign(SK,  ay)  and  send  oy  to  Att. 

4.  Finally,  Att  sends  a  forgery  <jagg  =  (t*,s*)  and  n  tuples  {Verifyj,  VKj,  ?Bj}j.  Att  wins 

(a)  Verify,;,  =  S. Verify,  VKj,  =  VK,  TOj.  =  to*, 

(b)  ({Verify,,  VKj,  TOj},  (i*,s*))  is  not  (i* ,  sk)-rejecting  or  t*  >  j  +  1, 

(c)  AggVerify-lg({Verifyj,VKj,mj},cragg)  =  1. 
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We  will  now  relate  the  difference  in  Att’s  advantages  in  these  games  to  either  Adv 


%o 


Adv^  or  Adv-^ . 


Claim  7.4.  For  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtta  <  Advi°- 

Proof.  To  prove  this  claim,  we  need  to  show  that  the  programs  AggVerifyA  and  AggVerify-lA  are  functionally 
identical.  This  follows  from  the  observation  that  /  is  an  injective  function,  and  hence,  for  any  t* ,  s* , 

s*  =  ®;P(A',  Verifyi 1 1 VK*  1 1 TOf  | |i| 1 1* ) 

«=►  (®Mi.  F(K,  Verify,  1 |  VK,  |  |m<| \i |  |t* ))  ©  s*  =  F(K,  Verify,,  1 1 VK,,  |  |m;.  \  \i*  \ \t* ) 

/((®  F(K,  Verify^ 1 1 VK, | \m,  |  |i|  |t*))  ®  s*)  =  f(F(K,  Verify,;,  |  |VK;»  ||rnj»  |  |i* | \t*)) 


Claim  7.5.  For  any  PPT  adversary  Att, 

AdvAt{’°  -  AdvA£b  <  2Adv!°. 

Proof.  Let  K  ■<—  P.setup(lA),  y  =  iS.Verify||VK||m*||i*||j  + 1,  K{y}  •<—  P.puncture(A', y)  and  2  =  f(F(K,y)). 

As  in  the  previous  proof,  it  suffices  to  show  that  AggSignK  pkcti  tn  and  AggSign-lK-{j/},pk,ctl,...lCt;n  have 
identical  functionality,  and  AggVerify-1^-  and  AggVerify-2y tK{y},z  have  identical  functionality. 

Let  us  first  consider  AggSign^  pk  cti  iCtrj  and  AggSign-lA{y} >pk)Ctl; Consider  input  {Verify;,  VK,;,  m,,  cr,};. 
Let  t  =  a i-cti  +  . .  •  +  trnctn.  From  the  correctness  property  of  puncturable  PRFs,  it  follows  that  the  only  case 
in  which  AggSignA  pk  cti>  and  AggSign,yA-{y}ipkcti  >ctji  can  possibly  differ  is  when  Verify ,(VK,,  m;,  cr,)  = 

1  for  all  i  <  n,  Verify;.  =  S. Verify,  VK.;,  =  VK,  m,.  =  m*  and  t  =  j  +  1.  But  this  case  is  not  possible,  since 
S. Verify  (VK,  to*,  HE.dec(sk,  tf)  =  S. Verify  (VK,  to*,  <7;*)  =  1,  while  <S.Verify(VK,  to*,  HE.dec(sk,  j  +  1))  =  0. 

Next,  let  us  consider  the  programs  AggVerify-lA  and  AggVerifyy  K[y^z.  Both  programs  have  identical 
functionality,  because  2  =  f(F(K,y))  and  for  all  y'  yf  y,  F(K,y')  =  F.eva\(K{y},y'). 

This  concludes  our  proof.  H 

Claim  7.6.  For  any  PPT  adversary  Att, 

AdvAtt 6  —  AdvAtt’C  —  AdyF- 

Proof.  We  will  construct  a  PPT  algorithm  B  such  that  Advg  =  AdvAt{’b  —  AdvAt{’c.  B  interacts  with  Att, 
and  receives  to*.  It  chooses  i*  [n],  chooses  (SK,VK)  y-  <S.Gen(lA),  (pk,sk)  HE.setup(lA).  Next,  it 
computes  ct;  t—  HE.enc(pk,0)  for  all  i  yf  i* ,  ct;*  HE.enc(pk,  1).  It  sends  y  =  5.Verify||VK||m*||f*||j  +  1 
to  the  PRF  challenger,  and  receives  K{y},z',  where  either  z'  =  F(K,y)  or  z'  <—  {0,  l}2^.  It  computes 
^  =  /(-'),  Pi  ^(AggSign-l^pyj  pk  ctli  >ctii),  P2  t-  *0(AggVerify-2yjA:{y}jZ)  and  sets  PP  =  (Pi,P2).  It 
sends  PP,VK  to  Att. 

Next,  it  receives  signature  queries,  and  it  computes  the  signature  using  SK.  Finally,  it  receives  (Tagg  = 

( t*,s *)  and  n  tuples  {Verify;,  VK,;,  m;};.  If  Att  wins,  it  outputs  0,  indicating  z'  =  F(K,y).  Else,  it  outputs 
1.  Since  both  games  have  the  same  winning  condition,  it  follows  Adv^  =  AdvAtt &  —  AdvAtt’C-  HI 

Claim  7.7.  For  any  PPT  adversary  Att, 

AdvAtt’°  ~  AdvAtt’<i  —  Adv^  • 

Proof.  Suppose  Adv^{’c— Adv^{’d  =  e.  Then,  with  probability  e,  Att  receives  PP,  VK,  sends  signature  queries, 
and  outputs  forgery  cragg  =  (j  +  1,  s*)  and  n  tuples  {Verify,;,  VK;,  to,};  such  that  S. Verify,;.  =  Verify;. ,  VK;.  = 

VK,  rrii •  =  to* ,  the  output  forgery  is  (i*,  sk)-rejecting  and  AggVerify-2yiA{j/}i. ({Verify,,  VK,;,m;},CTagg)  =  1. 
From  the  definition  of  AggVerify-2,  it  follows  that  /((®;^;*P.eval(A'{y{,  Verify;||VK;||m,||i||j  +  l))®s*)  =  z. 
Therefore,  using  Att,  we  can  construct  a  PPT  algorithm  B  that  breaks  the  security  of  one  way  function  / 
with  advantage  e.  B  receives  z  from  the  OWF  challenger,  and  uses  it  to  compute  PP  as  in  Game  3,  j,  c  and 
Game  3 ,j,d.  It  sends  PP,VK  to  Att,  responds  to  signature  queries,  and  finally  receives  forgery  ( j  +  l,s*)25. 

25If  B  receives  any  other  forgery,  then  it  simply  quits. 
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and  n  tuples.  It  sends  z'  =  (®i^i*F.eva\(K{y},  Verify.^ 1 1 VK* |  |?ri* 1 1*|  |j  +  1))  ®  s*  to  the  OWF  challenger,  and 
clearly,  B  wins  if  Att  wins.  This  completes  our  proof.  (j 


Claim  7.8.  For  any  PPT  adversary  Att, 

AdvAtt d  —  Adv^’e  <  AdvF. 

Proof.  Similar  to  the  proof  of  Claim  7.6.  H 

Claim  7.9.  For  any  PPT  adversary  Att, 

Ad v Att’ 6  -  <  2Advi0. 

Proof.  Similar  to  the  proof  of  Claim  7.5.  H 

Claim  7.10.  For  any  PPT  adversary  Att, 

Adv^tJ  -  Adv^{+1  <  Advi0. 

Proof.  Similar  to  the  proof  of  Claim  7.4.  9 

Summing  it  up,  from  the  above  claims,  it  follows  that  for  any  PPT  adversary  Att,  Adv^  —  Adv^+1  < 
6Advl°  +  2AdvF  + Adv-^'. 


Claim  7.11.  For  any  PPT  adversary  Att, 


Adv^t  <  Adv5. 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^  =  e.  We  will  construct  a  PPT  algorithm 
B  that  breaks  the  security  of  S  with  advantage  e. 

B  interacts  with  Att  and  the  challenger  for  S.  First,  it  receives  m*  from  S  and  VK  from  the  challenger.  It 
chooses  i*  <—  [n],  (pk,  sk)  HE.setup(lA),  K  P.setup(lA).  It  computes  ct,;  -s—  HE.enc(pk,  0)  for  all  i  ^  i*, 
ctj.  «-  HE.enc(pk,  1),  Pi  ?;e>(AggSignK  pkcti and  P2  i(7(AggVerifyK).  It  sends  PP  =  (Pi,P2),  VK 
to  Att. 

For  each  signature  query  xt  ^  m*  sent  by  Att,  it  forwards  x.t  to  the  challenger,  and  receives  <7,;,  which  it 
sends  to  Att. 

Finally,  Att  outputs  a  forgery  <7agg  =  ( t*,s *)  along  with  n  tuples  {Verify;,  VK;,  nii}.  If  Att  wins  in  Game  4, 
then  Verify,,  =  S. Verify,  VK;.  =  VK,  rn,»  =  m*  and  ( aagg ,  {Verify;,  VK;,  m;})  must  not  be  (i*,  sk)-rejecting. 
In  other  words,  5.Verify(VK,  m* ,  HE.dec(sk,  £*))  =  1.  B  sends  to*,  HE.dec(sk,  t*)  as  a  forgery  to  the  challenger. 
This  completes  our  proof.  0 

Summing  up,  it  follows  that  any  adversary  Att  has  advantage  at  most  n(Adv^f  +  2^“  (6Adv^t  +  2AdvAtt  + 
Adv^tt)  +  Adv^)  in  Game  0,  where  Adv^f .  Adv^t,  AdvAtt,  Adv^tt  and  Adv5tt  denote  the  advantages  of  Att  in 
the  security  games  for  HE  scheme  HS,  indistinguishability  obfuscator  iO,  (selectively  secure)  puncturable 
PRF  F,  one-way  function  /  and  signature  scheme  S  respectively.  Therefore,  if  2A‘(AdvA^t  +  Adv^t  +  Adv{tt) 
is  negligible  in  A,  then  the  aggregator  scheme  described  in  Section  7  is  adaptively  secure  with  respect  to  all 
signature  schemes  S.  Note  that  we  require  sub-exponential  hardness  assumption  for  the  indistinguishability 
obfuscator  iO,  puncturable  PRF  F  and  one-way  function  /. 
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A  Universally  Aggregating  Unique  Signatures  without  the  RSA 
Assumption 

In  this  section  we  show  a  modification  of  our  universal  aggregation  of  unique  signatures  construction  and 
proof  from  Section  4  The  primary  diffence  is  that  the  transformed  siganture  output  will  be  a  bit  string  as 
opposed  to  an  RSA- type  group  element  in  Zjv-  Thus,  we  are  able  to  prove  security  without  using  the  RSA 
assumption  (but  keeping  indistinguishability  obfuscation  and  punctured  PRF  security  assumptions.)  The 
primary  tradeoff  is  that  the  setup  must  commit  to  an  a-priori  bound,  n  on  the  number  of  signatures  that 
can  be  aggregated.  The  signature  length  is  independent  of  n. 

We  will  now  describe  our  ?r-bounded  universal  signature  aggregator  (£ver,  £vk,  Imsg,  4ig)-UniversalSigAgg. 
Let  I  and  t<,wf  be  polynomials  such  that  £(X)  >  A.  We  will  use  a  puncturable  PRF  F  with  key  space  1C, 
punctured  key  space  JCP,  domain  A  =  {0,  l}^ver  x  {0,  l}('vk  x  {0,  l}^mag  and  range  y  =  {0,1}^,  a  one-way 
function  /  :  {0, 1}*  — >  {0, 1  }e°"'r  and  an  indistinguishability  obfuscator  iO.  Our  scheme  consists  of  the  three 
algorithms  UniversalSetup,  UniversalAgg  and  UniversalVerify. 

UniversalSetup(lA,  1"):  UniversalSetup  takes  as  input  the  security  parameter  A  and  a  bound  n  on  the  num¬ 
ber  of  signatures  to  be  aggregated.  It  chooses  a  puncturable  PRF  key  K  t—  F.setup(lA)  and  computes 
obfuscations  of  the  circuits  Transform^'  and  AggVerify^  defined  below.  It  sets  the  public  parameters  to  be 
PP  =  (iO(Transformx),  iC^AggVerify^)). 
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AggVerify^  : 

Inputs:  {(Verify^,  VK^TOj)}”^  where  (Verify,-,  VK*,  m*)  £  {0,  l}^var  x  {0,  l}^vk  x 
{0,  l}fmag  for  all  i  <  n,  aagg  £  {0,  l}e. 

Constants  :  K  £  1C. 

for  all  i  <  n  do 

Compute  Si  =  F{K,  Verify^  |VKy| \nrii). 

end  for 

Output  1  if  ®"=1s,;  =  <Tagg,  0  otherwise. 


UniversalAgg(PP,{(Verifyi,VKi,mi,tri)}-l=1):  Let  PP  =  (Pi,P2)-  UniversalAgg  first  checks  that  the  n  tuples 
are  distinct.  If  not,  it  outputs  _L.  Else,  it  computes  ti  =  Pi(Verifyj,  VIV,  m^,  oy)  for  each  i  <  n.  If  ti  =_L  for 
some  i,  then  UniversalAgg  outputs  _L,  else  it  outputs  eragg  =  ®jtj . 

UniversalVerify(PP,  {(Verify.^,  VKi,  mj)}"=1,  cragg):  Let  PP  =  (Pl,P2).  UniversalVerify  first  checks  if  the  n 
tuples  are  distinct.  If  not,  it  outputs  0.  Else,  it  outputs  P2({(Verifyi,  VKi;  rrii)  }"=1,  cragg). 

A.l  Proof  of  security 

In  this  section,  we  will  show  that  our  construction  is  selectively  secure  with  respect  to  unique  signature 
schemes. 

Theorem  A.l.  Assuming  iO  is  a  secure  indistinguishability  obfuscator,  (P,  P.setup,  P.puncture,  P.eval) 
is  a  puncturable  PRF  and  /  is  an  injective  one  way  function,  for  all  ( £ver ,  fvk,  4nsg)  4ig)-longth  qual¬ 
ified  secure  unique  signature  schemes  S,  the  n-bounded  universal  signature  aggregator  ( fver ,  £v^,  £msg, 
4ig)-UniversalSigAgg  is  selectively  secure  with  respect  to  S. 

Let  S  =  (S. Gen, <S. Sign, S. Verify)  be  a  secure  ( £vel ,  4k,  tmsg,  4ig)-length  qualified  unique  signature 
scheme,  and  Att  a  PPT  adversary.  Assume  Att  sends  q  signing  queries  during  the  signing  phase.  In  order  to 
prove  this  theorem,  we  will  define  a  sequence  of  experiments  Game  0,  . . .,  Game  4,  where  Game  0  =  Exp^  s. 

A. 1.1  Sequence  of  Games 

Game  0:  This  game  corresponds  to  Exp^^.  The  adversary  Att  first  sends  message  m,  and  then  receives 
the  verification  key  and  public  parameters  for  the  aggregator.  Next,  the  adversary  makes  signing  queries, 
and  finally  submits  the  forgery. 

1.  Att  sends  message  m. 

2.  Compute  (SK,VK)  <—  <S.Gen(lA,  1").  Choose  A'  <—  P.setup(lA)  and  set  PP  =  (^(Transform#),  fO(AggVerifyA-)). 
Send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  yf  m,  compute  ay  £-  6>.Sign(SK,  ay)  and  send  ay  to  Att. 

4.  Att  sends  forgery  <jagg  and  n  tuples  {(Verify^,  VKi;  to*)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify^  = 

S. Verify,  VK,.  =  VK  and  to**  =  to  and  UniversalVerify(  PP,  {(Verify^,  VIC,  mt )  },  cragg )  =  1. 

Game  1:  This  game  is  exactly  similar  to  the  previous  one,  except  that  the  program  Transform^  is  replaced 
by  Transform^-  which  outputs  _L  if  the  input  tuples  is  (5. Verify,  VK,  m,  <x)  where  6>.Verify(VK,  to,  a)  =  1. 

1.  Att  sends  message  to. 

2.  Compute  (SK,  VK)  £-  S.Gen(lA,  ln).  Choose  K  «—  P.setup(lA). 

Set  y  =  5.Verify||VK||TO  and  PP  =  (^(Transform^),  jO(AggVerifyx)).  Send  PP,  VK  to  Att. 

3.  For  each  signing  query  ay  yf  m,  compute  ay  <—  5.Sign(SK,  xi)  and  send  ay  to  Att. 
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4.  Att  sends  forgery  cragg  and  n  tuples  {(Verify^  VKj,  m.j)}.  Att  wins  if  3 i*  £  [n]  such  that  Verify^  = 
S. Verify,  VKj.  =  VK  and  m j.  =  m  and  UniversalVerify(  PP,  {(Verify^  VKj,  m, )  },  cragg)  =  1. 


Transform',  K  : 

Inputs:  Verify'  €  {0, 1}*™-,  VK'  £  {0,  l}^k,  m'  £  {0, 1}^,  a'  €  {0,  l}4i*. 
Constants  :  y  €  {0, l}f™  x  {0,  l}^k  x  {0, 1}*™*,  K  £  V. 

if  Verify' (VK',  m',  ex')  =  0  then 
Output  _L. 

else  if  Verify'||VK'||m'  =  y  then 
Output  _L. 
else 

Output  F(K,  Verify'|  |VK'|  |m'). 

end  if 


Game  2:  This  game  is  similar  to  the  previous  one,  except  that  the  programs  Transform'  and  AggVerify  are 
replaced  by  Transform-1  and  AggVerify-1  respectively.  Each  of  these  programs  uses  a  PRF  key  punctured  at 
y  =  S.  Verify  ||VK||m. 

1.  Att  sends  message  m. 

2.  Compute  (SK,VK)  4—  <S.Gen(lA,  ln).  Choose  K  4—  F.setup(lA). 

Set  y  =  tS. Verify 1 1 VK|  Compute  K{y}  4—  F.puncture(Jv,  y)  and  z  =  F(K,y). 

Set  PP  =  (iO(Transform-l.y  ^(AggVerify-ly  ^^j^))  and  send  PP,  VK  to  Att. 

3.  For  each  signing  query  Xi  ^  m,  compute  cq  £-  6>.Sign(SK,  Xi)  and  send  er.j  to  Att. 

4.  Att  sends  forgery  <ragg  and  n  tuples  {(Verify^,  VK,.  m.j)}.  Att  wins  if  3 i*  £  [n]  such  that  Verifyj.  = 
S. Verify,  VKj.  =  VK  and  =  m  and  UniversalVerify(  PP,  {(Verifyj,  VKj,  m.j)  },  eragg)  =  1. 


Transform-1  V}K{y}  '■ 

Inputs:  Verify'  £  {0, 1}*™,  VK'  £  {0,  l}^k,  m!  £  {0, 1  }*■“«,  a  £  {0,  l}4i®. 
Constants  :  y  £  {0, x  {0,  l}^k  x  {0, 1  }*”■■*,  K{y}  £  Kp. 

if  Verify' (VK',  m',  a')  =  0  then 
Output  _L. 

else  if  Verify' 1 1  VK' | \m!  =  y  then 
Output  _L. 
else 

Output  F. eva  I  ( K{  y } ,  Ve r i fy '  1 1 VK'  1 1  m' ) . 

end  if 
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AggVerify-l^j,}^  : 

Inputs:  {(Verify^,  where  (Verify,-,  VK*,  rrii)  £  {0,  l}^var  x  {0,  l}^vk  x 

{0,  l}fmBg  for  all  i  <n,  aagg  £  {0,  l}e. 

Constants  :  y  £  {0, 1}^“  x  {0,  l}^k  x  {0,  l}imss,  K{y}  £  K,p,  z  £  {0, 1}/ 

for  all  i  <  n  do 

if  Verify,  ||VKi||mi  =  y  then 

Si  =  z 

else 

Compute  Si  =  F.eval(/\{y},  VerityJIVKiUmi). 

end  if 
end  for 

Output  1  if  (B'i-iSi  =  (Jagg,  0  otherwise. 


Game  3:  In  this  game,  the  program  AggVerify-1  is  replaced  by  AggVerify-2.  As  before,  a  punctured  key  is 
used  in  the  program.  However,  instead  of  directly  checking  whether  <jagg  =  ©Si,  AggVerify-2  uses  a  injective 
one  way  function  /. 

1.  Att  sends  message  to. 

2.  Compute  (SK,VK)  ■£-  <S.Gen(lA,  ln).  Choose  K  ■£-  F.setup(lA). 

Set  y  =  <S.Verify||VK||m.  Compute  K{y}  <—  F.puncture(/v,  y)  and  z  =  F(K,y). 

Compute  w  =  f(z),  set  PP  =  (»0(Transform-ly  ^{.y}),  i(D(AggVerify-2y tK{y},w))  and  send  PP,  VK  to 

Att. 

3.  For  each  signing  query  Xi  yf  m,  compute  a,  <—  6>.Sign(SK,  xi)  and  send  cr,  to  Att. 

4.  Att  sends  forgery  <jagg  and  n  tuples  {(Verify^,  VKi;  m*)}.  Att  wins  if  3i*  £  [n]  such  that  Verify^  = 
S. Verify,  VK,.  =  VK  and  to*.  =  m  and  AggVerify-2yiif{y},w({(Verifyi,  VK,,  mi)  },  cragg)  =  1. 


AggVerify-2^^}^  : 

Inputs:  {(Verify^,  VKi,mi)}"=1  where  (Verify^,  VKj, mi)  £  {0,  l}^var  x  {0,  l}^vk  x 
{0,  lj-Ansg  for  all  %  <  n,  cragg  £  {0,  l}e. 

Constants  :  y  £  {0,  l}fver  x  {0,  l}^vk  x  {0,  l}A“s,  K{y}  £  K,p,  w  £  {0,  l}^owf. 

Set  present  =  False,  pos  =  0. 
for  all  i  <  n  do 

if  Verify,  ||VKi||mi  =  y  then 
Set  present  =  True,  pos  =  i. 
else 

Compute  Si  =  F.eva\(K{y},  Verify  ||VKj]|TOi). 

end  if 
end  for 

if  present  =  False  then 

Output  1  if  ®"=1s,  =  cr agg ,  0  otherwise, 
else 

Output  1  if  /(<Jagg  ©i^pos  Si)  =  w,  0  otherwise. 

end  if 


Game  4:  This  game  is  exactly  similar  to  the  previous  one,  except  that  z  is  chosen  at  random. 
1.  Att  sends  message  to. 
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2.  Compute  (SK,  VK)  «—  <S.Gen(lA,  ln).  Choose  K  F.setup(lA). 

Set  y  =  <S.Verify||VK||ro.  Compute  K{y}  «—  F.puncture(A',  y)  and  z  «—  {0, 1 Y- 

Compute  w  =  f(z),  set  PP  =  (iCjTransform-ly ,K{y})i  *C(AggVerify-2 v,K{y},w))  and  send  PP,  VK  to 

Att. 

3.  For  each  signing  query  Xi  Y  to,  compute  ay  <-  <S.Sign(SK,  a;*)  and  send  oy  to  Att. 

4.  Att  sends  forgery  aagg  and  n  tuples  {(Verify^,  VK*,  mi)}.  Att  wins  if  3 i*  G  [n]  such  that  Verify,,  = 
S' Verify,  VK*.  =  VK  and  m».  =  m  and  AggVerify-2yjivr{y}>^({(Verifyi,  VK,,  TOj)};,  cragg)  =  1. 

A. 1.2  Analysis 

Let  Adv^tt  denote  the  advantage  of  adversary  Att  in  Game  j. 

Claim  A.l.  Assuming  iO  is  a  secure  indistinguishability  obfuscator  and  S  is  a  secure  (£Ver, f?vk>  f?msg, 4ig)- 
length  qualified  unique  signature  scheme,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  The  proof  of  this  claim  is  similar  to  the  one  for  Lemma  4.1. 


Claim  A. 2.  Assuming  iO  is  a  secure  indistinguishability  obfuscator,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  In  order  to  prove  this  claim,  we  will  define  an  intermediate  hybrid  Game  1.5  which  is  exactly  same 
as  Game  1  and  Game  2,  except  that  the  challenger  sets  PP  =  (zC^Transform-ly^qy}),  iC(AggVerifyA-)).  We 
will  show  (a)  Game  1  and  Game  1.5  are  computationally  indistinguishable,  (b)  Game  1.5  and  Game  2  are 
computationally  indistinguishable. 

Proof  of  (a).  Suppose  there  exists  a  PPT  adversary  Att  such  that  AdvAtt  —  AdvAt®  =  e.  We  will  construct 
a  PPT  algorithm  B  that  constructs  two  circuits  Co  and  C\  with  identical  functionality,  and  uses  Att  to 
distinguish  between  iO(Ca)  and  iO[C\),  thereby  breaking  the  security  of  iO. 

B  receives  m  from  Att,  chooses  (SK,  VK)  <S.Gen(lA)  and  K  K.setup(lA).  It  sets  y  =  <S.Verify||VK||m 
and  computes  K{y}  <—  F.puncture(A',  y).  It  sets  C0  =  Transform'^  K  and  C\  =  Transform-1  y,K{y}>  an(l  sends 
Co,  Ci  to  the  iO  challenger.  It  receives  C  =  iO(Cb).  B  sets  PP  =  (C,iO( AggVerify^-))  and  sends  PP,  VK  to 
Att. 

Note  that  B  can  respond  to  the  signing  queries  perfectly,  since  it  has  SK.  Finally,  if  Att  wins,  then  B 
outputs  0,  else  it  outputs  1.  Clearly,  if  C  =  iO(Co).  then  it  corresponds  to  Game  1,  else  it  corresponds  to 

Game  1.5. 

To  conclude,  we  need  to  argue  that  Co  and  Ci  have  identical  functionality.  This  follows  from  the  cor¬ 
rectness  property  of  puncturable  PRFs.  Note  that  both  programs  output  _L  if  one  of  the  input  tuples  is 
(S. Verify,  VK,  m,  a).  For  all  other  tuples  (Verify',  VK7,  m7,  a'),  F( K,  Verify' |  |VK'|  |m7)  =  A.eval(Jv  {y},  Verify' ||VK7||m7). 
This  completes  the  first  step  of  our  proof. 

Proof  of  (b).  The  second  step  (showing  that  Game  1.5  and  Game  2  are  computationally  indistinguishable) 
follows  along  similar  lines.  I 

Claim  A. 3.  Assuming  iO  is  a  secure  indistinguishability  obfuscator  and  /  is  an  injective  function,  for  any 
PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  AdvAtt  —  AdvAtt  =  e.  As  in  the  previous  proof,  we 
will  construct  a  PPT  algorithm  B  that  constructs  two  circuits  Co  and  C\  with  identical  functionality,  and 
uses  Att  to  distinguish  between  iC(Co)  and  iO(C i),  thereby  breaking  the  security  of  iO. 

The  only  difference  between  Game  2  and  Game  3  is  that  in  Game  2,  circuit  AggVerify-ly^yi  .  is  used, 
while  in  Game  3,  circuit  AggVerify-2yjA-{y}>UJ  is  used.  B  interacts  with  Att  and  receives  m.  It  chooses 
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(SK,  VK)  «—  <S.Gen(lA)  and  K  «—  A.setup(lA).  Next,  it  computes  a  key  punctured  at  y  =  <S.Verify||VK||ro, 
i.e.  K{y}  < —  A.puncture(/i,  y)  and  sets  z  =  F(K,  y)  and  w  =  f(z).  Given  y,  K{y},  z,  w,  B  can  now  construct 
circuits  Co  =  AggVerify-lyiA'{y}>z  and  C\  =  AggVerify-2 yiK{y},w  &  sends  Co  and  C\  to  the  iO  challenger, 
and  receives  C  =  iO(Cb )•  B  sets  PP  =(*C(Transform-ly^{j/}),  C)  and  sends  PP,  VK  to  Att. 

B  now  responds  to  signing  queries  using  SK.  Finally  Att  sends  forgery  cragg,  along  with  n  tuples  { (Verify ^ , 
VK;,  to.;)}.  If  C({Verify;,VK;,m,},  cragg)=  1,  output  0,  else  output  1.  Clearly,  if  C  =  iO(Co),  then  this 
corresponds  to  Game  2,  else  it  corresponds  to  Game  3.  Therefore,  all  that  remains  is  to  prove  that  Co  and 
Ci  have  identical  functionality. 

Consider  any  input  ({(Verify, ,  VK;,  TO;)},eragg).  If  there  is  no  i*  such  that  Verify,;, || VKj. ||m;»  = 
y,  then  both  circuits  check  if  cragg=®;A(A'{y},  Verify, ;||VK;||to;).  If  there  exists  an  i*  G  [n]  such  that 
Verify;,  ||VK;,||m;»  =  y,  then  Co  accepts  iff 

(®i&*F(K{y},  Verify;||VKj||mj))  ®  F(K,  y)  =  cragg 

(®;^;*A(A'{i/},  Verify, ||VK;||to.;))  ®  cragg  =  F(K,y)  =  z 
«=>  f((®ifr*F(K{y},  Verify;  1 1 VK*  |  |mi))  ®  aagg)  =  /(z)  =  w. 

The  last  equivalence  follows  from  the  fact  that  /  is  an  injective  function.  However,  note  that  the  last 
statement  is  the  condition  for  Ci  accepting.  This  proves  that  both  Co  and  Ci  have  identical  functionality, 
which  proves  our  claim.  IS 

Claim  A. 4.  Assuming  A  is  a  puncturable  PRF,  for  any  PPT  adversary  Att, 

Adv^tt  -  Adv^t  <  negl(A). 

Proof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  —  Adv^tt  =  e.  We  will  construct  a  PPT 
algorithm  B  that  uses  Att  to  break  the  security  of  puncturable  PRF  (A,  Asetup,  Apuncture,  Aeval)  with 
advantage  e. 

First,  B  receives  the  message  m  from  Att.  As  in  Game  3  and  Game  4,  it  computes  (SK,  VK)  <S.Gen(lA). 
Next,  it  sends  y  =  5.Verify||VK||rn  as  the  challenge  to  the  PRF  challenger.  B  receives  a  punctured  key  K{y} 
and  z  €  {0,  l}f,  where  z  =  F(K,y)  or  z  {0, 1  }e.  B  computes  w  =  f(z)  and  sets  the  public  parameters 
PP=(jC(Transform-lyj^{j/}),tC(AggVerify-2yix{y},w))-  R  sends  PP,VK  to  Att. 

The  signing  phase  and  forgery  phase  are  exactly  similar  in  Game  3  and  Game  4.  For  each  signing  query 
Xi,  B  sends  S.Sign(SK, xf)  to  Att.  Finally,  Att  outputs  the  forgery  <ragg  and  n  tuples  {(Verify,;,  VK;,  ?n,;)}. 

Note  that  if  z  =  F(K,y),  then  B  simulates  Game  3  perfectly.  If  z  <—  {0,  l}f,  B  simulates  Game  4  perfectly. 
This  concludes  our  proof.  H 

Claim  A. 5.  Assuming  /  is  a  one  way  function,  for  any  PPT  adversary  Att, 

Adv^tt  <  negl(A). 

Pi'oof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  =  e.  We  will  construct  a  PPT  algorithm 
B  that,  using  Att,  inverts  the  one  way  function  /  with  probability  e. 

B  receives  w  from  the  one  way  function  challenger  and  m  from  Att.  It  chooses  (SK,VK)  <S.Gen(lA), 
K  •<—  A.setup(lA)  and  computes  K{y }  ■<—  A.puncture(A", y)  (where  y  =  <S.Verify||VK||m).  It  sets  the  public 
parameters  PP=(jO(Transform-ly>^{^}),  iC,(AggVerify-2yix{y},-u,))  and  sends  PP,  VK  to  Att. 

For  each  signing  query  Xi,  it  computes  5.Sign(SK,  xf). 

Finally,  B  receives  cragg  €  {0, 1 Y  and  n  tuples  {(Verify,,  VK,,  to,;)}.  If  AggVerify-2y  ^{yjjU,({ Verify,-,  VK;, 
TO;},<Tagg)=l  and  3i*  such  that  Verify,;,  ||VK;,||m;,  =  y,  then  B  can  successfully  find  an  inverse  for  w.  B 
computes  s*  =  F(K,  Verify;  ||VK;||mj)  for  i  ^  i*  and  sends  tragg  ®j^j*  Sj  to  the  one  way  function  challenger. 
Clearly,  if  Att  wins  in  Game  4,  then  B  inverts  the  one  way  function.  j|[ 

To  conclude,  it  follows  from  the  above  claims  that  any  PPT  adversary  has  at  most  negligible  advantage 
in  Game  0  (assuming  iO,  A  and  /  are  secure),  and  therefore  the  n-bounded  aggregator  described  in  A  is 
selectively  secure  with  respect  to  secure  unique  signature  schemes. 
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B  Making  our  VBB  proof  Adaptively  Secure 

We  now  show  how  a  minor  adaptiation  of  our  selectively  secure  universal  aggregator  from  VBB  of  Section  5 
can  be  proven  adaptively  secure.  The  primary  change  is  to  first  hash  every  message  with  an  “admissible  hash 
function”  introduced  by  Boneh  and  Boyen  [BB04],  From  there  the  additonal  RSA-type  techniques  needed 
fall  in  line  with  those  used  by  Hohenberger,  Sahai  and  Waters  [HSW14]. 

We  now  describe  our  construction  and  proof.  Let  O  be  a  virtual  black-box  obfuscator,  F  a  secure  PRF 
with  key  space  K.  domain  {0,  l}£aig  and  range  {0,  l}*rnd,  PRG  a  secure  pseudorandom  generator  and  h  a 
0-admissible  hash  function  mapping  fmsg  bits  to  di  bits.  Let  d2  =  di  +  Ger  +  fvk-  Our  universal  signature 
aggregator  (fver,fvk,fmsg>  Ag)-UniversalSigAgg  consists  of  three  algorithms  UniversalSetup,  UniversalAgg  and 
UniversalVerify  described  below. 

UniversalSetup(lA):  The  setup  algorithm  first  chooses  an  RSA  modulus  N,  v  £  Z*N  and  e  £  Z^(Ny 
Next,  it  chooses  2 d2  constants  -S—  Z^jv)-  Let  c  =  {c?:,ft}ie[rf2],be{0,i} -  It  sets  PP  =((7(Transform]v,i;,c), 
O (Transform- 1 mage^  v  c  e),  N,  e),  where  Transform26  and  Transform-Image2'  are  as  follows. 

Transform n,v,c  ■ 

Inputs:  b  £  {0,1}, a'  £  {0, 1}*,  Verify'  €  {0,1}*™,  VK'  €  {0,1}*^,  m!  £  {0,1}*™*, 
a'  £  {0,  l}*sig. 

Constants  :  RSA  modulus  N  £  N,  v  £  Z*Nl  c  =  {c^}  £  Z%R. 

if  b  =  0  then 

Output  _L. 

else  if  Verify' (VK',  m' ,  a1)  =  0  then 
Output  T. 
else 

Compute  h(m')  =  x  and  let  2  =  x||Verify'||VK'. 

Output  uHi  Ci’zi  (mod  N). 

end  if 


Transform- 1  mage c  e  : 

Inputs:  Verify'  <E  {0, 1}*™,  VK'  €  {0, l}*-k,  m'  £  {0,  l}*“ag. 
Constants  :  RSA  modulus  N  £N,  v  £  Z*N,  c  —  {cyt,}  £  Z%^,  e  € 

Compute  h(m')  =  x  and  let  z  =  x\ | Verify' |  |VK'. 

Output  (v^Ci-H)e  (mod  N). 


UniversalAgg(PP,{(Verify,;,VKj,TOi,c7i)}™=1):  Let  PP  =  (Pi,  P2,  N,  e).  UniversalAgg  first  checks  if  the  n 
tuples  are  distinct.  If  not,  it  outputs  _L.  Else,  it  computes  =  P1(Verifyi,  VKi;  rrij,  crj)  for  each  i  <  n.  If 
tj  =_L  for  some  i,  then  UniversalAgg  outputs  _L,  else  it  outputs  (Tagg  =  UiU  (mod  N). 

UniversalVerify(PP,  {(Verify^,  VKj,  mi)}"=1,  cragg):  Let  PP  =  (Pl,P2,  N,  e).  UniversalVerify  first  checks  if  all 
n  tuples  are  distinct.  If  not,  it  outputs  0.  Else,  it  computes,  for  all  i  <  n,  s*  =  Transform-lmage(Verifyi,  VKi?  to,). 
II  (IT,  s*)  =  ^agg  (mod  N),  it  outputs  1,  else  it  outputs  0. 

26Padded  appropriately  to  be  of  the  same  size  as  Transform-1,  Transform-2,  Transform-3  and  Transform-4. 

27Padded  appropriately  to  be  of  the  same  size  as  Transform-Image-1  and  Transform-Image-2. 
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B.l  Proof  of  Security 

We  will  now  prove  that  the  scheme  described  in  Section  B  is  an  adaptively  secure  universal  signature 
aggregator  with  respect  to  all  secure  length-qualified  signature  schemes. 

Theorem  B.l.  Assuming  O  is  a  secure  virtual  black-box  obfuscator,  F  is  a  secure  puncturable  PRF,  F  is  a 
secure  PRF,  PRG  is  a  secure  pseudorandom  generator  and  RSA  is  secure,  for  all  (£veT,  £vk,  £msg,  4ig)-length 
qualified  secure  signature  schemes  S,  the  universal  signature  aggregator  (£ver,  £vk,  £msg,  4ig)-UniversalSigAgg 
is  adaptively  secure  with  respect  to  S. 

To  prove  the  above  theorem,  we  will  first  describe  a  sequence  of  hybrid  experiments. 

B.1.1  Sequence  of  Games 

Game  0  This  corresponds  to  the  adaptive  security  game  ExpAtt5(A)  in  which  the  challenger  interacts  with 
adversary  Att. 

1.  Compute  (SK,VK)  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  £  Z^ N y  v  £  h*N  and  £ 
Z )  for  all  i  <  d2,b  £  {0,1}.  Choose  (SK,VK)  «—  <S.Gen(lA)  and  set  PP  =  (©(Transformer^,,), 
©(Transform-Imagery  ,,  c  e),  N,  e).  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  xi:  choose  '/y  «—  {0,  l}frnd  and  compute  eq  £-  <S.Sign(SK,  Xi).  Send  a,  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify,;,  VK;,  mi}"=1.  Att  wins  if 

(a)  3 i*  £  [n]  such  that  Verify,;,  =  S. Verify,  VK;»  =  YK  and  m,»  was  not  queried  during  the  signature 
phase 

(b)  UniversalVerify(PP,  {Verify,;,  VK;,  ?B;},  cragg)  =  1 

Game  1  In  this  game,  the  challenger  computes  the  signatures  using  the  PRF  F. 

1.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  £  Z^^,  v  £  Z*N  and  £  Z^jy)  for 
all  i  <  d2,b  £  {0, 1}. 

Choose  K  •£-  F.setup(lA). 

Set  PP  =  (©(Transformer^^),  ©(Transform-Imagery^,,^),  N,  e).  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  a choose  p;  £-  {0,  l}^3ig,  compute  r,  <—  F{K,  pi)  and  cr;  =  6>.Sign(SK,  xf,  ri). 
Send  a,  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify;,  VK;,m.;}"=1.  Att  wins  if 

(a)  3i*  £  [n]  such  that  Verify,;,  =  S. Verify,  VK;,  =  VK  and  mi*  was  not  queried  during  the  signature 
phase 

(b)  UniversalVerify(PP,  {Verify,,,  VK;,  ?n;},  <ragg)  =  1 

Game  2  In  this  game,  the  challenger  uses  program  Transform-1  to  compute  the  public  parameters  PP.  This 
program  is  similar  to  the  program  Transform.  However,  it  has  the  additional  functionality  that  it  allows  user 
to  receive  signatures  using  secret  key  SK,  provided  the  user  has  a  ‘trapdoor’  for  Transform-1.  In  this  game, 
since  a  <—  {0, 1}  ,  it  is  unlikely  that  there  exists  a  ‘trapdoor’. 

1.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  £  Z£^,  v  £  Z*N  and  c,j,  £  Z^rv)  for 
all  i  <  d2,b  £  {0, 1}. 

Choose  K  <—  F.setup(lA)  and  a  <—  {0,  l}2^. 

Let  Transform-128  be  the  circuit  defined  below. 

Set  PP  =  (©(Transform-ljy  ^),  ©(Transform-lmagee; <v  c  e),  N,  e ).  Send  (PP,  VK)  to  Att. 

28Padded  appropriately  to  be  of  the  same  size  as  Transform,  Transform-2,  Transform-3  and  Transform-4. 
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2.  For  each  signature  query  choose  p;  <—  {0,  l}*3ig,  compute  r,  <—  F(K ,  pi)  and  ct;  =  <S.Sign(SK,  a:.;;  ri). 
Send  cr,;  to  Att. 

3.  Att  sends  a  forgery  a-agg  along  with  n  tuples  {Verify;,  VKj, rrij}"=1.  Att  wins  if 

(a)  3i*  £  [n]  such  that  Verify,;,  =  S. Verify,  VK,:«  =  VK  and  m^*  was  not  queried  during  the  signature 
phase 

(b)  UniversalVerify(PP,  {Verify^  VKj,  mi},  (jagg)  =  1 


Transform-1^  c  q  SK  r  : 

Inputs:  b  G  {0,1},  a'  G  {0, 1}*,  Verify'  G  {0,1}*™, 
cr'  G  {0,  l}*sig . 

VK'  G  {0,  l}Ak;  rri  G  {0,  l}*™g, 

Constants  :  RSA  modulus  N  G  N,  v  G 
a  G  {0,  l}2*,  SK  G  S/C,  K  G  t. 

^JV>  C  =  {Ci,b}  G 

if  b  =  0  then 

if  PRG(a')  ^  a  then 

Output  _L. 
else 

Output  (VK,  <S.Sign(SK,  rri ;  F(K,  a'))). 

end  if 

else  if  Verify' (VK',  m',  a')  =  0  then 

Output  _L. 
else 

Compute  h(m')  =  x  and  let  2  =  a;  Verify'  VK'. 

Output  v^Ci’zi  (mod  N ) 

end  if 

Game  3  This  game  is  exactly  similar  to  the  previous  experiment,  except  that  the  challenger  chooses  a  such 
that  there  exists  a  trapdoor  for  program  Transform-1.  For  this,  the  challenger  chooses  a  -s—  {0,  1}'  and  sets 
cr  =  PRG(a). 

1.  Compute  (SK,  VK)  <—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  £  Z v  £  %*N  and  Cqb  £  Z^jy)  for 
all  i  <  d2,b  £  {0, 1}. 

Choose  K  «—  F.setup(lA),  a  «—  {0, 1}'  and  set  a  =  PRG(a). 

Set  PP  =  (©(Transform-l^  v  c  a  gK  ^),  (^(Transform-lmagejv  „  c  e),  N,  e).  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  Xi,  choose  pi  <—  {0,  l}*sig,  compute  rt  «—  F(K,  pi)  and  <7;  =  <S.Sign(SK,  xp  ri). 
Send  cr,;  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify,,,  VK;,mi}”=1.  Att  wins  if 

(a)  3i*  £  [n]  such  that  Verify.;,  =  S. Verify,  VK;,  =  VK  and  mi*  was  not  queried  during  the  signature 
phase 

(b)  UniversalVerify(PP,  {Verify,;,  VKj,  m;},  cragg)  =  1 

Game  4  In  this  experiment,  the  challenger  defines  a  random  challenge  subspace  of  the  message  space.  The 
adversary  wins  if  all  signature  queries  lie  outside  the  challenge  space  and  the  message  m;*  corresponding  to 
S. Verify,  VK  lies  in  the  challenge  space. 

1.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  £  ,  v  G  %*N  and  Cqb  £  Z ^N)  for 

all  *  <  d2,b  G  {0, 1}. 

Choose  K  g-  F.setup(lA),  a  t—  {0,  l}f  and  set  a  =  PRG(a).  Choose  u  t—  AdmSample(lA,  q±  +  ri). 

Set  PP  =  (0(Transform-l^  W)C  a)SK  ^-),  C^Transform-lmagejv  v  c  e),  N ,  e).  Send  (PP,VK)  to  Att. 
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2.  For  each  signature  query  27, 

(a)  If  Pu(xi)  =  0,  flip  a  coin  7,;  £  {0, 1}  and  abort.  Att  wins  if  7 ;  =  1. 

(b)  Else,  choose  p;  <-  {0, 1}^®,  compute  77  <—  F(I\,pi)  and  07  =  <S.Sign(SK, 27; 77).  Send  07  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify;,  VK;, m;}"=1.  Att  wins  if 

(a)  3 i*  £  [n]  such  that  Verify.;,  =  S. Verify,  VK,:»  =  VK  and  mi*  was  not  queried  during  the  signature 
phase.  Let  i*  be  the  smallest  such  index.  Then, 

(b)  (Vi  7^  i*  such  that  Verify;  =  S. Verify,  VK;  =  VK,  Pu(m;)  =  1)  and  Pu(m ;*)  =  0 

(c)  UniversalVerify(PP,  {Verify;,  VKj,  mi},cragg)  =  1 

Game  5  In  this  experiment,  the  challenger  uses  program  Transform-2  instead  of  Transform-1.  The  only  differ¬ 
ence  between  Transform-1  and  Transform-2  is  that  Transform-2  rejects  inputs  of  the  form  (1,  a,  S.  Verify,  VK,  m',  a') 
such  that  6>.Verify(VK,  to',  tr')  =  1  and  m!  lies  in  the  challenge  space. 

1.  Compute  (SK,  VK)  «—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  £  v  £  Z*N  and  C;^  £  for 

all  i  <  d2,b  £  {0, 1}. 

Choose  K  £-  P.setup(lA),  a  ■£-  {0,  l}f  and  set  a  =  PRG(a).  Choose  u  <—  AdmSample(lA,  q±  +  n). 

Let  Transform-229  be  the  circuit  defined  below. 

Set  PP  =  (C,(Transform-2UjAr  v>CjCtjSKjif),  ©(Transform-Image^ „  c  e),  N,  e ).  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  27, 

(a)  If  Pu(xi)  =  0,  flip  a  coin  7;  £  {0, 1}  and  abort.  Att  wins  if  7 j  =  1. 

(b)  Else,  choose  p;  £-  {0, l}^1*,  compute  77  «—  F(iG,  p;)  and  07  =  6>.Sign(SK,  27;  77).  Send  07  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify.;,  VK;, ?n;}”=1.  Att  wins  if 

(a)  3 i*  £  [n]  such  that  Verify,;*  =  S. Verify,  VK;*  =  VK  and  m;*  was  not  queried  during  the  signature 
phase.  Let  i*  be  the  smallest  such  index.  Then, 

(b)  (Vz  7^  i*  such  that  Verify;  =  S. Verify,  VK;  =  VK,Pu(m;)  =  1)  and  PM(m;*)  =  0 

(c)  UniversalVerify(PP,  {Verify;, VK;,m;},  <jagg)  =  1 

29Padded  appropriately  to  be  of  the  same  size  as  Transform,  Transform-1,  Transform-3  and  Transform-4. 


55 

Approved  for  Public  Release;  Distribution  Unlimited. 

290 


Transform^  ^  c  a  SK  £  : 

Inputs:  b  G  {0,1},  a'  G  {0, 1}*,  Verify'  G  {0,1}*™,  VK'  G  {0,1}*^,  m!  G  {0,1}*™®, 
o’  G  {0,1}*“®. 

Constants  :  u  G  {0,1,  _L}d2 ,  RSA  modulus  N  G  N,  v  G  Z*N,  c  =  { c, ,&}  G  Z^)fo, 
a  G  {0,  l}2*,  SK  G  SIC,  I<  G  1C. 

if  b  =  0  then 

if  PRG(a')  ^  a  then 
Output  _L. 
else 

Output  (VK,  <S.Sign(SK,  to';  F(I\ ,  a'))). 

end  if 

else  if  Verify' (VK',  m! ,  a')  =  0  then 
Output  _L. 
else 

Compute  h(m')  =  x  and  let  2  =  Verify'  ||VK'|| x. 
if  Verify'  =  S. Verify,  VK'  =  VK  and  Pu(m')  =  0  then 
Output  _L. 

end  if 

Output  (mod  N). 

end  if 


Game  6  This  game  is  similar  to  the  previous  one,  except  for  the  manner  in  which  the  constants  cpb  are 
chosen. 

1.  Compute  (SK,  VK)  g-  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  G-  Z^^,  v  G  Z*N. 

Choose  c'i  h  G  for  all  i  <  d2,b  G  {0, 1}.  Set  C\ $  =  c'l  b  •  e_1  and  ahb  =  c'  b  for  all  i  >  1. 

Choose  K  G-  F.setup(lA),  a  G-  {0, 1}'  and  set  a  =  PRG(a).  Choose  u  G-  AdmSample(lA,  q±  +  n). 

Set  PP  =  (©(Transform^  ^  c  a  SK  ^),  ©(Transform-Image^  ,.  e),  N,  e).  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  a q, 

(a)  If  Pu{xi)  =  0,  flip  a  coin  7 \  G  {0, 1}  and  abort.  Att  wins  if  7 *  =  1. 

(b)  Else,  choose  pi  G-  {0, 1}*“®,  compute  r,  <—  F(K,pi)  and  cq  =  <S.Sign(SK,  xp,  ri).  Send  a  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify^,  VKj,mj}}C1.  Att  wins  if 

(a)  3 i*  G  [n]  such  that  Verify =  S. Verify,  VK,-  =  VK  and  was  not  queried  during  the  signature 
phase.  Let  i*  be  the  smallest  such  index.  Then, 

(b)  (Vi  7^  i*  such  that  Verify^  =  S. Verify,  VK,  =  VK ,Pu(rrii)  =  1)  and  Pu{m.i *)  =  0 

(c)  UniversalVerify(PP,{Verifyi,VKi,?ni},(jagg)  =  1 

Game  7  In  this  game,  the  challenger  uses  programs  Transform-3  and  Transform-Image-1. 

1.  Compute  (SK,  VK)  g-  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  <—  Z v  G  h*N. 

Choose  Cj G  Z mN\  for  all  i  <  d2,b  G  {0, 1}. 

Choose  I\  g-  F.setup(lA),  a  g-  {0, 1}*  and  set  a  =  PRG(a).  Choose  u  G-  AdmSample(lA,  q±  +  n). 

Let  Transform-330  and  Transform- 1  mage-131  be  the  circuits  defined  below. 

30Padded  appropriately  to  be  of  the  same  size  as  Transform,  Transform-1,  Transform-2  and  Transform-4. 

1 1  Padded  appropriately  to  be  of  the  same  size  as  Transform-Image  and  Transform-Image-2. 


56 

Approved  for  Public  Release;  Distribution  Unlimited. 

291 


Set  PP  =  (0(Transform-3u  N  v  coiskk  e-1);  ^(Transform-lmage-ljv.D.c)?  At,  e)  where  the  circuits  Transform-3 
and  Transform-Image-1  are  defined  below.  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  27, 

(a)  If  Pu(xi)  =  0,  flip  a  coin  7 ,  £  {0, 1}  and  abort.  Att  wins  if  7 *  =  1. 

(b)  Else,  choose  pi  4—  {0,  l}*Big,  compute  r\  «—  F(K,p.i)  and  ay  =  <S.Sign(SK, a;,;  r»).  Send  a,;  to  Att. 

3.  Att  sends  a  forgery  aagg  along  with  n  tuples  {Verify^  VKj,  my  }"=1.  Att  wins  if 

(a)  3 i*  £  [n]  such  that  Verify,^  =  S. Verify,  VK,;*  =  VK  and  mi*  was  not  queried  during  the  signature 
phase.  Let  i*  be  the  smallest  such  index.  Then, 

(b)  (Vi  yf  i*  such  that  Verify.^  =  S. Verify,  VKi  =  VK,P„(my)  =  1)  and  Pu(mj.)  =  0 

(c)  UniversalVerify(PP,  {Verify,^  VKi,  m-i},  <jagg)  =  1 

Transform-3^  ^a  a  SK  : 

Inputs:  b  £  {0, 1}, a  £  {0, 1}£,  Verify'  e  {0,1}*™,  VK'  €  {0,  l}*-k,  m'  £  {0,l}*”Bg, 
a'  £  {0,  l}*Big . 

Constants  :  u  £  {0,l,_L}d2,  RSA  modulus  N  £  N,  v  £  Z*N,  c  =  {ay;,}  £  Z2^2 , 
a  £  {0,  l}2*,  SK  £  SIC,  K  £  t.  e~l  £  ZJ(JV). 


if  b  =  0  then 

if  PRG(a)  yf  a  then 
Output  _L. 
else 

Output  (VK,  <S.Sign(SK,  m' ;  F{K,  a'))). 

end  if 

else  if  Verify' (VK7,  m' ,  a')  =  0  then 
Output  _L. 
else 

Compute  h{m')  =  x  and  let  z  =  a:|  |Verify7 1  |VK7. 
if  Verify'  =  S. Verify  and  VK'  =  VK  and  Pu{m')  =  0  then 
Output  _L. 

end  if 

Output  udliCi.aO-e  1  (mod  AT). 

end  if 


Transform-lmage-lAr]t,,c  : 

Inputs:  Verify'  €  {0, 1}*™,  VK'  £  {0,  l}^k,  m'  £  {0,  l}*”Bg. 
Constants  :  RSA  modulus  N  £N,  v  £  Z*N ,  c  =  {c^f,}  €  Z2^2 . 

Compute  h{m')  =  x  and  let  z  =  x\ | Verify' |  |VK'. 

Output  Ci^i  (mod  N). 


Game  8  In  this  game,  the  challenger  modifies  the  manner  in  which  constants  c,;  f,  are  chosen.  Instead  of 
choosing  them  uniformly  at  random  from  Z mn)>  the  challenger  now  chooses  a,. 5  4—  Z^n y)  and  sets  c^f, 
appropriately,  depending  on  u  and  y  =  S. Verify 1 1 VK. 

1.  Compute  (SK,  VK)  4—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  4—  Z*^Ny  v  £  Z*N. 

Choose  I\  4—  P.setup(lA),  a  4—  {0,  l}f  and  set  a  =  PRG(a).  Choose  u  4—  AdmSample(lA,  q±  +  n). 
Choose  aitb  £  Zn  for  all  i  <  d,2,b  £  {0, 1}.  Let  y  =  <S. Verify | |VK. 
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For  i  <  di,  set  ciyb  =  e  •  a^;,  mod  (j>(N)  if  Uj  =  b ,  else  ciyb  =  e  •  aiyb  +  1  mod  <j>(N). 

For  i  >  d±,  set  Cjtb  =  e  ■  a*,*,  mod  4>(N)  if  yi-^  i=-  b,  else  Cjt&  =  e  •  +  1  mod  <j>(N). 

Set  PP  =  (0(Transform-3u  N  v  c  a  SK  ^  e_i),  C?(Transform-lmage-ljv,v,c))  AT,  e).  Send  (PP,  VK)  to  Att. 

2.  For  each  signature  query  27, 

(a)  If  Pu{xi)  =  0,  flip  a  coin  7*  £  {0, 1}  and  abort.  Att  wins  if  7 *  =  1. 

(b)  Else,  choose  pi  £-  {0, 1}^“®,  compute  r,  <—  F(K,pi)  and  cr,  =  <S.Sign(SK,  Xj;  r,).  Send  ct,  to  Att. 

3.  Att  sends  a  forgery  cragg  along  with  n  tuples  {Verify^  VKj, mj}"=1.  Att  wins  if 

(a)  3**  £  [n]  such  that  Verify^.  =  S. Verify,  VKj.  =  VK  and  to**  was  not  queried  during  the  signature 
phase.  Let  i*  be  the  smallest  such  index.  Then, 

(b)  (Vi  7^  i*  such  that  Verify^  =  S. Verify,  VK,  =  VK, Pu(rrii)  =  1)  and  Pu(rrii*)  =  0 

(c)  UniversalVerify(PP,{Verifyi,VKj,mj},cragg)  =  1 

Game  9  This  game  is  similar  to  the  previous  one,  except  that  the  constants  c^j,  are  computed  within  the 
program  Transform-4  (which  is  used  instead  of  Transform-3).  Similarly,  program  Transform-Image-2  is  used 
instead  of  Transform-Image-1. 

1.  Compute  (SK,  VK)  4—  <S.Gen(lA).  Choose  an  RSA  modulus  N,  e  <—  v  £  Z*N. 

Choose  K  £-  F.setup(lA),  a  4—  {0,  l}f  and  set  a  =  PRG(a).  Choose  u  4—  AdmSample(lA,  q±  +  n). 
Choose  CLi^b  £  Zjv  for  all  *  <  d2,b  €  {0, 1}.  Let  a  =  {0,7,}  and  y  =  tS. Verify |  |VK. 

Let  Transform-432  and  Transform- 1  mage-233  be  the  circuits  defined  below. 

Set  PP  =  [0(Jrsns^orm-4:uNvaaSKke,y)^  C’(Transform-lmage-2JVj„,a,e,!/),  N,  e)  where  Transform-4 
and  Transform-Image-2  are  defined  below.  Send  (PP,VK)  to  Att. 

2.  For  each  signature  query  27, 

(a)  If  Pu(xi )  =  0,  flip  a  coin  7*  £  {0, 1}  and  abort.  Att  wins  if  7 j  =  1. 

(b)  Else,  choose  pi  4-  {0,  l}^sig,  compute  r,  4—  F(K,pi)  and  cq  =  <S.Sign(SK,  x4;  r,).  Send  cq  to  Att. 

3.  Att  sends  a  forgery  <Tagg  along  with  n  tuples  {Verify^  VKj, mj}"=1.  Att  wins  if 

(a)  3**  £  [n]  such  that  Verifyj.  =  S. Verify,  VKj.  =  VK  and  Wj.  was  not  queried  during  the  signature 
phase.  Let  i*  be  the  smallest  such  index.  Then, 

(b)  (Vi  7^  i*  such  that  Verify^  =  S. Verify,  VKj  =  VK,  Pu(mj)  =  1)  and  P„(mj.)  =  0 

(c)  UniversalVerify(PP,  {Verifyj,  VKj,  TOj},cragg)  =  1 

32Padded  appropriately  to  be  of  the  same  size  as  Transform,  Transform-1,  Transform-2  and  Transform-3. 

33Padded  appropriately  to  be  of  the  same  size  as  Transform-Image  and  Transform-Image-1. 
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Transform-^  ^a  ^SK  ^e  : 

Inputs:  b  G  {0,1}, a  G  {0, 1}*,  Verify'  G  {0,1}*™,  VK'  G  {0,l}^k,  rri  G  {0,1}*™®, 
o’  G  {0,1}*“®. 

Constants  :  u  G  {0, 1, _L}da ,  RSA  modulus  IV  G  N,  v  G  T?N,  a  =  {a^b}  G  Z^2, 
a  G  {0,  l}2*,  SK  G  SK,  K  G  K,  e  G  Z;(Af),  y  G  {0, 1}*™  x  {0, 1}*^ 

Let  y'  =  Verify'IIVK'. 
if  b  =  0  then 

if  PRG(a)  yf  a  then 
Output  _L 
else 

Output  (VK,  (S.Sign(SK,  m';  F(K,  a'))). 

end  if 

else  if  Verify' (VK',  m',  a')  =  0  then 
Output  _L. 
else 

Compute  h(m')  =  x  and  let  z  =  a;|  | Verify' 1 1 VK'. 
if  Verify'  =  S. Verify  and  VK'  =  VK  and  Pu{m!)  =  0  then 
Output  _L. 

end  if 

if  y  =  y'  then 

Let  i!  be  the  first  index  such  that  zv  =  .  Set  =  (V)X., . 

Vz  <  c?i,  i  yf  set  c^b  =  e  •  b  if  Ui  =  b,  else  c^b  =  e  •  b  +  1. 

Vz  >  d±,  set  ci:b  =  e  ■  aitb  if  yj-dl  yf  b ,  else  c^b  =  e  •  aiyb  +  1. 

else 

Let  z'  be  the  first  index  such  that  yv  y^  z/', .  Set  q1+  ^  j,/  = 

Vz  <  dr,  set  Ciyb  =  e  •  a^b  if  zzj  =  6,  else  c^b  =  e  •  a^b  +  1. 

Vz  dr,  z  dr  yf  z  ,  set  Cj?b  —  e  *  rz^b  if  yi—d\  y^  b,  else  Cj?b  —  e  *  zAb  V  1* 

end  if 

Output  i>n  Ci^i  (mod  V). 

end  if 


Transform-lmage-2jv,t),a,e  : 

Inputs:  Verify'  G  {0, 1}*™,  VK'  G  {0, 1}^,  m’  G  {0, 1}*™®. 

Constants  :  RSA  modulus  N  G  N,  v  G  Z*N,  a={ai)4G2^!,eGZp|, 
y  G  {0,1}*™  x  {0,  l}*vk. 

Compute  h{m’)  =  x  and  set  z  =  ar||Verify'||VK'. 

Vz  <  dr,  set  c^b  =  e  •  a^b  if  Wj  =  b,  else  c^b  =  e  •  a^b  +  1- 
Vz  >  dr,  set  ci}b  =  e  ■  ai}b  if  yi-dl  y^  b ,  else  ci;b  =  e  •  ai}b  +  1. 

Output  uffCi’xi  (mod  N). 


B.1.2  Adversary’s  Advantage  in  the  Games 

Let  Adv({tt  denote  the  advantage  of  adversary  Att  in  Game  j. 
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Claim  B.l.  Assuming  A1  is  a  secure  PRF,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Similar  to  proof  of  Claim  5.1.  | 

Claim  B.2.  Assuming  O  is  a  secure  indistinguishability  obfuscator,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 


Proof.  Similar  to  the  proof  of  Claim  5.2.  8 

Claim  B.3.  Assuming  PRC  is  a  secure  pseudorandom  generator,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 


Proof.  Similar  to  proof  of  Claim  5.3.  8 

Claim  B.4.  For  any  adversary  Att, 


AdvAtt  >  AdvAtt/^(^i  +  n)- 

Proof.  This  follows  from  the  ^-admissibility  of  h.  Let  I  =  {*'  :  Verify^  =  S. Verify,  VKj/  =  VK}.  Let 
Hi  =  h{xi )  for  all  i  <  qXl  and  yqi+j  =  h(m,j)  for  all  j  £  X.  Note  that  rrii*  ^  a for  all  i  <  qi,  and  rrii *  ^  m,j 
for  all  j  £  I,j  ^  i* .  Therefore, 

Pr[V*  <  qi,Pu(xi)  =  1  and  Mj  £  T,  j  ^  i*Pu(m,j)  =  1  and  Pu(?n,;.)  =  0]  >  l/d(q1  +  n) 
where  the  probability  is  only  over  the  choice  of  u  £-  AdmSample(lA,  qx  +  n).  8 

Claim  B.5.  Assuming  O  is  a  secure  virtual  black  box  obfuscator,  F  is  a  secure  pseudorandom  function, 
PRC  is  a  secure  pseudorandom  generator  and  S  is  a  (tve r,  £vkj  4nsgj  ^sig)-length  qualihed  secure  signature 
scheme, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  The  proof  of  this  claim  is  along  the  lines  of  the  proof  of  Claim  5.1.  Given  only  oracle  access  to  either 
Transform-1^^  C«SK  k  or  Transform-2,^  N  v  caSK  x,  the  only  way  in  which  an  adversary  S  can  distinguish 
between  the  two  is  by  sending  a  query  of  the  form  (1,  a',  Verify',  VK',  to',  a')  such  that  Verify'  =  S.  Verify, 
VK'  =  VK,  Verify' (VK',  to',  a1)  =  1  and  Pu(m')  =  0.  Note  that  to'  was  not  queried  during  the  signature 
phase,  since  Pu(m')  =  0.  This  implies  ( m',a ')  is  a  valid  forgery,  thereby  breaking  the  signature  scheme  S. 


Claim  B.6.  For  any  adversary  Att, 

AdvAtt  =  AdvAtf 


Proof.  The  only  difference  between  Game  5  and  Game  6  is  the  choice  of  c\ In  Game  5,  Cyf,  •£-  Z^aq,  while  in 
Game  6,  dx  b  ■£-  Z^at)  and  c\ $  =  c'lb  •  e^1  mod  </>(N).  However,  the  distributions  Vx  =  {(c,  e)|c  ■£-  Zmn)} 
and  V 2  =  {(c-  e_1  mod  <j>{N),e)\c  ■£-  Z^/jv)}  are  identical,  which  implies  that  Game  5  and  Game  6  are 
identical.  j£ 


Claim  B.7.  Assuming  O  is  a  secure  indistinguishability  obfuscator,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 
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Proof.  Let  (SK,  VK)  <S.Gen(lA),  I\  «—  F.setup(lA),  a  «—  {0, 1  }e,  a  =  PRG(a)  and  u  £-  AdmSample(lA,  qi+ 
n).  Choose  an  RSA  modulus  N,  let  e  «—  ZV^,,  v  £-  Z*N  and  c'  b  <—  Z^Ny  Let  c  =  {c*^}  where 
Ci}b  =  dx  b  ■  e-1  and  —  c'ib  for  all  «  >  1.  Let  c  =  {c^b}  where  Cj^  =  c'  b  for  all  i. 

To  prove  this  claim,  it  suffices  to  show  that  Transform-2u  Nvca  sk  k  and  Transform-3u  N  v  -  a  SK  k  e-1  are 
functionally  identical.  Let  us  consider  the  behavior  of  the  two  programs  on  input  (6,  a1,  Verify',  VK7,  mf,  a'). 
Let  x'  =  h(mf).  The  only  case  where  Transform-2  and  Transform-3  can  possibly  differ  is  when  6=1, 
Verify'(VK',  to',  a')  =  1,  Verify'  =  S. Verify,  VK'  =  VK  and  Pu(m')  =  1.  Transform-2  outputs  v^Ci,z'i 

(mod  N)  while  Transform-3  outputs  (mod  N).  However,  note  that  Y[ici,z‘.  =  (TI ;C,Z')  •  e~1 

since  C\b  =  c[  b  ■  e_1  =  C\tb-  This  concludes  our  proof.  8 

Claim  B.8.  For  any  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Let  us  consider  the  two  distributions  V 1  =  {a|a  <—  Z^(7V)}  and  V2  =  {a  mod  (j>(N)\a  £-  Z^r}-  The 
statistical  distance  between  V\  and  X>2  is  (p  +  q  —  l)/iV,  where  N  =  pq.  Since  p,q  £  0(2A),  the  statistical 
distance  between  T>\  and  T> 2  is  negligible  in  A. 

Next,  note  that  the  distributions  T>[  =  {(a,e)\a  £-  Z^^)},  V2  =  {(a  •  e  mod  (f(N),e)\a  <—  and 

V'3  =  {(a  •  e  +  1  mod  <j>(N),e)\a  <—  Z^nyn}  are  identical.  As  a  result,  Game  6  and  Game  7  are  statistically 
indistinguishable.  U 

Claim  B.9.  Assuming  O  is  a  secure  indistinguislrability  obfuscator,  for  any  PPT  adversary  Att, 

AdvAtt  -  AdvAtt  <  negl(A). 

Proof.  Let  N  be  an  RSA  modulus,  e  -f-  Z^^,  a,;^  e-  Zjv  and  u  £-  AdmSample  (1A:  <7i  +  n)>  a  {0, 1}^, 

a  =  PRG(a),  (SK,  VK)  «—  5.Gen(lA)  and  K  -s—  F.setup(lA).  Let  c^f,  =  e  •  a^b  (mod  <j))(N )  if  =  6, 
else  Cij,  =  e  ■  di ^  +  1  (mod  <f>)(N).  In  order  to  prove  this  claim,  it  suffices  to  prove  that  the  programs 
Transform-3,u  N  v  c  a  SK  y-  e_i  and  Transform-4  uNvaasKke  are  functionally  identical,  and  similarly,  the 
programs  Transform-lmage-ljv,u,c  and  Transform-lmage-lv^a,®  are  functionally  identical.  We  will  use  the 
following  observation. 

Observation  B.l.  Let  v  £  Z*N ,  Wi  £  Z  for  i  <  n.  Let  w'  =  vj  mod  <j>(N)  Then  v^iWi  =  v^iwi. 

This  follows  from  the  fact  that  =  1. 


Let  us  first  consider  the  circuits  Transform-3,^  Nv  c  a  SK  x  e-i  and  Transform-4u  N  v  c  a  sk  k  e-  On  iuput 
(6,  a',  Verify',  VK7,  mf,  a'),  the  only  case  Transform-3  and  Transform-4  can  possibly  differ  is  when  6  =  1, 
Verify' (VK',  ml,  a')  =  1,  and  either  Verify'||VK'  yf  5.Verify||VK  or  Pu(m')  =  1.  Let  y  =  5.  Verify  ||VK, 
y'  =  Verify' 1 1 VK'  and  z '  =  h(m')\ | Verify' |  |VK'.  Either  there  exists  an  index  if  such  that  Ui>  =  h(m')i r,  in 
which  case  set  f  to  be  the  first  such  index,  or  there  exists  an  index  if  such  that  yt>  yf  y't, ,  in  which  case  set 
f  =  d\  +  if .  Note  that  =  e  •  CLj',z'.,  ■ 


Transform-3U)JVi„iCiaiSK  k  e-,  (Verify',  VK',  m',  a’) 

(TlCj.z'Ye-1 


(fl^y  ci,,'f)-cr 


—V 


(n? 


r  c  •  ,/  )-a  • 


mod  0(iV ) 


=Transform-4u>JV ^  a  a  SK  ^->e(Verify',  VK',  m! ,  a') 
where  the  last  step  follows  from  Observation  B.l. 


61 

Approved  for  Public  Release;  Distribution  Unlimited. 

296 


Let  us  now  consider  Transform-Image-1  and  Transform-Image-2.  This  case  follows  directly  from  Observa¬ 
tion  B.l,  since  the  only  difference  between  the  two  programs  is  that  Transform-lmage-lAr„iC  has  c  hardwired, 
while  in  Transform-lmage-27v,„,a,e>  a  is  hardwired. 


Claim  B.10.  Assuming  RSA  is  secure,  for  any  PPT  adversary  Att, 

Adv^tt  <  negl(A). 

Pi'oof.  Suppose  there  exists  a  PPT  adversary  Att  such  that  Adv^tt  =  e.  We  will  construct  a  PPT  algorithm 
B  that  breaks  the  RSA  assumption  with  advantage  e. 

B  receives  as  input  N,e,v.  R  chooses  (SK,  VK)  <S.Gen(lA).  It  chooses  K  P.setup(lA),  a  t—  {0, 1}^, 
sets  a  =  PRG(a).  It  chooses  u  t—  AdmSample(lA,  qi+n),  aitb  «—  Zrv-  It  sends  PP  =  (^(Transform-4^  v  a  a  SK  x  e), 
C>(Transform-lmage-2Ar>„jaie),  e)  and  VK  to  Att. 

For  each  signing  query  aq,  B  checks  that  P„(aq )  =  1  and  sends  cr.;  =  <S.Sign(SK,  aq)  to  Att. 

Finally,  Att  outputs  a  forgery  craee  along  with  n  tuples  {Verify,,  VK.j,  mA.  Let  z;  =  h(rrii)  1 15.  Verify  1 1  VK, 
y  =  5. Verify 1 1 VK,  yr  =  Verify' ||VK'  and  I  =  {i|Verifyi  =  ^.Verify,  VK,  =  VK}. 

If  Att  wins,  then  Eli*  £  [n]  such  that  Verify^,  =  S.  Verify,  VK,»  =  VK,  ?n,;*  was  not  queried  during  the  signa¬ 
ture  phase,  Pu(rrii * )  =  0  ,  for  all  i  £  X,i  yf  i*  Pu{nrii )  =  1,  and  cragg  =  }}■  Transform-lmage-2Ari.Ujaie(Verifyi,  VKj,  ?n,;). 

Let  us  consider  Transform-lmage-2iv,'u,a,e(Verifyi,  VK.j,  m.i)  for  some  i  yf  i* .  For  j  <  d\,  let  Cj\,  =  e  •  ayb  if 
Uj  =  b ,  else  cjy  =  e  ■  ajy  +  1-  For  j  >  d\,  let  Cjy  =  e  •  if  Uj-d-i  y^  b,  else  cjy  =  e  •  dj ^  +  1-  If  y  =  y' ,  let 
j'  £  [di]  be  the  first  index  such  that  uy  =  z^y.  Else,  let  j"  be  the  first  index  such  that  yy  yf  y^y/  and  set 
f  =  d\  +j".  Then, 


Transform-lmage-2jv,-u,a,e(Verifyj,  VKi;  ?n,;) 

(mod  N) 

—  r  1 1  (mod  N) 

=ve'Ti  (mod  N)  where  t,  =  aytZ.  •  (JJ  CyZij). 

On  the  other  hand,  if  we  consider  the  term  corresponding  to  i* ,  then 

Transform-lmage-2Arjt,ce 
=  (mod  N ) 

=  J)nj(e,%i*i«,J+1)  (mod  N) 

=  v  ■  ve'Ti *  (mod  N)  for  some  U*  that  can  be  efficiently  computed  using  e,  aty. 

Hence,  eragg  =  v  ■  {v^Ti)e  (mod  N).  B  finally  outputs  x  =  cragg/(i^Ti)  (mod  N ),  and  wins  with  advantage 


Therefore,  assuming  O  is  a  secure  VBB  obfuscator  for  class  C,  F  is  a  selectively  secure  puncturable 
PRF,  F  is  a  secure  PRF,  PRG  is  a  secure  pseudorandom  generator  and  the  RSA  assumption  holds,  the 
construction  described  in  Section  B  is  adaptive  secure  with  respect  to  all  length-qualified  signature  schemes. 
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Abstract 

As  devices  everywhere  increasingly  communicate  with  each  other,  many  security  applications  will 
require  low-bandwidth  signatures  that  can  be  processed  quickly.  Pairing-based  signatures  can  be  very 
short,  but  are  often  costly  to  verify.  Fortunately,  they  also  tend  to  have  efficient  batch  verification 
algorithms.  Finding  these  batching  algorithms  by  hand,  however,  can  be  tedious  and  error  prone. 

We  address  this  by  presenting  AutoBatch,  an  automated  tool  for  generating  batch  verification  code 
in  either  Python  or  C++  from  a  high  level  representation  of  a  signature  scheme.  AutoBatch  outputs 
both  software  and,  for  transparency,  a  LaTeX  file  describing  the  batching  algorithm  and  arguing  that  it 
preserves  the  unforgeability  of  the  original  scheme. 

We  tested  AutoBatch  on  over  a  dozen  pairing-based  schemes  to  demonstrate  that  a  computer  could 
find  competitive  batching  solutions  in  a  reasonable  amount  of  time.  In  particular,  it  found  an  algorithm 
that  is  faster  than  a  batching  algorithm  from  Eurocrypt  2010.  Another  novel  contribution  is  that  it 
handles  cross-scheme  batching,  where  it  searches  for  a  common  algebraic  structure  between  two  distinct 
schemes  and  attempts  to  batch  them  together. 

In  this  work,  we  expand  upon  our  paper  on  AutoBatch  appearing  in  ACM  CCS  2012  [2]  in  a  number 
of  ways.  We  add  a  new  loop-unrolling  technique  and  show  that  it  helps  cut  the  batch  verification 
cost  of  one  scheme  by  roughly  half.  We  describe  our  pruning  and  search  algorithms  in  greater  detail, 
including  pseudocode  and  diagrams.  All  experiments  were  also  re-run  using  the  RELIC  pairing  library. 
We  compare  those  results  to  our  earlier  results  using  the  MIRACL  library,  and  discuss  why  RELIC 
outperforms  MIRACL  in  all  but  two  cases.  Automated  proofs  of  several  new  batching  algorithms  are 
also  included. 

AutoBatch  is  a  useful  tool  for  cryptographic  designers  and  implementors,  and  to  our  knowledge,  it 
is  the  first  attempt  to  outsource  to  machines  the  design,  proof  writing  and  implementation  of  signature 
batch  verification  schemes. 


1  Introduction 

We  anticipate  a  future  where  computers  are  everywhere  as  an  integrated  part  of  our  surroundings,  continu¬ 
ously  exchanging  messages,  e.g.,  sensor  networks,  smartphones,  vehicular  communications.  For  these  systems 
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to  work  properly,  messages  must  carry  some  form  of  authentication,  and  yet  the  system  requirements  on  this 
authentication  are  particularly  demanding.  Applications  such  as  vehicular  communications  [23,60],  where 
cars  communicate  with  each  other  and  the  highway  infrastructure  to  report  on  road  conditions,  traffic  con¬ 
gestion,  etc.,  require  both  that  signatures  be  short  (due  to  the  limited  spectrum  available)  and  that  many 
messages  from  different  sources  can  be  processed  quickly. 

Pairing-based  signatures  are  attractive  due  to  their  small  size,  but  they  often  carry  a  costly  verification 
procedure.  Fortunately,  these  schemes  also  lend  themselves  well  to  batch  verification ,  where  valuable  time 
is  saved  by  processing  many  messages  at  once.  E.g.,  Boneh,  Lynn  and  Shacham  [15]  presented  a  160-bit 
signature  together  with  a  batching  algorithm  over  signatures  by  the  same  signer,  where  verification  time 
could  be  reduced  from  47.6ms  to  2.28ms  per  signature  in  a  batch  of  200  [28]  —  a  95%  saving! 

To  prepare  for  a  future  of  ubiquitous  messaging,  we  would  like  batching  algorithms  for  as  many  pairing- 
based  schemes  as  possible.  Designing  batch  verification  algorithms  by  hand,  however,  is  challenging.  First, 
it  can  be  tedious.  It  requires  knowledge  of  many  batching  rules  and  exploration  of  a  potentially  huge  space 
of  algebraic  manipulations  in  the  hunt  for  a  good  candidate  algorithm.  Second,  it  can  be  error  prone.  In 
Section  1.3,  we  discuss  both  the  success  and  failure  of  the  past  fifteen  years  in  batching  digital  signatures. 
The  clear  lesson  is  that  mistakes  are  common  and  that  even  when  generic  methods  for  batching  have  been 
suggested,  they  have  often  been  misapplied  (e.g.,  a  critical  step  is  forgotten).  This  paper  demonstrates  that 
it  is  feasible  for  humans  to  turn  over  some  of  the  design,  proof  writing  and  implementation  work  in  batch 
verification  to  machines. 

1.1  Our  Contributions 

We  present  AutoBatch,1  an  automated  tool  that  transforms  a  high-level  description  of  a  signature  scheme2 
into  an  optimized  batch  verification  program  in  either  Python  or  C++.  This  high-level  specification  is  written 
in  a  language  called  Scheme  Description  Language  (SDL),  which  is  designed  specifically  for  automation. 
AutoBatch  takes  as  input  an  SDL  specification  of  a  signature  scheme  and  searches  for  a  batching  algorithm 
by  repeatedly  applying  a  combination  of  novel  and  existing  batching  techniques.  Because  some  loops  or  other 
infinite  paths  could  occur,  AutoBatch  prunes  its  search  using  a  set  of  carefully  designed  heuristics.  Despite 
these  heuristics,  AutoBatch  is  not  guaranteed  to  terminate  but  we  conjecture  that  it  does  in  practice.  Our 
tool  produces  a  modified  SDL  file  and  executable  code,  which  includes  logic  for  altering  the  behavior  of  the 
batching  algorithm  based  on  its  input  size  or  past  input. 

To  our  knowledge,  this  is  the  first  attempt  to  automatically  identify  when  certain  batching  techniques 
are  applicable  and  to  apply  them  in  a  secure  manner.  Importantly,  the  way  in  which  we  combine  these 
techniques  and  optimizations  preserves  the  unforgeability  of  the  original  scheme.  Specifically,  with  all  but  a 
negligible  probability,  the  batch  verifier  will  accept  a  batch  S  of  signatures  if  and  only  if  every  s  £  S  would 
have  been  accepted  by  the  individual  verification  algorithm.  AutoBatch  also  produces  a  machine-generated 
LaTeX  file  that  specifies  each  technique  applied  and  an  argument  for  why  security  is  preserved. 

AutoBatch  was  tested  on  several  pairing-based  schemes.  It  produced  the  first  batching  algorithms,  to  our 
knowledge,  for  the  Camenisch-Lysyanskaya  [20]  and  Hohenberger- Waters  [36]  signatures.3  It  also  discovered 
a  faster  algorithm  for  batching  the  proofs  of  the  verifiable  random  functions  (VRF)  of  Hohenberger  and 
Waters  [37].  Moreover,  AutoBatch  is  able  to  handle  batches  with  more  than  one  type  of  signature.  Indeed, 
we  found  that  the  Hess  [35]  and  Clra-Cheon  [24]  identity-based  signatures  can  be  processed  twice  as  fast  when 
batched  together  compared  to  sorting  by  type  and  batching  within  the  type.  The  capability  to  do  cross¬ 
scheme  batching  is  a  novel  contribution  of  this  paper,  and  we  feel  could  be  of  great  value  for  applications, 
such  as  mail  servers,  which  may  encounter  many  signature  types  at  once. 

AutoBatch  is  a  tool  with  many  applications  for  both  existing  and  future  signature  schemes.  It  helps  to 
enable  the  secure,  but  rapid  processing  of  authenticated  messages,  which  we  believe  will  be  of  increasing 
importance  in  a  wide-variety  of  future  security  applications. 

1  The  AutoBatch  source  and  test  cases  described  herein  are  publicly  available  at  https://github.com/JHUISI/auto-tools. 

2  Optionally,  one  can  start  with  an  existing  implementation,  from  which  AutoBatch  will  extract  a  representation. 

3It  also  produced  a  candidate  batching  scheme  for  the  Waters  dual-system  [66]  signatures,  although  this  signature  scheme 
does  not  have  perfect  correctness  and  therefore  our  techniques  do  not  immediately  apply  to  it.  See  Section  2.1.1  for  more. 
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1.2  Overview  of  Our  Approach 

We  present  a  detailed  explanation  of  AutoBatch  in  §3.  In  this  section  and  in  Figure  1  we  provide  a  brief 
overview  of  the  techniques.  At  a  high  level,  AutoBatch  is  designed  to  analyze  a  scheme,  extract  the  signature 
verification  equation,  and  derive  working  code  for  a  batch  verifier.  This  involves  three  distinct  components: 

1.  (Optional)  A  Code  Parser,  which  retrieves  the  verification  equation  and  variable  types  from  some 
existing  scheme  implementation.  Our  parser  assumes  that  the  scheme  has  been  implemented  in  Python 
following  a  specific  structure  (see  Section  3.5  for  more  details).  Given  such  an  implementation,  the 
Parser  obtains  the  signature  verification  equation  and  encodes  it  into  an  intermediate  representation 
in  SDL. 

2.  A  Batcher,  which  takes  as  input  an  SDL  file  describing  a  signature  verification  equation.  In  addition  to 
the  signature  verification  equation,  the  Batcher  requires  details  in  SDL  such  as  types,  variable  names 
of  public  parameters  and  signatures,  and  estimated  batch  size.  It  first  consolidates  the  set  of  individual 
verification  equations  into  a  single  equation,  then  derives  a  batch  verification  equation.  The  Batcher 
then  searches  through  a  series  of  rules,  which  may  be  applied  repeatedly,  to  optimize  the  equation 
and  thus  derive  a  new  equation  of  a  batch  verifier.  The  output  of  the  Batcher  is  a  second  SDL  file, 
which  includes  the  individual  and  batch  verifiers,  along  with  an  analysis  of  the  batcher’s  estimated 
running  time.  For  transparency,  the  Batcher  optionally  outputs  a  LaTeX  file  that  can  be  compiled 
into  a  human-readable  document  describing  the  batching  algorithm  and  arguing  that  it  maintains  the 
unforgeability  of  the  original  scheme. 

3.  A  Code  Generator,  which  takes  the  output  of  the  Batcher  and  generates  working  source  code  to 
implement  the  batch  verifier.  The  batch  verifier  implementation  includes  group  membership  checks,  a 
recursive  divide-and-conquer  process  to  handle  batches  that  contain  invalid  signatures,  and  additional 
logic  to  identify  cases  where  individual  verification  is  likely  to  outperform  batching.  The  user  can  choose 
either  Python  or  C++  as  the  output  language,  either  building  on  the  MIRACL  [59]  or  RELIC  [4]  library. 

There  are  two  usage  scenarios  for  AutoBatch.  The  most  common  may  be  that  a  user  begins  with  a  hand- 
coded  SDL  file  and  feeds  this  directly  into  the  Batcher.  Since  SDL  files  are  human-readable  ASCII-based 
files  containing  a  mathematical  representation  of  the  scheme,  some  developers  may  prefer  to  implement  new 
schemes  directly  in  this  language,  which  is  agnostic  to  the  programming  language  of  the  final  implementation. 

As  a  second  scenario,  if  the  user  has  a  working  implementation  of  the  scheme  in  Charm  [1],  then  she 
can  save  time.  This  program  can  be  given  to  the  Code  Parser,  which  will  extract  the  necessary  information 
from  the  code  to  generate  an  SDL  file.  Charm  is  a  Python  and  C-| — I-  based  prototyping  framework  created 
by  Akinyele  et  al.  [1]  that  provides  infrastructure  for  developing  advanced  cryptographic  schemes.  There  is 
already  a  library  of  pairing-based  signatures  publicly  available  in  Charm/Python,  so  we  provide  this  as  a 
second  interface  option  to  our  tool. 

1.3  Related  Work 

Computer-aided  security  is  a  goal  of  high  importance.  Recently,  the  best  paper  award  at  CRYPTO  2011  was 
given  to  Barthe,  Gregoire,  Heraud  and  Zanella  Beguelin  [10]  for  their  invention  of  EasyCrypt,  an  automated 
tool  for  generating  security  proofs  of  cryptographic  systems  from  proof  sketches.  The  reader  is  referred  there 
for  a  summary  of  efforts  to  automate  the  verification  of  cryptographic  security  proofs. 

In  1989,  batch  cryptography  was  introduced  by  Fiat  [29]  for  a  variant  of  RSA.  In  1994,  an  interactive 
batch  verifier  for  DSA  presented  in  an  early  version  of  [55]  was  broken  by  Lim  and  Lee  [44],  In  1995,  Laih 
and  Yen  proposed  a  new  method  for  batch  verification  of  DSA  and  RSA  signatures  [41],  but  the  RSA  batch 
verifier  was  broken  five  years  later  by  Boyd  and  Pavlovski  [17].  In  1998,  two  batch  verification  techniques  were 
presented  for  DSA  and  RSA  [32,33]  but  both  were  later  broken  [17,38,39].  The  same  year,  Bcllare,  Garay 
and  Rabin  took  the  first  systematic  look  at  batch  verification  [11]  and  presented  three  generic  methods  for 
batching  modular  exponentiations,  one  of  which  is  called  the  small  exponents  test.  Unfortunately,  in  2000, 
Boyd  and  Pavlovski  [17]  published  attacks  against  various  batching  schemes  which  were  using  the  small 
exponents  test  incorrectly.  In  2003-2004,  several  batch  verification  schemes  based  on  bilinear  maps  (a.k.a., 
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Figure  1:  The  flow  of  AutoBatch.  The  input  is  a  signature  scheme  comprised  of  key  generation,  signing 
and  verification  algorithms,  represented  in  the  domain-specific  SDL  language.  The  scheme  is  processed  by  a 
Batcher,  which  applies  the  techniques  and  optimizations  from  Section  3  to  produce  a  new  SDL  file  containing 
a  batch  verification  algorithm.  Optionally,  the  Batcher  outputs  a  proof  of  correctness  (as  a  PDF  typeset 
using  LaTeX)  that  explains,  line  by  line,  each  technique  applied  and  its  security  justification.  Finally,  the 
Code  Generator  produces  executable  C++  or  Python  code  implementing  both  the  resulting  batch  verifier, 
and  the  original  (unbatched)  verification  algorithm.  An  optional  component,  the  Parsing  Engine,  allows  for 
the  automatic  derivation  of  SDL  inputs  based  on  existing  scheme  implementations. 


pairings)  were  proposed  [24,68,70,71]  but  all  were  later  broken  by  Cao,  Lin  and  Xue  [22].  In  2006,  a  method 
was  given  for  identifying  invalid  signatures  in  RSA-type  batches  [43],  but  it  was  also  flawed  [64]. 

It  is  natural  to  ask  what  the  source  of  the  errors  were  in  these  papers.  In  several  cases,  the  mathematics 
of  the  scheme  were  simply  unsound  and  the  proof  of  correctness  was  either  missing  or  lacking  in  rigor. 
However,  there  were  two  other  common  problems.  One  was  that  the  paper  claimed  in  English  to  be  doing 
batch  verification,  but  the  security  definition  provided  in  the  paper  was  insufficient  to  establish  this  guarantee. 
Most  commonly  this  matched  the  strictly  weaker  screening  guarantee;  see  [19]  for  more.  A  second  problem 
was  more  insidious:  the  security  definition  and  proof  were  “correct”,  but  the  scheme  was  still  subject  to  a 
practical  attack  because  the  authors  started  the  proof  by  explicitly  assuming  that  elements  of  the  signature 
were  members  of  certain  algebraic  groups  and  this  was  not  a  reasonable  assumption  to  make  in  practice. 
Boyd  and  Pavlovski  [17]  provide  numerous  examples  of  this  case. 

AutoBatch  addresses  these  common  pitfalls.  It  uses  one  security  definition  (in  Section  2.1)  and  provides 
a  proof  of  correctness  for  every  algorithm  it  outputs  relative  to  this  definition  (in  Section  3.3),  where  no 
assumptions  about  the  algebraic  structure  of  the  input  are  made  and  therefore  any  necessary  tests  are 
explicitly  performed  by  the  algorithm. 

In  addition  to  the  works  on  batch  verification  mentioned  above,  we  mention  a  few  more.  Shacham 
and  Boneh  presented  a  modified  version  of  Fiat’s  batch  verifier  for  RSA  to  improve  the  efficiency  of  SSL 
handshakes  on  a  busy  server  [61].  Boneh,  Lynn  and  Shacham  provided  a  single-signer  batch  verifier  for  BLS 
signatures  [15].  Camenisch,  Hohenberger  and  Pedersen  [19]  gave  multiple-signer  batch  verifiers  for  Waters 
identity-based  signatures  [65]  and  a  novel  construction.  Ferrara,  Green,  Hohenberger  and  Pedersen  outlined 
techniques  for  batching  pairing-based  signatures  and  showed  how  to  batch  group  and  ring  signatures  [28]. 
Blazy,  Fuchsbauer,  Izabaclrene,  Jambert,  Sibert  and  Vergnaud  [12]  applied  batch  verification  techniques  to 
the  Groth-Sahai  zero-knowledge  proof  system  as  well  as  group  signatures  and  anonymous  credential  systems 
relying  on  them,  obtaining  significant  savings. 

Law  and  Matt  describe  methods  for  identifying  invalid  signatures  in  a  batch  [42,50,51]. 

Lastly,  there  have  been  several  research  efforts  toward  automatically  generating  cryptographic  protocols 
and  executable  code.  This  compiler-like  approach  has  been  applied  to  cryptographic  applications  such  as 
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security  protocols  [40,45,46,57,63],  optimizations  to  software  implementations  involving  elliptic-curve  cryp¬ 
tography  [9]  and  bilinear-map  functions  [56],  secure  two-party  computation  [34,48,49],  and  zero- knowledge 
proofs  [3,5-7,21,30,52], 

2  Background 

Definition  2.1  (A  Digital  Signature)  A  digital  signature  scheme  is  a  tuple  of  probabilistic  polynomial¬ 
time  (p.p.t.)  algorithms  (Gen,  Sign,  Verify); 

1.  Gen(lA)  — ►  (pk,  sk):  the  key  generation  algorithm  takes  as  input  the  security  parameter  1A  and  outputs 
a  pair  of  keys  (pk,  sk). 

2.  Sign (sk,m)  — >  a:  the  signing  algorithm  takes  as  input  a  secret  key  sk  and  a  message  m  from  the 
message  space  and  outputs  a  signature  a. 

3.  Verify  (pk,  m,  a)  — >  {0,1};  the  verification  algorithm  takes  as  input  a  public  key  pk,  a  message  m  and 
a  purported  signature  a,  and  outputs  a  bit  indicating  the  validity  of  the  signature. 

A  scheme  is  typically  said  to  be  correct  (or  perfectly  correct)  if  for  all  Gen(T)  — ►  ( pk,sk ), 

Verify(p/c,  m,  Sign(sfc,  m))  =  1  for  all  m. 

That  is,  a  scheme  is  correct  if  all  honestly  generated  signatures  pass  the  verification  test.  Our  focus  will  be 
on  perfectly  correct  schemes,  however,  we  discuss  in  Section  2.1.1  the  implications  for  batch  verification  if 
some  correctness  error  is  allowed. 

A  scheme  is  defined  to  be  unforgeable  as  follows  [31]:  Let  Gen(T)  — >  (pk,sk).  Suppose  (m,a)  is  output 
by  a  p.p.t.  adversary  with  access  to  a  signing  oracle  Osk(-)  and  input  pk.  Then  the  probability  that  m  was 
not  queried  to  0sfc(')  and  yet  Verify (pk,m,a)  =  1  must  be  negligible  in  £. 

In  this  work,  we  explore  three  variants: 

1.  Identity-Based  Signatures  [62]:  Gen  is  executed  by  a  master  authority  who  publishes  pk  and  uses 
sk  to  generate  signing  keys  for  users  according  to  their  public  identity  string,  e.g.,  email  address.  To 
verify  a  signature  on  a  given  message,  one  only  needs  the  public  key  of  the  master  authority  and  the 
public  identity  string  of  the  purported  signer. 

2.  Privacy  Signatures:  Group  [26]  and  ring  [58]  signatures  are  associated  with  a  group  of  users,  where 
verification  shows  that  at  least  one  member  of  the  group  signed  the  message,  but  it  is  difficult  to  tell 
who. 

3.  Verifiable  Random  Functions  [53]:  A  VRF  is  a  pseudo-random  function,  where  the  computing 
party  publishes  a  public  key  pk  and  then  can  offer  a  short  non-interactive  proof  that  the  function  was 
correctly  evaluated  for  a  given  input.  This  proof  can  be  viewed  as  a  signature  by  the  computing  party 
on  the  input  to  the  pseudo-random  function. 

2.1  The  Basics  of  Batch  Verification  for  Signatures 

Our  security  focus  here  is  not  directly  on  unforgeability  [31].  Rather  we  are  interested  in  designing  batch 
verification  algorithms  that  accept  a  set  of  signatures  if  and  only  if  each  signature  would  have  been  accepted 
by  its  verification  algorithm  individually  (except  perhaps  with  a  negligible  probability).4  If  an  input  scheme 
is  unforgeable,  then  our  batching  algorithm  will  preserve  this  property  in  the  output  scheme.  If  an  insecure 
scheme  is  provided  as  input,  then  all  bets  are  off  on  the  output. 

4We  assume  perfectly  correct  schemes  here. 
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Specifically,  we  consider  the  case  where  we  want  to  quickly  verify  a  set  of  signatures  on  possibly  different 
messages  by  possibly  different  signers.  The  input  is  {(fi, mi,  01), . . . ,  (tn,mn,crn)},  where  t,  specifies  the 
verification  key  against  which  <7,;  is  purported  to  be  a  signature  on  message  rrii.  It  is  important  to  understand 
that  here  one  or  more  signers  may  be  maliciously  colluding  against  the  batch  verifier. 

We  recall  the  definition  of  batch  verification  from  Bellare,  Garay  and  Rabin  [11]  as  extended  in  [19]  to 
deal  with  multiple  signers.  We  note  that  this  definition  is  well  specified  for  perfectly  correct  schemes,  but 
not  for  schemes  that  allow  some  correctness  error.  We  discuss  this  further  shortly. 

Definition  2.2  (Batch  Verification  of  Signatures)  Lett  be  the  security  parameter.  Suppose  (Gen,  Sign, 
Verify)  is  a  signature  scheme  with  perfect  correctness,  k,n  £  poly(t),  and  (pk1,  ski), . . . ,  (pkk,  skk)  are 
generated  independently  according  to  Gen(l^).  Let  PK  =  {pk±, . . . , pkk} .  We  call  a  probabilistic  algorithm 
Batch  a  batch  verification  algorithm  when  the  following  conditions  hold: 

•  Ifpkt.  £  PK  and\Zer\fy(pkt.,m.i,ai)  =  1  for  alii  £  [l,n],  then  Batch  {fpkti,m\,<Ji ),...,  (pktri,mn,an)) 
=  1.  ‘ 

•  If  pkt.  €  PK  for  all  i  £  [1,  n\  and  Verify {pkt. ,  )  =  0  for  some  j  £  [1,  n],  then  Batch {{pktl ,  mi,  ay), 

. . . ,  ( pktn ,  mn,  crn))  =  0  except  with  pi'obability  negligible  in  t,  taken  over  the  randomness  of  Batch . 

The  above  definition  can  be  generalized  beyond  signatures  to  apply  to  any  keyed  scheme  with  a  perfectly- 
correct  verification  algorithm.  This  includes  zero-knowledge  proofs,  verifiable  random  functions,  and  variants 
of  regular  signatures,  such  as  identity-based,  attribute-based,  ring,  group,  aggregate,  etc.  The  above  defini¬ 
tion  requires  that  signing  keys  be  generated  honestly.  In  practice,  users  could  register  their  keys  and  prove 
some  necessary  properties  of  the  keys  at  registration  time  [8]. 

2.1.1  On  Schemes  with  a  Correctness  Error 

The  standard  definition  for  signature  batch  verification  (as  presented  in  Definition  2.2)5  assumes  that  the 
basic  signature  scheme  has  perfect  correctness.  That  is,  the  first  part  of  the  definition  inherently  assumes 
that  all  valid  signatures  will  pass  the  individual  verification  test.  This  is  the  case  for  the  majority  of  signature 
schemes  as  well  as  all  signature  schemes  that  we  are  aware  of  being  actively  used  in  practice. 

However,  one  could  imagine  a  signature  scheme  with  a  negligible  or  small  constant  correctness  error. 
One  example  of  a  scheme  with  a  negligible  correctness  error  is  the  Waters09  scheme  as  derived  from  the 
Waters  Dual-System  IBE  [66]  using  the  technique  described  by  Naor  [14],  In  this  scheme,  a  signature  on 
message  m  corresponds  to  the  IBE  private  key  on  identity  m.  The  verification  test  operates  by  choosing  a 
random  message  in' ,  encrypting  it  for  identity  m,  running  the  decryption  algorithm  using  the  signature  as 
the  private  key,  and  testing  to  see  that  decryption  successfully  recovers  m! .  Since  the  Dual-System  IBE  [66] 
has  a  negligible  correctness  error  in  the  decryption  algorithm,  this  signature  scheme  also  has  a  negligible 
correctness  error  in  verification.  This  leaves  the  question:  what  is  the  right  batching  definition  for  such  a 
scheme? 

For  a  scheme  that  allows  an  arbitrary  amount  of  correctness  error,  the  first  requirement  of  Definition  2.2 
no  longer  makes  sense.  Rather  in  this  setting  it  seems  to  us  that  one  could  no  longer  base  the  batching 
security  on  the  base  signature  security,  but  rather  would  have  to  create  a  new  game-based  definition  that 
simulated  the  batching  scenario  and  directly  prove  that  the  algorithm  matches  the  definition.  Direct  proofs 
of  this  sort  are  currently  beyond  our  ability  to  automate. 

One  might  instead  narrow  the  focus  to  schemes  that  allow  at  most  a  negligible  correctness  error.  In 
this  case,  we  suggest  relaxing  both  of  the  batching  requirements  by  a  negligible  probability  taken  over  the 
randomness  of  the  individual  and  batch  verification  algorithms.  We  leave  as  an  open  problem  a  formal 
treatment  of  batching  for  schemes  in  this  class. 

We  tested  AutoBatch  on  one  scheme  with  a  correctness  error,  Waters09  [66],  because  its  complication 
made  it  a  challenging  test  case.  We  report  on  the  candidate  batching  algorithm  we  found  in  Section  4, 

5 We  added  the  restriction  to  perfect  correctness  in  Definition  2.2.  It  was  assumed  in  prior  works  but  not  always  made 
explicit. 
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although  we  note  there  and  in  Appendix  D  that  our  automated  proofs  were  only  written  to  handle  schemes 
with  perfect  correctness.  This  is  a  correction  over  the  conference  version  of  this  work  [2]  which  did  not  make 
this  distinction. 

2.2  Algebraic  Setting 

Bilinear  Groups.  Let  Gi,  G2  and  G t  be  groups  of  prime  order  q.  A  map  e  :  Gi  x  G2  ->  G t  is  an 
admissible  bilinear  map  (or  pairing)  if  it  satisfies  the  following  three  properties: 

1.  Bilinearity:  for  all  g  £  Gi,  h  £  G2,  and  a,  b  £  Z^,  it  holds  that  e(ga,  hb)  =  e(g,  h)ab . 

2.  Non-degeneracy:  if  g  and  h  are  generators  of  Gi  and  G2,  respectively,  then  e(g,h)  is  a  generator  of 
Gt- 

3.  Efficiency:  there  exists  an  efficiently  computable  function  that  given  any  g  £  Gi  and  h  £  G2,  computes 
e(9,h). 

An  admissible  bilinear  map  generator  BSetup  is  an  algorithm  that  on  input  a  security  parameter  l/, 
outputs  the  parameters  for  a  bilinear  group  (q,  g ,  h,  Gi,  G2,  G t,  e)  such  that  groups  of  prime  order  q  £  0(2^), 
Gi,  G2  and  G t  are  groups  of  order  q  where  g  generates  Gi,  h  generates  G2  and  e  :  Gi  x  G2  ->  G t  is  an 
admissible  bilinear  map. 

The  above  bilinear  map  is  called  asymmetric  and  our  implementations  use  this  highly  efficient  setting. 
We  also  consider  symmetric  maps  where  there  is  an  efficient  isomorphism  ip  :  Gi  — X  G2  (and  vice  versa)  such 
that  a  symmetric  map  e  is  defined  as  e  :  Gi  x  ip{ Gi)  —X  G t-  We  abstractly  treat  symmetric  groups  equally 
(Gi  =  G2)  for  simplicity. 

Testing  Membership  in  Bilinear  Groups.  When  batching,  it  is  critical  to  test  that  the  elements  of  each 
signature  are  members  of  the  appropriate  algebraic  group.  Boyd  and  Pavlovski  [17]  demonstrated  efficient 
attacks  on  batching  algorithms  for  DSA  signature  verification  which  omitted  a  subgroup  membership  test. 

In  this  paper,  we  must  test  membership  in  bilinear  groups.  We  require  that  elements  of  purported 
signatures  are  members  of  Gi  and  not,  say,  members  of  E(¥p)  \  Gi.  Determining  whether  some  data 
represents  a  point  on  a  curve  is  easy.  The  question  is  whether  it  is  in  the  correct  subgroup.  If  the  order 
of  Gi  is  a  prime  q ,  one  option  is  to  verify  that  an  element  y  is  in  Gi  by  checking  that  yq  mod  q  =  1  [19]. 
Although  this  costs  an  extra  modular  exponentiation  per  group  element,  this  will  largely  be  dwarfed  by  the 
savings  from  reducing  the  total  pairings,  as  experimentally  verified  first  by  Ferrara  et  al.  [28]  and  confirmed 
by  our  tests. 

2.3  Batch  Verification  in  Bilinear  Groups 

Let  us  recall  from  [28]  the  formal  definition  of  a  bilinear-based,  (or  pairing-based)  batch  verifier.  A  pairing- 
based  verification  equation  is  represented  by  a  generic  pairing-based  claim  X  corresponding  to  a  boolean 
relation  of  the  following  form:  nf=i  e(/i,/b)Ci  =  A,  for  k  £  poly(r)  and  /»  €  Gi,/q  €  G2  and  c*  €  Z*,  for 
each  i  =  1, . . .  ,k.  A  pairing-based  verifier  Verify  for  a  generic  pairing-based  claim  is  a  probabilistic  poly(r)- 
time  algorithm  which  on  input  the  representation  ( A ,  /1, . . . ,  /*,,  hi, . . . ,  hk,  c±, . . . ,  Ck)  of  a  claim  X ,  outputs 
accept  if  X  holds  and  reject  otherwise.  We  define  a  batch  verifier  for  pairing-based  claims. 

Definition  2.3  (Bilinear-based  Batch  Verifier) 

Let  BSetup(lT)  — x  (<?,  <?i,  <72,  Ga,  G&,  Gt,  e).  For  each  j  £  [1,??],  where  g  £  poly(r),  let  X^A  be  a  generic 
pairing-based  claim  and  let  Verify  be  a  pairing-based  verifier.  We  define  a  pairing-based  batch  verifier  for 
Verify  as  a  probabilistic  poly (t) -time  algorithm  which  outputs: 

•  accept  if  X^A  holds  for  all  j  €  [1,7?]; 

•  reject  if  X^  does  not  hold  for  any  j  £  [1, 77]  except  with  negligible  probability. 
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2.4  Small  Exponents  Test  Applied  to  Bilinear  Groups 

Bcllare,  Garay  and  Rabin  [11]  proposed  methods  for  verifying  multiple  equations  of  the  form  t/i  =  gXi  for 
i  =  1  to  n,  where  g  is  a  generator  for  a  group  of  prime  order.  One  might  be  tempted  to  just  multiply  these 
equations  together  and  check  if  IX]=i  Vi  =  g^-,i=lXi-  However,  it  would  be  easy  to  produce  two  pairs  ( £1,2/1 ) 
and  (£2,2/2)  such  that  the  product  of  them  verifies  correctly,  but  each  individual  verification  does  not,  e.g. 
by  submitting  the  pairs  {x\  —  a,  2/1)  and  (£2  +  ct,  2/2)  for  any  a.  Instead,  Bellare  et  al.  proposed  the  following 
method  for  batching  the  verification  of  these  equations,  which  we  will  shortly  apply  to  bilinear  groups. 

The  Small  Exponents  Test  of  Bellare,  Garay  and  Rabin:  Choose  exponents  6,  of  (a  small  number 
of)  4  bits  and  compute  ]T]=i  Vi'  =  g^"=lXiSi.  Then  the  probability  of  accepting  a  bad  pair  is  2“  A  The 
size  of  4  is  a  tradeoff  between  efficiency  and  security.  (By  default  in  AutoBatclr,  we  set  4  =  80  bits  and 
select  random  exponents  from  the  range  [1,  2A  —  1] .  Even  though  0  is  allowed  for  the  test,  we  forbid  it  in  our 
implementation. ) 

Subsequently,  Ferrara,  Green,  Hohenberger  and  Pedersen  [28]  proved  that  the  Small  Exponents  Test  could 
be  securely  applied  to  bilinear  groups  as  well.  We  recall  the  following  theorem  from  their  work  which 
encapsulates  the  test  as  well. 

Theorem  2.4  (Small  Exponents  Test  Applied  to  Bilinear  Groups  [28])  Let  BSetup(lT)  — /  (<7,271,272, 
Gi,  G2,  Gr,  e)  where  q  is  prime.  For  each  j  £  [1, 77] ,  where  r)  £  poly{r),  let  X^)  be  a  generic  claim  as  in 
Definition  2.3.  For  simplicity,  assume  that  is  of  the  form  A  =  Y 0)  where  A  is  fixed  for  all  j  and  all 
the  input  values  to  the  claim  are  in  the  correct  groups.  For  any  random  vector  A  =  (<5i, . . .  ,<5^)  of  lb 

bit  elements  from  Z9,  an  algorithm  Batch  which  tests  the  following  equation  Wj=1A5j  =  J][J=1  is  a 

pairing-based  batch  verifier  that  accepts  an  invalid  batch  with  probability  at  most  2~(b. 

In  later  sections,  we  will  frequently  make  use  of  the  small  exponents  tests  and  rely  on  the  security 
guarantees  of  Theorem  2.4  as  proven  by  Ferrara  et  al.  [28]. 

3  The  AutoBatch  Toolchain 

In  this  section  we  summarize  the  techniques  used  by  AutoBatch  to  programmatically  generate  batch  verifiers 
from  standard  signature  schemes.  A  high  level  abstraction  is  provided  in  Figure  1.  The  main  stages  are  as 
follows. 

1.  Derive  the  scheme’s  SDL  representation.  The  AutoBatch  toolchain  begins  with  an  SDL  represen¬ 
tation  of  a  signature  scheme.  While  SDL  is  not  a  full  programming  language,  it  provides  sufficient  flexibility 
to  represent  most  pairing-based  signature  schemes.  We  provide  a  description  of  the  SDL  grammar  in  Ap¬ 
pendix  E,  as  well  as  a  description  of  the  SDL  semantics  and  several  examples  in  Appendix  F.  For  developers 
who  already  have  an  existing  Charm/Python  implementation,  we  also  provide  a  Parsing  Engine  that  can 
optionally  derive  an  SDL  representation  directly  from  this  Python  code.6 

2.  Apply  techniques  and  optimize  the  batch  verification  equation.  We  first  apply  a  set  of  techniques 
designed  to  convert  the  SDL  signature  verification  equation  into  a  batch  verifier.  These  techniques  optimize 
the  verification  equation  by  combining  pairing  equations  and  re-arranging  the  components  to  minimize  the 
number  of  expensive  operations.  To  prevent  known  attacks,  we  apply  the  small  exponents  test  of  Bcllare, 
Garay  and  Rabin  [11],  and  optimize  the  resulting  equation  to  ensure  that  all  signature  elements  are  in 
the  group  with  the  smallest  representation  (typically,  Gi).  Additionally,  the  Batcher  embeds  a  recursive 
divide- and- conquer  strategy  to  handle  cases  where  batch  verification  fails  due  to  invalid  signatures.  This 
binary  search  strategy  is  borrowed  from  Law  and  Matt  [42]  and  could  be  extended  to  support  other  methods 

6We  developed  this  capability  for  two  reasons.  First,  there  is  already  a  library  of  pairing-based  signature  schemes  available  in 
Charm/Python  (in  fact,  the  number  of  Charm  implementations  is  greater  than  all  other  settings  combined).  Secondly,  we  believe 
that  there  is  value  in  providing  multiple  interfaces  to  our  tools,  particularly  interfaces  that  work  with  real  implementations. 
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Charm/Python  SDL 


[class  BLS:  1 

name  :=  bis 

def _ init _ (self):  1 

N  :=  100 

global  group  1 

secparam  :=  80 

group  =  Pairing(MNT1 60)  1 

1  1 

BEGIN  ::  types 

1  def  keygen(self): 

M  :=  str;  h  :=  G1 ;  sig  :=  G1 

1  g  =  group. random(G2)  j 

g  :=  G2;  pk  :=  G2 

I  x  =  group. random(ZR)  « 

END  ::  types 

1  pk  =  g  **  x 

1  sk  =  x  1 

BEGIN  ::  func:sign 

1  return  (pk,  sk,  g)  , 

input  :=  list{sk,  M} 

sig  :=  h  A  sk 

1  def  sign(self,  sk,  M):  1 

output  :=  sig 

1  h  =  group. hash(M,  G1)  1 

END  ::  func:sign 

1  sig  =  h  **  sk  1 

1  return  sig  * 

constant  :=  g;  public  :=  pk 

1 

1  def  verify(self,  pk,  g,  sig,  M):  | 

signature  :=  sig;  message  :=  h 

1  h  =  group. hash(M,  G1)  j 

BEGIN  ::  precompute 

|  if  pair(h,  pk)  ==  pair(sig,  g):  ( 

h  :=  H(M,  G1) 

return  True  1 

END  ::  precompute 

return  False  1 

!  1 

verify  :=  {e(h,  pk)  ==  e(sig,  g)> 

Batch  Verifier 

Python  OR  C++ 


#  1  Choose  deltas  for  small  exponents  test 

for  z  in  range(0,  N): 

delta[z]  =  SmallExp(secparam) 

#  2  Initialize  dot  products 

dotA  =  1 ;  dotACache  =  {} 
dotB  =  1 ;  dotBCache  =  {} 

#  3  Precompute  dot  products  that  can  be 

#  cached  between  runs  of  divide  /  conquer 
for  z  in  range(0,  N): 

#  4  group  membership  tests 

#  ...  variables  calculated  over  sigs... 

#  5  Compute  dotA  &  dotB  using  cache 

#  6  Batch  Verification  check 

if  pair(dotA,  pk)  ==  pair(dotB,  g): 

return  True 
else: 

#  7  divide  and  conquer 
dividenconquer(delta,  0,  N,  inclndices, 

dotACache,  dotBCache,  pk,  g) 


#  1  Choose  deltas  for  small  exponents  test 

for  (int  z  =  0;  z  <  N;  z++) 

delta[z]  =  SmallExp(secparam); 

#  2  Initialize  dot  products 

#  3  Group  membership  tests 

#  4  Precompute  cacheable  dot  products 

for  (int  z  =  0;  z  <  N;  z++)  { 

h  =  group. hashListToG1(Mlist[z]); 
dotACache[z]  =  group. exp(h,  delta[z]); 
dotBCachejz]  =  group. exp(sig[z],  delta[z]); 
} 

#  5  Compute  dotA  &  dotB  using  cache 

#  6  Batch  Verification  check 
if  (  group. pair(  dotA ,  pk  )  == 

group.pair(  dotB,  g  ) )  {  ...  } 
else  { 

#  7  divide  and  conquer 
dividenconquer(delta,  0,  N,  inclndices, 

dotACache,  dotBCache,  pk,  g); 

} 


Figure  2:  The  Boneh-Lynn-Shacham  (BLS)  signature  scheme  [15]  at  various  stages  in  the  AutoBatch 
toolchain.  At  the  left,  an  initial  Charm-Python  implementation  of  the  scheme.  In  the  center,  an  SDL 
representation  of  the  same  scheme,  programmatically  extracted  by  the  Parsing  Engine.  At  right,  a  fragment 
of  the  resulting  batch  verifier  generated  after  applying  the  Batcher  and  Code  Generator. 


that  outperform  this  approach.  Finally,  the  output  of  this  phase  is  a  modified  SDL  file,  and  (optionally)  a 
human-readable  proof  that  the  resulting  equation  is  a  secure  batch  verifier. 

3.  Evaluate  the  capabilities  of  the  batch  verifier.  Given  the  optimized  batching  equation  produced 
in  the  previous  step,  we  estimate  the  performance  of  the  verifier  under  various  conditions.  This  is  done  by 
counting  the  operations  in  the  verifier,  and  deriving  an  estimate  of  the  runtime  based  on  the  expected  cost 
of  each  mathematical  operation  (e.g.,  pairing,  exponentiation,  multiplication).  The  cost  of  each  operation  is 
determined  via  a  set  of  diagnostic  tests  conducted  when  the  library  is  initialized. ' 

4.  Generate  code  for  the  resulting  batch  verifier.  Finally,  we  translate  the  resulting  SDL  file  into 
a  working  batch  verifier.  This  verifier  can  be  implemented  in  either  Python  or  C++  using  the  Charm 
framework.  It  implements  the  SDL-specified  batch  verification  equation  as  well  as  the  individual  verification 
equation.  Based  on  the  calculations  of  the  previous  step,  the  generated  code  embeds  logic  to  automatically 
determine  which  verifier  is  most  appropriate  for  a  given  dataset  (individual  or  batch).  Two  fragments  of 
generated  code  (Python  and  C++)  are  shown  in  Figure  2. 

We  will  now  describe  each  of  the  above  steps  in  detail. 

3.1  Batching  and  Optimization 

Given  an  SDL  file  containing  the  verification  equation  and  variable  types,  the  Batcher  first  securely  con¬ 
solidates  the  individual  verification  equations  into  a  single  equation  using  the  small  exponents  test.  Then, 
the  Batcher  applies  a  series  of  optimizations  to  the  batch  verification  equation  in  order  to  derive  an  efficient 
batch  verifier.  Many  of  these  techniques  were  first  explored  in  previous  works  [19,28].  However,  the  intended 
audience  of  those  works  is  humans  performing  manual  batching  of  signatures.  Hence,  they  are  in  many  cases 
somewhat  less  “general”  than  the  techniques  we  describe  here.8  Furthermore,  unlike  previous  works  we  are 

'  Obviously  these  experiments  are  very  specific  to  the  machine  and  curve  parameters  on  which  they  are  ran.  Our  implemen¬ 
tation  re-runs  these  experiments  whenever  the  library  is  initialized  with  a  given  set  of  parameters. 

8For  example:  techniques  2  and  3  of  [19]  each  combine  a  series  of  logical  operations  that  are  more  widely  applicable  and 
easily  managed  by  splitting  them  into  finer-grained  sub-techniques. 
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Verification  Equation  Initial  Batch  Equation  after  Technique  1 


Figure  3:  The  Boneh-Lynn-Shacham  (BLS)  signature  scheme  [15]  with  same  signer  and  r/  signatures  in  a 
batch.  We  show  the  abstract  syntax  tree  (AST)  of  the  unoptimized  batch  equation  after  Batcher  has  applied 
technique  1  by  combining  all  instances  of  the  verification  equations  (denoted  by  node)  and  applying  the 
small  exponents  test  (denoted  by  Sz  node). 


able  to  programmatically  identify  when  these  techniques  are  applicable,  and  apply  them  to  the  verification 
equation  in  a  consistent  way. 

The  Batcher  assumes  that  the  input  will  be  a  collection  of  ?y  signatures,  possibly  on  different  messages  and 
public  keys  (or  identities).  To  construct  a  batch  verifier,  the  Batcher  first  parses  and  performs  type  checking 
on  the  SDL  input  file  to  extract  an  abstract  syntax  tree  (AST)  representing  the  verification  equation.  During 
the  type  checking,  it  informs  users  if  there  are  type  mismatches  or  if  the  typing  information  is  incomplete 
in  SDL.  Next,  the  Batcher  traverses  the  AST  of  the  verification  equation,  applying  various  techniques  at 
various  nodes  in  the  tree. 

We  now  list  those  techniques  and  provide  details  on  how  some  of  these  techniques  are  implemented  on 
the  AST. 

Technique  Oa:  Consolidate  the  verification  equation.  Many  pairing-based  signature  schemes  actually  require 
the  verifier  to  check  more  than  one  pairing  equation.  During  the  first  phase  of  the  batching  process,  the 
batcher  applies  the  small  exponents  test  from  [11]  to  combine  these  equations  into  a  single  verification 
equation.9  A  variation  of  this  is  Technique  Ob  which  is  applicable  for  schemes  that  utilize  for  loops  in  the 
verification  equation  (e.g.,  VRF  [37]).  If  the  bounds  over  the  loop  are  known  it  might  be  useful  to  unroll  the 
loop  to  allow  application  of  other  techniques. 

Replace  for  i  =  1  to  t  :  e{g1hi )  =  e(c, df)  with  e(g1hi)Sl  ■  ...  •  e{g,ht)~St  =  e(c, di)Sl  ■  ...  •  e(c,dt)~^ 

Technique  1:  Combine  equations.  Assume  we  are  given  ry  signature  instances  that  can  be  verified  using  the 
consolidated  equation  from  the  previous  step.  We  now  combine  all  instances  into  one  equation  by  applying 
the  Combination  Step  of  [28],  which  employs  as  a  subroutine  the  small  exponents  test.  This  results  in  a 
single  verification  equation.  The  correctness  of  the  resulting  equation  requires  that  all  elements  be  in  the 
correct  subgroup,  i.e. ,  that  group  membership  has  already  been  checked.  AutoBatch  ensures  that  this  check 
will  be  explicitly  conducted  in  the  final  batch  verifier  program.  See  Figure  3  for  an  example. 

Technique  2:  Move  exponents  inside  the  pairing.  When  a  term  of  the  form  e(gi,hf)Si  appears,  move  the 
exponent  Si  into  e().  Since  elements  of  Gq  and  G2  are  usually  smaller  than  elements  of  Gy,  this  gives  a 
noticeable  speedup  when  computing  the  exponentiation. 

Replace  e(gi,hi)Si  with  e{g5ii ,hf) 

'Tor  example,  consider  two  verification  conditions  e(a,  b)  =  e(c,  d)  and  e(a,  c)  =  e(g,  h).  These  can  be  verified  simultaneously 
by  selecting  random  <5i,  £2  and  evaluating  the  single  equation  e(a,  b)Sl  e(c,  <:/)  T  e(a,  cf-  e(g.  h)~S2  =  1. 
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Batch  Equation  after  Technique  2  Batch  Equation  after  Technique  3 

Y[e{hszz,pk)  =  Y[e{sigs/,g)  e([[hsz*  ,pk)  =  e(Y[sigsz*  ,g) 


Figure  4:  The  Boneh-Lynn-Shacham  (BLS)  signature  scheme  [15]  with  same  signer  and  77  signatures  in  a 
batch.  Upon  applying  technique  1  from  Figure  3  to  obtain  the  initial  secure  batch  verifier,  the  goal  is  to 
optimize  the  equation.  We  first  show  the  AST  of  the  equation  after  the  Batcher  has  applied  technique  2 
(move  exponents  inside  the  pairing).  Then,  we  show  the  result  of  applying  technique  3a  (move  products 
inside  the  pairing)  to  arrive  at  an  optimized  batch  equation. 


Wherever  possible,  we  move  the  exponent  into  the  group  with  the  lowest  exponentiation  cost.  We  identify 
this  group  based  on  a  series  of  operation  microbenchmarks  that  run  automatically  at  code  initialization.10 

Technique  3a:  Move  products  inside  the  pairing.  When  a  term  of  the  form  JX’Li  e(a*,s)  with  a  constant  first 
or  second  argument  appears,  move  the  product  inside  to  reduce  the  number  of  pairings  from  77  to  1. 

v  v 

Replace  n  with  e(J  a,;,  g) 

i—1  i=l 

A  special  case  of  this  technique  is  Technique  3b  where  77  =  2.  In  this  case,  when  two  terms  share  a 
common  first  or  second  argument,  they  can  also  be  combined.  For  example: 

Replace  e(a,  g)  •  e(b,  g)  with  e(a  ■  b,  g)  where  a  /  1  At  /  1. 

For  a  concrete  example,  we  show  how  techniques  2  and  3a  are  programmatically  applied  to  the  BLS 
scheme  [15]  in  Figure  4. 

Technique  f:  Optimize  the  Waters  Hash.  A  variety  of  identity-based  signature  schemes  employ  a  hash 
function  by  Waters  [65],  which  can  be  generalized  [25,54].  Verifying  signatures  generated  by  these  schemes 
requires  hashing  identity  strings  of  the  form  V  =  V\V2  ■  ■  .vz  where  each  ty  is  a  short  string.  The  hash  function 
is  evaluated  as  v!  YU=i  UT  where  u '  and  wiit2  . . .  uz  are  public  generators  in  <Gi  or  G2. 

When  batching  77  equations  containing  the  Waters  hash,  one  often  encounters  terms  of  the  form  Ilj=i  e(tl.v 
J][)=1  u l'3).  This  can  be  rewritten  to  make  the  number  of  pairings  independent  of  the  number  of  equations 
one  wants  to  batch.  This  is  most  useful  when  77  >  z. 

V  z  z  V 

Replace  n  e(9j,  n  u’f1)  with  IM  9jVij,Ui) 

7=1  i=l  i=%  3=1 

In  future  versions,  AutoBatch  will  output  code  to  switch  between  the  most  efficient  verifier  when  77  >2 
and  77  <  z. 

1  °For  many  common  elliptic  curves,  this  is  the  Gi  base  group.  However,  in  some  curves  the  groups  Gi  and  G2  have  similar 
operation  costs;  this  may  give  us  some  flexibility  in  modifying  the  equation. 
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Technique  5:  Distribute  products.  When  a  product  is  applied  to  two  or  more  terms,  distribute  the  product 
to  each  term  to  allow  application  of  other  techniques  such  as  techniques  3  or  4.  For  example: 

v  v  v 

Replace  •  e{bi:  hi))  with  JJe(aj,0j)  •  JJe(b;,/ij) 

i= 1  i=  1  i= 1 

Technique  6:  Move  known  exponents  outside  pairing  and  precompute  pairings.  In  some  cases  it  may  be 
necessary  to  move  exponents  outside  of  a  pairing.  For  example,  when  JIILi  e(<?a%  hbi)  appears,  move  the 
exponents  outside  of  pairing.  When  multiple  such  exponents  appear,  we  can  pre-compute  the  sum  of  a,  •  h.t 
for  all  and  exponentiate  once  in  Gj*. 

v 

Replace  \\_e.{gai ,hbi)  with  e(g,h)^i^ai'bi^ 

i= 1 

Technique  7:  Precompute  constant  pairings.  When  pairings  have  a  constant  first  and  second  argument,  we 
can  simply  remove  these  from  the  equation  and  pre-compute  them  once  at  the  beginning  of  verification 
(equivalent  to  making  them  a  public  parameter). 

Technique  8:  Split  pairings.  In  some  rare  cases  it  can  be  useful  to  apply  technique  3b  in  reverse:  splitting  a 
single  pairing  into  two  or  more  pairings.  This  temporarily  increases  the  number  of  pairings  in  the  verification 
equation,  but  may  be  necessary  in  order  to  apply  subsequent  techniques.  For  example,  this  optimization  is 
necessary  so  that  we  can  apply  the  Waters  hash  optimization  (technique  4)  to  the  ring  signature  of  Boyen  [18]. 

Discussion:  Several  of  the  above  techniques  are  quite  simple,  in  that  they  perform  optimizations  that  would 
seem  “obvious”  to  an  experienced  cryptographer.  However,  many  optimizations  (e.g.,  technique  7)  could 
have  been  applied  in  published  algorithm  descriptions  [20,37],  and  yet  were  not.  Moreover,  it  is  a  computer 
and  not  a  human  that  is  performing  the  search  for  us,  so  an  important  contribution  of  this  work  is  providing 
a  detailed  list  of  which  optimizations  we  tell  the  computer  to  try  out  and  in  which  order,  and  verifying  that 
such  an  approach  can  find  competitive  solutions  in  a  reasonable  amount  of  time.  This  is  nontrivial:  we 
discovered  that  many  orderings  lead  to  “dead  ends” ,  where  the  optimal  solution  is  not  discovered.  We  now 
describe  our  approach  to  finding  the  order  of  techniques. 

3.2  Technique  Search  Approach 

The  challenge  in  automating  the  batching  process  is  to  identify  the  order  in  which  techniques  should  be 
applied  to  a  given  verifier.  This  is  surprisingly  difficult,  as  there  are  many  possible  orderings,  many  of  which 
require  several  (possibly  repeated)  invocations  of  specific  techniques.  Moreover,  some  techniques  might 
actually  worsen  the  performance  of  the  verifier  in  the  hope  of  applying  other  techniques  to  obtain  a  better 
solution.  An  automated  search  algorithm  must  balance  all  of  these  issues  and  must  also  identify  the  orderings 
in  an  efficient  manner. 

The  naive  approach  to  this  problem  is  simply  to  try  all  possible  combinations  up  to  a  certain  limit,  then 
identify  the  best  resulting  verifier  based  on  an  estimate  of  total  running  time.  This  limit  can  be  vastly 
different  as  the  complexity  of  the  scheme  increases.  While  this  approach  is  feasible  for  simple  schemes,  it 
is  quite  inefficient  for  schemes  that  require  the  application  of  several  techniques.  Moreover,  there  is  the 
separate  difficulty  of  determining  when  the  algorithm  should  halt,  as  the  application  of  one  technique  will 
sometimes  produce  a  new  equation  that  is  amenable  to  further  optimization,  and  this  process  can  continue 
for  several  operations. 

Our  Search  Approach:  Our  approach  is  a  “pruned”  breadth-first  search  (PBFS)  which  utilizes  a  finite 
state  transition  function  to  constrain  the  transitions  between  techniques.  This  transition  function  determines 
which  techniques  can  be  applied  to  the  current  state  and  was  constructed  with  our  experience  of  how  the 
optimization  techniques  work  together  logically.  For  instance,  if  technique  5  is  applied  to  the  current  state 
(i.e. ,  distribute  products  to  pairings),  then  techniques  2-4  most  likely  will  apply  given  that  these  techniques 
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move  exponents  or  products  inside  pairings.  From  the  current  state,  only  the  subset  of  techniques  in  which 
the  conditions  for  the  transformation  are  met  are  pursued  further  in  the  search. 

Our  search  algorithm  is  broken  down  into  three  stages.  The  first  stage  of  the  search  is  to  try  technique  Oa 
if  there  are  multiple  verification  equations.  After  consolidating  the  verification  equations,  we  try  technique 
3b  since  there  may  have  been  pairings  with  common  elements  from  separate  equations.  Our  intuition  for 
attempting  technique  3b  in  this  stage  is  to  combine  as  many  pairings  as  possible  before  embarking  on  the 
search.  The  side  effect  is  that  it  reduces  the  number  of  paths  explored  by  the  PBFS,  thereby  making  the 
search  more  efficient.  Moreover,  it  is  useful  to  attempt  technique  7  at  this  stage  and  precompute  pairings 
that  utilize  generators.  We  then  apply  technique  1  to  combine  rj  instances  of  the  equations  to  form  an  initial 
batch  verifier.  However,  if  the  scheme  specifies  a  single  verification  equation,  then  only  technique  1  is  applied 
in  the  first  stage. 

The  second  stage  of  the  search  employs  the  PBFS  (starting  with  technique  2)  and  terminates  when  none 
of  the  techniques  can  be  applied  to  the  current  state  of  a  batch  verifier.  Each  path  from  the  set  of  ordering 
paths  uncovered  during  the  PBFS  is  evaluated  in  terms  of  total  running  time.  The  algorithm  selects  the 
path  from  the  candidate  paths  that  provides  the  highest  cost  savings.  From  the  selected  path,  the  final  (or 
post-processing)  stage  of  the  search  attempts  to  apply  technique  Ob  (unroll  loops)  if  the  equation  utilizes 
for  loops.  We  delay  testing  for  technique  Ob  until  the  post-processing  stage  to  limit  the  search  space  for  an 
efficient  batch  verifier.  If  technique  Ob  is  applied,  then  we  always  attempt  technique  3b  given  that  there  may 
now  be  pairings  that  can  be  further  combined. 

To  prevent  infinite  loops  during  our  PBFS,  the  state  function  disallows  the  application  of  certain  tech¬ 
niques  that  might  potentially  undo  optimizations.  For  example,  technique  8  performs  a  reverse  split  on 
pairings  to  allow  further  optimizations;  this  might  affect  technique  3b,  which  combines  pairings  that  have 
common  elements.  Certain  combinations  of  techniques  8  and  3b  lead  to  an  infinite  cycle  that  combines  and 
splits  the  same  pairings.  Thus,  the  state  function  only  allows  a  transition  from  Technique  8  to  3b  to  occur 
once  on  a  given  path.  We  provide  the  pseudocode  of  our  search  in  Algorithm  1  &  2  and  our  state  transition 
function  in  Table  1. 

Our  approach  is  effective  and  enables  efficiently  deriving  batch  verification  algorithms.  While  our  ap¬ 
proach  does  not  guarantee  the  optimal  batch  equation,  in  practice  we  rediscover  all  existing  lower  bounds 
on  batch  verification  performance,  and  in  some  cases  we  improve  on  results  developed  by  humans. 


Current  State 

Next  States 

(2,  J 

{3a,  3b,  4,  5,  6,  7,  8} 

(3a,  _) 

{2,  3b,  4,  5,  6} 

(3b,  _) 

{2,  3a,  3b,  5,  8} 

(4,  J 

{2,  3a,  3b,  5} 

(5,  J 

{2,  3a,  4} 

(6,  J 

{2,  3b,  5} 

(7,  J 

{2,  3a,  6} 

(8,  true) 

{2,  4,  5,  6} 

(8,  false) 

{2,  4,  5,  3b,  6} 

Table  1:  This  represents  the  transitionFun  of  Algorithm  2  developed  for  pruning  our  breath- first  search 
(PBFS)  algorithm.  The  function  accepts  as  input  the  current  state  which  represents  the  technique  that 
was  previously  applied  to  the  batch  equation  and  whether  there  exists  a  transition  from  technique  8  to  3b 
along  the  path.  In  an  effort  to  ensure  that  all  paths  terminate,  the  function  restricts  the  transition  from 
technique  8  to  3b  to  occur  once  on  a  given  path.  Although  we  do  not  prove  that  our  algorithm  is  guaranteed 
to  terminate,  we  conjecture  that  it  does  in  practice.  In  fact,  it  terminated  promptly  for  all  of  our  test  cases. 
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Algorithm  1  Global  search:  Our  overall  search  procedure  takes  as  input  an  AST  representation  of  the 
initial  verification  equation,  then  attempts  technique  Oa,  3b,  7  and  1  in  the  pre-processing  step.  The  rest  of 
the  algorithm  executes  the  PBFSearch  algorithm  (shown  in  Algorithm  2)  to  determine  ordering.  Then,  it 
applies  the  post-processing  step  by  attempting  technique  Ob  and  3b  if  there  are  loops  involved.  The  search 
returns  the  best  batch  verification  algorithm  and  the  order  of  techniques  applied, 
l:  procedure  GlobalSearch^) 

2:  pathl  ■<—  {} 

3:  pre -techniques  4—  {36, 7}  Pre-processing  stage 

4:  applied ,  eql  4—  applyTechnique(tec/migwe  =  Oa,  eq)  — >  Try  to  consolidate  equations 

5:  if  applied  =  True  then  — >  Technique  Oa  condition  is  satisfied 

6:  for  all  x  €  pre  techniques  do 

7:  applied ,  new  eq  4—  applyTechniqu e(technique  =  x,  eql) 

8:  if  applied  =  True  then 

9:  pathl  4—  pathl  +  [x] 

10:  eql  4—  new  eq 

11:  end  if 

12:  end  for 

13:  end  if 

14:  applied ,  eql  4—  applyTechnique(tec/migwe  =  1,  egl)  — >  Combine  rj  instances  of  equations 

15:  assert  (applied  =  True) 

16:  pathl  4-  pathl  +  [1] 

17: 

18:  AllThePaths  4—  PBFSEARCH(egl,pat/il,  allPaths  =  0,  start  technique  =  2) 

19:  ( bestEq,path2 )  4—  findMin (AllThePaths) 

20:  — >  Finds  path  with  lowest  runtime  estimate  recorded  during  PBFS 

21: 

22:  post  techniques  {06, 36}  -A  Post-processing  stage 

23:  for  all  x  €  post  techniques  do 

24:  applied ,  new  eq  4—  applyTechniqu e(technique  =  x,  bestEq) 

25:  if  applied  =  True  then 

26:  path2  4 —  path2  +  [x] 

27:  bestEq  new  eq 

28:  end  if 

29:  end  for 

30: 

31:  return  bestEq,  path2 

32:  end  procedure 
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Algorithm  2  Pruned  Breadth-First  Search:  the  PBFS  algorithm  takes  as  input  an  AST  of  the  equation, 
sequence  of  applied  techniques  (called  path),  an  empty  set  for  storing  all  uncovered  paths  (called  allPaths), 
and  a  start  technique  for  the  search.  The  path  argument  records  the  techniques  being  explored  in  the  search 
execution.  The  algorithm  returns  a  set  of  paths  dictated  by  transitionFunc  which  is  illustrated  in  Table  1 
and  an  estimate  of  the  batch  verifier  runtime  that  is  associated  with  each  path.  Our  algorithm  selects 
whichever  path  yields  the  lowest  runtime. 

1:  procedure  PBFSEARCH(eg,  path,  allPaths,  technique ) 

2:  applied,  new  eq  4—  applyTechnique(fechragite,  eq) 

3: 

4:  if  applied  =  True  then  — »  Technique  condition  is  satisfied 

5:  path  4—  path  +  [ technique }  Append  technique  to  path 

6:  checkR.es  4—  checkForEdge(8,  36,  path)  —>  check  if  transition  from  8  to  3b  exists  in  path 

7:  techset  4—  transitionFunc(technique,  checkRes)  — ►  return  pruned  set 

8:  for  all  x  £  tech  set  do 

9:  newAUPaths  4—  PBFSearch(neu;  eq,  path,  allPaths,  x) 

10:  allPaths  4—  allPaths  U  newAUPaths 

11:  end  for 

12:  else  — ►  Reached  dead  end  with  this  path 

13:  if  path  qL  allPaths  then 

14:  allPaths  £-  allPaths  U  path  — ►  Add  path  to  set  of  all  paths 

15:  time  4—  estimateRuntime(eg,  N,  T)  — >  N  for  batch  size  &  T  for  group  op.  costs 

16:  recordTime(f?'me,  path)  record  in  a  global  database 

17:  end  if 

18:  end  if 

19:  return  allPaths 

20:  end  procedure 


15 

Approved  for  Public  Release;  Distribution  Unlimited. 

312 


We  begin  with  the  original  verification  equation. 
e(Y,  a)  =  e(g,  b)  and  e(X,  a)  ■  e(X,  b)m  =  e{g,  c) 

Step  1:  Consolidate  the  verification  equations  (tech.  Oa),  and  apply  the  small  exponents 
test  as  follows:  For  each  of  the  2  =  1  to  g  signatures,  choose  random  81,62  £  [1,  2A  —  1] 
and  compute  for  each  equation: 

e(g,  b)dl  ■  e(Y,  a)~Sl  =  e(X,  a)62  ■  e(X,  b)mS2  ■  e(g,  c)~S2 

Step  2:  Combine  g  signatures  (tech.  1),  move  the  exponent(s)  inside  pairing  (tech.  2): 


Q  e(g,  bzSzA )  ■  e(Y,  az  '5*’1 )  =  JI  e(A, 


e(X,  bz 


e(g,  cz 


Step  3:  Merge  pairings  with  common  first  or  second  argument  (tech.  3b): 


0 


czSz'2)  ■  e(y,  az  5z 


=  II  e(X> 


■  e(X,  bz 


2  =  1  2=1 

Step  4:  Merge  pairings  with  common  first  or  second  argument  (tech.  3b): 


]^[  e(g,bzSzA  ■  czz'2)  ■  e(Y,az  Sz’1)  =  ]^[  e(X,az5z’2  ■  bzmz'5z'2) 


2=1  2=1 

Step  5  :  Move  products  inside  pairings  to  reduce  g  pairings  to  1  (tech.  3a): 


]^[  e(g,  bj11’1  ■  cz5z-2)  ■  e(Y,  az  Sz-1)  =  e(X,  ]^[  azz'2  ■  bzmz'Sz'2) 

2=1  2=1 

Step  6:  Distribute  products  (tech.  5): 

II  <id,bzSzA  ■  czSz-2)  ■  e(y,  aj-^’1)  =  e(X,  ajz’2  ■  bzmz'Sz’2) 

2  =  1  2  =  1  2  =  1 

Step  7:  Move  products  inside  pairings  to  reduce  g  pairings  to  1  (tech.  3a): 


e(g,  I}  bz^’1  ■  czSz'2)  ■  e(Y,  ]^[  az  5zA)  =  e(X,  ]^[  a/z-2 
2=1  2  =  1  2  =  1 


Figure  5:  A  fragment  of  the  machine-generated  security  proof  of  a  single-signer  batch  verifier  for  the  bilinear 
CL  signature  scheme  [20].  An  earlier  portion  of  the  proof  asserted  that  a  group  membership  test  would  be 
done  prior  to  checking  the  final  equation.  Here  the  value  g  is  a  generator  of  a  bilinear  group,  the  values  X,  Y 
are  part  of  the  public  key,  a  signature  is  a  tuple  (a,  6,  c)  and  the  message  signed  is  m. 

3.3  Security  and  Machine- Aided  Analysis 

Efficiency  Analysis.  Efficiency  of  the  batch  verifiers  is  computed  in  two  separate  ways.  During  the 
PBFS  algorithm,  the  Batcher  uses  the  batch  size  specified  by  the  user  to  compute  an  estimate  of  the 
runtime  for  all  batch  verifiers.  The  resulting  estimates  enable  selection  of  an  efficient  batch  verifier  from 
many  candidate  verifiers.  As  indicated  in  Algorithm  2,  the  estimates  are  calculated  using  a  database  of 
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average  operation  times  measured  at  library  initialization.  Once  the  Batcher  has  selected  the  most  efficient 
batch  equation,  it  performs  another  analysis  to  determine  a  “crossover  point”,  i.e. ,  the  batch  size  where 
batch  verification  becomes  more  efficient  than  individual  verification.  This  analysis  is  done  by  counting 
the  number  of  operations  required  as  a  function  of  the  batch  size.  These  operations  also  include  group 
operations,  pairings,  hashes,  as  well  as  random  element  generation.  It  then  combines  this  operation  count 
with  the  database  of  average  operation  times  to  compute  the  crossover  point. 

Security  Analysis.  We  have  two  points  to  make  regarding  the  security  of  AutoBatch.  First,  we  argue 
that  the  algorithm  used  by  AutoBatch  to  produce  a  batch  verification  equation  unconditionally  satisfies 
Definition  2.2.  That  is,  the  batch  verification  equation  will  hold  if  and  only  if  each  of  the  individual  signatures 
would  have  passed  the  individual  verification  test  (up  to  a  negligible  error  probability).11 

Theorem  3.1  (Security  of  AutoBatch)  Let  an  AutoBatch  algorithm  be  generalized  as  any  algorithm  that 
transforms  an  individual  pairing-based  signature  verification  test  with  perfect  correctness  into  a  pairing-based 
batch  verification  equation  as  follows: 

1.  Check  the  group  membership  of  all  input  elements,  and  if  no  errors,  apply  Techniques  Oa  and  1  to  the 
individual  verification  equation(s)  using  security  parameter  A  to  obtain  a  single  equation  X . 

2.  Apply  any  of  Techniques  2-8  to  X  to  obtain  equation  X'  and  set  X  :=  X' . 

3.  Repeat  previous  step  any  number  of  times  to  X . 

4 ■  Check  if  there  are  loops  in  X  and  the  bounds  are  known,  then  apply  Technique  Ob  with  security  parameter 
X  to  X  and  further  attempt  Technique  3b  if  applicable.  Then,  return  X . 

Then  all  AutoBatch  algorithms  unconditionally  satisfy  Definition  2.2,  where  the  probability  of  accepting 
an  invalid  batch  is  at  most  2~x  ,  where  A'  <  A  +  2. 


Proof.  We  analyze  this  proof  in  three  parts.  First,  after  Step  1  (the  application  of  Techniques  Oa  and  1), 
there  will  be  one  batch  equation  X  (possibly  with  a  loop  over  it)  and  it  will  satisfy  the  security  requirements 
of  Definition  2.2  with  error  probability  2~A.  These  two  techniques  combine  a  set  of  equations  (possibly  with 
loops  over  them)  into  a  single  equation  (possibly  with  loops  over  them)  using  the  small  exponents  test  with 
security  parameter  A.  Ferrara  et  al.  [28,  Theorem  3.2]  prove  that  this  equation  will  verify  if  and  only  if  all 
individual  equations  from  the  set  verify,  except  with  probability  at  most  2~x .  By  default  in  AutoBatch,  we 
set  A  =  80. 

Second,  given  a  single  arbitrary,  pairing-based  equation  X  (possibly  with  a  loop  over  it),  we  apply  one 
of  Techniques  2-8  (in  Steps  2  and  3).  For  each  Technique  2-8,  we  argue  that  the  output  equation  X'  holds 
if  and  only  if  the  input  equation  X  holds;  that  is,  the  equations  are  identical  up  to  algebraic  manipulations. 
If  this  is  true,  the  final  batch  equation  output  by  AutoBatch  satisfies  Definition  2.2  with  the  same  error 
probability  as  the  equation  output  after  Techniques  Oa  and  1  were  applied,  completing  the  theorem. 

It  remains  to  argue  that  for  each  Technique  2-8,  it  is  indeed  the  case  that  the  input  and  output  equations 
are  identical,  up  to  algebraic  manipulations.  Techniques  2,  3,  4,  6  and  8  follow  relatively  straightforwardly 
from  the  bilinearity  of  the  groups.  As  an  example,  consider  Technique  3b  which  claims  that  e(a,  g )  •  e{b ,  g)  = 
e(a  •  b,g),  for  all  a,b  £  G\  and  g  £  G2  where  o  /  1  A  t  ^  1.  Let  b  =  ak  for  some  k  £  Zp.  Then  we  have 
e(a,g)  ■  e{ak,g)  as  the  LHS,  which  is  e(a,g )  •  e(a,g)k  by  the  bilinearity,  which  is  e(a,  g)k+1  by  multiplication 
in  Gt ■  The  RHS  is  similarly  e(a-  ak,g)  =  e(ak+1,g)  =  e{a,g)k+1.  Technique  5  requires  only  associativity  in 
Gt ■  Technique  7  pre-computes  and  caches  values  instead  of  re-computing  them  on  the  fly. 

Finally,  we  come  to  Step  4  with  a  single  equation  X ,  possibly  having  a  loop  over  it.  If  bounds  for  the 
loop  are  known,  then  this  step  unrolls  the  loop  using  Technique  Ob,  whereby  a  loop  representing  i  =  1  to  t 
iterations  over  an  equation  Xi  is  replaced  logically  by  the  set  of  those  equations  {X\,  X2, . . . ,  Xt}.  This  set  of 

11  The  security  of  the  underlying  signature  scheme  depends  on  a  computational  assumption,  but  the  batcher  unconditionally 
maintains  whatever  security  is  offered  by  the  scheme. 
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equations  is  then  combined  into  a  single  equation  using  the  small  exponents  test,  as  described  above.  Finally, 
Technique  3b  is  applied  if  applicable;  as  discussed  above,  this  technique  is  a  simple  algebraic  manipulation 
of  the  equation  and  does  not  change  it. 

An  error  of  2X  is  introduced  with  each  small  exponents  test  in  Technique  Oa,  1  and  then  Ob,  thus  the 
total  batch  verification  error  is  at  most  3(2~ A).  This  completes  the  theorem.  □ 

To  offer  transparency  on  how  AutoBatch  derived  any  given  batch  verifier,  the  Batcher  produces  both  an 
SDL  file  and,  optionally,  a  human-readable  proof  that  the  resulting  batch  verifier  is  as  secure  as  verifying 
the  signatures  individually.  This  proof  is  a  LaTeX  file  that  includes  the  individual  and  batch  verification 
equations,  with  an  enumeration  of  the  various  steps  used  to  convert  the  former  into  the  latter.  Thus,  while 
Theorem  3.1  already  argues  that  this  proof  is  valid,  this  provides  a  means  for  independently  verifying  the 
security  of  any  given  batching  equation.  Interestingly,  the  first  proof  for  the  batch  verification  of  the  HW 
signatures  [36]  was  produced  automatically  by  AutoBatch. 

We  show  a  fragment  of  this  human-readable  proof  for  the  Camenisch-Lysyanskaya  (CL)  scheme  [20]  in 
Figure  5.  Full  proofs  for  the  Hohenberger- Waters  (HW)  scheme  [36],  the  Camenisch-Lysyanskaya  (CL) 
scheme  [20],  and  the  Verifiable  Random  Functions  (VRF)  scheme  [37]  are  given  in  Appendices  B,  ??,  and  C, 
respectively.  In  Appendix  D,  we  detail  the  results  of  AutoBatch  on  the  Waters09  scheme  (derived  from 
the  Waters  Dual-System  IBE  of  [66]);  because  this  scheme  has  a  negligible  correctness  error  our  automated 
proof  techniques  do  not  directly  apply,  although  we  conjecture  that  the  resulting  scheme  is  secure  up  to  an 
additional  negligible  error  rate.  In  particular,  there  will  be  a  negligible  chance  that  the  batcher  will  output 
reject  on  a  set  of  valid  signatures. 

The  security  analysis  provided  in  this  section  applies  to  the  mathematics  only.  AutoBatch  goes  on  to 
convert  this  mathematical  batching  equation  into  code,  which  could  potentially  introduce  software  errors. 
However,  our  hope  is  that  the  deliberate  process  by  which  AutoBatch  generates  code  would  actually  help 
reduce  software  errors  by  systematically  including  steps,  such  as  the  group  membership  test,  which  could 
easily  be  accidentally  omitted  by  a  human  implementor. 

3.4  Code  Generation 

The  output  of  the  Batcher  is  a  batch  verification  equation  encoded  in  SDL.  This  file  defines  all  of  the 
datatypes  for  the  signature,  message  and  public  key  (or  identity  and  public  parameters  in  the  case  of  an 
identity-based  signature).  The  Code  Generator  converts  this  SDL  representation  into  usable  Python  or  C+- 1- 
source  code  that  can  operate  on  real  batch  inputs.  The  SDL  representation  consists  of  the  individual  and 
batch  verification  equations  including  logic  for  the  following  components: 

1.  Group  membership  tests.  For  each  element  in  the  signature  (and  optionally  the  public  key,  if  the 
user  requests)12  the  membership  to  the  group  is  tested  using  an  exponentiation.  Section  2.2  discusses 
the  importance  and  details  of  this  test. 

2.  Pre-computation.  Several  values  often  will  be  re-used  within  a  verification  equation.  When  this 
happens,  the  batch  verifier  can  pre-compute  certain  results  once,  rather  than  needlessly  compute  them 
several  times. 

3.  Verification  method.  For  relatively  small  batch  sizes,  it  may  be  more  efficient  to  bypass  the  batch 
verifier  and  simply  verify  the  signatures  using  the  individual  verification  function.  For  this  reason,  our 
Code  Generator  generates  this  function  as  well  (the  output  of  the  Batcher  contains  both  functions), 
and  adds  logic  to  programmatically  choose  between  batch  and  individual  verification  when  the  batch 
size  is  below  a  crossover  point  automatically  determined  in  the  Analysis  phase. 

4.  Invalid  signature  detection.  To  handle  the  presence  of  invalid  signatures  in  a  batch,  our  batch 
verifier  code  includes  a  recursive  divide- and- conquer  strategy  to  recover  from  a  batching  failure  (see 

12In  many  applications  we  can  assume  that  the  public  keys  are  trusted,  thus  we  can  omit  group  membership  testing  on  these 
values. 
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e.g,.  [28]  for  a  discussion  of  this).  On  failure,  this  verifier  divides  the  signature  collection  into  two 
halves  and  recurses  by  repeating  verification  on  each  half  until  all  of  the  invalid  signatures  have  been 
identified. 

The  Code  Generator  consists  of  two  “back-end”  modules,  which  produce  Clrarm/Pytlron  and  Charm/C++ 
representations  of  the  batch  verifiers.  It  would  be  relatively  easy  to  extend  this  module  to  add  support  for 
additional  languages  and  settings. 

3.5  Code  Parsing 

While  SDL  is  the  primary  input  language  for  our  batcher,  we  also  support  batching  from  a  pre-existing 
implementation  of  a  signature  scheme.  To  facilitate  this,  we  provide  a  Code  Parsing  engine  that  inter¬ 
prets  signature  schemes  written  in  a  high  level  language,  derives  their  verification  equation  and  data  types, 
and  produces  a  resulting  SDL  file.  While  our  techniques  should  work  with  various  languages  (provided 
that  the  signature  implementation  is  somewhat  constrained),  our  prototype  implementation  is  based  on 
Charm/Python.  This  means  we  can  take  advantage  of  a  relatively  large  library  of  pre-existing  Charm  imple¬ 
mentations.  Additionally,  in  this  setting  we  are  assisted  by  the  Python  interpreter,  which  grants  programatic 
access  to  the  Python  Abstract  Syntax  Tree  via  the  compiler. ast  module. 

While  Charm  implementations  are  relatively  constrained  in  terms  of  their  structure,  a  challenging  aspect 
of  code  parsing  is  identifying  the  type  of  each  variable.  We  stress  that  this  problem  is  not  unique  to  Python: 
indeed,  many  standard  libraries  (such  as  the  the  C-based  Stanford  Pairing-Based  Crypto  library  [47])  employ 
abstract  data  types  to  represent  group  elements.  Interpreting  code  written  using  these  languages  will  also 
require  techniques  similar  to  the  ones  we  use. 

Code  parsing  consists  of  the  following  stages.  First,  we  parse  the  entire  signature  scheme  file  to  identify 
the  AST  node  of  the  signature  verifyQ  method,  and  then  identify  the  equality  comparisons  in  this  function 
that  are  fundamentally  responsible  for  the  signature  verification  process.  We  next  build  a  map  of  variable 
names,  types,  structure,  and  operations.  For  each  assignment,  we  check  the  properties  of  that  assignment 
using  a  further  set  of  heuristics.  If  we  determine  that  a  given  assignment  is  relevant,  we  extract  certain 
information  about  it,  such  as  the  type  of  the  variables.  We  obtain  this  information  by  applying  known  rules 
to  infer  types.  For  example,  we  know  that  certain  hash  calls  indicate  an  element  of  Gi,  a  pairing  indicates 
an  element  in  G t,  random  element  generation  calls  typically  indicate  the  type  of  element  being  generated, 
and  so  on.13 

To  simplify  the  parsing,  we  restrict  the  subset  of  Python  converted  to  SDL.  In  particular,  we  do  not 
support  the  use  of  functional  constructs  in  Python  such  as  lambda  functions.  Our  database  currently 
includes  signatures  for  the  following  types: 

1.  All  pairings  and  their  parameters  and  types. 

2.  All  hashes  and  their  parameters  and  types. 

3.  All  Python  dictionaries,  their  key  names,  their  value  names,  and  their  types.  Charm  makes  extensive 
use  of  this  data  structure,  so  this  is  important. 

4.  All  constant  numbers  and  strings. 

4  Implementation  &;  Performance 

Subsequent  to  our  initial  publication  of  the  conference  version  of  this  work  [2],  we  identified  a  software  bug 
in  the  group  membership  function  of  Charm  v0.42  that  affected  our  results.  The  results  in  this  paper  include 
the  corrections  to  the  affected  group  membership  test  which  reduces  the  efficiency  gains  of  batch  verification 
in  all  our  test  cases.  In  particular,  there  are  noticeable  reductions  in  performance  for  CL  [20],  Waters09  [66] 
and  HW  (with  different  signers)  [36].  Although  an  optional  feature,  our  membership  tests  include  public 

1  5  We  believe  that  this  approach  may  also  be  useful  in  the  future  for  static  checking  and  formal  verification  of  dynamically- 
typed  cryptographic  implementations. 
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Scheme 

Type 

Model  Ind- Verify 

By  Hand 

Batch- Verify  Reference 

By  AutoBatch 
Batch- Verify 

Techniques 

1.  Boyen-Lynn-Shacham  (BLS)  (ss) 

S 

RO 

2  V 

2 

[16] 

2 

1,2,3a 

2.  Camenisch  et  al.  (CHP)  (same  period) 

S 

RO 

3  V 

3 

[19] 

3 

1,2, 3a, 5, 3a 

3.  Camenisch-Lysyanskaya  (CL)  (ss) 

S 

P 

5  Tj 

5r] 

none 

3 

Oa, 1,2, 3b, 3b, 3a, 5, 3a 

4.  Hohenberger- Waters  (HW)  (ss) 

S 

P 

2  V 

2V 

none 

4 

1,2, 3a, 8, 6, 5, 3a 

5.  Hohenberger- Waters  (HW) 

S 

P 

2  V 

2V 

none 

4 

1,2, 3a, 5, 3a 

6.  Waters09  (ss) 

S 

P 

9  rj 

9r) 

none 

13 

1,2, 8, 5, 3a, 6, 3b 

7.  Hess 

I 

RO 

2  V 

2 

[28] 

2 

1,2,3a 

8.  Cha-Cheon  (ChCh) 

I 

RO 

2  V 

2 

[42] 

2 

1,2,3a 

9.  Waters05 

I 

P 

3  V 

z  +  3 

[19] 

2  +  3 

1,2, 3a, 8, 6, 5, 3a, 4, 3b 

10.  Chow-Yiu-Hui  (CYH) 

IR 

RO 

2  V 

2 

[28] 

2 

1,2, 3a, 2 

11.  Boyen  (same  ring) 

R 

P 

tri  + 1 

u+\ 

[28] 

U  +  l 

1,2, 8, 4, 3b, 8, 5, 3a 

12.  Boneh-Boyen-Shacham  (BBS) 

G 

RO 

5  r) 

2 

[28] 

2 

1,2, 3b, 3b, 5, 3a 

13.  VRF  equations  1,3,4  &;  2  (ss) 

V 

P 

3?;  +  2i 

31  +  1 

[37] 

1  +  3  Oa,  3b,  1,2, 3a,  1,2, 3a,  5, 3a,  3b,  Ob,  3b 

14 ■  ChCh  and  Hess  together 

M 

RO 

2V 

4 

none 

2 

Oa, 1,2, 3a, 5, 3a, 3b 

Table  2:  Digital  Signature  Schemes  used  as  test  cases  in  AutoBatch.  We  show  a  comparison  between  naive 
batch  verifiers  designed  by  hand  or  discovered  in  the  literature  and  ones  found  by  AutoBatch.  Scheme  names 
followed  by  an  “ss”  were  only  batched  for  the  same  signers;  otherwise,  different  signers  were  allowed.  For 
types,  S  stands  for  regular  signature,  I  stands  for  identity-based,  M  stands  for  a  batch  that  contains  a  mix 
of  two  different  types  of  signatures,  R  stands  for  ring,  G  stands  for  group  and  V  stands  for  verifiable  random 
function.  For  models,  RO  stands  for  random  oracle  and  P  stands  for  plain.  Let  £  be  either  the  size  of 
the  ring  or  the  number  of  bits  in  the  VRF  input.  Let  z  be  a  security  parameter  for  the  Waters  hash  [65] 
and  can  be  set  to  5  in  practice.  To  approximate  verification  performance,  we  count  the  total  number  of 
pairings  needed  to  process  r\  valid  signatures.  Unless  otherwise  noted,  the  inputs  are  from  different  signers. 
The  final  column  indicates  the  order  of  the  techniques  from  Section  3  that  AutoBatch  applied  to  obtain  the 
resulting  batch  verifier.  The  rows  in  bold  are  the  schemes  where  AutoBatch  discovered  new  or  improved 
algorithms.  Finally,  the  italicized  row  represents  the  ability  of  AutoBatch  to  construct  batch  verifiers  for 
different  signature  types.  This  is  an  instance  of  cross-scheme  batching  and  we  compare  it  to  batching  naively 
per  signature  type. 


keys  to  reflect  the  worst  case  performance  of  batch  verification  without  invalid  signatures  in  the  batch.  See 
Figure  6  for  the  new  graphs. 

4.1  Experimental  Setup 

To  evaluate  the  performance  of  our  techniques  we  implemented  them  as  part  of  the  Charm  prototyping 
framework  [1],  Charm  is  a  Python-based  cryptographic  prototyping  framework,  and  provides  native  support 
for  bilinear-map  based  cryptography  and  other  useful  primitives,  e.g.,  hashing  and  serialization.  We  used  a 
version  of  Charm  that  implements  all  bilinear  group  operations  using  the  C-based  MIRACL  library  [59]. 14 
The  necessary  MIRACL  calls  are  accessed  from  within  our  Python  code  via  the  C  module  interface. 

To  determine  the  performance  of  our  system  in  isolation,  we  first  conducted  a  number  of  experiments 
on  various  components  of  our  code.  First,  we  used  the  code  parsing  component  to  convert  several  Python 
signature  implementations  into  our  intermediate  SDL  representation.  Next,  we  applied  our  batcher  to  the 
SDL  result  in  order  to  obtain  an  optimized  equation  for  a  batch  verifier.  We  then  applied  our  code  generator 
to  convert  this  representation  into  a  functioning  batch  verifier  program,  which  we  applied  to  various  test 
data  sets. 

Hardware  configuration.  For  consistent  results  we  ran  all  of  our  experiments  on  a  single  hardware  platform: 
a  2  x  2.66  GHz  6-Core  Intel  Xeon  Macintosh  Pro  running  MacOS  version  10.7.3  with  12GB  of  RAM.  We  ran 
all  of  our  tests  within  a  single  thread,  and  thus  used  resources  from  only  a  single  core  of  the  Intel  processor. 

14The  version  of  Charm  we  used  (0.42)  can  be  found  in  the  Charm  github  repository  at  www.charm-crypto.com.  It  uses 
MIRACL  5.5.4  for  bilinear  group  operations. 
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Approx.  Signature  Size 

MIRACL 

w/  BN256 

RELIC  w/  BN256 

MNT160 

BN256 

Individual 

Batched* 

Individual 

Batched* 

I  Signatures 

BLS  [16]  (same  signer) 

160  bits 

256  bits 

26.6  ms 

2.2  ms 

11.9  ms 

1.5  ms 

CHP  [19]  (same  time  period) 

160  bits 

256  bits 

46.1  ms 

7.2  ms 

24.0  ms 

7.8  ms 

HW  [36]  (same  signer) 

320  bits 

512  bits 

40.5  ms 

4.7  ms 

22.4  ms 

3.0  ms 

HW  [36]  (diff  signer) 

320  bits 

512  bits 

40.5  ms 

61.1  ms 

22.4  ms 

29.2  ms 

Waters09  [66,  §6.1]  (same  signer) 

6240  bits 

6912  bits 

153.2  ms 

33.1  ms 

93.7  ms 

44.2  ms 

CL  [20]  (same  signer) 

480  bits 

768  bits 

72.0  ms 

15.9  ms 

34.6  ms 

18.0  ms 

|  ID-Based  Signatures 

Hess  [35] 

1120  bits 

3328  bits 

32.7  ms 

22.0  ms 

17.1  ms 

8.4  ms 

ChCh  [24] 

320  bits 

512  bits 

27.5  ms 

4.6  ms 

12.6  ms 

2.4  ms 

Waters05  [65] 

480  bits 

768  bits 

45.3  ms 

11.8  ms 

21.5  ms 

11.0  ms 

|  Group,  Ring  and  ID-based  Ring  Signatures 

BBS  [13]  Group  signature 

2400  bits 

5376  bits 

99.9  ms 

31.2  ms 

63.9  ms 

18.7  ms 

Boyen  [18]  Ring  signature,  3- member  ring 

960  bits 

1536  bits 

64.2  ms 

15.0  ms 

41.5  ms 

9.8  ms 

CYH  [27]  Ring  signature,  10-member  ring 

1760  bits 

2816  bits 

34.2  ms 

22.3  ms 

20.7  ms 

16.2  ms 

|  VRFs 

|HW  VRF  [Hohenberger- Waters  2010]  (same  signer,  t  =  8)  2240  bits 

5120  bits 

251.4  ms 

36.1  ms 

112.5  ms 

18.3  ms 

1  Combinations 

|  ChCh  +  Hess 

1440  bits 

3840  bits 

55.6  ms 

26.2  ms 

25.7  ms 

10.4  ms 

*  Verification  time  per  signature  when  batching  100  signatures. 


Table  3:  Cryptographic  overhead  and  verification  time  for  all  of  the  pairing-based  signatures  in  an  alternative 
implementation  of  AutoBatch.  RELIC  is  faster  on  12  of  14  schemes,  but  MIRACL  is  better  on  CL  and 
Waters09.  We  speculate  that  this  is  because  modular  exponentiation  in  Gi  and  G2  is  slightly  slower  in 
RELIC  compared  to  MIRACL.  Since  RELIC  is  an  actively  developed  library,  we  believe  this  issue  can  be 
addressed  in  future  versions.  In  the  case  of  HW  (with  different  signers),  individual  verification  outperforms 
batch  verification  in  both  libraries  because  batch  time  is  dominated  by  group  membership  tests. 


We  instantiated  all  of  our  cryptographic  implementations  using  a  160-bit  MNT  elliptic  curve  and  a  256-bit 
Barreto-Naelrrig  (BN)  curve  provided  with  MIRACL.  Results  are  shown  in  Table  3  and  Figure  6. 

A  note  on  the  library.  We  chose  MIRACL  because  it  is  mature  and  well  supported.  However,  some  research 
libraries  like  RELIC  [4]  provide  alternative  pairing  implementations  that  may  outperform  MIRACL  in  specific 
settings.  We  note  that  our  results  will  apply  to  any  implementation  where  there  is  a  substantial  difference 
between  group  operation  and  pairing  times.  In  our  experiments  with  RELIC  using  a  provided  BN256  curve, 
we  observed  a  6-to-l  differential  between  pairings  and  operations  in  Gi.  Our  main  results  do  hold  in  this 
setting,  and  in  fact  improve  the  overall  performance  in  that  we  can  process  a  higher  number  of  signatures 
with  batch  verification.  We  provide  the  details  of  this  alternative  version  of  AutoBatch  and  a  complete 
comparison  against  the  BN256  curve  MIRACL  implementation  in  Table  3. 

4.2  Signature  Schemes  Used  as  Test  Cases  and  Summary  of  the  Results 

We  ran  our  experiments  using  two  sets  of  test  cases.  The  first  set  was  comprised  of  a  variety  of  existing 
schemes,  including  regular,  identity-based,  ring  and  group  signatures,  as  well  as  verifiable  random  functions. 
To  make  AutoBatch  as  robust  as  possible,  we  also  tested  it  on  a  second  set  of  fabricated  pairing-product 
equations  that  we  designed  by  hand  to  trigger  many  different  orderings  on  the  techniques.  We  summarize 
AutoBatch’s  performance  on  existing  schemes  in  Table  2. 

In  eight  cases,  the  batching  algorithm  output  by  AutoBatch  matched  the  prior  best  known  result.  In  the 
remaining  cases,  AutoBatch  provided  a  faster  algorithm.  We  now  describe  these  cases  in  more  detail. 

We  briefly  recall  the  verification  equations  in  VRF  [37].  The  public  key  is  represented  by  U,U,gi,g2,h, 
the  signature  is  represented  by  y,  n  =  7To7Ti,  . . . ,  ire,  and  the  message  is  x  =  x\, ...  ,xe,  where  £  denotes  the 
number  of  bits  in  the  VRF  input.  The  equations  are  as  follows: 
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1-  e(Tri, g2)  =  e{g^  Xl)-U*1,U) 

2.  for  t  —  2  to  £  it  holds:  e(7Tt,  (72)  =  e(7Tji^at\ g2)  •  e(n^1,  Ut) 

? 

3-  e(7r0,32)  =  e(7r/,C/0) 

? 

4.  e(7r0,  /i)  =  y 

AutoBatch  first  realized  a  batching  algorithm  for  the  VRF  [37]  that  takes  only  two-thirds  the  time  of  the 
one  provided  in  [37]  (or  2£  +  2  total  pairings).  Then,  after  we  double-checked  this  result  by  hand,  we  realized 
that  the  verification  of  equation  2  could  be  further  optimized  to  only  £  —  1  pairings  by  unrolling  the  loop 
and  combining  the  individual  verification  equations  checked  at  each  iteration.  Moreover,  a  portion  of  the 
unrolled  loop  with  the  g2  term  could  be  combined  with  the  corresponding  term  in  the  combined  equations 
1,3,4  for  a  total  pairing  count  of  only  £  +  3  pairings  to  batch  an  arbitrary  number  of  VRF  proofs  for  t-bit 
inputs.  We  implemented  this  loop  unrolling  technique,  incorporated  it  into  AutoBatch  and  automatically 
applied  it  to  VRF  to  obtain  l  +  3  pairings.  The  VRF  batching  algorithm  and  proof  appear  in  Appendix  C. 

In  test  case  14  shown  in  Table  2  (ChCh  [24]  and  Hess  [35]  together),  we  simulated  a  scenario  where 
a  batch  contains  a  mix  of  two  different  types  of  signatures.  In  this  case,  the  batch  consisted  of  both 
ChCh  [24]  signatures  and  Hess  [35]  signatures  in  a  randomized  order.  Instead  of  sorting  the  signatures 
into  two  groups  and  batching  them  individually,  AutoBatch  automatically  looked  for  the  common  algebraic 
structure  between  the  two  distinct  schemes  and  applied  the  batching  techniques  described  in  Section  3.1. 
As  a  generalized  example,  if  two  signature  schemes  both  use  the  same  generator  g,  where  the  first  signature 
scheme  uses  e(A,  g )  in  its  verification  equation  and  the  second  signature  scheme  uses  e(B,  g)  in  its  verification 
equation,  then  AutoBatch  will  apply  Technique  6  to  obtain  e(A  ■  B,g)  in  the  combined  verification  equation 
(as  well  as  apply  the  small  exponents  test).  In  the  case  of  the  ChCh  [24]  and  Hess  [35]  batch,  this  cuts 
the  total  number  of  pairings  in  half.  To  the  best  of  our  knowledge,  this  is  the  first  documented  result  for 
cross-scheme  signature  batch  verification. 

For  the  Hohenberger- Waters  signatures  [36],  we  assume  that  each  public  key  includes  the  precomputed 
values  as  suggested  in  [36,  Section  4.2].  For  the  case  of  different  signers,  we  assume  that  the  base  group 
elements  g ,  u ,  v ,  d,  w,  z ,  h  are  chosen  by  a  trusted  third  party  and  shared  by  all  users.  The  Waters09  scheme 
is  derived  from  the  Waters  Dual-System  IBE  of  [66]  using  the  technique  described  by  Naor  [14].  Because 
the  decryption  algorithm  of  this  IBE  scheme  has  a  negligibly  small  correctness  error,  the  resulting  signature 
scheme  also  has  a  negligible  correctness  error.  That  is,  there  is  a  small  chance  that  a  valid  signature  will 
be  rejected  by  the  verification  test.  Although  this  means  that  our  automated  proof  techniques  do  not 
immediately  apply,  we  still  wanted  to  run  the  program  on  this  complicated  test  case  to  see  how  efficient 
of  a  candidate  batching  scheme  it  could  produce.  The  details  of  these  batching  algorithms  appear  in 
Appendices  B  and  D  respectively. 

4.3  Microbenchmarks 

To  evaluate  the  efficiency  of  AutoBatch,  we  implemented  several  pairing-based  signature  schemes  in  Charm. 
We  ran  AutoBatch  to  extract  an  SDL-based  intermediate  representation  of  the  scheme’s  verification  equation, 
an  optimized  batch  verifier  for  the  scheme,  and  Python  and  C++  code  for  implementing  the  batch  verifier. 
We  measured  the  processing  time  for  each  of  the  above  steps.  Our  timings,  averaged  over  100  runs,  are 
presented  in  Table  4. 

To  obtain  our  microbenchmarks,  we  ran  AutoBatch  on  several  exemplary  pairing-based  schemes  as  listed 
in  Table  2.  We  then  experimented  with  these  schemes  at  different  batch  sizes,  in  order  to  evaluate  their  raw 
performance.  The  results  are  presented  in  Figure  6. 

Each  graph  shows  the  average  per-signature  verification  time  for  a  batch  of  77  signatures,  for  77  ranging 
from  1  to  100.  We  conducted  these  tests  by  first  generating  a  collection  of  77  keypairs  and  random  messages,15 

15We  used  100-byte  random  strings  for  each  message.  In  the  case  of  the  stateful  HW  signature,  we  batched  only  signatures 
with  the  same  counter  value. 
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Figure  6:  Signature  scheme  microbenchmarks  for  Waters09  [66],  HW  [36]  and  CL  [20]  public-key  signatures 
(same  signer),  the  VRF  [37]  (with  block  size  of  8),  combined  verification  of  ChCh+Hess  IBS  [24,35],  and 
Boyen  ring  signature  (3  signer  ring)  [18].  Per-signature  times  were  computed  by  dividing  total  batch  ver¬ 
ification  time  by  the  number  of  signatures  verified.  All  trials  were  conducted  with  10  iterations  and  were 
instantiated  using  a  160-bit  MNT  elliptic  curve.  Variation  in  running  time  between  trials  of  the  same  signa¬ 
ture  size  were  minimal  for  each  scheme.  Note  that  in  one  HW  case,  all  signatures  are  formulated  by  the  same 
signer  (as  for  certificate  generation).  All  other  schemes  are  without  such  restrictions.  Individual  verification 
times  are  included  for  comparison. 


then  computing  a  valid  signature  over  each  message.  We  fed  each  collection  to  the  batch  verifier.  ID-based 
signatures  were  handled  in  a  similar  manner,  although  we  substitute  random  identities  in  place  of  keys.  For 
the  Boyen  ring  signature,  we  generated  a  group  of  three  signing  keys  to  construct  our  ring.  In  each  case,  we 
averaged  our  results  over  100  experimental  runs  and  computed  verification  time  per  signature  by  dividing 
the  total  batching  time  by  the  number  of  signatures  batched. 

4.4  Batch  Verification  in  Practice 

Prior  works  considered  the  implication  of  invalid  signatures  in  a  batch,  e.g.,  [28,42,50,51,69].  Mainly, 
these  works  estimated  raw  signature  verification  times  under  various  conditions.  To  evaluate  how  signature 
batching  might  work  in  real  life,  we  constructed  a  simulation  to  determine  the  resilience  of  our  techniques 
to  various  denial  of  service  attacks  launched  by  an  adversary. 

Basic  Model.  For  this  experiment,  we  simulated  a  server  that  verifies  incoming  signed  messages  read  from 
a  network  connection.  This  might  be  a  reasonable  model  for  a  busy  server-side  TLS  endpoint  using  client 
authentication  or  for  a  car-to-car  communications  base  station. 

Our  server  is  designed  to  process  as  many  signatures  as  possible,  and  is  limited  only  by  its  computa¬ 
tional  resources.16  Signatures  are  drawn  off  of  the  “wire”  and  grouped  into  batches,  with  each  batch  size 
representing  the  expected  number  of  signatures  that  can  be  verified  in  one  second.  Initially  this  number  is 
simply  a  guess,  which  is  adjusted  upwards  or  downwards  based  on  the  time  required  to  verify  each  batch.1' 
This  approach  can  lead  to  some  transient  errors  (batches  that  require  significantly  more  or  less  than  one 

16This  models  a  server  that  delays,  drops  or  redirects  the  signatures  that  it  cannot  handle  (e.g.,  via  load  balancing). 

1 '  The  adjustment  is  handled  in  a  relatively  naive  way:  the  server  simply  computes  the  next  batch  size  by  extrapolating  based 
on  its  time  to  compute  the  previous  batch. 
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Process 

BLS 

CHP 

CL 

HW-diff  Waters09  Waters05  ChCh/Hess 

CYH  Boyen 

BBS 

VRF 

Batcher 

103.1 

90.1 

295.2 

126.1 

578.9 

1859.2 

160.1 

101.2 

545.1 

443.5 

419.5 

Partial-Codegen 

124.3 

171.7 

152.2 

242.3 

361.6 

291.2 

162.0 

242.8 

321.2 

315.1 

251.2 

Full-Codegen 

491.7  757.8 

785.9 

1481.6 

3405.8 

1507.1 

798.6 

876.3 

1233.5 

1998.3  2748.3 

Table  4:  Time  in  milliseconds  required  by  the  Batcher  and  Code  Generator  to  process  a  variety  of  signa¬ 
ture  schemes  (averaged  over  100  test  runs).  Batcher  time  includes  search  time  for  the  technique  ordering, 
generating  the  proof  and  estimating  the  crossover  point  between  individual  and  batch  verification.  The 
Partial-Codegen  time  represents  the  generation  of  the  batch  verifier  code  from  a  partial  SDL  description  and 
Charm  implementation  of  the  scheme  in  Python.  The  Full-Codegen  time  represents  the  generation  of  code 
from  a  full  SDL  description  only.  The  running  times  are  a  product  of  the  complexity  of  each  scheme  as  well 
as  the  number  of  unique  paths  uncovered  by  our  search  algorithm.  In  all  cases,  the  standard  deviation  in 
the  results  were  within  ±3%  of  the  average. 


AutoBatch  Performance  During  DoS  Attack 


Figure  7:  Simulated  service  denial  attacks  against  a  batch  verifier  (BLS  signatures,  single  signer).  The 
“Invalid  Signatures  as  Fraction  of  Total”  line  (right  scale)  shows  the  fraction  of  invalid  signatures  in  the 
stream.  Batcher  throughput  is  measured  in  signatures  per  second  (left  scale).  The  “Batch-Only  Verifier” 
line  depicts  a  standard  batch  verifier.  The  solid  line  is  a  batch  verifier  that  automatically  switches  to 
individual  verification  when  batching  becomes  suboptimal. 


second  to  evaluate)  when  the  initial  guess  is  wrong,  or  when  conditions  change.  In  normal  usage,  however, 
this  approach  converges  on  an  appropriate  batch  size  within  1-2  seconds. 

4.4.1  Basic  DoS  Attacks 

A  major  concern  when  using  a  batch  verifier  is  the  possibility  of  service  denial  or  degradation,  resulting 
from  the  presence  of  some  invalid  signatures  in  the  batch.  As  described  in  Section  3,  each  of  our  batch 
verifiers  incorporates  a  recursive  divide-and-conquer  strategy  for  identifying  these  invalid  signatures,  which 
is  borrowed  from  Law  and  Matt  [42].  This  recursion  comes  at  a  price;  the  presence  of  even  a  small  number 
of  invalid  signatures  can  seriously  degrade  the  performance  of  a  batch  verifier. 

To  measure  this,  we  simulated  an  adversary  who  injects  invalid  signatures  into  the  input  stream.  Under 
the  assumption  that  these  signatures  are  well-mixed  with  the  remaining  valid  signatures,18  we  measured 
the  verifier’s  throughput.  Our  adversary  injects  no  invalid  signatures  for  the  first  several  seconds  of  the 
experiment,  then  gradually  ramps  up  its  output  until  the  number  of  invalid  signatures  received  by  the 
verifier  approaches  50%. 

18In  practice,  this  is  not  a  strong  assumption,  as  a  server  can  simply  randomize  the  order  of  the  signatures  it  receives. 
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A  switch  to  individual  verification.  Our  experiments  indicate  that  batch  verification  performance  exceeds  that 
of  individual  verification  even  in  the  presence  of  a  relatively  large  fraction  of  invalid  signatures.  However,  at 
a  certain  point  the  batch  verifier  inevitably  begins  to  underperform  individual  verification.19  To  address  this, 
we  implemented  a  “countermeasure”  in  our  batch  verifier  to  automatically  switch  to  individual  verification 
whenever  it  detects  the  presence  of  a  significant  fraction  of  invalid  signatures. 

Analysis  of  results.  We  tested  the  batch  verifier  on  the  single-signer  BLS  scheme  with  and  without  the 
individual-verification  countermeasure.  See  Figure  7.  Throughput  is  quite  sensitive  to  even  small  numbers 
of  invalid  signatures  in  the  input  stream.  Yet,  when  comparing  batch  verification  to  individual  verification 
throughput,  even  under  a  significant  attack  batch  verification  dramatically  outperforms  individual  verifica¬ 
tion  (up  to  approximately  15%  ratio  of  invalid  signatures).  Similarly,  the  switch  to  individual  verification  is  a 
useful  countermeasure  for  attacks  that  exceed  approximately  20%  invalid  signatures.  While  these  threshold 
switches  do  not  thwart  DoS  attacks,  they  do  provide  some  mitigation  of  the  potential  damage. 

5  AutoBatch  Toolkit 

The  AutoBatch  source  code  and  test  cases  described  in  this  paper  are  publicly  available  in  the  github 
repository  at  https  :  / / github  .  com/  JHUISI/ auto-tools. 


6  Conclusion 

The  batch  verification  of  pairing-based  signatures  is  a  great  fit  for  applications  where  short  signatures  are  a 
design  requirement  and  yet  high  verification  throughput  is  required,  such  as  car-to-car  communications  [23, 
60] .  This  work  demonstrates  for  the  first  time  that  the  design  of  these  batching  algorithms  can  be  efficiently 
and  securely  automated. 

The  next  step  is  to  tackle  the  automated  design  of  more  complex  functionalities,  where  it  may  be  infeasible 
to  replicate  a  theorem  like  Theorem  3.1  arguing  that  automated  design  process  unconditionally  preserves 
security.  In  this  case,  one  might  instead  focus  on  having  the  design  tool  also  output  a  proof  sketch  that  could 
be  fed  into  and  verified  by  EasyCrypt  [10]  or  a  similar  proof  checking  tool.  Indeed,  what  are  the  natural 
settings  where  the  creativity  of  the  design  process  can  be  feasibly  replaced  by  an  extensive  computerized 
search  (perhaps  with  smart  pruning)?  Can  the  “proof  sketches”  needed  for  verification  by  EasyCrypt  be 
generated  automatically  for  these  designs?  These  are  exciting  questions  which  could  fundamentally  change 
cryptography. 

On  the  implementation  of  AutoBatch,  future  work  could  be  more  resilient  to  DoS  and  related  attacks 
by  implementing  alternative  techniques  for  recognizing  invalid  signatures  in  a  batch,  e.g.,  [42,50,51,69].  We 
are  continuously  on  the  lookout  for  more  efficient  means  of  computing  in  bilinear  groups.  Future  versions  of 
AutoBatch  will  support  MIRACL’s  API  for  computing  “multipairings”  (efficient  products  of  multiple  bilinear 
pairings).  It  would  be  interesting  to  understand  how  this  and  future  inclusions  may  impact  performance. 
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A  Machine-Generated  Batch  Verification  Equations 

In  Figure  8,  we  provide  the  final  batch  verification  equations  output  by  AutoBatch  for  each  of  the  signature  schemes  tested. 


B  A  machine-generated  proof  for  HW 

The  following  proof  was  automatically  generated  by  the  Batcher  while  processing  the  HW  signature  scheme  [36]. 
This  execution  allows  signatures  on  different  signing  keys. 


B.l  Definitions 


This  document  contains  a  proof  that  HW.  Batch  Verify  is  a  valid  batch  verifier  for  the  signature  scheme  HW. 
Let  U,  V,  D1  g ,  w,  z,  h  be  values  drawn  from  the  key  and/or  parameters,  and  M,  cti,  02,  r,  i  represent  a  message 
(or  message  hash)  and  signature.  The  individual  verification  equation  HW. Verify  is: 

e(<n,g)  =  UM  ■  Vr  ■  D  ■  e(a2,  ullgW1  •  zf  ■  h) 

Let  77  be  the  number  of  signatures  in  a  batch,  and  r)'i ....  6V  £  [l,  2A  —  l]  be  a  set  of  random  exponents  chosen 
by  the  verifier.  The  batch  verification  equation  HW.  Batch  Verify  is: 
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We  will  now  formally  define  a  batch  verifier  and  demonstrate  that  HW.  Batch  Verify  is  a  secure  batch  verifier 
for  the  HW  signature  scheme. 


Definition  B.l  (Pairing-based  Batch  Verifier)  Let  BSetup(lr)  — ►  (q,g,G,GT,e).  For  each  j  £  [1,77], 
where  77  £  poly(r),  let  X^  be  a  generic  pairing-based  claim  and  let  Verify  be  a  pairing  based  verifier.  We 
define  pairing-based  batch  verifier  for  Verify  a  probabilistic  poly(r)-time  algorithm  which  outputs  accept  if 
holds  for  all  j  £  [1,77]  whereas  it  outputs  reject  if  X^  does  not  hold  for  any  j  £  [1 , 77]  except  with 
negligible  probability. 


Theorem  B.2  HW.  Batch  Verify  is  a  batch  verifier  for  the  HW  signature  scheme. 
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Scheme 

Signatures 

BLS  [16]  (same  signer) 

CHP  [19]  (same  time  period) 
HW  [36]  (same  signer) 

HW  [36]  (different  signers) 

Waters09  [66]  (same  signer) 


CL  [20]  (same  signer) 
ID-based  Signatures 
Hess  [35] 

ChCh  [24] 

Waters05  [65] 


Group,  Ring,  and  ID-based  Ring  Signatures 
BBS  [13] 

Boyen  [18]  (same  ring) 

CYH  [27] 

TRFs 

HW  VRF  [37]  (same  signer) 


Combinations 
ChCh  +  Hess 


Batch  Verification  Equation  output  by  AutoBatch 
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Figure  8:  These  are  the  final  batch  verification  equations  output  by  AutoBatch.  Due  to  space,  we  do  not 
include  the  full  schemes  or  further  describe  the  elements  of  the  signature  or  our  shorthand  for  them,  such  as 
setting  h  =  H(M)  in  BLS.  However,  a  reader  could  retrace  our  steps  by  applying  the  techniques  in  Section  3 
to  the  original  verification  equation  in  the  order  specified  in  Figure  2.  “Combined  signatures”  refers  to  the 
combined  batching  of  multiple  signature  verification  equations  that  share  algebraic  structure. 
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B.2  Proof 


Proof.  Via  a  series  of  steps,  we  will  show  that  if  HW  is  a  secure  signature  scheme,  then  BatchVerify  is  a 
secure  batch  verifier.  Recall  our  batch  verification  software  will  perform  a  group  membership  test  to  ensure 
that  each  group  element  of  the  signature  is  a  member  of  the  proper  subgroup,  so  here  will  we  assume  this 
fact.  We  begin  with  the  original  verification  equation. 

e{<n,g)  =UM  ■  Vr  ■  D  ■  e(a2,w^s^  ■  zi  ■  h)  (1) 

Step  1:  Combine  r)  signatures  (technique  1): 

f[  e(atll,g)  =  f[  UZM>  ■  Vzr*  ■  Dz  ■  e(az,2,  ^s(b)f  •  ^  •  h)  (2) 

Z  =  1  Z=  1 

Step  2:  Apply  the  small  exponents  test,  using  exponents  c>i, . . .  Sv  €  [l,  2A  —  l] : 


v  v 

In  tt  m.-5z 


n  eKi  ,g)s‘ = n  u*Mz'5*  •  n  v^Sm  ■  n  °*z  •  n  eK2  .  *** . 

Z=  1  Z=1  Z  —  1  Z  —  l  Z—l 

Step  3:  Move  exponent(s)  inside  the  pairing  (technique  2): 
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Step  4:  Move  products  inside  pairings  to  reduce  77  pairings  to  1  (technique  3a): 
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Step  5:  Distribute  products  (technique  5): 
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Step  6:  Move  products  inside  pairings  to  reduce  rj  pairings  to  1  (technique  3a): 
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Steps  1  and  2  form  the  Combination  Step  in  [28],  which  was  proven  to  result  in  a  secure  batch  verifier 
in  [28,  Theorem  3.2].  We  observe  that  the  remaining  steps  are  merely  reorganizing  terms  within  the  same 
equation.  Hence,  the  final  verification  equation  (7)  is  also  batch  verifier  for  HW.  □ 


C  A  Machine-Generated  Proof  for  VRF 

The  following  proof  was  automatically  generated  by  the  Batcher  while  processing  the  VRF  signature  scheme  [37]. 
This  execution  was  restricted  to  signatures  on  a  single  signing  key. 
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C.l  Definitions 


This  document  contains  a  proof  that  VRF.BatchVerify  is  a  valid  batch  verifier  for  the  signature  scheme  VRF. 
Let  U,  U,  gi,  g2,  h  be  values  drawn  from  the  key  and/or  parameters,  and  x,Tr,  y  represent  a  message  (or 
message  hash)  and  signature.  The  £  parameter  represents  the  t-bit  input  size  of  VRF  and  varies  in  practice. 
We  have  shown  an  example  of  £  =  8  to  simplify  the  proof.  The  individual  verification  equation  VRF. Verify 
is: 


e(7Ti ,g2)  =  e{g[1  'll)  •  Uf\U)  and  e(7r 0,92)  =  e{TVi,U0)  and  e(7r 0,h)  =  y  and 

for  t  =  2  to  t  it  holds:  e(Trt,g2)  =  52)  ■  e(7T ff1,Ut) 

Let  77  be  the  number  of  signatures  in  a  batch,  and  . . .  5Vti  £  [l,  2A  —  l]  be  a  set  of  random  exponents 
chosen  by  the  verifier.  Since  the  input  size  of  £  =  8,  then  i  =  9.  The  batch  verification  equation  for  VRF  is: 
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v  v 


(l-x1)-Sz 

9i 


u\ 


Xl-Sz 


-6, 


(1  —xz 


)~Sz 


-Sz 

Tz,3 


(l-X*,3)-5a,4--l  -Sz,B 
n  z  2  n  z  4 


(1  —  Xz>4)-  —  6Z 

n z ,3 


2=1 


2= 1 


—  5Z 
wz,5 

,6  (1—  Xz  5)-—  Sz  6'  —  1 

•7^,4 

-Sz,7 
nz,  6 

( 1  X  z 

•^2,5 

,s)-S, 

i,7  —  1  — <b,f 

'WZ,7 

i  (1  —  Xzj)-  —  Sz,8'~  1  —  $z, 
•^2,6  ^2,8 

3  ,7—f 1  3 
'nz,  7 

92 )  : 

V 

V 

V 

V 

(f[ 

2=1 

*iT’uo)-I[yzs’A 

z= l 

e(f[ 

2  =  1 

-Sz,l 
nz,  0  5 

9rh) 

■e<lK r 
2  =  1 

■**’,u2m  IK;/'5*’4" 

2=1 

~\u3) 

•e(n<3 

2=1 

A‘&z,  5*  — 

V 

V 

V 

V 

/TT  Xzk-Szr-- 
e([[  ^2,4 

~\u5) 

<11 

Xz,6‘ 

nz,5 

5^~\U6) 

e(]J 

X z  8 ,9 * 

Kz,7 

\US) 

,U4) 


2=1 


2  =  1 


2  =  1 


2=1 


We  will  now  formally  define  a  batch  verifier  and  demonstrate  that  VRF.BatchVerify  is  a  secure  batch  verifier 
for  the  VRF  signature  scheme. 

Definition  C.l  (Pairing-based  Batch  Verifier)  Let  BSetup(lT)  — >■  (q,  g,  <G,  Gt,  e).  For  each  j  £  [1,77], 
where  77  £  poly(r),  let  be  a  generic  pairing-based  claim  and  let  Verify  be  a  pairing  based  verifier.  We 
define  pairing-based  batch  verifier  for  Verify  a  probabilistic  poly(r)-time  algorithm  which  outputs  accept  if 
holds  for  all  j  £  [1, 77]  whereas  it  outputs  reject  if  X^  does  not  hold  for  any  j  £  [1, 77]  except  with 
negligible  probability. 

Theorem  C.2  VRF  BatchVerify  is  a  batch  verifier  for  the  VRF  signature  scheme. 


C.2  Proof 

Proof.  Via  a  series  of  steps,  we  will  show  that  if  VRF  is  a  secure  signature  scheme,  then  BatchVerify  is  a 
secure  batch  verifier.  Recall  our  batch  verification  software  will  perform  a  group  membership  test  to  ensure 
that  each  group  element  of  the  signature  is  a  member  of  the  proper  subgroup,  so  here  will  we  assume  this 
fact.  We  begin  with  the  original  verification  equation. 


e(7Ti ,g2)  =  e(g[1  Xl)  ■  Uf\U)  and  e(7r0,52)  =  e(ni,U0)  and  e(7r0,/i)  =  y  and 
for  t  =  2  to  £  it  holds:  e(irtlg2)  =  e(7 92)  •  e('irff1,Ut) 

EQ1  Step  1  :  Consolidate  the  verification  equations  (technique  Oa),  merge  pairings  with  common  first  or 
second  argument  (technique  3b),  and  apply  the  small  exponents  test  as  follows:  For  each  of  the  z  =  1  to  77 
signatures,  choose  random  <5i,  62  £  [1,  2A  —  1]  and  compute  for  each  equation: 

e(ffi1~Xl)  ■  UXl,U)s 2  •  e(ir1,g2)~52  =  e{Tn,U0)Sl  ■  ySl  ■  e{n 0,g2  ■  h)~Sl  (8) 


31 

Approved  for  Public  Release;  Distribution  Unlimited. 

328 


EQ1  Step  2  :  Combine  rj  signatures  (technique  1),  move  exponent  (s)  inside  pairing  (technique  2): 
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EQ1  Step  3:  Move  products  inside  pairings  to  reduce  rj  pairings  to  1  (technique  3a): 

e(lK-BlH-a  '  ur5*'2,u)  ■  e(fK^)  =  e(Y[n5zzf,U0)  •  ff  Vz6*’1  ■  e(  ff  , 92  ■  h) 
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EQ2  Step  4:  Combine  r]  signatures  (technique  1): 
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EQ2  Step  5:  Apply  the  small  exponents  test,  using  exponents  Si,. .  .5^  G  [l,  2A] : 
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EQ2  Step  6:  Move  exponent (s)  inside  the  pairing  (technique  2): 

for  t  =  2  to  l  it  holds:  ff  e(nsz zt,g2)  =  ff  e(n£t ,  g2)  ■  e(7r**t'lf*,  Ut) 
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EQ2  Step  7:  Move  products  inside  pairings  to  reduce  rj  pairings  to  1  (technique  3a): 
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EQ2  Step  8:  Distribute  products  (technique  5): 
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EQ2  Step  9:  Move  products  inside  pairings  to  reduce  77  pairings  to  1  (technique  3a): 

for  t  =  2  to  l  it  holds:  e(ff  tt f*t,  g2)  =  e(ff  ,  g2)  ■  e(ff  Tr^'f* ,  Ut) 

Z=1  Z—l  Z—l 

EQ2  Step  10:  Merge  pairings  with  common  first  or  second  argument  (technique  3b): 
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EQ2  Step  11:  Unroll  for  loop  (technique  Ob)  and  choose  random  S3, . . .  ,Sq  G  [1,  2A  —  1]  for  each  z 
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rj  equations: 
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Step  12:  Combine  equations  1  and  2,  then  pairings  within  final  equation  (technique  3b): 
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Steps  1  and  2  form  the  Combination  Step  in  [28],  which  was  proven  to  result  in  a  secure  batch  verifier 
in  [28,  Theorem  3.2].  We  observe  that  the  remaining  steps  are  merely  reorganizing  terms  within  the  same 
equation  except  for  the  application  of  technique  Ob,  which  applies  the  small  exponents  test  again  while 
unrolling  the  loop.  Hence,  the  final  verification  equation  (19)  is  also  batch  verifier  for  VRF.  □ 


D  A  machine-generated  candidate  batch  algorithm  for  WATERS09 

The  following  candidate  batching  algorithm  was  automatically  generated  by  the  Batcher  while  processing  the 
WATERS09  signature  scheme  [66,  67].  This  execution  was  restricted  to  signatures  on  a  single  signing  key. 

D.l  Definitions 

Let  gi ,  g2  be  values  drawn  from  the  key  and/or  parameters,  and  M,  U\ ,  a2 , 03 ,  (74 , 175 ,  ag ,  <77 ,  ctk ,  ta<7fc  represent 
a  message  (or  message  hash)  and  signature.  Select  Si,  s2,t,tagc  variables  at  random  in  Zq  and  the  variables 
9,  A  are  computed  as  follows:  9  =  1  /{tagc  —  tagk),A  =  e(g,  g)a'ai  b.  The  individual  verification  equation 
WATERS09. Verify  [§6.1]20  is: 

e(5ibs,cri)  •  e(gib'aiSl,a2)  ■  e(gi“lSl ,  <r3)  •  e(g1b  a2S2,  a4)  ■  e(gia2S2 ,ab)  = 

e(a6,r 1s1  •  r|2)  •  e(a7,n6si  •  r2bs 2  ■  w~*)  ■  (e(a7,uM't  ■  wta^  ■  h*)  ■  e{gf\aK))e  • 

20For  simplicity,  Waters  [67]  presents  this  verification  equation  as  a  series  of  calculations.  We  have  merely  combined  these 
calculations,  reorganized  a  few  terms  in  the  verification  equation  and  turned  division  operations  into  multiplication. 
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Let  77  be  the  number  of  signatures  in  a  batch,  and  Si,...Sv  £  { 1 , 2 A  —  1 }  be  a  set  of  random  exponents  chosen 
by  the  verifier.  The  batch  verification  equation  WATERS09.BatchVerify  is: 
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We  conjecture  that  this  scheme  satisfies  a  relaxation  of  Definition  2.2  to  allow  for  two-sided  negligible  error; 
that  is,  where  there  is  also  a  chance  that  a  set  of  valid  signatures  will  be  rejected  by  the  Batcher. 


D.2  Details  on  How  Candidate  Construction  was  Derived 

Via  a  series  of  steps,  we  show  how  the  above  batching  algorithm  was  derived.  We  begin  with  the  original 
verification  equation. 


e(5ibs,cri)  •  e{g1 b'aiSl,a2)  ■  e(5iaiSl,<r3)  •  e(giba2S2,  a4)  ■  e(gi“2S2,  a5)  = 


e(cr6 ,TiSl  •  T22)  •  e(cr7,ribsi  •  t282  •  w  *) 


(e(a7,  u ■  wta ■  h*)  ■  e(g?,  aK))e  •  A*2  (20) 


Step  1:  Combine  g  signatures  (technique  1): 

e(5ibsVo-2,i)  •  e{gi"lSz'\az,2)  ■  e(giai8zA,  az,3)  •  e{g1ba28z-2,azA)  •  e{gia28z'2,  azA)  = 


e(cr,,6,r1s*'1  •  t^'2)  •  e(crZi7,ribs-1  •  t2Sz’2  ■  w  tz) 

Z=  1 

■  (e(trZj7, uMz'tz  ■  W**9.,c-U  .  htM) .  e(g-tz,az,K))6z  ■  A8-2  (21) 

Step  2:  Apply  the  small  exponents  test,  using  exponents  Si,  ,  . .  Srl  £  [l,  2A  —  l] : 


H  (e(5ibsV^,i)  •  e(gib  a^\az,2)  •  e(9l“‘^‘,a,3)  •  e(5lb  “2S-2,  azA)  ■  e(9la2Sz-2,  az,5))Sz  = 


Z=l 


n  (e(az,6,TlzA  ■  t8z-2)  ■  e(az>7,  r1bSz’1  ■  T2bSz’2  ■  w  tz) 

Z=  1 

•  (e(crZ)7, uMz'tz  ■  wta^tz  ■  htz)  ■  e{gitz,cjZ)K))0z  ■  A8z*2)5z  (22) 

Step  3:  Move  exponent(s)  inside  the  pairing  (technique  2): 


n  <gibSz-Sz,azA)  ■  e(9lbai8z’i-5z,az,2)  ■  e{gia^Sz ,  az,3)  ■  e(giba28^Sz  ,azA)  •  e(9la28z’2Sz  ,azA)  = 


II  ■  t**’2)  ■  e(azzT,T1bSz‘1  ■  r2b8z  2  ■  w~tz) 


Z=1 


■  e(cr0z7Sz  ,uMz'tz  ■  wta9z^tz  ■  htz)  ■  e{gitz  0z'5z,az,K)  ■  A8*-2'Sz  (23) 
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Step  4:  Split  pairings  (technique  8): 


II  e(5ibs*"S^,i)  •  e(9ibaiS*’l  5*,<Tz,2 )  •  e(9la's^s*,<Tz,3)  •  e(5l6^s— **,azA)  •  <tz,5)  = 

2=1 

V 

nt  Sz  sz,i\  (  Sz  sz,2\  (  8Z  bsz  i  \  (  sz  bsz  2\  /  <^2  —tz\  (  0z-8z  Mz‘tz\ 

e(<7Z*6>Tl  )*e(^6»T2  )*e(^>5rl  ,)*e(^>»r2  *) 

2  =  1 

•  •  e{aez^,h^)  ■  e{g^tM,az,K)  ■  A°^s*  (24) 

Step  5:  Distribute  products  (technique  5): 


2=1  2=1  2=1  2=1  2=1 

e(<Tf(6’  ri*’1)  ‘  e(azfii  t2Z’2)  '  e(azz,7i  TibSz’1)-  e(azy,  T2bSz'2)  ■  e(azy,  w~tz)-  e(azySz ,  uM*'tz) 
2=1  2=1  2  =  1  2=1  2  =  1  2  =  1 

■fleioitf-,™**”**-)  ■  f[e(<rex^,h^)  ■  f[e(g^tM  ,az,K)  -f[A^  (25) 

2  =  1  2  =  1  2=1  2  =  1 

Step  6:  Move  products  inside  pairings  to  reduce  g  pairings  to  1  (technique  3a)  and  move  product  to 

summation  on  precomputed  pairing  (technique  6): 
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(26) 


Step  7:  Merge  pairings  with  common  first  or  second  argument  (technique  3b): 


e(ffA  ]J  az%5z)  ’  e(9ib'ai,  II  aSz%l6z) '  e(9ia\\\_  '  e(gib'a2,  as//'5z)  ■  e{gia 2,  jj 
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E  SDL  Grammar 

We  provide  a  full  description  of  our  SDL  grammar  below: 

( assign-statement )  ::=  ( single- assignment )  \  (func- call- statement) 

{group -as sign- statement)  \  { diet- statement )  \  {random- statement)  \  {hash- statement)  \  {pair- statement) . 


35 

Approved  for  Public  Release;  Distribution  Unlimited. 

332 


( single-assignment )  ::=  (variable-target)  ( assign-op )  (expr- statement)  \  (variable-target) . 
(variable-target)  ::=  (keywords)  \  (variable-name). 

(group-assign-statement)  ::=  (variable-name)  (assign-op)  (type). 

(June- call- statement)  ::=  (variable-name)  (assign-op)  (variable-name)  ‘(’  (arg-list)  “)’. 

(arg-list)  ::=  (arg-name)  \  (arg-name)  V  (arg-list). 

(arg-name)  ::=  (variable-name). 

(random- statement)  ::=  (variable-name)  (assign-op)  (random-func-name)  ‘(’  (group-type) 

(hash- statement)  ::=  (variable-name)  (assign-op)  (hash-func-name)  ‘(’  (arg-list)  (group-type) 

(diet-statement)  ::=  (variable-name)  (assign-op)  ‘list{’  (arg-list)  |  ‘expand{’  (arg-list) 

(dot-prod-statement)  ::=  iprod{‘  (single-assignment)  (single- assignment)  on’  (expr- statement) . 

(sum- of- statement)  ::=  ‘sum{’  (single-assignment)  (single-assignment)  ‘}  of’  (expr- statement) 

(for- statement)  ::=  (proc-token)  (block-sep)  ‘for’ 

‘for{‘  (as sign- statement)  ,  (as sign- statement)  [(new-line)  (expr- statement)]* 
forall{  (assign-statement)  ,  (assign-statement)  [(new-line)  (expr- statement)]* . 

(conditional- statement)  ::=  (proc-token)  (block-sep)  ‘if’ 

‘if{’  (cond- statement)  [(new-line)  (expr-statement)]  + 

‘else’  [(new-line) (expr- statement)]+ . 

(expr- statement)  ::=  (pair- statement)  \  (exprO- statement) . 

(exprO-statement)  ::=  (exprO-statement)  (group-op)  (exprO- statement) 

(exp  1- statement) 

(variable-name). 

(cond- statement)  ::=  (cond- statement)  [(bool-op)  (cond- statement)]*  \  (expr- statement) . 

(pair- statement)  ::=  ‘e(’  (expr- statement)  ‘ (expr- statement)  *)’ 

(pair- statement)  (group-op)  (pair- statement) 

(pair- statement)  (exp)  (exp  1- statement) . 

(exp  1- statement)  ::=  (exp  1- statement)  (exp)  (exp 2- statement)  \  (expr 2- statement) 

(exp2-statement)  ::=  (expr- statement)  (exp-ops)  (expr- statement) 

(expr- statement)  (group-op)  (expr- statement) 

(negate-op)  [(exp2-statement)  \  (integer)]. 

(element-type)  ::=  None  |  int  |  str  |  ZR  |  G1  |  G2  |  GT 

(type)  ::=  (element-type)  \  ‘list{‘  (element-type),  [  (element-type)  ]* 

‘expand{’  (element-type),  [  (element-type)  ]* 

(type-list). 
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(■ type-list )  ::=  {type)  ( type-list )  |  (type). 

{ procedure )  ::=  ( proc-token )  { block-sep )  ( procedure-name ). 

{ procedure-name )  ::=  { variable-name )  |  ‘func:’  ( procedure-name ). 

( variable-name }  ::=  [0-9,  a-z,  A-Z, (sym&oZs)]* 

{symbols)  ::=  y  |  ‘#’  |  '?’  |  *$’ 

{proc-token)  ::=  ‘BEGIN’  j  ‘END’ 

{block-sep)  ::=  ‘ ’ 

{random-func-name)  ::=  ‘random’ 

{hash-func-name)  ‘H’ 

{keywords)  ::=  ‘N’  |  ‘verify’  |  ‘constant’  |  ‘public’  |  ‘signature’  |  ‘message’  |  ‘public_count’  |  ‘signature_count' 
|  ‘message_count’  |  ‘latex’  |  ‘precompute’  |  ‘types’  |  ‘name’  |  ‘setting'  |  ‘symmetric’  |  ‘asymmetric’ 

{assign-op)  ‘:=’ 

{exp)  ::= 

{exp-ops)  ::=  “+’  |  ‘-’  |  {group-op) 

{group-op)  ::=  ‘*’  |  ‘/’ 

{bool-op)  ::=  ‘I’  |  ‘and’  |  ‘or’  |  ‘==’  |  '!=’  |  ‘<’  |  “<=’  |  ‘>’  |  >=’ 

{negate-op)  ‘-’ 

F  Semantics  of  SDL 

We  provide  a  brief  overview  of  our  domain  specific  language  and  examples  of  how  schemes  are  written  in  it. 

SDL  can  accommodate  a  full  description  of  pairing  schemes  in  situations  where  an  existing  implementation 
of  a  signature  scheme  does  not  exist  or  a  developer  prefers  to  code  their  scheme  directly  in  SDL.  This 
information  is  used  to  inform  AutoBatch  on  details  needed  to  generate  the  scheme  implementation  and  the 
batch  algorithm.  The  SDL  hie  consists  of  two  parts. 

The  first  part  is  a  full  representation  of  the  signature  scheme  which  consists  of  the  descriptions  of  each 
algorithm  such  as  keygen,  sign,  verify  and  a  types  section.  This  information  is  used  to  generate  executable 
code  for  the  scheme  either  in  Python  or  C++. 

The  second  part  is  a  broken  down  version  of  the  verification  algorithm  in  a  form  for  AutoBatch  to  derive 
the  desired  batch  verification  algorithm.  To  this  end,  there  are  several  keywords  used  to  provide  context  for 
AutoBatch.  Public,  signature  and  message  keywords  are  used  to  identify  the  public  key  variables  and  the 
signature  and  message  variables.  Additionally,  the  public  count  keyword  is  used  to  determine  whether 
public  keys  belong  to  the  same  or  different  signers.  The  signature  count  and  message  count  keywords 
describe  the  number  of  signatures  and  messages  expected  per  batch.  The  constants  keyword  describes 
variables  in  the  scheme  shared  by  signers  such  as  the  generators  of  a  group.  Precompute  section  represents 
computation  steps  necessary  before  each  verification  check.  The  verify  keyword  is  used  to  describe  the 
verification  equation  as  a  mathematical  expression.  Finally,  we  include  a  block  for  LaTeX  to  assist  the  proof 
generator  map  variables  in  SDL  to  equivalent  LaTeX  representation. 
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Our  abstract  language  is  capable  of  representing  a  variety  of  programming  constructs  such  as  dot  products, 
for  loops,  summation,  and  boolean  operators.  Thus,  very  complex  schemes  can  be  described  using  our  SDL 
and  to  reflect  this  we  provide  full  SDL  descriptions  below  for  BLS  [16]  and  CL04  [20].  See  our  github 
repository  for  other  full  SDL  examples. 

########################################################## 

##  BLS  signature  scheme  ## 

########################################################## 
name  :=  bis 

#  expected  batch  size  per  some  time  period 
N  :=  100 

setting  :=  asymmetric 

#  types  for  variables  used  in  verification. 

#  all  other  variable  types  are  inferred  by  SDL  parser 
BEGIN  : :  types 

M  :=  Str 
END  : :  types 

#  description  of  key  generation,  signing,  and  verification  algorithms 
BEGIN  ::  func: keygen 

input  :=  listfNone} 

#  choose  random  generator  in  a  prime  order  group  G2 
g  :=  random(G2) 

#  choose  random  integer  modulo  prime  r 
x  :=  random (ZR) 

pk  :=  g"x 
sk  :  =  x 

#  keygen  returns  a  tuple  consisting  of  three  elements 
output  :=  listfpk,  sk,  g} 

END  ::  func: keygen 

BEGIN  ::  func: sign 
input  :=  listfsk,  M} 

#  H  is  a  general  purpose  hash  function  that  maps  its  inputs 

#  (consisting  of  strings,  group  elements,  etc) 

#  to  a  particular  target  group  (either  ZR,  G1  or  G2) 
sig  :=  (H(M,  Gl)“sk) 

output  :=  sig 
END  ::  func: sign 

BEGIN  ::  func: verify 
input  :=  listfpk,  M,  sig,  g} 
h  :=  H(M,  Gl) 

BEGIN  : :  if 

if  {e(h,  pk)  ==  e(sig,  g)> 
output  : =  True 

else 

output  :=  False 
END  : :  if 

END  ::  func: verify 


38 

Approved  for  Public  Release;  Distribution  Unlimited. 

335 


#  Batcher  SDL  input 
constant  :=  g 
public  :=  pk 
signature  :=  sig 
message  :=  h 

#  same  signer 
BEGIN  : :  count 

message_count  :=  N 
public_count  :=  one 
signature_count  :=  N 
END  : :  count 

#  variables  computed  before  each  signature  verification 
BEGIN  : :  precompute 

h  :=  H(M,  Gl) 

END  : :  precompute 

#  verification  equation 

verify  :=  {e(h,  pk)  ==  e(sig,  g)> 


########################################################## 
##  CL  signature  scheme  ## 

########################################################## 
name  :=  cl04 
N  :=  100 

setting  :=  asymmetric 

BEGIN  : :  types 
M  :=  Str 

#  represents  a  list  of  elements  in  group  G2 
sig  :=  list{G2} 

END  : :  types 

BEGIN  ::  func: setup 
input  :=  list{None} 
g  :=  random(Gl) 
output  : =  g 
END  : :  func : setup 

BEGIN  ::  func: keygen 
input  :=  list{g} 
x  :=  random (ZR) 
y  :=  random (ZR) 

X  :=  g'x 
Y  :=  g'y 
sk  :=  list{x,  y} 
pk  :=  list{X,  Y} 
output  :=  list{pk,  sk} 

END  ::  func: keygen 
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BEGIN  ::  func:sign 
input  :=  list{sk,  M} 

#  expand  macro  is  shorthand  for  extracting  the  variables  contained 

#  in  the  list  or  tuple  to  make  them  accessible  within  the  function 
sk  :=  expand{x,  y} 

a  :=  random(G2) 
m  :=  H(M,  ZR) 
b  : =  a~y 

c  :=  a~(x  +  (m  *  x  *  y)) 
sig  :=  list{a,  b,  c} 
output  :=  sig 
END  ::  func:sign 

BEGIN  ::  func: verify 
input  :=  list{pk,  g,  M,  sig} 
pk  :=  expand{X,  Y} 
sig  :=  expand{a,  b,  c} 
m  :=  H(M,  ZR) 

BEGIN  : :  if 

if  {{  e (Y,  a)  ==  e(g,  b)  }  and  {  (e(X,  a)  *  (e(X,  b)“m))  ==  e(g,  c)  }} 
output  : =  True 
else 

output  :=  False 
END  : :  if 

END  ::  func: verify 

#  Batcher  input 
BEGIN  : :  precompute 

m  :=  H(M,  ZR) 

END  : :  precompute 

constant  :=  g 
public  :=  pk 
signature  :=  sig 
message  :=  m 

#  same  signer 
BEGIN  : :  count 

message_count  :=  N 
public_count  :=  one 
signature_count  :=  N 
END  : :  count 

verify  :=  {  e(Y,  a)  ==  e(g,  b)  }  and  {  (e(X,  a)  *  (e(X,  b)“m))  ==  e(g,  c)  } 
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Abstract — Bitcoin  is  the  first  digital  currency  to  see  widespread 
adoption.  While  payments  are  conducted  between  pseudonyms, 
Bitcoin  cannot  offer  strong  privacy  guarantees:  payment  trans¬ 
actions  are  recorded  in  a  public  decentralized  ledger,  from 
which  much  information  can  be  deduced.  Zerocoin  (Miers  et 
al.,  IEEE  S&P  2013)  tackles  some  of  these  privacy  issues  by 
unlinking  transactions  from  the  payment’s  origin.  Yet,  it  still 
reveals  payments’  destinations  and  amounts,  and  is  limited  in 
functionality. 

In  this  paper,  we  construct  a  full-fledged  ledger-based  digital 
currency  with  strong  privacy  guarantees.  Our  results  leverage 
recent  advances  in  zero-knowledge  Succinct  Non-interactive  AR- 
guments  of  Knowledge  (zk-SNARKs). 

First,  we  formulate  and  construct  decentralized  anonymous 
payment  schemes  (DAP  schemes).  A  DAP  scheme  enables  users  to 
directly  pay  each  other  privately:  the  corresponding  transaction 
hides  the  payment’s  origin,  destination,  and  transferred  amount. 
We  provide  formal  definitions  and  proofs  of  the  construction’s 
security. 

Second,  we  build  Zerocash,  a  practical  instantiation  of  our 
DAP  scheme  construction.  In  Zerocash,  transactions  are  less  than 
1  kB  and  take  under  6  ms  to  verify  —  orders  of  magnitude  more 
efficient  than  the  less-anonymous  Zerocoin  and  competitive  with 
plain  Bitcoin. 

Keywords:  Bitcoin,  decentralized  electronic  cash,  zero  knowledge 


I.  Introduction 

Bitcoin  is  the  first  digital  currency  to  achieve  widespread 
adoption.  The  currency  owes  its  rise  in  part  to  the  fact  that, 
unlike  traditional  e-cash  schemes  [1,  2,  3],  it  requires  no  trusted 
parties.  Instead  of  appointing  a  central  bank,  Bitcoin  leverages  a 
distributed  ledger  known  as  the  block  chain  to  store  transactions 
made  between  users.  Because  the  block  chain  is  massively 
replicated  by  mutually-distrustful  peers,  the  information  it 
contains  is  public. 

While  users  may  employ  many  identities  (or  pseudonyms) 
to  enhance  their  privacy,  an  increasing  body  of  research  shows 
that  anyone  can  de-anonymize  Bitcoin  by  using  information  in 
the  block  chain  [4,  5,  6],  such  as  the  structure  of  the  transaction 
graph  as  well  as  the  value  and  dates  of  transactions.  As  a  result, 
Bitcoin  fails  to  offer  even  a  modicum  of  the  privacy  provided 
by  traditional  payment  systems,  let  alone  the  robust  privacy  of 
anonymous  e-cash  schemes. 

While  Bitcoin  is  not  anonymous  itself,  those  with  sufficient 
motivation  can  obfuscate  their  transaction  history  with  the  help 
of  mixes  (also  known  as  laundries  or  tumblers).  A  mix  allows 
users  to  entrust  a  set  of  coins  to  a  pool  operated  by  a  central 


party  and  then,  after  some  interval,  retrieve  different  coins 
(with  the  same  total  value)  from  the  pool.  Yet,  mixes  suffer 
from  three  limitations:  (i)  the  delay  to  reclaim  coins  must  be 
large  to  allow  enough  coins  to  be  mixed  in;  (ii)  the  mix  can 
trace  coins;  and  (iii)  the  mix  may  steal  coins.1  For  users  with 
“something  to  hide,”  these  risks  may  be  acceptable.  But  typical 
legitimate  users  (1)  wish  to  keep  their  spending  habits  private 
from  their  peers,  (2)  are  risk-averse  and  do  not  wish  to  expend 
continual  effort  in  protecting  their  privacy,  and  (3)  are  often 
not  sufficiently  aware  of  their  compromised  privacy. 

To  protect  their  privacy,  users  thus  need  an  instant,  risk-free, 
and,  most  importantly,  automatic  guarantee  that  data  revealing 
their  spending  habits  and  account  balances  is  not  publicly 
accessible  by  their  neighbors,  co-workers,  and  merchants. 
Anonymous  transactions  also  guarantee  that  the  market  value 
of  a  coin  is  independent  of  its  history,  thus  ensuring  legitimate 
users’  coins  remain  fungible.2 

Zerocoin:  a  decentralized  mix.  Miers  et  al.  [8]  proposed 
Zerocoin,  which  extends  Bitcoin  to  provide  strong  anonymity 
guarantees.  Like  many  e-cash  protocols  (e.g.,  [2]),  Zerocoin 
employs  zero-knowledge  proofs  to  prevent  transaction  graph 
analyses.  Unlike  earlier  practical  e-cash  protocols,  however, 
Zerocoin  does  not  rely  on  digital  signatures  to  validate  coins, 
nor  does  it  require  a  central  bank  to  prevent  double  spending. 
Instead,  Zerocoin  authenticates  coins  by  proving,  in  zero- 
knowledge,  that  they  belong  to  a  public  list  of  valid  coins 
(which  can  be  maintained  on  the  block  chain).  Yet,  rather  than 
a  full-fledged  anonymous  currency,  Zerocoin  is  a  decentralized 
mix,  where  users  may  periodically  “wash”  their  bitcoins  via 
the  Zerocoin  protocol.  Routine  day-to-day  transactions  must 
be  conducted  via  Bitcoin,  due  to  reasons  that  we  now  review. 

The  first  reason  is  performance.  Redeeming  zerocoins 
requires  double-discrete-logarithm  proofs  of  knowledge,  which 
have  size  that  exceeds  45  kB  and  require  450  ms  to  verify  (at 
the  128-bit  security  level).3  These  proofs  must  be  broadcast 

'CoinJoin  [7],  an  alternative  proposal,  replaces  the  central  party  of  a  mix 
with  multi-signature  transactions  that  involve  many  collaborating  Bitcoin  users. 
CoinJoin  can  thus  only  mix  small  volumes  of  coins  amongst  users  who  are 
currently  online,  is  prone  to  denial-of-service  attacks  by  third  parties,  and 
requires  effort  to  find  mixing  partners. 

2While  the  methods  we  detail  in  this  paper  accomplish  this,  the  same 
techniques  open  the  door  for  privacy  preserving  accountability  and  oversight 
(see  Section  X). 

3These  published  numbers  [8]  actually  use  a  mix  of  parameters  at  both 
128-bit  and  80-bit  security  for  different  components  of  the  construction.  The 
cost  is  higher  if  all  parameters  are  instantiated  at  the  128-bit  security  level. 
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through  the  network,  verified  by  every  node,  and  permanently 
stored  in  the  ledger.  The  entailed  costs  are  higher,  by  orders 
of  magnitude,  than  those  in  Bitcoin  and  can  seriously  tax  a 
Bitcoin  network  operating  at  normal  scale. 

The  second  reason  is  functionality.  While  Zerocoin  consti¬ 
tutes  a  basic  e-cash  scheme,  it  lacks  critical  features  required 
of  full-fledged  anonymous  payments.  First,  Zerocoin  uses 
coins  of  fixed  denomination:  it  does  not  support  payments 
of  exact  values,  nor  does  it  provide  a  means  to  make  change 
following  a  transaction  (i.e.,  divide  coins).  Second,  Zerocoin 
has  no  mechanism  for  one  user  to  pay  another  one  directly 
in  “zerocoins.”  And  third,  while  Zerocoin  provides  anonymity 
by  unlinking  a  payment  transaction  from  its  origin  address,  it 
does  not  hide  the  amount  or  other  metadata  about  transactions 
occurring  on  the  network. 

Our  contribution.  In  this  work  we  address  the  aforemen¬ 
tioned  issues  via  two  main  contributions. 

(1)  We  introduce  the  notion  of  a  decentralized  anonymous 
payment  scheme,  which  formally  captures  the  functionality  and 
security  guarantees  of  a  full-fledged  decentralized  electronic 
currency  with  strong  anonymity  guarantees.  We  provide  a  con¬ 
struction  of  this  primitive  and  prove  its  security  under  specific 
cryptographic  assumptions.  The  construction  leverages  recent 
advances  in  the  area  of  zero-knowledge  proofs.  Specifically,  it 
uses  zero-knowledge  Succinct  Non-interactive  ARguments  of 
Knowledge  (zk-SNARKs)  [9,  10,  11,  12,  13,  14,  15,  16]. 

(2)  We  achieve  an  implementation  of  the  above  primitive,  via 
a  system  that  we  call  Zerocash.  Compared  to  Zerocoin,  our 
system  (at  128  bits  of  security): 

•  Reduces  the  size  of  transactions  spending  a  coin  by  97.7%. 

•  Reduces  the  spend-transaction  verification  time  by  98.6%. 

•  Allows  for  anonymous  transactions  of  variable  amounts. 

•  Hides  transaction  amounts  and  the  values  of  coins  held  by 
users. 

•  Allows  for  payments  to  be  made  directly  to  a  user’s  fixed 
address  (without  user  interaction). 

To  validate  our  system,  we  measured  its  performance  and 
established  feasibility  by  conducting  experiments  in  a  test 
network  of  1000  nodes  (approximately  of  the  unique  IPs 
in  the  Bitcoin  network  and  |  of  the  nodes  reachable  at  any 
given  time  [17]).  This  inspires  confidence  that  Zerocash  can 
be  deployed  as  a  fork  of  Bitcoin  and  operate  at  the  same 
scale.  Thus,  due  to  its  significantly  improved  functionality  and 
performance,  Zerocash  makes  it  possible  to  entirely  replace 
traditional  Bitcoin  payments  with  anonymous  alternatives. 
Concurrent  work.  The  idea  of  using  zk-SNARKs  in  the 
setting  of  Bitcoin  was  first  presented  by  one  of  the  authors 
at  Bitcoin  2013  [18].  In  concurrent  work,  Danezis  et  al.  [19] 
suggest  using  zk-SNARKs  to  reduce  proof  size  and  verification 
time  in  Zerocoin;  see  Section  IX  for  a  comparison. 

A.  zk-SNARKs 

We  now  sketch  in  more  technical  terms  the  definition  of 
a  zk-SNARK;  see  Section  II  for  more  details.  A  zk-SNARK 
is  a  non-interactive  zero-knowledge  proof  of  knowledge  that 


is  succinct,  i.e.,  for  which  proofs  are  very  short  and  easy  to 
verify.  More  precisely,  let  £  be  an  N  P  language,  and  let  C  be  a 
nondeterministic  decision  circuit  for  £  on  a  given  instance  size 
n.  A  zk-SNARK  can  be  used  to  prove  and  verify  membership 
in  £,  for  instances  of  size  n,  as  follows.  After  taking  C  as 
input,  a  trusted  party  conducts  a  one-time  setup  phase  that 
results  in  two  public  keys:  a  proving  key  pk  and  a  verification 
key  vk.  The  proving  key  pk  enables  any  (untrusted)  prover 
to  produce  a  proof  7r  attesting  to  the  fact  that  x  £  £,  for  an 
instance  x  (of  size  n)  of  his  choice.  The  non-interactive  proof 
7r  is  zero  knowledge  and  a  proof  of  knowledge.  Anyone  can 
use  the  verification  key  vk  to  verify  the  proof  7 r;  in  particular 
zk-SNARK  proofs  are  publicly  verifiable:  anyone  can  verify  7r, 
without  ever  having  to  interact  with  the  prover  that  generated 
7r.  Succinctness  requires  that  (for  a  given  security  level)  7r  has 
constant  size  and  can  be  verified  in  time  that  is  linear  in  \x\ 
(rather  than  linear  in  |C|). 

B.  Decentralized  anonymous  payment  schemes 

We  construct  a  decentralized  anonymous  payment  (DAP) 
scheme,  which  is  a  decentralized  e-cash  scheme  that  allows 
direct  anonymous  payments  of  any  amount.  See  Section  III  for 
a  formal  definition.  Here,  we  outline  our  construction  in  six 
incremental  steps;  the  construction  details  are  in  Section  IV. 

Our  construction  functions  on  top  of  any  ledger-based  base 
currency,  such  as  Bitcoin.  At  any  given  time,  a  unique  valid 
snapshot  of  the  currency's  ledger  is  available  to  all  users. 
The  ledger  is  a  sequence  of  transactions  and  is  append- 
only.  Transactions  include  both  the  underlying  currency’s 
transactions,  as  well  as  new  transactions  introduced  by  our 
construction.  For  concreteness,  we  focus  the  discussion  below 
on  Bitcoin  (though  later  definitions  and  constructions  are 
stated  abstractly).  We  assume  familiarity  with  Bitcoin  [20] 
and  Zerocoin  [8]. 

Step  1:  user  anonymity  with  fixed- value  coins.  We  first 
describe  a  simplified  construction,  in  which  all  coins  have 
the  same  value  of,  e.g.,  1  BTC.  This  construction,  similar 
to  the  Zerocoin  protocol,  shows  how  to  hide  a  payment’s 
origin.  In  terms  of  tools,  we  make  use  of  zk-SNARKs  (recalled 
above)  and  a  commitment  scheme.  Let  COMM  denote  a 
statistically-hiding  non-interactive  commitment  scheme  (i.e., 
given  randomness  r  and  message  m,  the  commitment  is 
c  :=  COMMr(m);  subsequently,  c  is  opened  by  revealing 
r  and  m,  and  one  can  verify  that  COMMr(m)  equals  c). 

In  the  simplified  construction,  a  new  coin  c  is  minted  as 
follows:  a  user  u  samples  a  random  serial  number  sn  and  a 
trapdoor  r,  computes  a  coin  commitment  cm  :=  COMMr(sn), 
and  sets  c  :=  (r,  sn,cm).  A  corresponding  mint  transaction 
tXMint,  containing  cm  (but  not  sn  or  r),  is  sent  to  the  ledger; 
txiviint  appended  to  the  ledger  only  if  u  has  paid  1  BTC 
to  a  backing  escrow  pool  (e.g.,  the  1  BTC  may  be  paid  via 
plaintext  information  encoded  in  tXMint)-  Mint  transactions 
are  thus  certificates  of  deposit,  deriving  their  value  from  the 
backing  pool. 

Subsequently,  letting  CM  List  denote  the  list  of  all  coin 
commitments  on  the  ledger,  u  may  spend  c  by  posting  a  spend 
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transaction  txspend  that  contains  (i)  the  coin’s  serial  number 
sn;  and  (ii)  a  zk-SNARK  proof  7r  of  the  NP  statement  "I  know 
r  such  that  COMMr(sn)  appears  in  the  list  CMList  of  coin 
commitments" .  Assuming  that  sn  does  not  already  appear  on 
the  ledger  (as  part  of  a  past  spend  transaction),  u  can  redeem 
the  deposited  amount  of  1  BTC,  which  u  can  either  keep  for 
himself,  transfer  to  someone  else,  or  immediately  deposit  into 
a  new  coin.  (If  sn  does  already  appear  on  the  ledger,  this  is 
considered  double  spending,  and  the  transaction  is  discarded.) 

User  anonymity  is  achieved  because  the  proof  it  is  zero- 
knowledge:  while  sn  is  revealed,  no  information  about  r 
is,  and  finding  which  of  the  numerous  commitments  in 
CMList  corresponds  to  a  particular  spend  transaction  txspend  is 
equivalent  to  inverting  f(x)  :=  COMMx(sn),  which  is  assumed 
to  be  infeasible.  Thus,  the  origin  of  the  payment  is  anonymous. 

Step  2:  compressing  the  list  of  coin  commitments.  In  the 

above  NP  statement,  CMList  is  specified  explicitly  as  a  list  of 
coin  commitments.  This  naive  representation  severely  limits 
scalability  because  the  time  and  space  complexity  of  most 
protocol  algorithms  (e.g.,  the  proof  verification  algorithm) 
grows  linearly  with  CMList.  Moreover,  coin  commitments 
corresponding  to  already  spent  coins  cannot  be  dropped  from 
CMList  to  reduce  costs,  since  they  cannot  be  identified  (due  to 
the  same  zero-knowledge  property  that  provides  anonymity). 

As  in  [3],  we  rely  on  a  collision-resistant  hash  function  CRH 
to  avoid  an  explicit  representation  of  CMList.  We  maintain 
an  efficiently  updatable  append-only  CRH-based  Merkle  tree 
Tree(CMList)  over  the  (growing)  list  CMList.  Letting  rt  denote 
the  root  of  Tree(CMList),  it  is  well-known  that  updating  rt  to 
account  for  insertion  of  new  leaves  can  be  done  with  time  and 
space  proportional  to  the  tree  depth.  Hence,  the  time  and  space 
complexity  is  reduced  from  linear  in  the  size  of  CMList  to 
logarithmic.  With  this  in  mind,  we  modify  the  NP  statement  to 
the  following  one:  “I know  r  such  that  COMMr(sn)  appears  as 
a  leaf  in  a  CRH  -based  Merkle  tree  whose  root  is  rt”.  Compared 
with  the  naive  data  structure  for  CMList,  this  modification 
increases  exponentially  the  size  of  CMList  which  a  given 
zk-SNARK  implementation  can  support  (concretely,  using  trees 
of  depth  64,  Zerocash  supports  264  coins). 

Step  3:  extending  coins  for  direct  anonymous  payments. 

So  far,  the  coin  commitment  cm  of  a  coin  c  is  a  commitment 
to  the  coin’s  serial  number  sn.  However,  this  creates  a  problem 
when  transferring  c  to  another  user.  Indeed,  suppose  that  a  user 
ua  created  c,  and  ua  sends  c  to  another  user  ub •  First,  since 
ua  knows  sn,  the  spending  of  c  by  ub  is  both  not  anonymous 
(since  ua  sees  when  c  is  spent,  by  recognizing  sn)  and  risky 
(since  ua  could  still  spend  c  first).  Thus,  Ub  must  immediately 
spend  c  and  mint  a  new  coin  c'  to  protect  himself.  Second,  if 
ua  in  fact  wants  to  transfer  to  ub,  e.g.,  100  BTC,  then  doing 
so  is  both  unwieldy  (since  it  requires  100  transfers)  and  not 
anonymous  (since  the  amount  of  the  transfer  is  leaked).  And 
third,  transfers  in  amounts  that  are  not  multiples  of  1  BTC  (the 
fixed  value  of  a  coin)  are  not  supported.  Thus,  the  simplified 
construction  described  is  inadequate  as  a  payment  scheme. 

We  address  this  by  modifying  the  derivation  of  a  coin 


commitment,  and  using  pseudorandom  functions  to  target 
payments  and  to  derive  serial  numbers,  as  follows.  We  use  three 
pseudorandom  functions  (derived  from  a  single  one).  For  a 
seed  x  these  are  denoted  PRF^ddr(-),  PRF*n(-),  and  PRFPk(-). 
We  assume  that  PRFsn  is  moreover  collision-resistant. 

To  provide  targets  for  payments,  we  use  addresses',  each 
user  u  generates  an  address  key  pair  (apk,ask).  The  coins  of 
u  contain  the  value  apk  and  can  be  spent  only  with  knowledge 
of  ask-  A  key  pair  (apk,  ask)  is  sampled  by  selecting  a  random 
seed  ask  and  setting  apk  :=  PRF"ddr(0).  A  user  can  generate 
and  use  any  number  of  address  key  pairs. 

Next,  we  re-design  minting  to  allow  for  greater  functionality. 
To  mint  a  coin  c  of  a  desired  value  v,  the  user  u  first  samples  p, 
which  is  a  secret  value  that  determines  the  coin’s  serial  number 
as  sn  :=  PRF™  (p).  Then,  u  commits  to  the  tuple  (apk,  v ,  p)  in 
two  phases:  (a)  u  computes  k  :=  COMMr(opk||p)  for  a  random 
r;  and  then  (b)  u  computes  cm  :=  COMMs(n||fc)  for  a  random 
s.  The  minting  results  in  a  coin  c  :=  (apk,  v,  p,  r,  s,  cm)  and  a 
mint  transaction  tXMi„t  :=  (»,fc,s,cm).  Crucially,  due  to  the 
nested  commitment,  anyone  can  verify  that  cm  in  tXMint  is 
a  coin  commitment  of  a  coin  of  value  v  (by  checking  that 
COMMs(ti||fc)  equals  cm)  but  cannot  discern  the  owner  (by 
learning  the  address  key  apk)  or  serial  number  (derived  from 
p)  because  these  are  hidden  in  k.  As  before,  tXMint  is  accepted 
by  the  ledger  only  if  u  deposits  the  correct  amount,  in  this 
case  v  BTC. 


Coins  are  spent  using  the  pour  operation,  which  takes  a  set 
of  input  coins,  to  be  consumed,  and  “pours”  their  value  into  a 
set  of  fresh  output  coins  —  such  that  the  total  value  of  output 
coins  equals  the  total  value  of  the  input  coins.  Suppose  that 
u,  with  address  key  pair  (apk,a°kd).  wishes  to  consume  his 
coin  cold  =  (a°ld,  nold,  pold,  rold,  sold,  cmold)  and  produce  two 


new  coins  c 


pk 

new  and  cnew 


,  with  total  value  njew  +  v2ew  =  v' 


new 
2 

respectively  targeted  at  address  public  keys  a"®"  and  a"™. 
(The  addresses  a"™  and  a" may  belong  to  u  or  to  some 
other  user.)  The  user  u,  for  each  i  £  {1,  2},  proceeds  as  follows: 
(i)  u  samples  serial  number  randomness  p"ew;  (ii)  u  computes 
k"e  w  :=  COM  Mrnew  1 1 P^1  ew)  f°r  a  random  ?-"ew;  and  (iii)  u 

computes  cm"™  :=  COMMsnew(tiinew||fc[,ew)  for  a  random  s"ew. 


This  yields  the  coins  c"ew  :=  (a"™,  v"ew ,  p"ew,  rj 


new  c.new 


v)  and 


:=  ( a\ 


pk,2’ 


,P  2  ,  r2 


>«1 
2  )• 


Next,  u  produces  a  zk-SNARK  proof  7rPOuR  for  the  following 
NP  statement,  which  we  call  POUR: 


“Given  the  Merkle-tree  root  rt,  serial  number  snold, 
and  coin  commitments  cmjew,  cm^6™,  I  know  coins 
cold,  cjew,  c"ew,  and  address  secret  key  a°^d  such  that: 

•  The  coins  are  well-formed:  for  cold  it  holds  that  fcoid  = 
COMM rdd 1 1 pold )  and  cmold  =  COMMs„,d(vold||/feold); 
and  similarly  for  cjew  and  c5®w. 

•  The  address  secret  key  matches  the  public  key:  a°Ld  = 
PRF^f(O). 

•  The  serial  number  is  computed  correctly:  snoa  :  = 
PRF^(pold). 

•  The  coin  commitment  cm°  “  appears  as  a  leaf  of  a  Merkle- 
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tree  with  root  rt. 

•  The  values  add  up:  t>Jew  +  z>!!ew  =  vold.” 

A  resulting  pour  transaction  txpour  :=  (rt,  snold,  cm"™, 
cmg6™, 7tPour)  is  appended  to  the  ledger.  (As  before,  the 
transaction  is  rejected  if  the  serial  number  sn  appears  in  a 
previous  transaction.) 

Now  suppose  that  u  does  not  know,  say,  the  address  secret 
key  <4“  that  is  associated  with  the  public  key  a"™.  Then,  u 
cannot  spend  c"ew  because  he  cannot  provide  a"™  as  part  of 
the  witness  of  a  subsequent  pour  operation.  Furthermore,  when 
a  user  that  knows  a"k"  does  spend  c5ew,  the  user  u  cannot 
track  it,  because  he  knows  no  information  about  its  revealed 
serial  number,  which  is  sn?ew  :=  PRF*™,,  (p?ew). 

.sk,l 

Also  observe  that  txpour  reveals  no  information  about  how 
the  value  of  the  consumed  coin  was  divided  among  the  two 
new  fresh  coins,  nor  which  coin  commitment  corresponds  to 
the  consumed  coin,  nor  the  address  public  keys  to  which  the 
two  new  fresh  coins  are  targeted.  The  payment  was  conducted 
in  full  anonymity. 

More  generally,  a  user  may  pour  NM  >  0  coins  into  Nnew  > 
0  coins.  For  simplicity  we  consider  the  case  NM  =  jVnew  =  2, 
without  loss  of  generality.  Indeed,  for  Aoid  <  2,  the  user  can 
mint  a  coin  with  value  0  and  then  provide  it  as  a  “null"  input, 
and  for  Nnew  <  2,  the  user  can  create  (and  discard)  a  new 
coin  with  value  0.  For  NoM  >  2  or  Nnew  >  2,  the  user  can 
compose  log  iVoid  +  log  lVriew  of  the  2-input/2-output  pours. 
Step  4:  sending  coins.  Suppose  that  a"™  is  the  address  public 
key  of  tii.  hi  order  to  allow  u\  to  actually  spend  the  new  coin 
cjew  produced  above,  u  must  somehow  send  the  secret  values 
in  c"ew  to  iii.  One  way  is  for  u  to  send  ui  a  private  message, 
but  the  requisite  private  communication  channel  necessitates 
additional  infrastructure  or  assumptions.  We  avoid  this  “out- 
of-band”  channel  and  instead  build  this  capability  directly  into 
our  construction  by  leveraging  the  ledger  as  follows. 

We  modify  the  structure  of  an  address  key  pair.  Each 
user  now  has  a  key  pair  (addrpk,  addrsk),  where  addrpk  = 
(apk,pkenc)  and  addrsk  =  (ask,skenc)-  The  values  (apk,osk) 
are  generated  as  before.  In  addition,  ( pkenc,  skenc)  is  a  key  pair 
for  a  key-private  encryption  scheme  [21]. 

Then,  u  computes  the  ciphertext  Ci  that  is  the  encryption 
of  the  plaintext  (uj6'",  p5ew,  r[ew ,  s"ew),  under  pk"^  (which 
is  part  of  m’s  address  public  key  addr"“),  and  includes  Ci 
in  the  pour  transaction  txpOUr-  The  user  u±  can  then  find  and 
decrypt  this  message  (using  his  sk"™j)  by  scanning  the  pour 
transactions  on  the  public  ledger.  Again,  note  that  adding  Ci 
to  txpOL,r  leaks  neither  paid  amounts,  nor  target  addresses  due 
to  the  key-private  property  of  the  encryption  scheme.  (The 
user  u  does  the  same  with  and  includes  a  corresponding 
ciphertext  C2  in  txpour.) 

Step  5:  public  outputs.  The  construction  so  far  allows  users 
to  mint,  merge,  and  split  coins.  But  how  can  a  user  redeem 
one  of  his  coins,  i.e.,  convert  it  back  to  the  base  currency 
(Bitcoin)?  For  this,  we  modify  the  pour  operation  to  include  a 
public  output.  When  spending  a  coin,  the  user  u  also  specihes 
a  nonnegative  upub  and  an  arbitrary  string  info.  The  balance 


equation  in  the  NP  statement  POUR  is  changed  accordingly: 
“t)Jew  +  vt|ew  +  i>pUb  =  i)old”.  Thus,  of  the  input  value  tiold, 
a  part  upub  is  publicly  declared,  and  its  target  is  specified, 
somehow,  by  the  string  info.  The  string  info  can  be  used  to 
specify  the  destination  of  these  redeemed  funds  (e.g.,  a  Bitcoin 
wallet  public  key).4  Both  upub  and  info  are  now  included  in  the 
resulting  pour  transaction  txpour.  (The  public  output  is  optional, 
as  the  user  u  can  set  t)pub  =  0.) 

Step  6:  non-malleability.  To  prevent  malleability  attacks  on 
a  pour  transaction  txpour  (e.g.,  embezzlement  by  re-targeting 
the  public  output  of  the  pour  by  modifying  info),  we  further 
modify  the  NP  statement  POUR  and  use  digital  signatures. 
Specifically,  during  the  pour  operation,  the  user  u  (i)  samples 
a  key  pair  (pksig,  sksjg)  for  a  one-time  signature  scheme; 
(ii)  computes  hsig  :=  CRH(pksig);  (iii)  computes  the  two  values 
hi  :=  PRF^d^^Sig)  and  h2  :=  PRF^ (Asig),  which  act  as 
MACs  to  “tie”  hs\g  to  both  address  secret  keys;  (iv)  modifies 
POUR  to  include  the  three  values  hsig,hi,h2  and  prove  that 
the  latter  two  are  computed  correctly;  and  (v)  uses  sksjg  to  sign 
every  value  associated  with  the  pour  operation,  thus  obtaining 
a  signature  a,  which  is  included,  along  with  pksig,  in  txpour. 
Since  the  a°(,d!;  are  secret,  and  with  high  probability  h$ \g  changes 
for  each  pour  transaction,  the  values  hi ,  h2  are  unpredictable. 
Moreover,  the  signature  on  the  N  P  statement  (and  other  values) 
binds  all  of  these  together. 

This  ends  the  outline  of  the  construction,  which  is  summarized 
in  part  in  Figure  1.  We  conclude  by  noting  that,  due  to 
the  zk-SNARK,  our  construction  requires  a  one-time  trusted 
setup  of  public  parameters.  The  trust  affects  soundness  of  the 
proofs,  though  anonymity  continues  to  hold  even  if  the  setup 
is  corrupted  by  a  malicious  party. 

C.  Zerocash 

We  outline  Zerocash,  a  concrete  implementation,  at  128 
bits  of  security,  of  our  DAP  scheme  construction;  see  Sec¬ 
tion  V  for  details.  Zerocash  entails  carefully  instantiating 
the  cryptographic  ingredients  of  the  construction  to  ensure 
that  the  zk-SNARK,  the  “heaviest”  component,  is  efficient 
enough  in  practice.  In  the  construction,  the  zk-SNARK  is 
used  to  prove/verify  a  specific  NP  statement:  POUR.  While 
zk-SNARKs  are  asymptotically  efficient,  their  concrete  effi¬ 
ciency  depends  on  the  arithmetic  circuit  C  that  is  used  to 
decide  the  N  P  statement.  Thus,  we  seek  instantiations  for  which 
we  can  design  a  relatively-small  arithmetic  circuit  CPOur  for 
verifying  the  NP  statement  POUR. 

Our  approach  is  to  instantiate  all  of  the  necessary  cryp¬ 
tographic  ingredients  (commitment  schemes,  pseudorandom 
functions,  and  collision-resistant  hashing)  based  on  SHA256. 
We  first  design  a  hand-optimized  circuit  for  verifying  SHA256 
computations  (or,  more  precisely,  its  compression  function, 

4These  public  outputs  can  be  considered  as  an  “input”  to  a  Bitcoin-style 
transaction,  where  the  info  string  contains  the  Bitcoin  output  scripts.  This 
mechanism  also  allows  us  to  support  Bitcoin's  public  transaction  fees. 
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(a)  Merke  tree  over  (cm1,cin2,... ) 
rt 


(b)  coin 

c  =  (<apk-Pkenc)’  v-  P-  r-  s>  cm) 

(c)  coin  commitment  (d)  serial  number 


cm,  cm,  cm,  cm,  cm,  cm,  cm,  cm. 


rt  =  Merkle-tree  root 
cm  =  coin  commitment 
sn  =  serial  number 
v  =  coin  value 
r,  s  =  commitment  rand. 
p  =  serial  number  rand. 
(apk,pkenc)  =  address  public  key 
(ask,skenc)  =  address  secret  key 


Fig.  1:  (a)  Illustration  of  the  CRH-based  Merkle  tree  over  the  list  CMList  of  coin  commitments,  (b)  A  coin  c.  (c)  Illustration  of  the  structure 
of  a  coin  commitment  cm.  (d)  Illustration  of  the  structure  of  a  coin  serial  number  sn. 


which  suffices  for  our  purposes).5  Then,  we  use  this  circuit  in 
constructing  Cpour,  which  verifies  all  the  necessary  checks  for 
satisfying  the  NP  statement  CVour- 

This,  along  with  judicious  parameter  choices,  and  a  state-of- 
the-art  implementation  of  a  zk-SNARK  for  arithmetic  circuits 
[16]  (see  Section  II-C),  results  in  a  zk-SNARK  prover  running 
time  of  few  minutes  and  zk-SNARK  verifier  running  time  of 
few  milliseconds.  This  allows  the  DAP  scheme  implementation 
to  be  practical  for  deployment,  as  our  experiments  show. 

Zerocash  can  be  integrated  into  Bitcoin  or  forks  of  it 
(commonly  referred  to  as  “altcoins”);  we  later  describe  how 
this  is  done. 

D.  Paper  organization 

The  remainder  of  this  paper  is  organized  as  follows. 
Section  II  provides  background  on  zk-SNARKs.  We  define 
DAP  schemes  in  Section  III,  and  our  construction  thereof  in 
Section  IV.  Section  V  discusses  the  concrete  instantiation  in 
Zerocash.  Section  VI  describes  the  integration  of  Zerocash 
into  existing  ledger-based  currencies.  Section  VII  provides 
microbenchmarks  for  our  prototype  implementation,  as  well 
as  results  based  on  full-network  simulations.  Section  VIII 
describes  optimizations.  We  discuss  concurrent  work  in  Sec¬ 
tion  IX  and  summarize  our  contributions  and  future  directions 
in  Section  X. 

II.  Background  on  zk-SNARKs 

The  main  cryptographic  primitive  used  in  this  paper  is 
a  special  kind  of  Succinct  Non-interactive  ARgument  of 
Knowledge  (SNARK).  Concretely,  we  use  a  publicly-verifiable 
preprocessing  zero-knowledge  SNARK,  or  zk-SNARK  for  short. 
In  this  section  we  provide  basic  background  on  zk-SNARKs, 
provide  an  informal  definition,  and  recall  known  constructions 
and  implementations. 

5 Alternatively,  we  could  have  opted  to  rely  on  the  circuit  generators  [13,  14, 
16],  which  support  various  classes  of  C  programs,  by  writing  C  code  expressing 
the  POUR  checks.  However,  as  discussed  later,  these  generic  approaches  are 
more  expensive  than  our  hand-optimized  construction. 


A.  Informal  definition 

We  informally  define  zk-SNARKs  for  arithmetic  circuit 
satisfiability.  We  refer  the  reader  to,  e.g.,  [11]  for  a  formal 
definition. 

For  a  field  F,  an  F -arithmetic  circuit  takes  inputs  that  are 
elements  in  F,  and  its  gates  output  elements  in  F.  We  naturally 
associate  a  circuit  with  the  function  it  computes.  To  model 
nondeterminism  we  consider  circuits  that  have  an  input  x  £ 
F™  and  an  auxiliary  input  a  £  ¥h,  called  a  witness.  The 
circuits  we  consider  only  have  bilinear  gates.6  Arithmetic 
circuit  satisfiability  is  defined  analogously  to  the  boolean  case, 
as  follows. 

Definition  II.  1.  The  arithmetic  circuit  satisfiability  problem 
of  an  F-arithmetic  circuit  C :  F"  x  ¥h  — >  F(  is  captured  by  the 
relation  IZc  =  {(x,  a)  £  Fn  x  ¥h  :  C(x,  a)  =  0*};  its  language 
is  Cc  =  {x  £  F"  :  3  a  £  Fft  s.t.  C(x,  a)  =  0(}. 

Given  a  field  F,  a  (publicly-verifiable  preprocessing) 
zk-SNARK  for  F-arithmetic  circuit  satisfiability  is  a  triple 
of  polynomial-time  algorithms  (KeyGen,  Prove,  Verify): 

•  KeyGen(lA,  C)  —k  (pk,  vk).  On  input  a  security  parameter 
A  (presented  in  unary)  and  an  F-arithmetic  circuit  C,  the 
key  generator  KeyGen  probabilistically  samples  a  proving 
key  pk  and  a  verification  key  vk.  Both  keys  are  published  as 
public  parameters  and  can  be  used,  any  number  of  times,  to 
prove/verify  membership  in  Cc- 

•  Prove) pk,  x,  a)  -5-  it.  On  input  a  proving  key  pk  and  any 
(x,  a)  £  7 Zc,  the  prover  Prove  outputs  a  non-interactive 
proof  7r  for  the  statement  x  £  Cc- 

•  Verify(vk,  x,  n)  —>  b.  On  input  a  verification  key  vk,  an  input 
x,  and  a  proof  n,  the  verifier  Verify  outputs  b  =  1  if  he  is 
convinced  that  x  £  Cc- 

A  zk-SNARK  satisfies  the  following  properties. 
Completeness.  For  every  security  parameter  A,  any  F- 
arithmetic  circuit  C,  and  any  (x,  a)  £  IZc,  the  honest  prover 

6 A  gate  with  inputs  yi,...,ym  £  F  is  bilinear  if  the  output  is 
(a,  (l,i/i, . . .  ,ym))  ■  (b,{l,yi,-..,ym))  for  some  a,  b  6  Fm+1.  These 
include  addition,  multiplication,  negation,  and  constant  gates. 
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can  convince  the  verifier.  Namely,  6=1  with  probabil¬ 
ity  1  —  negl(A)  in  the  following  experiment:  (pk,  vk)  <— 
KeyGen(lA,  C);  n  <—  Prove(pk,  x,  a);  b  <—  Verify(vk,  x,  tv). 

Succinctness.  An  honestly-generated  proof  tv  has  Oa(1)  bits 
and  Verify(vk,  x,  tv)  runs  in  time  Oa(|^|)-  (Here,  0\  hides  a 
fixed  polynomial  factor  in  A.) 


Proof  of  knowledge  (and  soundness).  If  the  verifier  accepts 
a  proof  output  by  a  bounded  prover,  then  the  prover  “knows” 
a  witness  for  the  given  instance.  (In  particular,  soundness 
holds  against  bounded  provers.)  Namely,  for  every  poly(A)- 
size  adversary  A,  there  is  a  poly(A)-size  extractor  £  such  that 
Verify(vk,  x,  tv)  =  1  and  (x,a)  0  TZc  with  probability  negl(A) 
in  the  following  experiment:  (pk,  vk)  <—  KeyGen(lA,  C)\ 
(x,  tv)  <—  *4(pk,  vk);  a  «—  £(pk,  vk). 

Perfect  zero  knowledge.  An  honestly-generated  proof  is  per¬ 
fect  zero  knowledge.7  Namely,  there  is  a  poly(A)-size  simulator 
Sim  such  that  for  all  stateful  poly(A)-size  distinguishers  T>  the 
following  two  probabilities  are  equal: 

•  The  probability  that  T>( n)  =  1  on  an  honest  proof. 


Pr 


(a:,  a)  e  Tic 
V(tv)  =  1 


(pk,vk)  <—  KeyGen(C) 
( x ,  a)  <—  2?(pk,  vk) 
tv  Prove(pk,  x,  a) 


that  supports  programs  that  modify  their  own  code  (e.g.,  for 
runtime  code  generation);  their  implementation  also  reduces 
costs  for  programs  of  larger  size  and  allows  for  universal  key 
pairs. 

Each  of  the  works  above  also  achieves  zk-SNARKs  for 
arithmetic  circuit  satisfiability  as  a  stepping  stone  towards 
their  respective  higher-level  efforts.  In  this  paper  we  are  only 
interested  in  a  zk-SNARK  for  arithmetic  circuit  satisfiability, 
and  we  rely  on  the  implementation  of  [16]  for  such  a 
zk-SNARK.9  The  implementation  in  [16]  is  itself  based  on  the 
protocol  of  Parno  et  al.  [13].  We  thus  refer  the  interested  reader 
to  [13]  for  details  of  the  protocol,  its  intuition,  and  its  proof  of 
security;  and  to  [16]  for  the  implementation  and  its  performance. 
In  terms  of  concrete  parameters,  the  implementation  of  [16] 
provides  128  bits  of  security,  and  the  field  F  is  of  a  256-bit 
prime  order  p. 

III.  Definition  of  a  decentralized  anonymous 

PAYMENT  SCHEME 

We  introduce  the  notion  of  a  decentralized  anonymous 
payment  scheme  (DAP  scheme),  extending  the  notion  of 
decentralized  e-cash  [8].  Later,  in  Section  IV,  we  provide 
a  construction. 


•  The  probability  that  T>{tv)  =  1  on  a  simulated  proof. 

(pk,  vk,  trap)  Sim(C) 

( x ,  a)  <—  T>( pk,  vk) 

7r  -=  Sim(pk,  x,  trap) 

B.  Known  constructions  and  security 

There  are  many  zk-SNARK  constructions  in  the  literature 
[9,  10,  11,  12,  13,  14,  15,  16].  We  are  interested  in  zk-SNARKs 
for  arithmetic  circuit  satisfiability,  and  the  most  efficient  ones 
for  this  language  are  based  on  quadratic  arithmetic  programs 
[12,  11,  13,  14,  16];  such  constructions  provide  a  linear-time 
KeyGen,  quasilinear-time  Prove,  and  linear-time  Verify. 

Security  of  zk-SNARKs  is  based  on  knowledge-of-exponent 
assumptions  and  variants  of  Diffie-Hellman  assumptions  in 
bilinear  groups  [9,  22,  23].  While  knowledge-of-exponent 
assumptions  are  fairly  strong,  there  is  evidence  that  such 
assumptions  may  be  inherent  for  constructing  zk-SNARKs 
[24,  25], 

C.  zk-SNARK  implementations 

There  are  three  published  implementations  of  zk-SNARKs: 
(i)  Parno  et  al.  [13]  present  an  implementation  of  zk-SNARKs 
for  programs  having  no  data  dependencies;8  (ii)  Ben-Sasson 
et  al.  [14]  present  an  implementation  of  zk-SNARKs  for 
arbitrary  programs  (with  data  dependencies);  and  (iii)  Ben- 
Sasson  et  al.  [16]  present  an  implementation  of  zk-SNARKs 


A.  Data  structures 

We  begin  by  describing,  and  giving  intuition  about,  the  data 
structures  used  by  a  DAP  scheme.  The  algorithms  that  use  and 
produce  these  data  structures  are  introduced  in  Section  III-B. 

Basecoin  ledger.  Our  protocol  is  applied  on  top  of  a  ledger- 
based  base  currency  such  as  Bitcoin;  for  generality  we  refer 
to  this  base  currency  as  Basecoin.  At  any  given  time  T,  all 
users  have  access  to  Lt,  the  ledger  at  time  T,  which  is  a 
sequence  of  transactions.  The  ledger  is  append-only  (i.e.,  T  < 
T'  implies  that  Lt  is  a  prefix  of  Lt').w  The  transactions  in 
the  ledger  include  both  Basecoin  transactions  as  well  as  two 
new  transaction  types  described  below. 

Public  parameters.  A  list  of  public  parameters  pp  is  available 
to  all  users  in  the  system.  These  are  generated  by  a  trusted  party 
at  the  “start  of  time”  and  are  used  by  the  system’s  algorithms. 

Addresses.  Each  user  generates  at  least  one  address  key 
pair  (addrpk,  addrsk).  The  public  key  addrpk  is  published  and 
enables  others  to  direct  payments  to  the  user.  The  secret  key 
addrsk  is  used  to  receive  payments  sent  to  addrpk.  A  user  may 
generate  any  number  of  address  key  pairs. 

Coins.  A  coin  is  a  data  object  c,  to  which  we  associate  the 
following: 

•  A  coin  commitment ,  denoted  cm(c):  a  string  that  appears 
on  the  ledger  once  c  is  minted. 


Pr 


(x,  a)  6  Tic 
V(tv)  =  1 


7While  most  zk-SNARK  descriptions  in  the  literature  only  mention  statistical 
zero  knowledge,  all  zk-SNARK  constructions  can  be  made  perfect  zero 
knowledge  by  allowing  for  a  negligible  error  probability  in  completeness. 

8  They  only  support  programs  where  array  indices  are  restricted  to  be  known 

compile-time  constants;  similarly,  loop  iteration  counts  (or  at  least  upper 
bounds  to  these)  must  be  known  at  compile  time. 


9In  [16],  one  optimization  to  the  verifier’s  runtime  requires  preprocessing 
the  verification  key  vk;  for  simplicity,  we  do  not  use  this  optimization. 

10In  reality,  the  Basecoin  ledger  (such  as  the  one  of  Bitcoin)  is  not  perfect 
and  may  incur  temporary  inconsistencies.  In  this  respect  our  construction  is 
as  good  as  the  underlying  ledger.  We  discuss  the  effects  of  this  on  anonymity 
and  mitigations  in  Section  VI-C. 
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•  A  coin  value ,  denoted  v(c):  the  denomination  of  c,  as 
measured  in  basecoins,  as  an  integer  between  0  and  a 
maximum  value  umax  (which  is  a  system  parameter). 

•  A  coin  serial  number,  denoted  sn(c):  a  unique  string 
associated  with  the  c,  used  to  prevent  double  spending. 

•  A  coin  address,  denoted  addrpk(c):  an  address  public  key, 
representing  who  owns  c. 

Any  other  quantities  associated  with  a  coin  c  (e.g.,  various 
trapdoors)  are  implementation  details. 

New  transactions.  Besides  Basecoin  transactions,  there  are 
two  new  types  of  transactions. 

•  Mint  transactions.  A  mint  transaction  tXMint  is  a  tuple 
(cm,  v,  *),  where  cm  is  a  coin  commitment,  v  is  a  coin  value, 
and  *  denotes  other  (implementation-dependent)  information. 
The  transaction  tXMint  records  that  a  coin  c  with  coin 
commitment  cm  and  value  v  has  been  minted. 

•  Pour  transactions.  A  pour  transaction  txpour  is  a  tuple 
(rt,  sn°ld,  sn?^,  cm"ew,  cm“,  wpub.  info,  *),  where  rt  is  a  root 
of  a  Merkle  tree,  sn°ld ,  sn^1, d  are  two  coin  serial  numbers, 
cmjew,cm!)ew  are  two  coin  commitments,  ripub  is  a  coin 
value,  info  is  an  arbitrary  string,  and  *  denotes  other 
(implementation-dependent)  information.  The  transaction 
txpour  records  the  pouring  of  two  input  (and  now  consumed) 
coins  c°ld,C2ld,  with  respective  serial  numbers  sn°ld,sn2ld, 
into  two  new  output  coins  cjew,c!)ew,  with  respective  coin 
commitments  cmjew,  cm^6™,  as  well  as  a  public  output  i>pub 
(which  may  be  zero).  Furthermore,  txpour  also  records  an 
information  string  info  (perhaps  containing  information  on 
who  is  the  recipient  of  i>pub  basecoins)  and  that,  when  this 
transaction  was  made,  the  root  of  the  Merkle  tree  over  coin 
commitments  was  rt  (see  below). 

Commitments  of  minted  coins  and  serial  numbers  of  spent 
coins.  For  any  given  time  T, 

•  CM  List ^  denotes  the  list  of  all  coin  commitments  appearing 
in  mint  and  pour  transactions  in  Lt', 

»  SNListj’  denotes  the  list  of  all  serial  numbers  appearing  in 
pour  transactions  in  Lt- 

While  both  of  these  lists  can  be  deduced  from  Lt,  it  will  be 
convenient  to  think  about  them  as  separate  (as,  in  practice, 
these  may  be  separately  maintained  due  to  efficiency  reasons). 
Merkle  tree  over  commitments.  For  any  given  time  T, 
Tree^  denotes  a  Merkle  tree  over  CM  List ^  and  rt^  its  root. 
Moreover,  the  function  Path;r(cm)  gives  the  authentication 
path  from  a  coin  commitment  cm  appearing  in  CMListy  to 
the  root  of  Treer-11  For  convenience,  we  assume  that  Lt  also 
stores  rtr'  for  all  T'  <  T  (i.e.,  it  stores  all  past  Merkle  tree 
roots). 

B.  Algorithms 

A  DAP  scheme  II  is  a  tuple  of  polynomial-time  algorithms 

(Setup,  CreateAddress,  Mint,  Pour,  VerifyTransaction, 
Receive) 

11  While  we  refer  to  Mekle  trees  for  simplicity,  it  is  straightforward  to  extend 
the  definition  to  allow  other  data  structures  representing  sets  with  fast  insertion 
and  short  proofs  of  membership. 


with  the  following  syntax  and  semantics. 

System  setup.  The  algorithm  Setup  generates  a  list  of  public 
parameters: 

Setup 

•  INPUTS:  security  parameter  A 
_#  OUTPUTS:  public  parameters  pp 

The  algorithm  Setup  is  executed  by  a  trusted  party.  The 
resulting  public  parameters  pp  are  published  and  made  available 
to  all  parties  (e.g.,  by  embedding  them  into  the  protocol’s 
implementation).  The  setup  is  done  only  once',  afterwards,  no 
trusted  party  is  needed,  and  no  global  secrets  or  trapdoors  are 
kept. 

Creating  payment  addresses.  The  algorithm  CreateAddress 
generates  a  new  address  key  pair: 

CreateAddress 

•  INPUTS:  public  parameters  pp 

•  OUTPUTS:  address  key  pair  (addrpk,  addrsk) 

Each  user  generates  at  least  one  address  key  pair 
(addrpk,  addrsk)  in  order  to  receive  coins.  The  public  key  addrpk 
is  published,  while  the  secret  key  addrs|<  is  used  to  redeem 
coins  sent  to  addrpi<.  A  user  may  generate  any  number  of 
address  key  pairs;  doing  so  does  not  require  any  interaction. 
Minting  coins.  The  algorithm  Mint  generates  a  coin  (of  a 
given  value)  and  a  mint  transaction: 

Mint 

•  INPUTS: 

-  public  parameters  pp 

-  coin  value  v  €  {0, 1, ... ,  t;max} 

-  destination  address  public  key  addrpi< 

_•  OUTPUTS:  coin  c  and  mint  transaction  tXMint 

A  system  parameter,  umax,  caps  the  value  of  any  single  coin. 
The  output  coin  c  has  value  v  and  coin  address  addrpi<;  the 
output  mint  transaction  tx^int  equals  (cm,t>,*),  where  cm  is 
the  coin  commitment  of  c. 

Pouring  coins.  The  Pour  algorithm  transfers  value  from 
input  coins  into  new  output  coins,  marking  the  input  coins 
as  consumed.  Moreover,  a  fraction  of  the  input  value  may  be 
publicly  revealed.  Pouring  allows  users  to  subdivide  coins  into 
smaller  denominations,  merge  coins,  and  transfer  ownership 
of  anonymous  coins,  or  make  public  payments.12 

Pour 

•  INPUTS: 

-  public  parameters  pp 

-  the  Merkle  root  rt 

-  old  coins  c°ld,c°ld 

-  old  addresses  secret  keys  add r^,  add r°jj.d2 

-  authentication  path  pathx  from  commitment  cm(c°id)  to 
root  rt, 

12 We  consider  pours  with  2  inputs  and  2  outputs,  for  simplicity  and  (as 
discussed  in  Section  I-B)  without  loss  of  generality. 
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authentication  path  path2  from  commitment  cm(c2ld)  to 
root  rt 

-  new  values  v"ew,v£ew 

-  new  addresses  public  keys  addr^™,  addrp™ 

-  public  value  i>put> 

-  transaction  string  info 

_•  OUTPUTS:  new  coins  c"ew.  c!)ew  and  pour  transaction  txpour 

Thus,  the  Pour  algorithm  takes  as  input  two  distinct  input 
coins  c°ld,C2ld,  along  with  corresponding  address  secret  keys 
add r°|I.d1 ,  addr^  (required  to  redeem  the  two  input  coins).  To 
ensure  that  c°ld,C2ld  have  been  previously  minted,  the  Pour 
algorithm  also  takes  as  input  the  Merkle  root  rt  (allegedly, 
equal  to  the  root  of  Merkle  tree  over  all  coin  commitments  so 
far),  along  with  two  authentication  paths  pathx,  path2  for  the 
two  coin  commitments  cm(c°ld),  cm(c2ld).  Two  input  values 
ujew,u2ew  specify  the  values  of  two  new  anonymous  coins 
c"ew,C26w  to  be  generated,  and  two  input  address  public  keys 
addr^.addr^™  specify  the  recipients  of  c5'ew,c"ew.  A  third 
value,  Upub,  specifies  the  amount  to  be  publicly  spent  (e.g., 
to  redeem  coins  or  pay  transaction  fees).  The  sum  of  output 
values  Ui  +  t>2  +  uPub  must  be  equal  to  the  sum  of  the  values 
of  the  input  coins  (and  cannot  exceed  umax).  Finally,  the  Pour 
algorithm  also  receives  an  arbitrary  string  info,  which  is  bound 
into  the  output  pour  transaction  txpour. 

The  Pour  algorithm  outputs  two  new  coins  c;ew,c(!ew 
and  a  pour  transaction  txpour.  The  transaction  txpour  equals 
(rt,  sn°ld,  sn°ld,  cmjew,  cm!)ew,  t'pub,  info,  *),  where  cm;™, 
cm"  are  the  two  coin  commitments  of  the  two  output  coins, 
and  *  denotes  other  (implementation-dependent)  information. 
Crucially,  txpour  reveals  only  one  currency  value,  the  public 
value  i>pub  (which  may  be  zero);  it  does  not  reveal  the  payment 
addresses  or  values  of  the  old  or  new  coins. 

Verifying  transactions.  The  algorithm  VerifyTransaction 
checks  the  validity  of  a  transaction: 

VerifyTransaction 

•  inputs: 

-  public  parameters  pp 

-  a  (mint  or  pour)  transaction  tx 

-  the  current  ledger  L 

_•  OUTPUTS:  bit  b,  equals  1  iff  the  transaction  is  valid 

Both  mint  and  pour  transactions  must  be  verified  before  being 
considered  well-formed.  In  practice,  transactions  can  be  verified 
by  the  nodes  in  the  distributed  system  maintaining  the  ledger, 
as  well  as  by  users  who  rely  on  these  transactions. 

Receiving  coins.  The  algorithm  Receive  scans  the  ledger  and 
retrieves  unspent  coins  paid  to  a  particular  user  address: 

Receive 

•  inputs: 

-  recipient  address  key  pair  (addrpk,  addrs|<) 

-  the  current  ledger  L 

_•  OUTPUTS:  set  of  (unspent)  received  coins 


When  a  user  with  address  key  pair  (addrpk,  addrs|<)  wishes  to 
receive  payments  sent  to  addrpk,  he  uses  the  Receive  algorithm 
to  scan  the  ledger.  For  each  payment  to  addrpk  appearing  in  the 
ledger.  Receive  outputs  the  corresponding  coins  whose  serial 
numbers  do  not  appear  on  the  ledger  L.  Coins  received  in 
this  way  may  be  spent,  just  like  minted  coins,  using  the  Pour 
algorithm.  (We  only  require  Receive  to  detect  coins  paid  to 
addrpk  via  the  Pour  algorithm  and  not  also  detect  coins  minted 
by  the  user  himself.) 

Next,  we  describe  completeness  (Section  III-C)  and  security 
(Section  III-D). 

C.  Completeness 

Completeness  of  a  DAP  scheme  requires  that  unspent  coins 
can  be  spent.  More  precisely,  consider  a  ledger  sampler  S 
outputting  a  ledger  L.  If  Ci  and  c2  are  two  coins  whose  coin 
commitments  appear  in  (valid)  transactions  on  L,  but  their 
serial  numbers  do  not  appear  in  L,  then  c  |  and  c2  can  be 
spent  using  Pour.  Namely,  running  Pour  results  in  a  pour 
transaction  txpour  that  VerifyTransaction  accepts,  and  the  new 
coins  can  be  received  by  the  intended  recipients  (by  using 
Receive);  moreover,  txpour  correctly  records  the  intended  vpilb 
and  transaction  string  info.  This  property  is  formalized  via  an 
incompleteness  experiment  INCOMP. 

Definition  III.l.  A  DAP  scheme  II  =  (Setup,  CreateAddress, 
Mint,  Pour,  VerifyTransaction,  Receive)  is  complete  if  no 
polynomial-size  ledger  sampler  S  wins  INCOMP  with  more 
than  negligible  probability. 

D.  Security 

Security  of  a  DAP  scheme  is  characterized  by  three  prop¬ 
erties,  which  we  call  ledger  indistinguishability,  transaction 
non-malleability,  and  balance. 

Definition  III. 2.  A  DAP  scheme  II  =  (Setup,  CreateAddress, 
Mint,  Pour,  VerifyTransaction,  Receive)  is  secure  if  it  satisfies 
ledger  indistinguishability,  transaction  non-malleability,  and 
balance. 

Below,  we  provide  an  informal  overview  of  each  property, 
and  defer  formal  definitions  to  the  extended  version  of  this 
paper  [26]. 

Each  property  is  formalized  as  a  game  between  an  adversary 
A  and  a  challenger  C.  In  each  game,  the  behavior  of  honest 
parties  is  realized  via  a  DAP  scheme  oracle  0D  ,  which 
maintains  a  ledger  L  and  provides  an  interface  for  executing 
CreateAddress,  Mint,  Pour  and  Receive  algorithms  for  honest 
parties.  To  elicit  behavior  from  honest  parties,  A  passes  a  query 
to  C,  which  (after  sanity  checks)  proxies  the  query  to  C?DAP. 
For  each  query  that  requests  an  honest  party  to  perform  an 
action,  A  specifies  identities  of  previous  transactions  and  the 
input  values,  and  learns  the  resulting  transaction,  but  not  any  of 
the  secrets  or  trapdoors  involved  in  producing  that  transaction. 
The  oracle  C?DAP  also  provides  an  Insert  query  that  allows  A 
to  directly  add  aribtrary  transactions  to  the  ledger  L. 
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Ledger  indistinguishability.  This  property  captures  the 
requirement  that  the  ledger  reveals  no  new  information  to 
the  adversary  beyond  the  publicly-revealed  information  (values 
of  minted  coins,  public  values,  information  strings,  total  number 
of  transactions,  etc.),  even  when  the  adversary  can  adaptively 
induce  honest  parties  to  perform  DAP  operations  of  his  choice. 
That  is,  no  bounded  adversary  A  can  distinguish  between  two 
ledgers  L 0  and  L1,  constructed  by  A  using  queries  to  two 
DAP  scheme  oracles,  when  the  queries  to  the  two  oracles  are 
publicly  consistent:  they  have  matching  type  and  are  identical 
in  terms  of  publicly-revealed  information  and  the  information 
related  to  addresses  controlled  by  A. 

Ledger  indistinguishability  is  formalized  by  an  experiment 
L-IND  that  proceeds  as  follows.  First,  a  challenger  samples  a 
random  bit  b  and  initializes  two  DAP  scheme  oracles  (Tq  AP 
and  0°AP,  maintaining  ledgers  L0  and  L±.  Throughout,  the 
challenger  allows  A  to  issue  queries  to  Oq  ap  and  (TPAP,  thus 
controlling  the  behavior  of  honest  parties  on  Lq  and  Lj.  The 
challenger  provides  the  adversary  with  the  view  of  both  ledgers, 
but  in  randomized  order:  L|_eft  :=  L&  and  L^ght  :=  Li-b-  The 
adversary’s  goal  is  to  distinguish  whether  the  view  he  sees 
corresponds  to  (L|_eft,  LRight)  =  ( L0,Li ),  i.e.  b  =  0,  or  to 
(L|_eft, T-Right)  =  (Li,Lo),  i.e.  6—1. 

At  each  round  of  the  experiment,  the  adversary  issues  queries 
in  pairs  Q,  Q'  of  matching  query  type.  If  the  query  type  is 
CreateAddress,  then  the  same  address  is  generated  at  both 
oracles.  If  it  is  to  Mint,  Pour  or  Receive,  then  Q  is  forwarded 
to  L0  and  Q'  to  L\ ;  for  Insert  queries,  query  Q  is  forwarded 
to  L|_eft  and  Q'  is  forwarded  to  LRjght.  The  adversary’s  queries 
are  restricted  in  the  sense  that  they  must  maintain  the  public 
consistency  of  the  two  ledgers.  For  example,  the  public  values 
for  Pour  queries  must  be  the  same,  as  well  as  minted  amounts 
for  Mint  queries. 

At  the  conclusion  of  the  experiment,  A  outputs  a  guess  b' , 
and  wins  when  6  =  6'.  Ledger  indistinguishability  requires  that 
A  wins  L-IND  with  probability  at  most  negligibly  greater  than 
1/2- 

Transaction  non-malleability.  This  property  requires  that 
no  bounded  adversary  A  can  alter  any  of  the  data  stored 
within  a  (valid)  pour  transaction  txpour.  This  transaction  non¬ 
malleability  prevents  malicious  attackers  from  modifying  others’ 
transactions  before  they  are  added  to  the  ledger  (e.g.,  by  re¬ 
targeting  the  Basecoin  public  output  of  a  pour  transaction). 

Transaction  non-malleability  is  formalized  by  an  experiment 
TR-NM.  in  which  A  adaptively  interacts  with  a  DAP  scheme 
oracle  (7DAP  and  then  outputs  a  pour  transaction  tx* .  Letting 
T  denote  the  set  of  pour  transactions  returned  by  (TDAP,  and 
L  denote  the  final  ledger,  A  wins  the  game  if  there  exists 
tx  6  T,  such  that  (i)  tx*  A  tx;  (ii)  tx*  reveals  a  serial  number 
contained  in  tx;  and  (iii)  both  tx  and  tx*  are  valid  with  respect 
to  the  ledger  L'  containing  all  transactions  preceding  tx  on  L. 
In  other  words,  A  wins  the  game  if  tx*  manages  to  modify 
some  previous  pour  transaction  to  spend  the  same  coin  in  a 
different  way. 

Transaction  non-malleability  requires  that  A  wins  TR-NM 
with  only  negligible  probability.  (Note  that  A  can  of  course 


produce  valid  pour  transactions  that  are  unrelated  to  those  in  T ; 
the  condition  that  tx*  reveals  a  serial  number  of  a  previously- 
spent  coin  captures  non-malleability.) 

Balance.  This  property  requires  that  no  bounded  adversary 
A  can  own  more  money  than  what  he  minted  or  received  via 
payments  from  others. 

Balance  is  formalized  by  an  experiment  BAL,  in  which  A 
adaptively  interacts  with  a  DAP  scheme  oracle  (7DAP  and  then 
outputs  a  set  of  coins  Sco\n.  Letting  S’addr  be  set  of  addresses 
returned  by  CreateAddress  queries  (i.e.,  addresses  of  "honest” 
users),  A  wins  the  game  if  the  total  value  he  can  spend  or 
has  spent  (either  as  coins  or  Basecoin  public  outputs)  is 
greater  than  the  value  he  has  received  or  mined.  That  is,  A 
Wins  if  VlJnspent  +  vBasecoin  +  VA-rADDR  >  fMint  +  t’ADDR-i-yt 
where:  (i)  ^unspent  is  the  total  value  of  unspent  coins  in  SCoin; 
(ii)  ^Basecoin  is  the  total  value  of  public  outputs  placed  by  A  on 
the  ledger;  (iii)  fMint  is  the  total  value  of  A’s  mint  transactions; 
(iv)  fADDR^yt  is  the  total  value  of  payments  received  by  A 
from  addresses  in  Saddr;  (v)  ua^addr  is  the  total  value  of 
payments  sent  by  A  to  addresses  in  S'addr- 

Balance  requires  that  A  wins  BAL  with  only  negligible 
probability. 

IV.  Construction  of  a  decentralized  anonymous 

PAYMENT  SCHEME 

We  show  how  to  construct  a  DAP  scheme  (introduced 
in  Section  III)  using  zk-SNARKs  and  other  building  blocks. 
Later,  in  Section  V,  we  give  a  concrete  instantiation  of  this 
construction. 

A.  Cryptographic  building  blocks 

We  first  introduce  notation  for  the  standard  cryptographic 
building  blocks  that  we  use.  We  assume  familiarity  with  the 
definitions  of  these  building  blocks;  for  more  details,  see,  e.g., 
[27].  Throughout,  A  denotes  the  security  parameter. 
Collision-resistant  hashing.  We  use  a  collision-resistant  hash 
function  CRH  :  {0, 1}*  — »  {0, 1}°(AZ 

Pseudorandom  functions.  We  use  a  pseudorandom  function 
family  PRF  =  {PRFX:  {0,1}*  — »  (0,  l}°(Al}a.  where  x  de¬ 
notes  the  seed.  From  PRF^,  we  derive  three  “non-overlapping” 
pseudorandom  functions,  chosen  arbitrarily  as  PRF;}ddr(z)  := 
PRFx(00||z),  PRF}n(z)  :=  PRFs(01||z),  PRF?(z)  := 
PRFx(10||z).  Furthermore,  we  assume  that  PRFsn  is  also 
collision  resistant,  in  the  sense  that  it  is  infeasible  to  find 
(x,z)  ^  {x',z')  such  that  PRF™(z)  =  PRF^(z')- 
Statistically-hiding  commitments.  We  use  a  commitment 
scheme  COMM  where  the  binding  property  holds  computa¬ 
tionally,  while  the  hiding  property  holds  statistically.  It  is 
denoted  (COMMj,:  (0, 1}*  — »  (0, l}°(A)},r  where  x  denotes 
the  commitment  trapdoor.  Namely,  to  reveal  a  commitment  cm 
to  a  value  z,  it  suffices  to  provide  z  and  the  trapdoor  x;  then 
one  can  check  that  cm  =  COMMI,(z). 

One-time  strongly-unforgeable  digital  signatures.  We  use  a 

digital  signature  scheme  Sig  =  (Qs\gi  ACsig,  Ss\g,  Vsig)  that  works 
as  follows. 
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•  0sig(lA)  — >  PPsig-  Given  a  security  parameter  A  (presented 
in  unary),  Qsig  samples  public  parameters  ppenc  for  the 
encryption  scheme. 

•  /Csig(ppsig)  -A  (pksig,sksig).  Given  public  parameters  ppsig, 
/Csig  samples  a  public  key  and  a  secret  key  for  a  single  user. 

•  <Ssig(sksjg,  to)  -a  a.  Given  a  secret  key  sks;g  and  a  message 
m,  iSs;g  signs  m  to  obtain  a  signature  a. 

•  Vsig(pksig,  to,  a)  — >  b.  Given  a  public  key  pksig,  message  m, 
and  signature  a,  Vsig  outputs  b  =  1  if  the  signature  a  is  valid 
for  message  m;  else  it  outputs  6  =  0. 

The  signature  scheme  Sig  satisfies  the  security  property  of 
one-time  strong  unforgeability  against  chosen-message  attacks 
(SUF-1CMA  security). 

Key-private  public-key  encryption.  We  use  a  public-key 
encryption  scheme  Enc  =  (Qenc,  fCenc,  fenc,  2?enc)  that  works 
as  follows. 

•  Qe nc(lA)  — >  PPenc-  Given  a  security  parameter  A  (presented 
in  unary),  Qenc  samples  public  parameters  ppenc  for  the 
encryption  scheme. 

.  /Cenc(PPenc)  (pkenc!  skenc)-  Given  public  parameters  ppenc, 
/Cenc  samples  a  public  key  and  a  secret  key  for  a  single  user. 

•  £enc(pkenc,  to)  -a  c.  Given  a  public  key  pkenc  and  a  message 
to,  Sene  encrypts  to  to  obtain  a  ciphertext  c. 

•  22enc(skenc,  c)  — >  to.  Given  a  secret  key  skenc  and  a  ciphertext 
c,  T>e„c  decrypts  c  to  produce  a  message  to  (or  _!_  if 
decryption  fails). 

The  encryption  scheme  Enc  satisfies  two  security  properties: 
(i)  ciphertext  indistinguishability  under  chosen-ciphertext  attack 
(IND-CCA  security);  and  (ii)  key  indistinguishability  under 
chosen-ciphertext  attack  (IK-CCA  security).  While  the  first 
property  is  standard,  the  second  is  less  known;  informally, 
IK-CCA  requires  that  ciphertexts  cannot  be  linked  to  the  public 
key  used  to  encrypt  them,  or  to  other  ciphertexts  encrypted 
with  the  same  public  key.  For  definitions,  we  refer  the  reader 
to  [21]. 


B.  zk-SNARKs  for  pouring  coins 

As  outlined  in  Section  I-B,  our  construction  invokes  a 
zk-SNARK  for  a  specific  NP  statement,  POUR,  which  we  now 
define.  We  first  recall  the  context  motivating  POUR.  When  a 
user  u  pours  “old”  coins  c{ld,c2ld  into  new  coins  cjew,c(!ew, 
a  corresponding  pour  transaction 


,  /  .  old  old  new  new  ■  r  \ 

txpOUr  =  (rt,sn1  ,  sn2  ,cm1  ,cm2  ,  wpub,  into,  *) 


„old 


is  generated.  In  our  construction,  we  need  to  provide  evidence  in 
that  various  conditions  were  respected  by  the  pour  operation. 
Concretely,  txpour  should  demonstrate  that  (i)  u  owns  c°ld,  c2 d; 
(ii)  coin  commitments  for  c°ld,c2ld  appear  somewhere  on  the 
ledger;  (iii)  the  revealed  serial  numbers  sn°ld,sn2ld  are  of 
c°ld,c2ld;  (iv)  the  revealed  coin  commitments  cm“,cm“ 
are  of  c5ew,c2ew;  (v)  balance  is  preserved.  Our  construction 
achieves  this  by  including  a  zk-SNARK  proof  7rPOuR  for  the 
statement  POUR  which  checks  the  above  invariants  (as  well  as 
others  needed  for  non-malleability). 

The  statement  POUR.  Concretely,  the  NP  statement  POUR 
is  defined  as  follows. 


•  Instances  are  of  the  form  x  =  (rt,  sn°ld,  sn2id,  cm“, 

fpub:  Asig,  hi,  hf)-  Thus,  an  instance  x  specifies  a  root  rt  for 
a  CRH-based  Merkle  tree  (over  the  list  of  commitments  so 
far),  the  two  serial  numbers  of  the  consumed  coins,  two  coin 
commitments  for  the  two  new  coins,  a  public  value,  and 
fields  Asigi  h±,  6-2  used  for  non-malleability. 

•  Witnesses  are  of  the  form  a  =  ( path x ,  path2,  c°ld,  c2ld, 
addr^,  addr^,  c"ew,  c2ew)  where,  for  each  i  €  {1,2}: 


old 

TO 

new 

TO 


(addr^ 

(addr"p^ 


v?d,p?d,r°'d,s?d 


_  old  \ 

T  ) 


new  new  new 

,  Pi  ,  G 


new 

>  TO 


) 


for  the  same  cm-“  as  in  x, 


addr^i  =  (a»lkd,i,pO  > 

addr"ek»  =  (a^,pken-)  , 

addr^^^.sO  . 


Thus,  a  witness  a  specifies  authentication  paths  for  the  two 
new  coin  commitments,  the  entirety  of  coin  information 
about  both  the  old  and  new  coins,  and  address  secret  keys 
for  the  old  coins. 

Given  a  POUR  instance  x,  a  witness  a  is  valid  for  x  if  the 
following  holds: 

1)  For  each  i  £  {1,  2}: 

a)  The  coin  commitment  cm°ld  of  c°ld  appears  on  the 
ledger,  i.e.,  path;  is  a  valid  authentication  path  for 
leaf  cm°ld  with  respect  to  root  rt,  in  a  CRH-based 
Merkle  tree. 

b)  The  address  secret  key  matches  the  address  public 

key  of  c°ld,  i.e.,  =  PRFgJ(O). 

c)  The  serial  number  sn°id  of  c°id  is  computed  correctly, 
i.e.,  sn°ld  =  PRF^>°ld). 

d)  The  coin  c°ld  is  well-formed,  i.e.,  cm°ld  = 

COMMsf(COMMrf(a°'di||p?ld)||u?ld). 

e)  The  coin  c"ew  is  well-formed,  i.e.,  cm"ew  = 

COMM  (COMM  ,.r  (a^ekw;  1 1  p"ew )  1 1  <ew )  • 

f)  The  address  secret  key  a°{d;  ties  h$\g  to  hi,  i.e.,  hi  = 

PRF^d  (hSig). 

sk,i 

2)  Balance  is  preserved:  v"ew  + +  vpub  =  t’ild  +  t’2d  (with 
Z)Jld,  V^d  >  0  and  U°ld  +  U2d  <  Umax). 

Recall  that  in  this  paper  zk-SNARKs  are  relative  to  the 
language  of  arithmetic  circuit  satisfiability  (see  Section  II); 
thus,  we  express  the  checks  in  POUR  via  an  arithmetic  circuit, 
denoted  Cpour-  In  particular,  the  depth  dtree  of  the  Merkle 
tree  needs  to  be  hardcoded  in  CVour,  and  we  thus  make  it 
a  parameter  of  our  construction  (see  below);  the  maximum 
number  of  supported  coins  is  then  2d,r“. 


C.  Algorithm  constructions 

We  proceed  to  describe  the  construction  of  the  DAP  scheme 
II  =  (Setup,  CreateAddress,  Mint,  Pour,  VerifyTransaction, 
Receive)  whose  intuition  was  given  in  Section  I-B.  Figure  2 
gives  the  pseudocode  for  each  one  of  the  six  algorithms  in  II, 
in  terms  of  the  building  blocks  introduced  in  Section  IV-A  and 
Section  IV-B.  In  the  construction,  we  hardcode  two  quantities: 
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Setup 

•  INPUTS:  security  parameter  A 

•  OUTPUTS:  public  parameters  pp 

1)  Construct  Cpour  for  POUR  at  security  A. 

2)  Compute  (pkP0DR,  vkp0DR)  :=  KeyGen(l\ Cpour). 

3)  Compute  ppenc  :=<?enc(lA). 

4)  Compute  ppsig  :=  0sig(lA)- 

5)  Set  pp  :=  (pkP0UE,vkP0UR,  PPenc  PPsig)- 

6)  Output  pp. 

CreateAddress 

•  INPUTS:  public  parameters  pp 

•  OUTPUTS:  address  key  pair  (addrpk,  addrsk) 

1)  Compute  (pkenc,skenc)  := /Cenc(ppenc)- 

2)  Randomly  sample  a  pRFaddr  seed  as k. 

3)  Compute  apk  =  PRFaddr(0). 

4)  Set  addrpk  :=  (opk,  pkenc). 

5)  Set  addrsk  :=  (ask,skenc). 

6)  Output  (addrpk,  add^k). 

Mint 

•  INPUTS: 

-  public  parameters  pp 

-  Coin  value  V  £  {0,  1,  .  .  .  ,  "Umax} 

-  destination  address  public  key  addrpk 

•  OUTPUTS:  coin  c  and  mint  transaction  tx^int 

1)  Parse  addrpk  as  (apk,  pkenc). 

2)  Randomly  sample  a  PRFsn  seed  p. 

3)  Randomly  sample  two  COMM  trapdoors  r,  s. 

4)  Compute  k  :=  COMMr(apk||p). 

5)  Compute  cm  :=  COMMs(v||fc). 

6)  Set  c  :=  (addrpk,  v,  p,  r,  s,  cm). 

7)  Set  tXMint  :=  (cm,v,*),  where  *  :=  (k,s). 

8)  Output  c  and  tXMint- 

VerifyTransaction 

•  INPUTS: 

-  public  parameters  pp 

-  a  (mint  or  pour)  transaction  tx 

-  the  current  ledger  L 

•  OUTPUTS:  bit  b,  equals  1  iff  the  transaction  is  valid 

1)  If  given  a  mint  transaction  tx  =  tXMjnt: 

a)  Parse  tXMint  as  (cm,-u,  *),  and  *  as  (k,  s). 

b)  Set  cm'  :=  COMMs(i?||fc). 

c)  Output  b  :=  1  if  cm  =  cm',  else  output  b  :=  0. 

2)  If  given  a  pour  transaction  tx  =  txpour: 

a)  Parse  txpour  as  (rt,  sn°ld,  sn2ld,  cmjew,  cm^,  upub,  info,  *),  and  *  as 
(pksig,/ii,/i2,7TpouR,  Ci,  C2,<r). 

b)  If  sn°ld  or  sn2ld  appears  on  L  (or  sn5ld  =  sn|ld),  output  b  :=  0. 

c)  If  the  Merkle  root  rt  does  not  appear  on  L,  output  b  :=  0. 

d)  Compute  h s\g  :=  CRH(pksig). 

e)  Set  x  :=  (rt,  sn°ld,  sn2ld,  cm"ew,  cm2ew,  Vpub,  ^Sig?  ^2)- 

f)  Set  m  :=  (x,  7Tpour,  info,  Ci,  C2) 

g)  Compute  b  :=  Vsjg(pksig,  m,  a). 

h)  Compute  b'  :=  Verify(vkPouRj  x,  ttpour)*  and  output  b  A  b' . 


Pour 

•  INPUTS: 

-  public  parameters  pp 

-  the  Merkle  root  rt 

-  old  coins  c°ld ,  c2ld 

-  old  addresses  secret  keys  addr^.^,  addr°k2 

-  path  path]^  from  commitment  cm(c°ld)  to  root  rt, 
path  path2  from  commitment  cmjc^)  to  root  rt 

-  new  values  ^;ew,  ^ew 

-  new  addresses  public  keys  addrjJJ^,  addr^w2 

-  public  value  vpub 

-  transaction  string  info 

•  OUTPUTS:  new  coins  c5ew,c2ew  and  pour  transaction  txpol 

1)  For  each  i  £  {1,  2}: 

. ,  cm°ld). 


,,old  „old  ,,old  Oold 


a)  Parse  c°ld  as  (addr°£v,  , pv1 

b)  Parse  addr*  as  (a^,  sk°JV). 

c)  Compute  sn°ld  :=  PRFs“ld  (p°ld). 

d)  Parse  addr^"  as  (a"'",’ pk^J. 

e)  Randomly  sample  a  PRFsn  seed  pjew. 

f)  Randomly  sample  two  COMM  trapdoors  r"ew, 

g)  Compute  /c?ew  :=  COMMrnew  (a^wJp"ew). 

h)  Compute  cm£ew  :=  COMIvf^ew (vJew||A:Jew). 


:=  (addrj 


new 

pk,i’  ui 
new  ^ 


,  cm-c 
*?"))■ 


i)  Set  cj' 

j)  Set  C i  :=  ^enc(pkei 

2)  Generate  (pksig,  sksig)  :=  /Csig(ppsig). 

3)  Compute  hs\g  :=  CRH(pksig). 

4)  Compute  hi  :=  PRFpJjd  (hs ig)  and  h2  :=  PRFpJjd  (hS\g). 


5)  Set  x  :=  (rt,  sn°ld,  sn2ld,  cm"ew,  cm2ew,  r;pub,  hs\g,  hi,  h2). 

6)  Set  a  :=  (pathl5  path2,  c°ld,  c2ld,  addr®^,  addr°j!.d2,  cjew,  c2ew). 

7)  Compute  7tPour  :=  Prove(pkP0UR,  x,  a). 

8)  Set  m  :=  (x,  7tPour,  info,  Ci,  C2). 

9)  Compute  a  :=  »Ssjg  (sksjg,  m). 

10)  Set  txpour  :=  (rt,  sn°ld,  sn2ld,  cmjew,  cm2ew,  t!pub,  info,  *),  where 
*  :=  (pksjg,  hi,h2, 7rpouRj  Ci,  C2,  <7). 

11)  Output 


Receive 

•  INPUTS: 

-  public  parameters  pp 

-  recipient  address  key  pair  (addrpk,  addrsk) 

-  the  current  ledger  L 

•  OUTPUTS:  set  of  received  coins 

1)  Parse  addrpk  as  (apk,  pkenc). 

2)  Parse  addrsk  as  (ask,skenc)- 

3)  For  each  Pour  transaction  txpour  on  the  ledger: 

a)  Parse  txpour  as  (rt,  snl(ld,  sn£ld,  cm"ew,  cmj™,  t)pub>  info,  *), 
and  *  as  (pksi  hi,  fe2> ttpohri  Ci,  C2,  <r). 

b)  For  each  i  £  { 1 , 2} : 

i)  Compute  (vt,  Pi,  n,  Si)  :=  X>enc(skenc,  Ci). 

ii)  If  2?enc’s  output  is  not  ,  verify  that: 

.  cmaew  equals  COMMSi  (ud|COMMri  (apk||ft)); 

•  sn,  :=  PRF-  (p,)  does  not  appear  on  L. 

iii)  If  both  checks  succeed,  output 

c i  :=  (addrpk,  Vi,  pi,  n,  Si,  cm™™). 


Fig.  2:  Construction  of  a  DAP  scheme  using  zk-SNARKs  and  other  ingredients. 


the  maximum  value  of  a  coin,  vmax,  and  the  depth  of  the 
Merkle  tree,  dtree. 

D.  Completeness  ancl  security 

Our  main  theorem  states  that  the  above  construction  is  indeed 
a  DAP  scheme. 

Theorem  IV.  1.  The  tuple  n  =  (Setup,  CreateAddress,  Mint, 
Pour,  VerifyTransaction,  Receive),  as  defined  in  Section  IV-C, 


is  a  complete  (cf.  Definition  III.  1)  and  secure  (cf.  Defini¬ 
tion  III. 2)  DAP  scheme. 

We  provide  a  proof  of  Theorem  IV.  1  in  the  extended  version  of 
this  paper  [26].  We  note  that  our  construction  can  be  modified  to 
yield  statistical  (i.e.,  everlasting)  anonymity;  see  the  discussion 
in  the  extension  section  of  the  full  version  of  this  paper. 

Remark  (trusted  setup).  Security  of  II  relies  on  a  trusted  party 
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running  Setup  to  generate  the  public  parameters  (once  and  for 
all).  This  trust  is  needed  for  the  transaction  non-malleability 
and  balance  properties  but  not  for  ledger  indistinguishability. 
Thus,  even  if  a  powerful  espionage  agency  were  to  corrupt 
the  setup,  anonymity  will  still  be  maintained.  Moreover,  if 
one  wishes  to  mitigate  the  trust  requirements  of  this  step,  one 
can  conduct  the  computation  of  Setup  using  secure  multiparty 
computation  techniques;  we  leave  this  to  future  work. 

V.  Zerocash 

We  describe  a  concrete  instantiation  of  a  DAP  scheme;  this 
instantiation  forms  the  basis  of  Zerocash.  Later,  in  Section  VI, 
we  discuss  how  Zerocash  can  be  integrated  with  existing  ledger- 
based  currencies. 

A.  Instantiation  of  building  blocks 

We  instantiate  the  DAP  scheme  construction  from  Section  IV 
(see  Figure  2),  aiming  at  a  level  of  security  of  128  bits.  Doing 
so  requires  concrete  choices,  described  next. 

CRH,  PRF,  COMM  from  SHA256.  Let  H  be  the  SHA256 
compression  function,  which  maps  a  512-bit  input  to  a  256- 
bit  output.  We  mostly  rely  on  H,  rather  than  the  “full” 
hash,  since  this  suffices  for  our  fixed-size  single-block  inputs, 
and  it  simplifies  the  construction  of  CPOur-  We  instantiate 
CRH,  PRF.  COMM  viaTf  (under  suitable  assumptions  on  H). 

First,  we  instantiate  the  collision-resistant  hash  function  CRH 
as  'H(z)  for  2  £  {0,  l}512;  this  function  compresses  “two-to- 
one”,  so  it  can  be  used  to  construct  binary  Merkle  trees.13 

Next,  we  instantiate  the  pseudorandom  function  PRFa;(2)  as 
H(x\\z),  with  x  £  {0,  l}256  as  the  seed,  and  2  £  {0,  l}256  as 
the  input.14  Thus,  the  derived  functions  are  PRF^ddr(2)  := 
U{x\\00\\z),  PRF^(2)  :=  H(x\\01\\z)  and  PRFf(2)  := 
%(xjjl0||2),  with  x  £  {0,  l}256  and  2  £  {0,  l}254. 

As  for  the  commitment  scheme  COMM,  we  only  use  it  in 
the  following  pattern: 

k  :=  COMMr(apk||/3) 
cm  :=  COMMs(n||fc) 

Due  to  our  instantiation  of  PRF,  apk  is  256  bits.  So  we  can 
set  p  also  to  256  bits  and  r  to  256  +  128  =  384  bits;  then  we 
can  compute  k  :=  COMMr(aPk||p)  as  H(r\\  [%(apk||p)]i28)- 
Above,  [-]  128  denotes  that  we  are  truncating  the  256-bit  string 
to  128  bits  (say,  by  dropping  least-significant  bits,  as  in  our 
implementation).  Heuristically,  for  any  string  x  £  {0,  l}128, 
the  distribution  induced  by  T-L(r\\x)  is  2_128-close  to  uniform, 
and  this  forms  the  basis  of  the  statistically-hiding  property.  For 
computing  cm,  we  set  coin  values  to  be  64-bit  integers  (so  that, 
in  particular,  t)max  =  26'1  —  1  in  our  implementation),  and  then 
compute  cm  :=  COMMs(n||fc)  as  7/(fc||0192||u).  Noticeably, 

13A  single  exception:  we  still  compute  hsig  according  to  the  full  hash 
SHA256,  rather  than  its  compression  function,  because  there  is  no  need  for 
this  computation  to  be  verified  by  Cpour. 

14This  assumption  is  reminiscent  of  previous  works  analyzing  the  security 
of  hash-based  constructions  (e.g.,  [28]).  However  in  this  work  we  assume 
that  a  portion  of  the  compression  function  is  the  seed  for  the  pseudorandom 
function,  rather  than  using  the  chaining  variable  as  in  [28]. 


above  we  are  ignoring  the  commitment  randomness  s.  The 
reason  is  that  we  already  know  that  k,  being  the  output  of  a 
statistically-hiding  commitment,  can  serve  as  randomness  for 
the  next  commitment  scheme. 

Instantiating  the  NP  statement  POUR.  The  above  choices 
imply  a  concrete  instantiation  of  the  NP  statement  POUR 
(see  Section  IV-B).  Specifically,  in  our  implementation,  POUR 
checks  that  the  following  holds,  for  each  i  £  {1,2}: 

•  path;  is  an  authentication  path  for  leaf  cm°ld  with  respect 
to  root  rt,  in  a  CRH-based  Merkle  tree; 

•  <i  =  ^(«smII°256); 

.  sn°id=H(<J|01||[p°ld]254); 

.  cmold  =^(^(rold||[H(ao,d!;||po,d)]i28)||0192||wold); 

.  cmrw  =  H(^(rrw||[H(a"ekWil|pr)]i28)||0192||«rw);  and 
.  hi=H«1j||10||[hSig]254). 

Moreover,  POUR  checks  that  v Jiew  +  i>2ew  +  t>pub  =  n°ld  +  v2ld, 
with  vfd,  v%'d  >  0  and  v?ld  +  n§ld  <  264. 

Finally,  as  mentioned,  in  order  for  Cpour  to  t>e  well-defined, 
we  need  to  fix  a  Merkle  tree  depth  dtree.  In  our  implementation, 
we  fix  dtree  =  64,  and  thus  support  up  to  264  coins. 
Instantiating  Sig.  For  the  signature  scheme  Sig,  we  use 
ECDSA  to  retain  consistency  and  compatibility  with  the 
existing  bitcoind  source  code.  However,  standard  ECDSA  is 
malleable:  both  (r,  s)  and  (r,  —s)  verify  as  valid  signatures.  We 
use  a  non-malleable  variant,  where  s  is  restricted  to  the  “lower 
half”  of  field  elements.  While  we  are  not  aware  of  a  formal 
SUF-CMA  proof  for  this  variant,  its  use  is  consistent  with 
proposals  to  resolve  Bitcoin  transaction  malleability  [29]. 15 
Instantiating  Enc.  For  the  encryption  scheme  Enc,  we  use 
the  key-private  Elliptic-Curve  Integrated  Encryption  Scheme 
(ECIES)  [30,  31];  it  is  one  of  the  few  standardized  key-private 
encryption  schemes  with  available  implementations. 

For  further  details  about  efficiently  realizing  these  in  the 
arithmetic  circuit  for  POUR,  see  the  full  version  of  this  paper. 

VI.  Integration  with  existing  ledger-based 
CURRENCIES 

Zerocash  can  be  deployed  atop  any  ledger  (even  one  main¬ 
tained  by  a  central  bank.)  Here,  we  briefly  detail  integration 
with  the  Bitcoin  protocol.  Unless  explicitly  stated  otherwise, 
in  the  following  section  when  referring  to  Bitcoin ,  and  its  unit 
of  account  bitcoin  (plural  bitcoins),  we  mean  the  underlying 
protocol  and  software,  not  the  currency  system.  (  The  discussion 
holds,  with  little  or  no  modification,  for  many  forks  of  Bitcoin, 
a.k.a.  “altcoins”,  such  as  Litecoin.) 

By  introducing  new  transaction  types  and  payment  semantics, 
Zerocash  breaks  compatibility  with  the  Bitcoin  network.  While 
Zerocash  could  be  integrated  into  Bitcoin  (the  actual  currency 
and  its  supporting  software)  via  a  “flag  day”  where  a  super- 
majority  of  Bitcoin  miners  simultaneously  adopt  the  new 
software,  we  neither  expect  nor  advise  such  integration  in  the 
near  future  and  suggest  using  Zerocash  in  a  separate  altcoin. 

15In  practice,  one  might  replace  this  ECDSA  variant  with  an  EC-Schnorr 
signature  satisfying  SUF-CMA  security  with  proper  encoding  of  EC  group 
elements;  the  performance  would  be  similar. 
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Integrating  Zerocash  into  Bitcoin  consists  of  adding  a  new 
transaction  type,  Zerocash  transactions,  and  modifying  the 
protocol  and  software  to  invoke  Zerocash’s  DAP  interface  to 
create  and  verify  these  transactions.  Two  approaches  to  doing 
so  are  described  next,  followed  by  a  discussion  of  anonymizing 
the  network  layer. 

A.  Integration  by  replacing  the  base  currency 

One  approach  is  to  alter  the  underlying  system  so  that 
all  monetary  transactions  are  done  using  Zerocash,  i.e.,  by 
invoking  the  DAP  interface  and  writing/reading  the  associated 
transactions  in  the  distributed  ledger. 

As  seen  in  Section  III,  this  suffices  to  offer  the  core 
functionality  of  payments,  minting,  merging,  splitting,  etc., 
while  assuring  users  that  all  transactions  using  this  currency 
are  anonymous.  However,  this  has  several  drawbacks:  all 
transactions  incur  the  cost  of  generating  a  zk-SNARK  proof; 
the  scripting  feature  of  Bitcoin  is  lost;  and  Bitcoin’s  ability  to 
spend  unconfirmed  transactions  is  lost. 

B.  Integration  by  hybrid  currency 

A  different  approach  is  to  extend  Bitcoin  with  a  parallel, 
anonymized  currency  of  “zerocoins,”  existing  alongside  bit- 
coins,  using  the  same  ledger,  and  with  the  ability  to  convert 
freely  between  the  two.  The  behavior  and  functionality  of 
regular  bitcoins  is  unaltered;  in  particular,  they  may  support 
functionality  such  as  scripting. 

In  this  approach,  the  Bitcoin  ledger  consists  of  Bitcoin-style 
transactions,  containing  inputs  and  outputs  [20].  Each  input  is 
either  a  pointer  to  an  output  of  a  previous  transaction  (as  in  plain 
Bitcoin),  or  a  Zerocash  pour  transaction  (which  contributes  its 
public  value,  wpub.  of  bitcoins  to  this  transaction).  Outputs 
are  either  an  amount  and  destination  public  address/script 
(as  in  plain  Bitcoin),  or  a  Zerocash  mint  transaction  (which 
consumes  the  input  bitcoins  to  produce  zerocoins).  The  usual 
invariant  over  bitcoins  is  maintained  and  checked  in  plain 
view:  the  sum  of  bitcoin  inputs  (including  pours’  t)pub)  must 
be  at  least  the  sum  of  bitcoin  outputs  (including  mints’  v), 
and  any  difference  is  offered  as  a  transaction  fee.  However, 
the  accounting  for  zerocoins  consumed  and  produced  is  done 
separately  and  implicitly  by  the  DAP  scheme. 

C.  Additional  anonymity  considerations 

Zerocash  only  anonymizes  the  transaction  ledger.  Network 
traffic  used  to  announce  transactions,  retrieve  blocks,  and 
contact  merchants  will  still  leak  identifying  information  (e.g., 
IP  addresses).  Thus  users  need  some  anonymity  network  to 
safely  use  Zerocash.  The  most  obvious  way  to  do  this  is  via 
Tor  [32].  Given  that  Zerocash  transactions  are  not  low  latency 
themselves,  Mixnets  (e.g.,  Mixminion  [33])  are  also  a  viable 
way  to  add  anonymity  (and  one  that  is  not  as  vulnerable  to 
traffic  analysis  as  Tor).  Using  mixnets  that  provide  email-like 
functionality  has  the  added  benefit  of  providing  an  out-of-band 
notification  mechanism  as  a  replacement  to  Receive. 

Additionally,  although  in  theory  all  users  have  a  single 
view  of  the  block  chain,  a  powerful  attacker  could  potentially 


fabricate  an  additional  block  solely  for  a  targeted  user.  Spending 
any  coins  with  respect  to  the  updated  Merkle  tree  in  this 
“poison-pill”  block  will  uniquely  identify  the  targeted  user.  To 
mitigate  such  attacks,  users  should  check  with  trusted  peers 
their  view  of  the  block  chain  and,  for  sensitive  transactions, 
only  spend  coins  relative  to  blocks  further  back  in  the  ledger 
(since  creating  the  illusion  for  multiple  blocks  is  far  harder). 

VII.  Experiments 

To  measure  the  performance  of  Zerocash.  we  ran  several 
experiments.  First,  we  benchmarked  the  performance  of  the 
zk-SNARK  for  the  NP  statement  POUR  (Section  VII- A)  and 
of  the  six  DAP  scheme  algorithms  (Section  VII-B).  Second, 
we  studied  the  impact  of  a  higher  block  verification  time  via  a 
simulation  of  a  Bitcoin  network  (Section  VII-C). 

A.  Performance  of  zk-SNARKs  for  pouring  coins 

Our  zk-SNARK  for  the  NP  statement  POUR  is  obtained  by 
constructing  an  arithmetic  circuit  <7POur  for  verifying  POUR, 
and  then  invoking  the  generic  implementation  of  zk-SNARK 
for  arithmetic  circuit  satisfiability  of  [16]  (see  Section  II-C). 
The  arithmetic  circuit  CVour  is  built  from  scratch  and  hand- 
optimized  to  exploit  nondeterministic  verification  and  the  large 
field  characteristic. 

Figure  3  reports  performance  characteristics  of  the  resulting 
zk-SNARK  for  POUR.  This  includes  three  settings:  single¬ 
thread  performance  on  a  laptop  machine;  and  single-thread 
and  multi-thread  performance  on  a  desktop  machine.  (The 
time  measurements  are  the  average  of  10  runs,  with  standard 
deviation  under  2.5%.) 

B.  Performance  of  Zerocash  algorithms 

In  Figure  4  we  report  performance  characteristics  for  each 
of  the  six  DAP  scheme  algorithms  in  our  implementation.  Note 
that  these  numbers  do  not  include  the  costs  of  maintaining  the 
Merkle  tree  because  doing  so  is  not  the  responsibility  of  these 
algorithms.  Moreover,  for  VerifyTransaction,  we  separately 
report  the  cost  of  verifying  mint  and  pour  transactions  and,  in 
the  latter  case,  we  exclude  the  cost  of  scanning  L  (as  this  cost 
depends  on  L).  Finally,  for  the  case  of  Receive,  we  report  the 
cost  to  process  a  given  pour  transaction  in  L. 

C.  Large-scale  network  simulation 

Because  Bitcoin  mining  typically  takes  place  on  dedicated 
GPUs  or  ASICs,  the  CPU  resources  to  execute  the  DAP  scheme 
algorithms  are  often  of  minimal  consequence  to  network 
performance.  There  is  one  potential  exception  to  this  rule:  the 
VerifyTransaction  algorithm  must  be  run  by  all  of  the  network 
nodes  in  the  course  of  routine  transaction  validation.  The  time 
it  takes  to  perform  this  verification  can  have  significant  impact 
on  network  performance. 

In  the  Zerocash  implementation  (as  in  Bitcoin),  every  Zero- 
cash  transaction  is  verified  at  each  hop  as  it  is  forwarded  though 
the  network  and,  potentially,  again  when  blocks  containing  the 
transaction  are  verified.  Verifying  a  block  consists  of  checking 
the  proof  of  work  and  validating  the  contained  transactions. 
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Fig.  3:  Performance  of  our  zk-SNARK  for  the  NP  statement  POUR. 

(IV  =  10,  cr  <  2.5%) 

Thus  Zerocash  transactions  may  take  longer  to  spread  though 
the  network  and  blocks  containing  Zerocash  transactions  may 
take  longer  to  verify.  While  we  are  concerned  with  the  first 
issue,  the  potential  impact  of  the  second  issue  is  cause  for 
greater  concern.  This  is  because  Zerocash  transactions  cannot 
be  spent  until  they  make  it  onto  the  ledger. 

Because  blocks  are  also  verified  at  each  hop  before  they  are 
forwarded  through  the  network,  delays  in  block  verification 
slow  down  the  propagation  of  new  blocks  through  the  network. 
This  causes  nodes  to  waste  CPU-cycles  mining  on  out-of-date 
blocks,  reducing  the  computational  power  of  the  network  and 
making  it  easier  to  mount  a  “51%  attack”  (dishonest  majority 
of  miners)  on  the  distributed  ledger. 

It  is  a  priori  unclear  whether  this  potential  issue  is  a 
real  concern.  Bitcoin  caches  transaction  verifications,  so  a 
transaction  that  was  already  verified  when  it  propagated  through 
the  network  need  not  be  verified  again  when  it  is  seen  in  a 
block.  The  unknown  is  what  percentage  of  transactions  in  a 
block  are  actually  in  any  given  node’s  cache.  We  thus  conduct 
a  simulation  of  the  Bitcoin  network  to  investigate  both  the 
time  it  takes  Zerocash  transactions  to  make  it  onto  the  ledger 
and  establish  the  effects  of  Zerocash  transactions  on  block 
verification  and  propagation.  We  find  that  Zerocash  transactions 
can  be  spent  reasonably  quickly  and  that  the  effects  of  increased 
block  validation  time  are  minimal. 

Simulation  design.  Because  Zerocash  requires  breaking 
changes  to  the  Bitcoin  protocol,  we  cannot  test  our  protocol  in 
the  live  Bitcoin  network  or  even  in  the  dedicated  testnet.  We 
must  run  our  own  private  testnet.  For  efficiency  and  cost  reasons, 
we  would  like  to  run  as  many  Bitcoin  nodes  as  possible  on  the 
least  amount  of  hardware.  This  raises  two  issues.  First,  reducing 
the  proof  of  work  to  practical  levels  while  still  preserving  a 
realistic  rate  of  new  blocks  is  difficult  (especially  on  virtualized 
hardware  with  variable  performance).  Second,  the  overhead  of 
zk-SNARK  verification  prevents  us  from  running  many  Bitcoin 

16346B  of  this  are  due  to  the  ciphertexts  Ci,  Cb-  Future  implementations 
may  significantly  reduce  this  overhead  or  discard  these  (cf.  Section  VI-C). 

17We  note  that  a  for  both  Mint  and  VerifyTransaction  (mint)  is  higher 
than  2.5%  due  to  the  variability  at  such  short  timescales.  Respectively,  it  is 
3.3  ps  and  1.9  ps. 


Fig.  4:  Performance  of  Zerocash  algorithms. 

(N  =  10,  a  <  2.5%17) 

nodes  on  one  virtualized  server. 

The  frequency  of  new  blocks  can  be  modeled  as  a  Poisson 
process  with  a  mean  of  A  block  seconds.  To  generate  blocks 
stochastically,  we  modify  bitcoind  to  fix  its  block  difficulty 
at  a  trivial  level  and  run  a  Poisson  process,  on  the  simulation 
control  server,  which  trivially  mines  a  block  on  a  randomly 
selected  node.  This  preserves  the  distribution  of  blocks,  without 
the  computational  overhead  of  a  real  proof  of  work.  Another 
Poisson  process  triggering  mechanism,  with  a  different  mean 
Atx,  introduces  new  transactions  at  random  network  nodes. 

To  differentiate  which  transactions  represent  normal  Bitcoin 
expenditures  vs.  which  contain  Zerocash  pour  transactions, 
simulated  Zerocash  transactions  pay  a  unique  amount  of 
bitcoins  (we  set  this  value  arbitrarily  at  7  BTC).  If  a  trans¬ 
action's  output  matches  this  preset  value,  and  it  is  not  in 
verification  cache,  then  our  modified  Bitcoin  client  inserts 
a  10ms  delay  simulating  the  runtime  of  VerifyTransaction.18 
Otherwise  transactions  are  processed  as  specified  by  the  Bitcoin 
protocol.  We  vary  the  amount  of  simulated  Zerocash  traffic  by 
varying  the  number  of  transactions  with  this  particular  output 
amount.  This  minimizes  code  changes  and  estimates  only  the 
generic  impact  of  verification  delays  and  not  of  any  specific 
implementation  choice. 

Methodology.  Recent  research  [17]  suggests  that  the  Bitcoin 
network  contains  16,000  distinct  nodes  though  most  are  likely 
no  longer  participating:  approximately  3,500  are  reachable 
at  any  given  time.  Each  node  has  an  average  of  32  open 
connections  to  randomly  selected  peers.  As  of  November  2013, 
the  peak  observed  transaction  rate  for  Bitcoin  is  slightly  under 
one  transaction  per  second  [34], 

In  our  simulation,  we  use  a  1000-node  network  in  which 
each  node  has  an  average  of  32  peers,  transactions  are  generated 
with  a  mean  of  Atx  =  1  s,  a  duration  of  1  hour,  and  a  variable 
percentage  e  of  Zerocash  traffic.  To  allow  for  faster  experiments, 
instead  of  generating  a  block  every  10  minutes  as  in  Bitcoin, 
we  create  blocks  at  an  average  of  every  A block  =  150  s  (as  in 
Litecoin,  a  popular  altcoin). 

18Subsequent  optimizations  lowered  the  cost  of  VerifyTransaction  below 
this,  after  our  experiments. 
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(a)  Transaction  latency 


(b)  Block  propagation  time 


(c)  Block  verification  time 


Fig.  5:  The  average  values  of  the  three  metrics  we  study,  as  a  function  of  e,  the  percentage  of  transactions  that  are  Zerocash  transactions.  Note 
that,  in  (a),  latency  is  undefined  when  e  =  0  and  hence  omitted. 


We  run  our  simulation  for  different  traffic  mixes,  where 
e  indicates  the  percentage  of  Zerocash  transactions  and  e  G 
{0%,  25%,  50%,  75%,  100%}.  Each  simulation  is  run  on  200 
Amazon  EC2  general-purpose  ml  .medium  instances,  in  one 
region  on  a  10.10./16  private  network.  On  each  instance, 
we  deploy  5  instances  ofbitcoind. 

Results.  Transactions  are  triggered  by  a  blocking  function  call 
on  the  simulation  control  node  that  must  connect  to  a  random 
node  and  wait  for  it  to  complete  sending  a  transaction.  Because 
the  Poisson  process  modeling  transactions  generates  delays 
between  such  calls  and  not  between  the  exact  points  when  the 
node  actuals  sends  the  transactions,  the  actual  transaction  rate 
is  skewed.  In  our  experiments  the  real  transaction  rate  shifts 
away  from  our  target  of  one  per  second  to  an  average  of  one 
every  1.4  seconds. 

In  Figure  5  we  plot  three  metrics  for  e  G  (0%,  25%,  50%, 
75%,  100%}.  Each  is  the  average  defined  over  the  data  from 
the  entire  run  of  the  simulation  for  a  given  e  (i.e.,  they  include 
multiple  transactions  and  blocks).19  Transaction  latency  is  the 
interval  between  a  transaction’s  creation  and  its  inclusion  in 
a  block.  Block  propagation  time  comes  in  two  flavors:  1)  the 
average  time  for  a  new  block  to  reach  a  node  computed  over 
the  times  for  all  nodes,  and  2)  the  same  average  computed 
over  only  the  last  node  to  see  the  block. 

Block  verification  time  is  the  average  time,  over  all  nodes, 
required  to  verify  a  block.  If  verification  caching  was  not 
effective,  we  would  expect  to  see  a  marked  increase  in  both 
block  verification  time  and  propagation  time.  Since  blocks 
occur  on  average  every  150  s,  and  we  expect  approximately 
one  transaction  each  second,  we  should  see  150  x  10  ms  = 
1500  ms  of  delay  if  all  transactions  were  non-cached  Zerocash 
transactions.  Instead,  we  see  worst  case  80  ms  and  conclude 
caching  is  effective.  This  results  in  a  negligible  effect  on  block 
propagation  (likely  because  network  operations  dominate). 

The  time  needed  for  a  transaction  to  be  confirmed,  and  hence 

19Because  our  simulated  Bitcoin  nodes  ran  on  shared  EC2  instances,  they 
were  subject  to  variable  external  load,  limiting  the  benchmark  precision.  Still,  it 
clearly  demonstrates  that  the  mild  additional  delay  does  not  cause  catastrophic 
network  effects. 


spendable,  is  roughly  190  s.  For  slower  block  generation  rates 
(e.g.,  Bitcoin’s  block  every  10  minutes)  this  should  mean  users 
must  wait  only  one  block  before  spending  received  transactions. 

VIII.  Optimizations  and  extensions 

See  the  extended  version  of  this  paper  [26]  for  extensions 
on  everlasting  anonymity,  batched  Merkle  tree  updates,  faster 
block  propagation,  and  scaling  to  264  serial  numbers. 

IX.  Concurrent  work 

Danezis  et  al.  [19]  suggest  using  zk-SNARKs  to  reduce 
proof  size  and  verification  time  in  Zerocoin.  Our  work  differs 
from  [19]  in  both  supported  functionality  and  scalability. 

First,  [19]’s  protocol,  like  Zerocoin,  only  supports  fixed- value 
coins,  and  is  best  viewed  as  a  decentralized  mix.  Instead,  we 
define,  construct,  and  implement  a  full-fledged  decentralized 
electronic  currency,  which  provides  anonymous  payments  of 
any  amount. 

Second,  in  [19],  the  complexity  of  the  zk-SNARK  generator, 
prover,  and  verifier  all  scale  superlinearly  in  the  number  of 
coins,  because  their  arithmetic  circuit  computes,  explicitly, 
a  product  over  all  coins.  In  particular,  the  number  of  coins 
“mixed  together”  for  anonymity  cannot  be  large.  Instead,  in  our 
construction,  the  respective  complexities  are  poly  logarithmic, 
polylogarithmic,  and  constant  in  the  number  of  coins;  our 
approach  supports  a  practically-unbounded  number  of  coins. 

X.  Conclusion 

Decentralized  currencies  should  ensure  a  user’s  privacy  from 
his  peers  when  conducting  legitimate  financial  transactions. 
Zerocash  provides  such  privacy  protection,  by  hiding  user 
identities,  transaction  amounts,  and  account  balances  from 
public  view.  This,  however,  may  be  criticized  for  hampering 
accountability,  regulation,  and  oversight.  Yet,  Zerocash  need 
not  be  limited  to  enforcing  the  basic  monetary  invariants  of 
a  currency  system.  The  underlying  zk-SNARK  cryptographic 
proof  machinery  is  flexible  enough  to  support  a  wide  range  of 
policies.  It  can,  for  example,  let  a  user  prove  that  he  paid  his  due 
taxes  on  all  transactions  without  revealing  those  transactions, 
their  amounts,  or  even  the  amount  of  taxes  paid.  As  long 
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as  the  policy  can  be  specified  by  efficient  nondeterministic 
computation  using  NP  statements,  it  can  (in  principle)  be 
enforced  using  zk-SNARKs,  and  added  to  Zerocash.  This 
can  enable  privacy-preserving  verification  and  enforcement 
of  a  wide  range  of  compliance  and  regulatory  policies  that 
would  otherwise  be  invasive  to  check  directly  or  might  be 
bypassed  by  corrupt  authorities.  This  raises  research,  policy, 
and  engineering  questions  over  what  policies  are  desirable  and 
practically  realizable. 

Another  research  question  is  what  new  functionality  can 
be  realized  by  augmenting  the  capabilities  already  present  in 
Bitcoin’s  scripting  language  with  zk-SNARKs  that  allow  fast 
verification  of  expressive  statements. 
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Abstract.  Zerocoin  proposed  adding  decentralized  cryptographically 
anonymous  e-cash  to  Bitcoin.  Given  the  increasing  popularity  of  Bitcoin 
and  its  reliance  on  a  distributed  pseudononymous  public  ledger,  this 
anonymity  is  important  if  only  to  provide  the  same  minimal  privacy 
protections  from  nosy  neighbors  offered  by  conventional  banking.  Unfor¬ 
tunately,  at  25KB,  the  non-interactive  zero-knowledge  proofs  for  spending 
a  zerocoin  are  nearly  prohibitively  large.  In  this  paper,  we  consider  several 
improvements.  First,  we  strengthen  Zerocoin’s  anonymity  guarantees, 
making  them  independent  of  the  size  of  these  proofs.  Given  this  freedom, 
we  explore  several  techniques  for  drastically  reducing  proof  size  while 
ensuring  that  forging  a  single  zerocoin  is  more  difficult  than  the  block 
mining  process  used  to  maintain  Bitcoin’s  distributed  ledger.  Provided 
a  zerocoin  is  worth  less  than  the  reward  for  a  Bitcoin  block,  forging  a 
coin  is  not  an  economically  rational  action.  Hence  we  preserve  Zerocoin’s 
absolute  anonymity  guarantees  while  achieving  drastic  reductions  in  proof 
size  by  limiting  ourselves  to  security  against  rational  attackers. 

Keywords:  Privacy,  e-cash 


1  Introduction 

Bitcoin  is  an  electronic  currency  built  atop  a  distributed  transaction  ledger. 
While  Bitcoin  has  achieved  widespread  success,  it  has  significant  weaknesses 
related  to  transaction  privacy  [16,21].  Zerocoin  [17]  attempts  to  address  these 
issues  by  extending  Bitcoin  with  a  new  form  of  anonymous  electronic  cash.  To 
add  privacy  while  retaining  Bitcoin’s  decentralized  nature,  Zerocoin  uses  a  novel 
construction  based  on  digital  commitments  and  efficient  zero-knowledge  proofs 
that  a  commitment  is  in  a  list  of  commitments.  While  this  construction  achieves 
strong  anonymity  and  prevents  double  spending,  it  can  incur  significant  costs.  In 
particular,  to  achieve  cryptographically  strong  protection  against  double  spending, 
Zerocoin  uses  large  “spend  proofs”  that  grow  rapidly  as  A,  the  resistance  of  the 
proofs  to  forgery,  increases.  Even  for  the  modest  A  =  80  security  level  (ensuring 
forgery  effort  of  280  operations),  Zerocoin  spend  proofs  exceed  25KB.  Since  these 
proofs  must  be  stored  in  the  block  chain,  the  large  size  of  these  proofs  makes  it 
challenging  to  deploy  Zerocoin  in  practice. 

In  this  work  we  explore  extensions  to  Zerocoin  that  may  substantially  decrease 
the  size  of  these  proofs.  Our  key  observation  is  a  need  for  revised  assumptions. 
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Zerocoin  was  designed  on  the  assumption  that  all  proofs  must  by  computationally 
infeasible  to  forge.  We  observe  that  this  requirement  is,  in  a  certain  sense,  an 
anachronism  of  cryptographic  formalism.  For  example,  in  the  real  world  we 
do  not  require  that  physical  money  be  impossible  to  forge,  merely  that  it  be 
impossible  to  forge  while  making  a  profit.  Indeed  this  is  already  true  of  Zerocoin: 
the  Bitcoin  block  chain,  upon  which  Zerocoin’s  integrity  depends,  does  not  itself 
provide  strong  cryptographic  guarantees  against  powerful  attackers.  Instead,  the 
Bitcoin  protocol  depends  on  the  weaker  assumption  that  an  attacker  cannot 
amass  more  than  50%  of  the  Bitcoin  network’s  computational  power.1  Thus  in 
some  sense,  cryptographically  unforgeable  zerocoins  are  simply  impossible:  even 
if  the  Zerocoin  primitives  resist  forgery,  Bitcoin’s  block  chain  can  be  manipulated 
to  provide  the  same  effect.  However,  the  standard  game-based  approaches  of 
the  type  used  in  the  original  security  analysis  of  Zerocoin  do  not  provide  us  any 
insight  into  safely  reducing  the  Zerocoin  security  parameter.  Given  that  this 
would  offer  a  substantial  performance  improvements,  it  is  interesting  to  consider 
new  methods  of  analysis. 

A  primary  contribution  of  this  paper  is  a  new  methodology  for  examining 
the  computational  cost  of  forging  non-interactive  zero-knowledge  proofs  relative 
to  the  computational  costs  of  Bitcoin  mining.  Our  main  result  is  as  follows:  by 
using  the  payout  from  mining  a  new  block  as  a  baseline,  we  can  actually  quantify 
the  cost  of  forging  a  non- interactive  zero-knowledge  proof.  As  a  result,  we  are 
able  to  construct  game  theoretic  arguments  for  Zerocoin’s  resistance  to  forgery 
assuming  a  rational  actor  who  wishes  to  profit  from  forging  such  a  coin. 

In  and  of  itself,  unfortunately,  this  new  perspective  does  not  allow  us  to  lower 
the  security  parameter  A  as  far  as  we  would  like  nor,  consequently,  realize  the 
full  reduction  in  proof  size  and  increase  in  proof  performance.  To  fully  realize 
these  savings,  we  examine  two  different  techniques  for  increasing  the  cost  of  coin 
forgery  without  raising  Zerocoin’s  proof  sizes.  In  our  new  model,  the  security 
parameters  are  chosen  based  on  economic  considerations  —  such  as  the  value  of 
a  zerocoin. 

An  immediate  concern  with  our  new  approach  is  that  there  exist  other  factors 
that  cannot  be  priced  as  easily  as  coin  forgery.  One  such  factor  is  the  user’s 
anonymity.  There  are  no  known  techniques  for  pricing  the  value  of  a  user’s  long¬ 
term  transaction  privacy,  since  this  price  is  subjective  and  may  vary  from  user 
to  user.  Moreover,  we  cannot  easily  predict  the  future  cost  of  de-anonymization 
attacks.  Indeed,  since  Zerocoin  transcripts  may  be  retained  for  long  periods 
of  time,  the  cost  of  executing  an  offline  attack  on  a  user’s  anonymity  may 
decrease  enormously  over  time  as  new  computational  techniques  (e.g.,  quantum 
computers)  become  available.  We  must  be  careful  in  our  protocol  changes,  since 
even  a  minor  weakening  of  the  zero-knowledge  characteristics  of  Zerocoin’s  proofs 
could  have  significant  long-term  impact  on  the  anonymity  of  users.  Thus  a 
necessary  prerequisite  of  our  above  analysis  is  an  explicit  separation  of  Zerocoin’s 
security  as  a  real-world  currency  from  its  anonymity  as  a  “pure”  cryptographic 
protocol. 

1  Some  recent  results  raise  questions  about  this  50%  number  [9]. 
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Fortunately  we  are  able  to  address  this  concern  in  our  work.  In  fact,  through 
some  simple  enhancements  to  the  Zerocoin  protocol,  we  are  able  to  provide  an 
even  stronger  guarantee  than  what  is  provided  by  the  original  Zerocoin  paper. 
Specifically,  our  new  construction  ensures  that  proofs  will  provide  long-term 
statistical  zero-knowledge  even  when  the  hash  function  they  are  instantiated  with 
proves  to  be  non-ideal,  i.e.,  it  behaves  very  differently  from  a  random  oracle.2 
Our  analysis  is  somewhat  unusual  in  that  it  applies  only  to  the  zero-knowledge 
property  of  the  proofs;  we  continue  to  analyze  the  soundness  of  the  proofs  under 
the  assumption  of  an  ideal  hash.  The  key  benefit  of  our  approach  is  that  we  are 
able  to  retain  the  efficiency  of  the  original  Fiat-Shamir  proofs  while  ensuring  that 
user  anonymity  is  protected  over  long  periods  of  time.  This  gives  us  everlasting 
anonymity  in  the  common  reference  string  model. 

Finally,  as  an  independent  contribution,  we  outline  a  construction  for  divisible 
Zerocoin.  The  original  Zerocoin  protocol  proposes  a  new  form  of  electronic  cash 
in  which  individual  coins  all  have  the  same  value.  While  the  Bitcoin-equivalent 
value  of  each  zerocoin  can  be  adjusted  by  protocol  convention  (and  multiple 
denominations  of  Zerocoin  can  be  instantiated  simultaneously),  this  property 
can  still  be  quite  restrictive.  In  this  work  we  show  how  to  modify  the  Zerocoin 
protocol  to  create  divisible  coins,  such  that  every  zerocoin  can  contain  an  arbitrary 
individual  denomination  which  may  subsequently  be  “subdivided”  into  new  coins 
of  arbitrary  value. 

2  Background 

2.1  Bitcoin 

Bitcoin  is  a  distributed  e-cash  system  that  operates  without  trusted  parties  or 
signing  authorities.  Indeed,  the  only  cryptographic  keys  necessary  for  the  system 
to  operate  are  held  by  individual  users  and  used  to  authenticate  fund  transfers. 

At  a  high  level,  Bitcoin  is  a  set  of  transaction  semantics  built  on  top  of  a 
distributed  ledger  which  is  known  as  the  block  chain.  The  exact  semantics  of 
the  transactions  are  irrelevant  here,  so  for  a  more  detailed  discussion  of  them 
and  the  modifications  necessary  for  Zerocoin,  we  direct  the  reader  to  the  original 
Zerocoin  paper  by  Miers  et  al.  [17]  or  the  original  Bitcoin  paper  [19].  Of  extreme 
importance  to  our  proposed  modifications  to  Zerocoin,  however,  is  the  mechanism 
by  which  Bitcoin’s  ledger  is  maintained.  We  detail  it  here. 

Consider  a  version  of  Bitcoin  where  there  were  a  fixed  number  of  network 
nodes.  In  this  case,  we  could  simply  have  the  nodes  vote  on  the  correct  version  of 
the  ledger.  Under  the  assumption  that  the  majority  of  the  nodes  are  honest,  this 
results  in  a  correct  ledger  and  hence  a  valid  currency  system.  Effectively,  this  is 
the  consensus  technique  used  in  Byzantine  systems.  However,  Bitcoin  is  not  such 

2  Specifically,  we  are  concerned  with  future  vulnerabilities  in  hash  functions  such  as 
SHA256  that  might  allow  for  practical  attacks  on  the  zero-knowledge  property  of 
Fiat-Shamir  proofs.  While  this  concern  seems  rarified,  existing  analyses  do  not  allow 
us  to  rule  out  such  attacks. 
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a  closed  network:  anyone  can  download  the  software,  fire  up  an  instance,  and 
join  the  network.  In  particular,  one  individual  can  fire  up  numerous  instances 
and  mount  a  Sybil  attack,  effectively  stuffing  the  ballot  box. 

Bitcoin’s  approach  to  solving  this  issue  is  perhaps  most  intuitively  described  as 
the  one-CPU-cyle-one-vote  approach.  Instead  of  having  each  node  vote,  consider 
a  version  of  Bitcoin  that  places  a  computational  requirement  on  voting  and 
updating  consensus.  Mounting  a  Sybil  attack  would  be  costly.  Bitcoin  takes 
this  one  step  further  and  instead  of  voting,  actually  requires  a  computationally 
intensive  process  to  propose  an  update  and  has  updates  accepted  only  if  they 
add  on  to  the  maximally  difficult  set  of  updates.  Under  the  assumption  that  the 
majority  of  the  computational  power  of  the  network  is  held  by  honest  nodes  and 
the  requirements  that  honest  nodes  only  build  updates  on  valid  updates,  the 
longest  chain  of  updates  will  be  the  correct  consensus  value  of  the  ledger.  Bitcoin 
calls  this  process  mining,  and  we  describe  it  below. 

In  Bitcoin,  each  node  competes  to  produce  an  update  to  the  block  chain, 
known  as  a  block,  containing  new  transactions.  The  block  contains  a  partial  hash 
collision  over  1)  the  previous  block  hash  (hence  block  chain),  2)  the  hash  of  the 
transactions,  and  3)  a  nonce.  This  proof  of  work  is  'Hb{data\\nonce)  <  t  where  t 
is  the  difficulty  target.  The  target  is  picked  by  the  network  every  two  weeks  in 
order  to  cause  the  rate  at  which  blocks  are  created  to  average  10  minutes  given 
the  network’s  current  computational  power.  As  of  November  2013,  the  current 
difficulty  is  609,482,679.89  s=s  229.  The  number  of  expected  hash  calculations 
required  to  generate  a  block  is  given  as  difficulty*  232.  As  a  result,  it  takes  261 
expected  hash  calls  to  generate  a  single  Bitcoin  block.  Bitcoin  uses  the  double 
application  of  SHA256  as  its  hash  function  7 %. 

Bitcoin,  however,  goes  yet  one  step  further  to  ensure  block  chain  integrity:  a 
block  is  not  fully  trusted  until  it  has  a  certain  number  of  confirmations  (typically 
six),  meaning  that  there  are  six  blocks  on  top  of  it.  As  a  result,  the  effort  required 
to  manipulate  a  block  and  completely  ensure  it  stays  on  the  block  chain  is  at 
least  261  *  6  «  263  hash  calls. 


2.2  Zero-Knowledge  Proofs 


In  a  zero-knowledge  protocol  [11]  a  user  (the  prover)  proves  a  statement  to 
another  party  (the  verifier)  without  revealing  anything  about  the  statement  other 
than  that  it  is  true. 

A  three-round  example  of  a  zero-knowledge  protocol  is  often  referred  to 
as  a  Sigma  protocol  because  £  represents  the  flow  of  the  protocol.  The  three 
steps  can  be  described  in  the  following  manner:  1)  commitment,  2)  challenge, 
and  3)  response.  A  popular  and  well-known  example  of  this  is  the  technique  of 
Schnorr  [22],  used  to  prove  knowledge  of  a  discrete  logarithm.  The  protocol  works 
as  follows  (Figure  1): 

Given  a  cyclic  group  G  of  order  q  with  generator  g  and  y  =  gx,  prove 
knowledge  of  x. 
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Prover  Verifier 


Choose  r  Gr  Zq 

Calculate  t  =  gr 

Send  t 

- 

Choose  c  Gr  Zq 

Send  c 
- 

Calculate  s  =  xc  +  r  (mod  q) 

Send  s 

- ^ 

Accept  if  gs  =  tyc 

Figure  1:  Schnorr  protocol  for  proving  knowledge  of  a  discrete  logarithm. 

While  zero-knowledge  protocols  are  normally  viewed  in  the  “general  cheating 
verifier”  setting,  where  no  matter  the  strategy  of  the  verifier  he  learns  no  additional 
information,  we  can  also  consider  the  “honest  verifier”  (or  semi-honest  verifier) 
setting.  An  honest  verifier  must  follow  the  protocol  specifications  exactly  but 
maintains  the  ability  to  keep  a  record  of  the  entire  interaction  [12].  This  is  of  use 
to  us  because  the  Fiat-Shamir  heuristic  [10]  allows  us  to  transform  any  three- 
round  (Sigma)  honest-verifier  zero-knowledge  protocol  into  a  non-interactive 
(one-round)  zero-knowledge  proof  of  knowledge  with  the  use  of  a  hash  function 
modeled  as  a  random  oracle.  We  demonstrate  an  example  of  the  application  of 
the  Fiat-Shamir  heuristic  using  the  Schnorr  protocol  in  Figure  2  below: 


Prover  Verifier 


Choose  r  Gr  1q 

Calculate  t  =  gr 

Compute  c  =  'H(t) 

Calculate  s  =  xc+  r  (mod  q ) 

Send  (t,s) 

- 

Compute  c  =  H(t) 
Accept  if  gs  =  tyc 

Figure  2:  The  Fiat-Shamir  heuristic  as  applied  to  the  Schnorr  protocol. 

When  referring  to  the  aforementioned  proofs  we  will  use  the  notation  of 
Camenisch  and  Stadler  [7].  For  instance,  NIZKPoK{(:r, y)  :  h  =  gx  A  c  =  gv} 
denotes  a  non- interactive  zero-knowledge  proof  of  knowledge  of  the  elements  x 
and  y  that  satisfy  both  h  =  gx  and  c  =  gv .  All  values  not  enclosed  in  ()’s  are 
assumed  to  be  known  to  the  verifier. 

2.3  Zerocoin 

The  original  Zerocoin  protocol  added  anonymous  currency  to  Bitcoin  that  was 
backed  by  bitcoins.  A  zerocoin  was  a  commitment  to  a  serial  number  S.  Zerocoins 
were  minted  when  a  user  submitted  a  transaction  spending  a  fixed  amount  of 
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bitcoins  (e.g.,  1  bitcoin)  and  outputting  a  new  zerocoin.  The  bitcoins  were  placed 
in  an  escrow  pool  and  the  new  zerocoin  added  to  a  list  of  all  zerocoins.  Zerocoins 
could  be  spent  to  withdraw  the  same  fixed  bitcoins  from  the  escrow  pool  by 
revealing  the  serial  number  of  the  coin  and  proving  it  came  from  the  list  of  coins. 
This  proof  was  examined  by  the  distributed  network  running  Bitcoin  and,  if  valid 
and  the  serial  number  unused,  the  correct  amount  of  bitcoins  were  transferred. 
Specifically,  the  proof  was  a  zero-knowledge  proof  that  1)  some  coin  had  that 
serial  number  and  2)  that  that  coin  was  on  the  list  of  minted  coins.  Because  the 
proof  is  zero-knowledge,  any  given  coin  spend  cannot  be  traced  to  its  withdrawal 
and  hence  is  anonymous. 

The  naive  version  of  this  proof,  instantiated  as  “either  this  coin,  or  this  coin, 
or  this  coin,  or  ...  ”,  is  of  size  0(n).  The  principal  cryptographic  contribution 
of  the  original  paper  was  finding  a  compact  representation  of  the  list  of  coins 
that  still  admitted  a  commitment  scheme  containing  a  serial  number.  Miers  et  al. 
accomplished  this  by  using  a  cryptographic  accumulator  [3]  to  represent  the  list 
of  coins  as  one  group  element,  a  proof  due  to  Camenisch  and  Lysyanskaya  [6]  to 
prove  that  a  committed  value  is  accumulated,  and  finally  a  double  discrete  log 
proof  [8]  to  prove  that  the  committed  value  is  actually  a  commitment  to  a  serial 
number.  This  results  in  a  proof  that  is  constant  size  regardless  of  the  number  of 
coins  on  the  list. 

Unfortunately,  the  double  discrete  log  proof  is  constructed  using  cut-and- 
clioose  methods  which  effectively  repeat  a  single  proof  multiple  times  to  decrease 
the  probability  of  forgery.  As  a  result,  the  proof  is  of  size  A  •  2k  where  k  is  the 
size  of  a  single  field  element  and  A  is  the  soundness  parameter  of  the  proof.  For 
1024  bit  commitments  and  an  80  bit  security  level,  this  results  in  a  20KB  double 
discrete  log  proof  and  a  total  proof  size  (including  the  accumulator  proof)  of 
25KB.  Moreover,  single  threaded  runtime  for  both  verification  and  generation  of 
the  proof  runs  in  0( A  •  k). 

Finally,  as  the  proofs  for  spending  a  zerocoin  need  to  be  publicly  verifi¬ 
able  to  allow  the  withdrawal  of  bitcoins  form  the  escrow  pool,  they  must  be 
non-interactive.  To  accomplish  this,  Zerocoin  uses  the  Fiat-Shamir  heuristic  to 
transform  the  above  interactive  proofs  into  non-interactive  ones.  Moreover,  the 
proof  is  actually  used  as  a  signature  of  knowledge,  not  just  spending  a  coin, 
but  also  signing  the  Bitcoin  address  where  the  withdrawn  bitcoins  should  be 
deposited. 

3  Everlasting  Anonymity 

The  original  zero-knowledge  proofs  in  Zerocoin  were  non-interactive  Fiat-Shamir 
proofs  where  both  the  soundness  and  zero-knowledge  property  held  only  in  the 
random  oracle  model.  This  is  a  rather  large  concern  since,  at  some  point  in  the 
future,  it  seems  likely  SHA256  will  be  broken  in  a  way  that  makes  it  utterly 
unsuitable  for  instantiating  a  random  oracle,  just  as  MD5  and  MD2  have  been 
broken.  Old  Zerocoin  proofs  using  that  function  will  still  be  around,  and  their 
anonymity  should  be  preserved  if  possible.  Intuitively,  this  should  not  be  an  issue, 
however,  absent  further  analysis,  one  cannot  be  sure  anonymity  is  maintained. 
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Rather  than  attempting  such  an  analysis,  we  take  the  expedient  of  detailing  a 
simple  modification  to  the  proofs  that,  while  still  only  achieving  soundness  in  the 
random  oracle  model,  achieves  at  least  statistical  zero-knowledge  in  the  common 
reference  string  model.  In  the  original  (non-interactive)  proofs,  the  challenge  (i.e. , 
the  second  move  in  a  standard  three-way  “sigma”  interactive  zero-knowledge 
proof)  was  obtained  by  hashing  what  would  have  been  the  first  move  in  the 
interactive  version.  In  the  random  oracle  model,  a  simulator  can  program  a  hash 
function  to  output  arbitrary  results.  Accordingly,  such  a  simulator  could  induce 
a  verifier  to  accept  a  “proof”  even  though  the  simulator  knew  no  witness  to  the 
statement  being  proved.  Thus  the  original  proof  was  zero-knowledge.  Obviously 
when  instantiated  with  an  actual  hash  function,  this  property  no  longer  strictly 
holds. 


Prover 


Verifier 


Choose  r  £r  Z9 
Calculate  t  —  gr 
Compute  d  =  'Hit) 

Choose  r'  ^R1q 

Calculate  com  =  gc  hr  (mod  p) 

Compute  c  =  T-L(com) 

Calculate  s  =  xc  +  r  (mod  q) 


Send  (t,com,r'  ,s) 


Compute  c'  =  H(t) 
Compute  c  =  'H(com) 
Accept  if  ga  =  tyc  and 
com  =  gc  hr  (mod  p) 


Figure  3:  Dishonest  verifier  Schnorr  Protocol  with  Fiat-Shamir. 


To  fix  this  we  propose  applying  a  standard  modification  for  converting  from 
(interactive)  honest  verifier  zero-knowledge  proofs  to  (interactive)  non-honest 
verifier  proofs  before  applying  the  Fiat-Shamir  heuristic:  instead  of  making  the 
first  move  in  the  protocol  public,  first  commit  to  it  and  then  reveal  the  move  only 
after  the  challenge  is  output.  Specifically,  instead  of  hashing  the  first  move  of  the 
transcript  to  create  a  challenge  value,  we  hash  a  commitment  to  (the  hash  of)  the 
first  move  of  the  transcript.  See  Figure  3  for  an  example  using  the  Schnorr  protocol. 
As  a  result,  any  simulator  who  can  control  the  common  reference  string  can 
construct  the  commitment  scheme  such  that  they  can  ecprivocate  and  decommit  to 
a  first  move  that  satisfies  the  generated  challenge.  This  is  not  a  typical  approach 
as  Fiat-Shamir  proofs  rely  on  the  random  oracle  model  themselves.  However,  by 
using  this  approach  we  get  proofs  that  are  at  least  statistical  zero-knowledge  in 
the  common  reference  string  model,  even  if  soundness  still  requires  the  random 
oracle  model,  i.e,  from  the  point  of  view  of  a  privacy  critical  system,  the  proofs 
fail  safe. 
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4  Cost  Effective  Security  Against  Forgery  and  Double 
Spending 

Conceptually,  payment  systems  are  subject  to  three  types  of  attacks:  theft  of  funds, 
forgery  of  funds,  and  double  (or  more)  spending  of  legitimate  attacker  controlled 
funds.  These  are  major  issues  for  both  theoretical  and  extent  currency  and 
payment  systems,  and  there  are  a  broad  range  of  solutions  which  vary  considerably 
in  terms  of  both  cost  and  effectiveness.  On  one  end  of  the  spectrum,  e-cash 
schemes  typically  avoid  all  three  attacks  through  the  use  of  secure  cryptographic 
primitives  which  require  a  staggeringly  prohibitive  amount  of  computational 
power  to  break.  In  contrast,  on  the  decidedly  low  end  of  the  spectrum,  debit  cards 
in  the  US  provide  little-to-no  security  against  theft/cloning.  Instead  they  leverage 
fraud  detection  and  minimization  procedures  to  get  the  costs  of  such  attacks  to 
acceptable  levels  without  imposing  too  high  an  overhead  on  transactions  (e.g., 
verifying  multiple  forms  of  ID  for  every  single  transaction) . 

Certainly,  the  cryptographic  approach  is  superior  provided  it  is  achievable  with 
little  overhead.  Unfortunately  for  Zerocoin,  it  is  neither  completely  achievable 
nor  cheap:  as  mentioned  previously,  spends  for  even  modest  security  parameters 
reach  25KB  and  take  0.5  seconds  to  verify.  Moreover,  even  if  Zerocoin  was 
cryptographically  secure  against  such  attacks,  Bitcoin,  upon  which  it  depends, 
is  not.  Both  double  spends  and  forgery  of  zerocoins  can  be  accomplished  by 
breaking  Bitcoin  and  without  ever  touching  Zerocoin’s  underlying  cryptographic 
primitives. 

However,  the  approaches  used  by  centralized  credit  card  companies  are  anti¬ 
thetical  to  the  decentralized  nature  of  Bitcoin.  Moreover,  we  prefer  not  to  incur 
the  administrative  overhead,  merchant  fees,  and  chargebacks  inherent  in  the 
fraud-management  approach  used  by  debit  cards.  Instead  we  opt  for  a  middle 
ground:  we  create  cryptographic  primitives  that  are  not  cost  effective  to  break. 

4.1  The  Homo-Economicus  Security  Model 

Homo-economicus  is  a  species  of  rational  and  narrowly  self-interested  actors 
typically  found  in  economic  papers.  Since  our  construction  provides  everlasting 
anonymity  in  the  common  reference  string  model,  we  can  safely  ignore  the  thorny 
question  of  placing  a  monetary  value  on  privacy  and  hence  safely  consider  theft, 
forgery,  and  double  spending  attacks  under  the  assumption  that  our  attacker 
is  a  member  of  the  species  homo-economicus.  This  leads  to  a  simple  security 
requirement:  the  expected  return  from  stealing,  forging,  or  double  (or  more) 
spending  a  zerocoin  should  be  less  than  the  expected  cost  of  mounting  the 
required  attack.  In  general,  while  potentially  promising,  this  model  has  some 
large  drawbacks.  Estimating  the  real  cost  of  a  cryptographic  attack  is  prohibitively 
difficult,  requiring  both  considerable  work  in  the  concrete  security  model  and  an 
accurate  cost  function  for  generic  computation.  The  theoretically  elegant  and 
simple  solution  to  our  problem  is  not  to  alter  the  Zerocoin  construction  at  all. 
Instead,  we  would  construct  a  game  that,  given  an  attacker  who  can  forge  a 
zerocoin,  extracts  the  computational  effort  required.  One  would  then  assign  a 
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monetary  value  to  this  work  and  ensure  it  is  worth  more  than  the  resulting  forged 
coin. 

We  make  no  such  attempt  here.  Instead,  we  model  our  construction  only  in 
the  expected  number  of  calls  an  attacker  must  make  to  a  hash  oracle  and  use  the 
reward  for  mining  a  Bitcoin  block  to  establish  the  market  value  of  computation. 
While  this  approach  is  inherently  linked  to  Bitcoin,  it  serves  our  limited  purposes 
well. 

Of  course,  such  a  model  discounts  the  possibility  of  someone  who  is  not 
financially  motivated  (e.g.,  a  government)  wanting  to  destroy  the  currency.  While 
this  may  be  a  legitimate  concern,  we  note  that  an  attacker  who  merely  wants  to 
disrupt  Zerocoin  could  also  easily  attack/block  the  underlying  Bitcoin  network 
and  likely  at  far  lower  cost. 

4.2  Zerocoin  Attack  Surface 

We  examine  how  the  choice  of  various  security  parameters  interacts  with  attacks 
on  Zerocoin  and  how  to  minimize  these  parameters  in  light  of  that.  Again,  due 
to  everlasting  anonymity,  we  neglect  attacks  on  Zerocoin’s  anonymity  properties. 

Theft  Actually  stealing  a  user’s  zerocoin  entails  spending  a  coin  with  the  same 
serial  number.  Since  the  Pedersen  commitment  containing  a  serial  number  (i.e. , 
the  coin)  is  information  theoretically  hiding,  an  attacker  who  cannot  compromise 
a  user’s  computer  and  wallet  can  only  guess  blindly.  This  is  a  very  low  probability 
event  and  can  be  made  arbitrarily  small  by  increasing  the  serial  number  length. 
If  as  an  absolute  minimal  bound  we  assume  512  bit  commitments,  then  we  can 
have  512  bit  serial  numbers  or,  in  the  case  of  divisible  coins,  512  —  64  =  448  bit 
serial  numbers.  A  theft  probability  of  1  in  2448  is  too  small  to  consider  practically 
and  hence  we  discount  theft  as  a  worry. 

A  second  technical  consideration  for  Zerocoin  is  that  proof  forgeries  can 
deplete  the  escrow  pool  of  bitcoins  that  zerocoins  are  exchanged  for.  This  would 
effectively  steal  someone’s  coins.  A  simple  solution  to  this  is  to  operate  with  no 
explicit  escrow  pool,  opting  instead  to  destroy  bitcoins  when  minting  a  zerocoin 
and  create  fresh  bitcoins  when  spending  one.  As  a  result,  forgery  of  a  zerocoin 
results  only  in  inflation.  If  forgery  is  very  rare,  this  is  a  manageable  problem. 

Forgery  Factoring  the  accumulator’s  RSA  modulus  allows  an  attacker  to  forge 
the  coin  membership  proof  and  hence  forge  an  unlimited  number  of  coins.  This 
is  perhaps  the  single  biggest  target  in  Zerocoin.  As  a  result,  we  have  little  choice 
but  to  recommend  a  large  modulus,  say  3072  bits. 

A  second  avenue  for  forging  a  coin  is  to  forge  the  zero-knowledge  proof  in  a 
spend.  Each  such  forgery  results  in  one  and  only  one  forged  coin  (since  even  a 
forged  proof  has  a  unique  serial  number).  As  such,  we  want  to  make  the  cost  of 
conducting  n  forgeries  more  than  the  value  of  n  coins.  The  bulk  of  the  remaining 
portion  of  this  section  will  focus  on  techniques  to  accomplish  this. 

Double  spending  To  double  spend  a  coin,  one  must  assign  the  coin  two  different 
serial  numbers.  This  is  equivalent  to  causing  the  commitment  to  open  to  two 
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separate  values.  Unfortunately,  for  simple  Pedersen  commitments,  computing 
a  single  discrete  log  value  —  log9(/i)  or  logh(g)  —  allows  this  to  be  done  an 
infinite  number  of  times,  again  giving  us  a  single  point  of  failure.  We  will  discuss 
a  modification  to  Pedersen  commitments  that  makes  this  attack  more  expensive 
per  instance,  though  does  not  eliminate  entirely  the  aggregate  effect. 

4.3  Raising  the  Cost  of  Proof  Forgeries 

Forging  a  zero-knowledge  proof  implies  guessing  the  challenge  value  prior  to 
starting  the  protocol.  For  Fiat-Shamir  based  non-interaction  zero-knowledge 
proofs,  where  the  challenge  is  provided  by  the  hash  of  the  first  move  of  the 
protocol,  the  only  way  to  do  this  —  assuming  the  hash  function  is  a  random  oracle 
—  is  to  repeatedly  query  the  hash  function  until  you  get  lucky.  If  the  challenge 
value  has  length  A  then  the  probability  of  forging  the  proof  is  P(f)  =  2~A. 
Normally  for  zero-knowledge  proofs  we  choose  A  such  that  P(f)  is  negligible,  and 
hence,  even  with  a  concerted  offline  attack,  a  forgery  is  not  feasible. 

Suppose  it  takes  b  expected  evaluations  of  He  to  mine  a  Bitcoin  block.  If  v 
is  the  value  of  a  coin  and  p  is  the  payout  from  mining  a  block  in  terms  of  reward 
and  collected  transaction  fees,  then  we  need  it  to  take  q  expected  queries  of  Hb 
to  forge  the  proof  such  that: 

p  v 

V, 

I.e.,  it  pays  more  per  hash  calculation  to  try  and  mine  a  block  than  “mine”  a 
proof  forgery.  Unfortunately,  this  analysis  yields  only  a  small  reduction  in  the 
security  parameter.  The  payout  for  mining  a  block  in  terms  of  transactions  fees 
and  the  reward  is  roughly  24.3  Mining  such  a  block  at  current  difficulty  levels 
takes  261  calls  to  7 -Lb-  Assuming  a  zerocoin  is  worth  one  bitcoin,  solving  the 
above  equation  gives  us  q  =  257  and  hence  A  =  57. 

Proof  of  work  Instead  of  a  simple  query  to  Hb  ,  we  can  make  a  single  instance 
of  the  zero-knowledge  proof  hash  function  make  a  tunable  number  of  calls  w 
to  Hb  in  much  the  same  manner  as  PBKDF2.  Thus  it  takes  q  =  2 xw  expected 
queries  to  Hb  to  forge  a  proof. 

As  a  result,  we  end  up  with  a  different  boundary  condition  for  forgery 
unprofitability: 

(2  xw)p 
b  >  V 

Again  assuming  the  current  reward  of  25  bitcoins  per  block  plus  transaction 
fees,  261  invocations  of  Hb  to  find  a  block,  and  A  =  40  bit  proofs,  we  end  up 
with  approximately  ^2  2^2  >  v.  If  zerocoins  are  each  worth  one  bitcoin,  this 
necessitates  a  value  of  w  of  roughly  217  or  about  130  thousand  hash  calls.  Since 
Hb  is  the  double  SHA256  computation  used  by  Bitcoin,  we  can  use  the  extensive 
comparisons  of  Bitcoin  mining  power  across  hardware  to  estimate  the  cost  of 
this  approach.  A  low  end  Intel  core  i3  can  compute  1.8  million  hashes  a  second, 
a  now  more  than  a  decade  old  Pentium  IV  can  compute  between  0.85  and  1.29 

3  This  is  discounted  to  allow  for  lower  payouts  from,  e.g.,  a  mining  cartel’s  cut. 
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depending  on  the  model,  and  an  AMR  Cortex  A-9  such  as  found  in  the  Samsung 
Galaxy  SII  can  do  1.3  million  hashes  a  second  [1],  As  such,  this  approach  is 
surprisingly  viable  even  for  very  modest  hardware. 

This  approach  has  one  major  limitation:  it  gets  worse  as  mining  difficulty 
increases,  and  mining  difficulty  has  been  increasing  very  rapidly  as  application 
specific  integrated  circuits  (ASIC)  mining  hardware  comes  online.  Although  one 
could  easily  (and  should)  exclude  ASICs  from  forging  proofs  via  trivial  changes 
to  the  hash  function  (e.g.,  changing  the  padding  or  using  triple  SHA256)  that 
invalidate  the  ASICs  but  do  not  affect  hash  throughput  on  a  general  purpose 
computer,  this  does  not  solve  the  problem.  We  can  do  nothing  to  address  the  drop 
in  payout  per  hash  that  ASICs  introduce  by  upping  the  number  of  hashes  needed 
to  mine  a  block  but  not  changing  the  reward.4  Thus  we  would  still  eventually 
have  to  increase  w  beyond  levels  feasible  on  non  specialized  hardware. 

Since  the  first  move  in  the  proof  reveals  nothing  and  our  proofs  allow  for 
dishonest  verifiers,  this  computation  can  be  outsourced.  However,  paying  for 
that  outsourcing  represents  a  catch-22:  how  do  you  anonymously  pay  to  spend 
anonymous  currency?  While  there  are  potential  solutions  to  this  involving  small 
anonymous  face-to-face  Bitcoin  transactions  as  a  bootstrapping  mechanism,  they 
are  less  than  ideal. 

Rate-limiting  forgeries  A  second  option  that  does  not  place  a  computational 
or  financial  burden  on  individuals  is  to  rate  limit  the  proof’s  hash  function.  To  do 
this,  we  split  the  proof  over  n  +  1  blocks.  The  first  block  encodes  the  first  moves 
of  the  protocol.  The  nth  block  encodes  responses  to  the  challenge  value.  The  A 
bit  challenge  value  is  generated  by  taking  the  first  4  bits  from  each  block  of  the 
1, . . . ,  n  blocks  and  hashing  them  to  produce  a  challenge.  For  an  honest  prover, 
this  entails  no  additional  work  (unlike  the  proof  of  work  system)  as  they  can 
satisfy  the  proof  for  any  challenge  and  thus  must  merely  wait  for  the  block  chain 
to  advance  before  computing  the  proof.  A  dishonest  prover,  on  the  other  hand, 
must  get  a  specific  challenge.  As  such,  they  must  either  mount  many  parallel 
attempts  each  with  a  different  guess  at  the  challenge  value  or  control  the  block 
hashes  and  hence  the  challenge.  The  former  can  be  prevented  by  merely  limiting 
the  number  of  transactions  in  a  block  (Bitcoin  already  effectively  does  this  by 
limiting  the  size  of  a  block). 

The  likelihood  that  a  challenge  value  is  the  one  guessed  is  still  2-A.  However, 
assuming  a  maximum  of  1000  Zerocoin  transactions  per  block,  attempts  can  only 
be  made  every  half  second.  If  we  assume  40  bit  security  levels  for  the  proofs,  we 
need  an  expected  240  hash  calls  and  thus  making  a  single  forged  zerocoin  would 
take  239  seconds  or  roughly  seventeen  thousand  years.  Even  at  Bitcoin’s  current 
unrealized  theoretical  maximum  transaction  throughput  of  seven  transactions  a 
second  [14]  this  would  still  take  over  2400  years.  This  seems  both  a  prohibitive 
amount  of  time  for  mounting  an  attack  and,  as  a  practical  matter,  an  acceptable 
rate  of  coin  forgery. 

4  Recall  that  the  difficulty  of  mining  a  block  adjusts  to  keep  blocks  spaced  at  10  minute 
intervals.  Hence  greater  hashing  power  necessitates  more  hashes  needed  per  block. 
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Manipulating  the  block  chain  to  produce  the  correct  challenge  is  even  more 
difficult.  An  attacker  must  generate  far  more  than  n  blocks  in  order  to  get  the 
correct  challenge.  They  must  first  generate  all  n  blocks,  complete  with  proof  of 
work  for  each,  and  extract  the  challenge.  The  overwhelmingly  likely  case  is  that 
the  challenge  is  wrong,  and  they  must  repeat  the  process.  If  this  was  done  for 
n  =  2  blocks  and  all  bits  were  extracted  only  from  the  last  block,  this  would 
require  the  attacker  to  compute  2A  expected  blocks  to  get  the  right  challenge 
and  hence  make  2A+61  calls  to  Hb  at  Bitcoin’s  current  difficulty.  The  situation, 
however,  is  actually  worse  than  that  since  the  last  block  only  contributes  ^  bits 
as  input  to  the  hash  function  the  attacker  is  trying  to  get  to  output  the  guessed 
challenge  value.  Thus  the  attacker  cannot  merely  generate  2A  fresh  ?rth  blocks 
knowing  that  by  the  pigeonhole  principle  one  of  those  will  result  in  the  right 
challenge.  Instead,  they  must  actually  start  with  a  fresh  first  block  and  generate 
the  entire  sequence  before  checking  if  it  works.5  Not  just  does  this  increase 
the  difficulty  of  mounting  such  an  attack  substantially,  but  because  each  block 
depends  on  the  previous  one,  it  adds  in  a  sequential  bottleneck  that  prevents  fully 
parallelizing  the  attack  process.  Recall  that  six  blocks  is  the  threshold  for  normal 
Bitcoin  transactions  to  be  considered  confirmed  and  as  such  the  mere  ability  to 
compute  six  blocks  efficiently,  let  alone  2A  •  6  blocks,  constitutes  a  massive  attack 
on  Bitcoin. 

4.4  Raising  the  Cost  of  Double  Spends 

In  the  original  Zerocoin  construction  of  Miers  et  ah,  computing  a  single  discrete 
log  of  logg(h)  or  logh(g)  broke  the  binding  property  of  Pedersen  commitments 
completely  and  allowed  arbitrary  double  spends.  This  is  undesirable  since  a 
single  1024  bit  discrete  log  instance  may  be  in  the  range  of  things  solvable  by 
a  well-funded  organization  in  six  months  to  a  year.  We  wish  to  avoid  such  an 
attack  without  using  larger  moduli. 

Instead  of  using  a  fixed  g,h  £  G  for  our  commitment  group,  we  hash  the 
serial  number  into  G  to  select  g ,  h  at  random  using  two  different  hash  functions, 
When  spending  a  coin,  we  provide  these  bases  in  the  proof  and  then  the 
verifier  both  checks  the  proof  and  that  the  bases  result  from  the  hash  of  the  serial 
number.  As  a  result,  assuming  TL.Ti1  are  collision  resistant,  double  spends  occur 
exactly  once  for  any  given  discrete  log  computation. 

We  accomplish  this  by  using  the  hash  of  the  coin  serial  number  S  to  select 
g  and  h  at  random.  This  is  enforced  at  verification  time  by  the  verifier  simply 
checking  that  g  =  T~L(S)  and  h  =  'H'(S)  for  the  provided  public  proof  inputs.  We 
briefly  outline  why  this  modification  preserves  both  the  blinding  and  binding 
properties  of  a  Pedersen  commitment. 

Pedersen  commitments  are  information  theoretically  blinding  because  for  a 
fixed  commitment  c  and  any  given  value  x,  there  is  randomness  r  that  opens 

5  It  is  possible  to  prune  some  of  this  work  by  checking  if  given,  e.g.,  the  first  two  of  n 
blocks,  any  assignment  of  the  remaining  bits  would  hash  to  the  correct  challenge.  We 
leave  to  future  work  the  analysis  of  this  strategy  along  with  the  best  way  to  skew 
the  sampling  of  bits  from  the  n  blocks  to  minimize  it. 
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the  commitment  to  that  value  and  all  such  r  values  are  equally  likely,  i.e. ,  for 
a  given  gx,  there  exists  an  r  such  that  c  =  gxkr  rnodp.  If  we  replace  h  with 
h'  =  H' (x\\ pad),  then  we  merely  shift  the  randomness  r  by  logh'(h)  and  do  not 
change  the  distribution  on  r.  Hence  this  still  holds. 

Pedersen  commitments  are  computationally  binding  if  the  discrete  log  problem 
is  hard.  Given  a  commitment  c  that  opens  to  two  different  values  x,  x'  with 
randomness  r,r',  one  can  compute  the  discrete  log  of  h  with  respect  to  g  by 
substituting  in  gl  =  h  and  solving  x  +  Ir  =  xr  +  lr'  since  gxglr  =  gx  glr  = 
gX+ir  _  gX  +w  _  gince  g  and  h  are  n0  longer  fixed  public  parameters  in  our  case, 
we  cannot  use  a  single  violation  of  the  blinding  property  to  break  an  instance 
of  the  discrete  log  problem  in  G.  It  is  probably  possible  to  construct  a  security 
proof  based  on  the  assumption  that  the  hash  function  is  collision  resistant  and 
the  discrete  log  problem  is  hard.  As  the  rest  of  our  constructions  depend  on  the 
random  oracle  model  for  soundness,  we  take  the  expedient  of  programing  the 
hash  function  to  output  the  appropriate  generators.  This  is  sufficient  for  our 
purposes. 

Of  course,  solving  l  discrete  logs  in  a  fixed  G  is  not  as  hard  as  solving  l 
discrete  logs  in  distinct  Gi, . . .  ,G The  exact  security  of  this  appears  not  to 
have  been  well  studied.  Some  preliminary  results  indicate  that  for  Pollard’s  Rho 
algorithm,  the  difficulty  of  computing  l  <  effN  discrete  logs  is  approximately 
\J2NL  where  N  is  the  order  of  the  group  and  0  <  e  <  1  [2] .  The  far  faster  class 
of  index  calculus  methods  are  still  sub-exponential  when  run  on  a  fixed  group. 
Specifically,  they  run  in  g)  instead  of  Lp(l,  |)  with  a  sub-exponential  space 
requirement  Lp(I,  [18].  What  this  means  in  practice  is  an  interesting  question. 
We  note  that  both  SSH  and  the  Internet  Key  Exchange  protocol  used  in  IPv6 
use  groups  for  Diffie-Hellman  that  are  fixed  for  far  longer  timespans  than  we  are 
contemplating. 

5  Divisible  Cash 

The  original  Zerocoin  construction  did  not  make  particularly  efficient  use  of  the 
fact  that  coins  are  an  information  theoretically  blinding  and  computationally 
binding  commitment  that  can  contain  arbitrary  data.  These  commitments  were 
merely  used  as  a  container  for  a  serial  number.  Yet  there  are  a  whole  number 
of  techniques  for  proving  far  more  interesting  statements  about  commitments. 
These  techniques  allow  us  to  construct  divisible  coins.  We  are  aware  of  an 
unpublished  result  that  makes  this  observation  in  the  context  of  a  different 
Zerocoin  construction  entirely.  Our  purpose  in  this  document  is  not  to  introduce 
divisibility  but  to  point  out  how  it  can  be  achieved  using  the  existing  cryptographic 
construction. 

Intuition.  Instead  of  a  coin  being  a  commitment  to  a  serial  number,  we  propose 
committing  to  a  serial  number  S  and  a  balance  B.  The  coin  owner  can  divide 
the  balance  Bq  in  an  existing  coin  Co  into  two  new  coins  C\  and  c2  with  balances 
Bi  and  B2  respectively.  She  does  so  by  creating  two  new  coins,  proving  that 
B0  =  B\  +  B2,  and  revealing  the  serial  number  Sq  of  the  divided  coin  cq.  Note 
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that  because  we  do  not  reveal  the  balance  of  any  coin  in  this  construction  and 
by  the  original  Zerocoin  construction  the  spends  for  the  resulting  Ci  and  c2  are 
unlinkable  to  their  minting,  we  lose  nothing  by  explicitly  identifying  the  original 
coin  Co-  As  such,  we  do  not  need  to  provide  the  expensive  proof  used  for  a  spend, 
we  can  just  identify  the  coin  outright.  This  results  in  a  highly  efficient  proof. 

The  technical  question  left  to  answer  is  how  do  we  encode  both  the  balance 
and  the  serial  number  in  the  coin?  There  are  two  possible  constructions: 

—  We  use  multi-message  commitments  where  one  message  is  the  serial  number 
and  one  is  the  balance. 

—  We  encode  both  the  balance  and  serial  number  in  one  value  in  the  commit¬ 
ment. 

While  conceptually  elegant,  multi-message  commitments  are  problematic.  In  the 
case  of  Pedersen  commitments  [20] ,  a  commitment  to  a  vector  m  of  messages  n 
is  ailUsD^-  Since  the  coin  is  then  g’[llg^l2hr,  the  double  discrete  log  proof 
used  for  a  coin  spend  must  prove  knowledge  of  three  exponents  instead  of  two. 
This  adds  approximately  10KB  to  the  proof.  With  the  encoding  case,  we  can 
encode  the  balance  as  the  l  low  order  bits  of  the  original  serial  number  and  use 
the  high  2l~e  as  the  actual  serial  number.  We  merely  open  the  coin  using  the 
existing  spend  proof,  reveal  the  encoded  value,  and  then  anyone  can  extract  out 
the  serial  number  and  balance. 

Dividing  a  coin  c0  is  not  as  straightforward.  We  must  prove  that  B0  =  Bx  +  B2 
and  reveal  the  existing  coin’s  serial  number  So  without  revealing  anything  about 
the  serial  numbers  for  the  new  coins.  We  do  this  as  follows: 

7r  =  NIZKPoK{(5i,52,ro,ri,r2,Bo,Bi,B2)  : 

(B0  =B±+  B2)  A*=0  (a  =  gBi+2l+'Sihri  A  0  <  Bt  <  2l  A  0  <  St  <  21)} 

This  proof  can  be  accomplished  with  a  variety  of  standard  techniques  for  effi¬ 
ciently  proving  range  restrictions  [4,5,13,15].  The  granularity  of  the  ranges  these 
techniques  admit  vary  and  will  define  both  the  size  l  of  the  serial  number  and 
balance  and  space  e  between  the  two  values. 

6  Conclusion 

We  demonstrate  several  useful  extensions  to  Zerocoin.  First,  by  removing  the 
random  oracle  assumption  for  the  zero-knowledge  property  of  the  proofs,  we  get 
everlasting  security  in  the  common  reference  string  model.  Second,  and  most 
importantly,  we  provide  a  means  to  model  the  cost  of  forging  a  coin  and  hence 
allow  for  cryptographic  parameters  to  be  picked  to  make  such  forgery  uneconomic. 
As  a  result,  we  argue  that  one  can  safely  reduce  the  soundness  of  the  proofs 
from  80  bits  to  40,  reducing  proof  size  from  25KB  to  10KB  and  nearly  halving 
proof  generation  and  verification  time  on  a  single  threaded  implementation  (or 
increasing  throughput  on  a  multithreaded  one) .  The  techniques  used  to  accomplish 
this  are  specific  both  to  Bitcoin  and  certain  instantiations  of  hash  functions  for 
Fiat-Slramir  proofs.  We  are  hopeful  future  work  will  provide  a  general  model  for 
game-theoretic  security  for  e-cash. 
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Abstract 

Our  main  result  gives  a  way  to  instantiate  the  random  oracle  with  a  concrete  hash  function  in  “full 
domain  hash”  applications. 

The  term  full  domain  hash  was  first  proposed  by  Bellare  and  Rogaway  [BR93,  BR96]  and  referred 
to  a  signature  scheme  from  any  trapdoor  permutation  that  was  part  of  their  seminal  work  introducing 
the  random  oracle  heuristic.  Over  time  the  term  full  domain  hash  has  (informally)  encompassed  a 
broader  range  of  notable  cryptographic  schemes  including  the  Boneh-Franklin  [BF01]  IBE  scheme  and 
Boiieh-Lynn-Shacham  (BLS)  [BLS01]  signatures. 

All  of  the  above  described  schemes  required  a  hash  function  that  had  to  be  modeled  as  a  random 
oracle  to  prove  security.  Our  work  utilizes  recent  advances  in  indistinguishability  obfuscation  to  construct 
specific  hash  functions  for  use  in  these  schemes.  We  then  prove  security  of  the  original  cryptosystems 
when  instantiated  with  our  specific  hash  function. 

Of  particular  interest,  our  work  evades  the  impossibility  result  of  Dodis,  Oliveira,  and  Pietrzak  [DOP05], 
who  showed  that  there  can  be  no  black-box  construction  of  hash  functions  that  allow  Full-Domain  Hash 
Signatures  to  be  based  on  trapdoor  permutations.  This  indicates  that  our  techniques  applying  indistin¬ 
guishability  obfuscation  may  be  useful  in  the  future  for  circumventing  other  such  black-box  impossibility 
proofs. 
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1  Introduction 


Since  the  introduction  of  the  Random  Oracle  Model  by  Bellare  and  Rogaway  [BR93],  a  major  effort  in 
cryptography  has  been  to  understand  when  and  if  random  oracles  can  be  instantiated  with  families  of 
actual  hash  functions  while  maintaining  security.  Over  the  years,  we  have  seen  real  progress  in  this  effort: 
Firstly  we  have  seen  the  discovery  of  alternative  schemes  that  do  not  require  random  oracles  but  achieve 
the  same  security  properties  as  earlier  schemes  that  do  require  random  oracles.  For  example,  Cramer  and 
Shoup  [CS98]  achieved  efficient  chosen  ciphertext  security  from  DDH  hard  groups.  As  another  example 
Canetti,  Halevi,  and  Katz  [CHK07]  achieved  secure  IBE  without  random  oracles,  following  the  seminal 
work  of  [BF01]  giving  IBE  in  the  Random  Oracle  Model.  More  recently,  we  have  seen  the  discovery  of 
schemes  that  not  only  work  in  the  standard  model  without  random  oracles,  but  work  in  a  manner  very 
similar  to  the  original  schemes  that  used  random  oracles  (e.g.  [HSW13,  FHPS13]  following  schemes  in  the 
random  oracle  model  [BF01,  BLS01]).  However,  all  of  these  schemes  proven  secure  without  random  oracles 
required  changing  the  underlying  cryptographic  scheme  in  addition  to  instantiating  the  random  oracle  with 
a  concrete  hash  function.  Thus,  despite  these  advances,  the  following  basic  question  has  remained  open: 

Can  we  instantiate  the  random  oracle  with  an  actual  family  of  hash  functions  for  existing  cryptographic 
schemes  in  the  random  oracle  model,  such  as  Full  Domain  Hash  signatures? 

In  other  words,  can  we  achieve  security  without  changing  the  underlying  cryptographic  scheme  at  all,  but 
only  by  replacing  the  random  oracle  with  a  specific  family  of  hash  functions?  In  this  work,  we  give  the 
first  positive  answer  to  this  question.  We  do  this  by  leveraging  the  notion  of  indistinguishability  obfusca¬ 
tion  [BGI+01,  BGI+12]  that  was  recently  achieved  in  the  work  of  [GGH+13]. 

Our  result  is  particularly  interesting  in  light  of  negative  results  on  the  Random  Oracle  Model  [CGH98, 
GK03,  BBP04]  which  have  called  into  question  the  secure  applicability  of  the  Random  Oracle  Model.  Our 
work  is  the  first  to  show  natural  examples  of  schemes  that  were  originally  invented  with  the  Random  Oracle 
Model  in  mind,  that  nevertheless  remain  secure  when  the  random  oracle  is  specifically  instantiated. 

In  particular,  our  work  evades  the  impossibility  result  of  Dodis,  Oliveira,  and  Pietrzak  [DOP05],  who 
showed  that  there  can  be  no  black-box  construction  of  hash  functions  that  allow  Full-Domain  Hash  Signatures 
to  be  based  on  trapdoor  permutations.  Because  we  make  use  of  obfuscation,  our  constructions  are  inherently 
non-black-box,  and  thus  are  not  ruled  out  by  this  type  of  black-box  impossibility  result.  This  indicates  that 
our  techniques  applying  indistinguishability  obfuscation  may  be  useful  in  the  future  for  circumventing  other 
such  black-box  impossibility  proofs. 

Our  Result.  Our  main  result  gives  a  way  to  instantiate  the  random  oracle  with  a  concrete  hash  function 
in  “full  domain  hash”  signatures.  The  full  domain  hash  signature  scheme  was  first  proposed1  in  the  original 
Bellare-Rogaway  [BR93]  paper  as  a  way  to  build  a  signature  scheme  from  any  trapdoor  permutation  using 
the  introduced  random  oracle  heuristic.  This  work  was  very  influential  and  formed  the  foundation  for  part  of 
the  PKCS=#=1  standard  [KS98] .  While  the  terminology  of  “full-domain  hash”  (FDH)  originally  applied  to  the 
trapdoor  permutation  signature  scheme  of  Bellare  and  Rogaway,  over  time  it  has  (informally)  encompassed 
a  broader  range  of  notable  cryptographic  schemes  including  the  Boneh-Franklin  [BF01]  IBE  scheme,  the 
Cock’s  IBE  scheme  [CocOl],  and  Boneh-Lynn-Shacham  (BLS)  [BLS01]  signatures.  Although  these  schemes 
exist  in  different  algebraic  domains  and  have  different  aims,  they  share  common  construction  and  proof 
structures  that  uses  random  oracle  programming  in  very  similar  ways. 

Our  work  develops  a  methodology  for  replacing  the  programming  of  a  random  oracle  in  these  construction 
using  indistinguishable  obfuscation  in  a  novel  manner.  We  begin  by  describing  a  scheme  that  replaces  the  RO 
hash  function  in  the  original  Bellare-Rogaway  trapdoor  permutation  (TDP)  signature  scheme.  Our  newly 
instantiated  scheme  is  then  proven  to  be  selectively  secure. 

Let’s  begin  by  informally  recalling  the  Bellare-Rogaway  TDP-based  full  domain  hash  scheme.  The  sig¬ 
nature  setup  algorithm  generates  a  trapdoor  permutation  pair  of  functions  <7pk,  <?sk-  In  addition,  it  chooses 

1  The  terminology  “full-domain  hash”  was  actually  introduced  by  Bellare-Rogaway  in  1996  [BR96].  They  applied  this  label 
to  the  noted  signature  scheme  of  their  earlier  work. 
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a  hash  function  if(-)  that  maps  from  the  message  space  to  the  domain  (and  co-domain)  of  the  permutation. 
The  permutation  gpK  and  hash  function  are  published  as  the  verification  key  and  the  inverse  is  kept 
secret.  To  sign  a  message  m,  the  signer  computes  g^_(H(m)).  To  verify  a  signature  <j  on  message  m,  the 

verifier  simply  checks  whether  gpK(c)  =  H(m). 

The  proof  of  the  Bellare-Rogaway  FDH  system  utilizes  the  random  oracle  heuristic  to  model  H(-)  as  a 
programmable  random  oracle.  Suppose  a  poly-time  attacker  makes  at  most  Qh  oracle  queries.  One  can 
create  a  reduction  algorithm  to  the  security  of  the  trapdoor  permutation  as  follows.  For  all  but  one  of  the 
(unique)  queries  of  a  message  m  to  the  oracle,  the  reduction  algorithm  chooses  a  random  value  t  from  the 
domain  and  outputs  gpK(t)  as  the  result  of  the  query.  For  any  of  these  messages  it  is  easy  for  the  reduction 
algorithm  to  generate  a  signature  on.  It  simply  outputs  t.  However,  at  one  query  point  m*  it  programs 
the  output  of  the  random  oracle  to  be  z*  =  <?pk(G)  where  z*  was  given  from  the  trapdoor  permutation 
challenger.  If  the  attacker  forges  at  this  message,  then  the  forgery  will  be  t*  which  is  immediately  the 
solution  for  the  trapdoor  permutation  inversion. 

Our  first  result  is  creating  a  replacement  hash  function  for  the  oracle  H(-)  and  developing  a  security  proof 
without  relying  on  the  random  oracle  heuristic.  To  keep  with  our  original  goals,  our  only  modifications  will  be 
to  H(-)  and  we  will  use  the  signature  system  construction  as  is,  with  no  changes  to  the  underlying  trapdoor 
permutation  family.  The  two  main  tools  we  use  to  build  H(-)  are  an  indistinguishability  obfuscator  [BGI+01, 
GGH+13]  and  a  recently  introduced  [BW13,  BGI13,  KPTZ13]  primitive  certain  called  constrained  PRFs.  In 
short,  a  constrained  PRF  key  is  a  secret  key  I\  that  allows  the  evaluator  to  evaluate  the  a  PRF  at  a  limited 
set  of  points,  while  the  rest  will  appear  pseudorandom  to  him.  For  our  results,  we  only  need  a  simple  form 
of  constrained  PRFs  called  “punctured  PRFs”  [SW13].  In  this  setting  a  private  key  will  be  associated  with 
a  polynomial  set  S,  where  a  key  K(S)  can  evaluate  the  PRF  F{K,x)  at  all  x  except  when  x  €  S.  For  our 
proofs  we  only  ever  need  S'  to  be  a  singleton  set. 

We  now  overview  the  hash  function  construction  and  how  we  prove  it  to  be  selectively  secure.  (One 
could  use  the  usual  complexity  leveraging  arguments  to  claim  adaptive  security,  but  we  will  address  adap¬ 
tive  security  in  a  direct  way  shortly.)  To  create  the  hash  function  the  reduction  algorithm  first  chooses 
a  puncturable  PRF  key  K  (note  this  “master  key”  can  evaluate  the  PRF  at  all  points).  Next,  the  hash 
function  itself  will  be  an  obfuscation  of  the  program  which  on  input  m  computes  gp^{F{K,  m)).  That  is 
the  program  simply  computes  the  PRF  at  point  m  and  then  applies  the  trapdoor  permutation.  We  call  this 
program  Full  Domain  Hash.  To  prove  security  we  will  apply  the  “punctured  programs”  method  of  Sahai  and 
Waters  [SW13],  where  we  surgically  remove  a  key  element  of  a  program,  but  in  a  way  that  does  not  alter 
input /output  functionality. 

Our  security  proof  is  formed  from  a  sequence  of  hybrids.  In  the  first  hybrid,  we  replace  the  obfuscation 
of  the  program  Full  Domain  Hash  with  an  obfuscation  of  an  equivalent  program  called  Full  Domain  Hash*. 
This  program  operates  the  same  as  the  original  except  on  input  m* ,  where  m*  is  the  message  the  attacker 
selectively  chose  to  attack  (before  seeing  the  verification  key).  At  this  point  instead  of  computing  F(K,m*) 
the  program  is  simply  hardwired  to  output  a  constant  z*  to  output  where  z*  is  set  to  be  F(K,m*).  Since 
2*  =  F{K,m*),  the  input/output  behavior  is  identical.  In  addition,  the  program  is  not  given  the  full  PRF 
key  K,  but  instead  is  given  a  punctured  PRF  key  K({m*}).  By  the  security  of  indistinguishable  obfuscation 
the  advantage  of  any  poly-tinre  attacker  must  be  negligibly  close  between  these  hybrids.  In  the  next  hybrid 
experiment  we  replace  z*  with  a  random  value  chosen  from  the  domain/range  of  the  permutation.  The 
advantage  between  of  this  hybrid  must  also  be  close  due  to  the  constrained  PRF  security.  Now  we  are  finally 
in  a  position  where  we  can  reduce  to  the  security  of  the  trapdoor  permutation.  The  reduction  algorithm 
receives  a  TDP  challenge  z*  and  hardcodes  that  in  as  the  output  of  H(m*).  It  can  use  a  signature  on  this  to 
invert  the  challenge.  At  all  other  points  it  knows  the  punctured  PRF  key  and  can  therefore  compute  valid 
signatures  without  knowing  the  inverse  of  the  trapdoor  permutation. 

We  remark  that  our  reduction  actually  shares  some  of  the  spirit  of  the  original  random  oracle  reduction, 
where  a  challenge  is  programmed  in  at  one  point  and  signatures  are  made  by  knowing  the  pre  images  at  all 
others.  A  key  aspect  is  that  the  obfuscation  hides  the  fact  that  at  a  certain  hybrid  m*  is  treated  differently. 
If  an  attacker  were  able  to  see  inside  the  obfuscation  it  could  actually  see  the  preimages  and  break  the 
scheme.  Another  interesting  aspect  is  that  our  proof  does  not  leverage  the  fact  that  the  function  gpn{-)  is  a 
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permutation.  It  would  go  through  equally  well  if  we  only  assumed  that  it  was  an  injective  trapdoor  function. 

Overcoming  the  black-box  impossibility  We  can  now  see  more  precisely  why  our  work  evades  the 
impossibility  result  of  Dodis,  Oliveira,  and  Pietrzak  [DOP05].  Our  hash  function  is  obfuscation  of  code 
that  runs  the  underlying  permutation.  The  obfuscation  will  intuitively  hide  the  evaluation  of  this  code.  In 
particular,  no  attacker  can  tell  if  the  trapdoor  permutation  was  actually  computed  on  an  input  or  whether 
it  was  a  special  point  where  the  output  was  hardcoded  in.  In  the  DOP  negative  result,  they  build  an  attack 
oracle  that  specifically  leverages  the  black  box  access  to  the  TDP  to  watch  whenever  it  is  called.  It  is 
interesting  to  see  this  very  strong  correlation  between  the  negative  result  and  how  non-black  box  access  to 
a  primitive  and  indistinguishability  obfuscation  can  combine  to  circumvent  it. 

Getting  Adaptive  Security.  For  our  next  result  we  show  how  to  get  adaptive  (or  standard)  signature 
security  without  complexity  leveraging  for  the  case  where  the  trapdoor  permutation  is  the  RSA  function. 
The  use  of  RSA  as  a  trapdoor  permutation  candidate  was  suggested  in  Bellare-Rogaway’93  [BR93]  and 
explicitly  given  in  Bellare-Rogaway’96  [BR96].  The  public  parameters  in  their  scheme  are  an  RSA  modulus 
N  =  pq  for  hidden  primes  p,  q  and  an  RSA  exponent  e  chosen  such  that  gcd(<p(N),  e)  =  1.  The  secret  key  is 
the  integer  d  where  d  ■  e  =  1  mod  A  signature  on  message  m  is  of  the  form  H(m)d  mod  N  and  one 

verifies  a  signature  a  by  checking  if  H(m)  =  ae  mod  N. 

We  develop  a  different  set  of  techniques  that  can  leverage  the  particular  structure  of  the  RSA  function. 
The  first  new  ingredient  is  use  of  admissible  hash  functions  first  introduced  in  the  context  of  Identity-Based 
Encryption  by  Boneh-Boyen  [BB04a].  We  use  a  simplification  due  to  Freire  et.  al.  [FHPS13].  At  a  high  level 
the  system  is  a  pair  of  a  hash  function  h  :  {0, — >  {0, that  hashes  from  the  message  space  to  n 
bit  strings  and  an  efficient  randomized  algorithm  AdmSample.  The  sampling  algorithm  takes  in  the  security 
parameter  as  well  as  second  parameter  Q  which  intuitively  corresponds  to  the  number  of  signature  queries 
an  attacker  makes.  It  outputs  a  string  u  £  {0,1,  T}".  Informally,  we  say  that  the  system  is  admissible  if 
the  following  conditions  hold.  Consider  any  sequence  of  Q  values  X\ ,xq  and  x*  ^  aq .  The  event  we 
consider  is  where  the  string  /i(aq)  has  a  bit  in  common  with  u  in  at  least  one  position,  but  h(x*)  is  different 
from  u  at  all  positions.  (Note,  if  Uj  =  J_  then  it  is  different  at  position  j  from  all  bit  strings.)  If  this  event 
occurs  with  non-negligible  probability,  we  say  it  is  an  admissible  system.  Intuitively,  when  used  in  a  proof 
of  a  signature  scheme,  the  admissible  hash  function  is  utilized  to  partition  the  message  space  into  messages 
that  can  be  signed  in  the  query  phase  and  those  that  can  be  used  in  the  challenge  phase.  A  sampled  string  u 
corresponds  to  a  particular  partition.  When  running  a  reduction,  one  hopes  that  the  actual  signature  oracle 
ciueries  and  forgery  message  align  with  a  partition,  and  the  reduction  aborts  otherwise. 

To  build  the  hash  function  candidate,  the  setup  first  chooses  a  random  v  £  Z*N  as  well  as  exponents  a^b 
chosen  randomly  in  [0,  <j>(N)],  for  all  i  £  [1,  n],  b  £  {0, 1}.  Next,  it  builds  the  hash  function  as  an  obfuscation 
of  the  program  RSA  Hash.  The  program  will  first  compute  in'  =  h(m).  Then,  it  computes  and  outputs 

Our  proof  proceeds  in  a  few  hybrid  steps.  In  the  first  hybrid  experiment  the  challenger  creates  a  partition 
internally  by  calling  AdmSample(lA,  Q)  — ►  u  for  an  attacker  that  makes  at  most  Q  =  Q( A)  queries.  The 
game  aborts  and  declares  the  attacker  unsuccessful  if  any  of  the  query  messages  or  forgery  message  violates 
the  partition.  The  property  of  admissible  hashes  states  any  attacker  with  non-negligible  advantage  in  the 
real  game  will  also  have  non-negligible  advantage  here.  In  the  next  hybrid,  we  change  the  way  we  sample 
the  exponents  a^b-  One  first  chooses  random  y^b  €  [1 ,  iV] .  Then  for  when  m  =  b  we  set  c^b  =  e  •  y^b-  If 
Ui  ^  b  we  set  c^b  =  e  •  y^b  +  1.  Note  in  the  first  case  is  a  multiple  of  e  and  in  the  second  case  e  j  c^b- 
The  values  a^b  =  c*;b  mod  <j>(N).  We  show  that  this  way  of  choosing  a  values  is  statistically  close  to  the 
previous  uniform  way,  because  gcd (<f>(N),e)  =  1. 

Next,  we  use  an  alternative  program  where  we  directly  use  the  c^b  values  in  place  of  the  a^b  values.  Since 
the  group  Z*N  is  of  order  (j>(N)  we  have  that  ac™'  _  wnie[„]  Am'  for  au  Therefore  the  input/output 

behavior  is  the  same  between  the  two  programs  and  we  can  argue  the  advantage  in  the  hybrids  for  poly¬ 
time  attackers  must  be  close  by  indistinguishability  obfuscation.  This  is  the  critical  hybrid  experiment 
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in  that  it  most  radically  departs  from  previous  such  proofs,  by  leveraging  indistinguishability  obfuscation. 
Observe  that  this  hybrid  experiment  eliminates  the  need  for  the  reduction  to  know  (j>(N),  which  is  crucial 
to  the  reduction,  since  it  uses  c,;y  values  instead  of  a ,,5  values.  However,  if  the  values  c,.;,  were  completely 
visible  to  an  attacker,  they  would  be  trivially  distinguishable  from  the  “true”  uniform  cqy  values.  However, 
indistinguishability  obfuscation  guarantees  that  these  values  are  hidden  from  the  attacker,  and  that  indeed 
the  attacker  cannot  distinguish  this  hybrid  from  the  previous  one. 

Finally,  we  show  that  any  attacker  that  is  successful  in  the  last  hybrid  can  be  used  to  break  the  RSA 
assumption.  For  any  signature  query  message  m  that  respects  the  partition,  the  reduction  will  view  H(m) 
as  v  raised  to  some  integer  that  is  a  multiple  of  e  and  taking  the  e-tli  root  is  then  easy.  Any  forgery  on  in* 
that  respects  the  partition,  the  reduction  will  view  H(m*)  as  vz  for  some  z  where  gcd(e,  z)  =  1  and  from 
this  can  derive  v 1'e. 

BLS  Signatures  and  More  We  extend  our  techniques  to  replacing  the  random  oracle  in  the  BLS  [BLS01] 
signature  scheme.  In  Section  5  we  give  a  candidate  that  has  a  selective  proof  of  security  based  on  the 
computational  Diffie-Hellman  problem  (along  with  indistinguishability  obfuscation).  In  Section  6,  we  give 
an  adaptive  proof  of  security  based  on  an  assumption  equivalent  to  the  n-Diifie-Hellman  inversion  assumption. 
The  high  level  structures  of  these  are  similar  to  the  respective  selective  and  adaptive  construction  and  proof 
methods  above.  The  lower  level  mechanisms  are  adapted  to  the  context  of  bilinear  groups.  Finally,  in 
Section  7  we  sketch  how  the  BLS  ideas  extend  to  the  Boneh-Franklin  IBE  scheme. 

1.1  Other  Related  Work 

Recently,  the  work  of  [BHK13]  looked  at  a  complementary  question  of  identifying  a  definitional  abstraction 
to  replace  the  random  oracle  heuristic  in  many  random  oracle-based  constructions.  The  abstraction  is  a 
notion  of  security  called  UCE  (Universal  Computational  Extractor).  The  authors  emphasize  that  a  random 
oracle  is  known  not  to  exist  and  “behaves  like  a  random  oracle”  is  not  a  rigorously  defined  property,  whereas 
UCE  is  a  well  defined  property  of  a  hash  function.  They  then  show  how  several  previous  constructions  proven 
secure  in  the  random  schemes  can  be  proven  secure  if  we  assume  the  hash  functions  are  UCE  secure.  One 
can  then  conjecture  that  standard  cryptographic  hash  functions  like  SHA-256  may  satisfy  the  UCE  security 
notion.  In  contrast,  our  work  is  focused  on  providing  new  candidate  constructions  for  hash  functions,  that 
allow  for  a  security  proof  to  work  with  the  original  constructions  in  the  random  oracle  model.  Interestingly, 
the  work  of  [BHK13]  does  not  encompass  the  case  of  Full  Domain  Hash  signatures,  arguably  one  of  the  most 
natural  and  well-studied  constructions  in  the  Random  Oracle  Model,  that  we  address  here. 

2  Preliminaries 

In  this  section,  we  define  indistinguishability  obfuscation,  and  variants  of  pseudo-random  functions  (PRFs) 
that  we  will  make  use  of.  All  the  variants  of  PRFs  that  we  consider  will  be  constructed  from  one-way 
functions. 

2.1  Indistinguishability  Obfuscation 

The  definition  below  is  from  [GGH+13];  there  it  is  called  a  “family-indistinguishable  obfuscator”,  however 
they  show  that  this  notion  follows  immediately  from  their  standard  definition  of  indistinguishability  obfus¬ 
cator  using  a  non-uniform  argument. 

Definition  1  (Indistinguishability  Obfuscator  (iO)).  A  uniform  PPT  machine  iO  is  called  an  indistinguisha¬ 
bility  obfuscator  for  a  circuit  class  {C>}  if  the  following  conditions  are  satisfied: 

•  For  all  security  parameters  A  €  N,  for  all  C  £  C\,  for  all  inputs  x,  we  have  that 

Pr [C'(x)  =  C(x)  :  C'  <-  iO{ A,  C)\  =  1 
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•  For  any  (not  necessarily  uniform)  PPT  adversaries  Samp ,  D ,  there  exists  a  negligible  function  a  such 
that  the  following  holds:  if  Pr[Vx,  C'o(x)  =  C±(x)  :  (Co,  C\,  r)  •<—  S'amp(lA)]  >  1  —  a(A),  then  we  have: 


Pr  [D(t,  iO(X,  Cq))  =  1  :  (C0,Ci,t)  Sampf!^ 


-Pr  \D(r,iO( A,  CO) 


1  :  (C0,Ci,r)  •<—  5'amp(lA) 


<  a(A) 


In  this  paper,  we  will  make  use  of  such  indistinguislrability  obfuscators  for  all  polynomial-size  circuits: 

Definition  2  (Indistinguishability  Obfuscator  for  P/poly).  A  uniform  PPT  machine  iO  is  called  an  indis- 
tinguishability  obfuscator  for  P/poly  if  the  following  holds:  Let  C\  be  the  class  of  circuits  of  size  at  most  A. 
Then  iO  is  an  indistinguishability  obfuscator  for  the  class  {Ca}- 

Such  indistinguishability  obfuscators  for  all  polynomial-size  circuits  were  constructed  under  novel  alge¬ 
braic  hardness  assumptions  in  [GGH+13]. 


2.2  Constrained  PRFs 

We  first  consider  some  simple  types  of  constrained  PRFs  [BW13,  BGI13,  KPTZ13],  where  a  PRF  is  only 
defined  on  a  subset  of  the  usual  input  space.  We  focus  on  puncturable  PRFs,  which  are  PRFs  that  can  be 
defined  on  all  bit  strings  of  a  certain  length,  except  for  any  polynomial-size  set  of  inputs: 

Definition  3.  A  puncturable  family  of  PRFs  F  mapping  is  given  by  a  triple  of  Turing  Machines  KeyF, 
Puncture^,  and  EvalF,  and  a  pair  of  computable  functions  n(-)  and  m(-),  satisfying  the  following  conditions: 

•  [Functionality  preserved  under  puncturing]  For  every  PPT  adversary  A  such  that  A  (1 A )  outputs 
a  set  S  C  {0, 1}”(A),  then  for  all  x  €  {0, 1}”(A)  where  x  ^  S,  we  have  that: 

Pr  [Evali?(-R, x)  =  Eval f(Ks,x)  :  K  KeyF(lA),  Ks  =  PunctureF(R',  £)]  =  1 


•  [Pseudorandom  at  punctured  points]  For  every  PPT  adversary  (Ai,^)  such  that  A (1 A )  out¬ 
puts  a  set  S  C  {0, 1}”A)  ancj  state  r,  consider  an  experiment  where  K  <—  KeyF(lA)  and  Ks  = 
PunctureF(A',  S).  Then  we  have 


Pr  [A2(t,Ks,S,  EvalF(JL,  S))  =  l] 


Pr  [A2(t,  Ks,  S,  f/m(A).|s|)  =  l] 


negl(X) 


where  EvalF(A",  S)  denotes  the  concatenation  of  EvalF(AT,  xi)), . . . ,  EvalF(AT,  Xk))  where  S  =  {xi, . . . ,  Xk} 
is  the  enumeration  of  the  elements  of  S  in  lexicographic  order,  negl(-)  is  a  negligible  function,  and  XJt 
denotes  the  uniform  distribution  over  t  bits. 


For  ease  of  notation,  we  write  F(K,x)  to  represent  EvalF(AA  x).  We  also  represent  the  punctured  key 
PunctureF(A',5)  by  K(S). 

The  GGM  tree-based  construction  of  PRFs  [GGM84]  from  one-way  functions  are  easily  seen  to  yield 
puncturable  PRFs,  as  recently  observed  by  [BW13,  BGI13,  KPTZ13].  Thus  we  have: 

Theorem  1.  [GGM84,  BW13,  BGI13,  KPTZ13]  If  one-way  functions  exist,  then  for  all  efficiently  computable 
functions  n( A)  and  m( A),  there  exists  a  puncturable  PRF  family  that  maps  n( A)  bits  to  m( A)  bits. 

Next  we  consider  families  of  PRFs  that  are  with  high  probability  injective: 
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2.3  RSA  Assumption  and  Shamir’s  Lemma 

We  begin  by  recalling  (one  of  the)  standard  versions  of  the  RSA  assumption  [RSA78]. 

Assumption  1  (RSA).  Let  A  be  the  security  parameter.  Let  positive  integer  N  be  the  product  of  two 
A-bit,  distinct  odd  primes  p,  q.  Let  e  be  a  randomly  chosen  positive  integer  less  than  and  relatively  prime 
to  (j>(N)  =  (p  —  1)(<7  —  1).  Given  (N,  e)  and  a  random  y  £  Z*N,  it  is  hard  to  compute  x  such  that  xe  =  y 
mod  N. 

We  also  make  use  of  the  following  lemma  due  to  Shamir. 

Lemma  1  (Shamir  [Sha83]).  Given  x,y  £  Zjss  together  with  e  Z  such  that  xa  =  yb  (mod  N)  and 
gcd(a,  b)  =  1,  there  is  an  efficient  algorithm  for  computing  z  £  Z^  such  that  za  =  y  (mod  N ). 

2.4  Bilinear  Groups  and  the  CDH  Assumption 

Let  G  and  G t  be  groups  of  prime  order  p.  A  bilinear  map  is  an  efficient  mapping  e  :  G  x  G  — ►  G t  which 
is  both:  ( bilinear )  for  all  g  £  G  and  a,b  <—  Zp,  e(ga,gb)  =  e(g,g)ab;  and  (non- degenerate)  if  g  generates  G, 
then  e(g,g)  ^  1. 

Assumption  2  (Computational  Diffie-Hellman).  Let  g  generate  a  group  G  of  prime  order  p  £  0(2A).  For 
all  p.p.t.  adversaries  A,  the  following  probability  is  negligible  in  A: 

Pr[a,  b  ■£-  Zp;z£-  A(g,ga,gb)  :  z  =  gab}. 

2.5  The  n-Difhe-Hellman  Inversion  Assumption  and  Equivalent  Formulation 

Our  Section  6  construction  of  adaptively  secure  BLS  signatures  makes  use  of  the  n-Diffie-Hellman  Inversion 
assumption  [BB04b].  This  is  a  parameterized  family  of  assumptions,  where  the  number  of  group  elements 
involved  increases  with  n.  (In  our  application  of  Section  6  n  will  be  dependent  only  on  the  security  param¬ 
eter.) 

Assumption  3  (n-Diffie-Hellman  Inversion).  Let  h  generate  a  group  G  of  prime  order  p  £  0(2A).  For  all 
p.p.t.  adversaries  A,  the  following  probability  is  negligible  in  A: 

Pr[&  <-  Zp-  z  <-  A(h,  hb,hb2,...,hbn):z  =  g1/b}. 

We  will  actually  use  an  equivalent  assumption,  which  is  easier  to  work  with  in  our  proof.  We  call  the 
assumption  the  n-DHI  Equivalent  assumption  for  the  purposes  of  this  paper.  The  assumption  is  stated  as 
follows. 

Assumption  4  (?r-DHI  Equivalent).  Let  g  generate  a  group  G  of  prime  order  p  £  0(2A).  For  all  p.p.t. 
adversaries  A,  the  following  probability  is  negligible  in  A: 

Pr[o  ^Zp;z£-  A(g,ga,ga2 ,...,gaU)  :  z  =  £a"+1]. 

We  briefly  sketch  why  an  attacker  A  on  the  new  assumption  implies  an  attacker  on  the  n-DHI  assumption. 
Suppose,  that  an  algorithm  B  is  given  a  DHI  instance  h,hb,hb  , ,  hb  .  Then,  it  creates  an  instance  for  A 
by  setting  g  =  hb  ,ga  =  gb  , . . . ,  ga  =  h.  Essentially,  this  sets  g  =  hb  and  implicitly  a  =  6_1.  Therefore, 
ga  =  h 1/h.  Thus  an  efficient  attacker  to  the  n-DHI  Equivalent  problem  implies  one  to  the  n-DHI  problem. 
The  other  direction  of  equivalence  follows  in  an  analogous  manner. 
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3  Full-Domain  Hash  Signatures  (Selectively  Secure) 

In  this  section,  we  revisit  the  Bellare-Rogaway  Full-Domain  Hash  (FDH)  signature  scheme  [BR93,  BR96], 
and  show  how  to  make  it  selectively  secure  in  the  standard  model  by  instantiating  the  random  oracle  in  a 
specific  way.  We  stress  that  we  do  not  modify  the  Bellare-Rogaway  FDH  signature  scheme  in  any  way;  the 
only  new  aspect  of  our  construction  is  our  instantiation  of  the  random  oracle  with  a  specific  function  whose 
description  becomes  part  of  the  public  key. 

Recall  that  the  Bellare-Rogaway  FDH  signature  scheme  required  a  trapdoor  permutation  family.  Our 
method,  in  fact,  not  only  applies  to  trapdoor  permutation  families,  but  indeed  to  any  injective  trapdoor 
function  family.  We  prove  the  selective  security  of  the  FDH  signature  scheme  based  on  the  security  of  the 
indistinguishability  obfusctor,  the  security  of  a  puncturable  PRF  family,  and  the  security  of  an  injective 
trapdoor  function  family. 

For  simplicity  of  exposition,  we  assume  that  there  is  a  polynomial  £(A)  which  denotes  the  length  of 
messages  to  be  signed;  we  denote  this  message  space  by  M  =  {0, 1}^A).  More  generally,  a  collision-resistant 
hash  function  may  be  used  to  hash  messages  to  this  size. 

-  Setup(lA)  :  The  setup  algorithm  first  runs  TDFSetup(lA)  and  that  produces  a  public  index  PK  along 
with  a  trapdoor  SK,  yielding  the  map  gpK  :  {0, 1}"  — >  {0, 1}W  together  with  its  inverse.  Next,  the 
setup  algorithm  chooses  a  puncturable  PRF  key  K  for  F  where  F(K,  •)  :  {0, 1}^A1  — >  {0, 1}™.  Then, 
it  creates  an  obfuscation  of  the  of  the  program  Full  Domain  Hash  Figure  1.  The  size  of  the  program 
is  padded  to  be  the  maximum  of  itself  and  the  program  Full  Domain  Hash*  of  Figure  2.  We  refer  to 
the  obfuscated  program  as  the  function  H  :  {0, 1}^A)  — ►  {0, 1}™,  which  acts  as  the  random  oracle  type 
hash  function  in  the  Bellare-Rogaway  scheme. 

The  verification  key  VK  consists  of  the  trapdoor  index  PK  as  well  as  the  hash  function  H(-).  The 
secret  key  is  the  trapdoor  SK  as  well  as  H(-). 

-  Sign(SK, m  £  M)  :  The  signature  algorithm  outputs  cr  =  g^{H(m))  €  {0, 1}”. 

? 

-  Verify(VK,  m,  a)  The  verification  algorithm  tests  if  5pk(c)  =  H(m)  and  outputs  accept  if  and  only  if 
this  holds. 


Full  Domain  Hash 

Constants:  PRF  key  K ,  trapdoor  function  index  PK. 

Input:  Message  m. 

1.  Output  <7pk(-F(A',  m)). 


Figure  1:  Full  Domain  Hash 


Full  Domain  Hash* 

Constants:  Punctured  PRF  key  K({m*}),  m*  £  M,  z*  £  {0, 1}“,  trapdoor  function  index  PK. 
Input:  Message  m. 

1.  If  m  =  m*  output  z*  and  exit. 

2.  Else  output  gpK(F(K,  m)). 


Figure  2:  Full  Domain  Hash* 

Theorem  2.  If  our  obfuscation  scheme  is  indistingishuably  secure,  F  is  a  secure  punctured  PRF,  and  the 
injective  trapdoor  function  is  secure,  then  the  above  signature  scheme  is  selectively  secure. 

We  describe  a  proof  as  a  sequence  of  hybrid  experiments  where  the  first  hybrid  corresponds  to  the  original 
signature  security  game.  We  prove  that  a  poly-time  attacker’s  advantage  must  be  negligibly  close  between 
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each  successive  one.  Then,  we  show  that  any  poly-time  attacker  in  the  final  experiment  that  succeeds  in 
forging  with  non-negligible  probability  can  be  used  to  invert  the  injective  trapdoor  function. 

•  Hyb0  :  In  the  first  hybrid  the  following  game  is  played: 

1.  The  attacker  selectively  gives  the  challenger  the  message  to*. 

2.  The  TDF  index  is  chosen  by  the  challenger  running  TDFSetup(lA). 

3.  K  is  chosen  as  a  key  for  the  puncturable  PRF. 

4.  The  hash  function  H(-)  is  created  as  an  obfuscation  of  the  program  Full  Domain  Hash. 

5.  The  attacker  queries  the  sign  oracle  a  polynomial  number  of  times  on  messages  m  ^  to*.  It  receives 
back  g^{H(m))  =  F(K,m).  (Note  the  equality  holds  since  the  function  gPK  is  injective.) 

6.  The  attacker  sends  a  forgery  cr*  and  wins  if  Verify (VK,  to*,  a*)  =  1. 

•  Hyb1  :  Is  the  same  as  Hyb0  except  we  let  z*  =  gP^{F{K,m*))  and  let  VK  be  the  obfuscation  of  the 
program  Verify  Signature*  of  Figure  2. 

•  Hyb2  :  Is  the  same  as  Hy^  except  z*  =  gpK.(t)  for  t  chosen  uniformly  at  random  in  {0, 1}”. 

Lemma  2.  If  our  obfuscation  scheme  is  indistinguishability  secure,  then  the  advantage  of  a  poly-tinre 
attacker  in  Hyb0  is  negligibly  close  to  the  advantage  in  Hyb1. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  indistinguishability  security  of  the  obfuscator.  To 
do  so,  we  must  build  the  two  algorithms  Samp  and  D. 

Samp{  1A)  behaves  as  follows:  It  invokes  the  adversary  to  obtain  m*  and  the  adversary’s  state  r'.  It 
runs  TDFSetup(lA)  to  obtain  PK  and  SK.  It  then  chooses  K  as  a  key  for  the  puncturable  PRF.  It  sets 
=  gpK(F(K,m*)).  It  sets  r  =  (to*,  PK,  SK,  K,  t')  and  builds  C\  as  the  program  for  Full  Domain  Hash, 
and  C2  as  the  program  for  Full  Domain  Hash*. 

Before  describing  D ,  we  observe  that  by  construction  and  the  functionality  preservation  property  of 
puncturable  PRFs,  the  circuits  C\  and  C2  always  behave  identically  on  every  input.  Because  of  padding,  both 
Ci  and  C2  have  the  same  size.  Thus,  Samp  satisfies  the  conditions  needed  for  invoking  the  indistinguishability 
property  of  the  obfuscator. 

Now,  we  can  describe  the  algorithm  D ,  which  takes  as  input  r  as  given  above,  and  either  the  obfuscation  of 
Ci,  which  is  the  program  Full  Domain  Hash,  or  C2,  which  is  the  program  Full  Domain  Hash*.  D  creates  the 
verification  key  for  the  signature  scheme  by  combining  PK  with  the  obfuscated  program  as  the  hash  function 
description.  It  then  invokes  the  adversary  on  this  verification  key,  and  the  adversary  then  makes  requests  for 
signatures  on  messages  m  ^  to*  .  For  each  such  message,  D  constructs  the  signatures  g^{H{m))  =  F(K,  to), 
through  its  knowledge  of  K  within  r.  Finally,  the  attacker  sends  a  forgery  a*  and  wins  if  Verify  (to*,  a*)  =  1. 
If  the  attacker  wins,  D  outputs  1. 

By  construction,  if  D  receives  an  obfuscation  of  Ci,  then  the  probability  that  D  outputs  1  is  exactly  the 
probability  of  the  adversary  winning  in  hybrid  Hyb0.  On  the  other  hand,  if  D  receives  an  obfuscation  of  C2, 
then  the  probability  that  D  outputs  1  is  the  probability  of  the  adversary  winning  in  hybrid  Flyb^ 

The  lemma  follows.  B 

Lemma  3.  If  our  confined  PRF  is  secure,  then  the  advantage  of  a  poly-time  attacker  in  Hy^  is  negligibly 
close  to  the  advantage  in  Hyb2. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  pseudorandomness  property  at  punctured  points 
for  punctured  PRFs.  To  do  so,  we  must  build  the  algorithms  A\  and  A2. 

Hi(lA)  simply  invokes  the  adversary  to  obtain  the  challenge  message  m*  and  state  r',  and  outputs  the 
singleton  set  S  =  {to*}  and  r  =  (lA,r'). 

A2  obtains  as  input  r,  the  punctured  key  Kg,  the  singleton  set  S  =  {to*},  and  either  a  value  t*  = 
F(K,m*)  or  a  uniformly  random  value  t*.  Then,  A2  invokes  TDFSetup(lA)  to  obtain  PK  and  SK.  Now 
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given  £*,  it  can  compute  z*  =  gpK(t*)-  Note  that  this  yields  either  the  value  computed  in  hybrid  Hyb1 
or  in  hybrid  Hyb2.  Since  it  knows  Kg,  now  A 2  can  obfuscate  the  program  Full  Domain  Hash*,  and  then 
execute  the  adversary  and  answer  its  signature  queries  using  the  punctured  key  Kg.  Finally,  A 2  outputs  1 
if  the  adversary  succeeds. 

By  construction,  the  pseudorandomness  property  for  punctured  PRFs  implies  the  lemma.  B 

Lemma  4.  If  our  injective  trapdoor  function  is  hard  to  invert,  then  the  advantage  of  a  poly-time  attacker 
in  Hyb2  is  negligible. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  one-wayness  of  the  injective  trapdoor  function.  To 
do  so,  we  build  an  inverting  algorithm  Inv. 

Inv  takes  as  input  a  public  index  PK  for  an  injective  trapdoor  function,  and  a  target  z*  =  <?pk(I*)  for 
some  (as  yet  unknown)  random  value  t* .  The  algorithm  Inv  then  invokes  the  adversary  to  obtain  m* ,  and 
chooses  a  PRF  key  K  and  builds  the  punctured  key  K(S)  where  S  =  {to*}.  It  uses  this  key,  together 
with  PK  and  z* ,  to  obfuscate  the  program  Full  Domain  Hash*.  It  can  then  execute  the  adversary,  and 
use  its  knowledge  of  K(S)  to  answer  all  adversary  signing  queries.  The  adversary  then  terminates  with  an 
attempted  forgery  a*  on  message  to*.  By  the  definition  of  the  program  Full  Domain  Hash*,  this  forgery  can 
only  be  valid  if  3pk(<7*)  =  z* ,  and  because  §pk  is  injective,  this  can  only  happen  if  a*  =  t*.  Thus  if  the 
adversary  is  successful,  Inv  can  output  ex*  as  a  valid  pre-image  of  z*. 

We  observe  that  by  construction  of  Inv,  the  probability  of  success  of  Inv  is  exactly  the  probability  that 
the  attacker  succeeds  in  hybrid  Hyb2.  The  lemma  follows.  jfl} 

These  three  lemmas  together  yield  our  main  theorem  that  the  above  full  domain  hash  signature  scheme 
is  selectively  secure. 

4  Adaptively  Secure  RSA  Full  Domain  Hash  Signatures 

We  first  describe  at  a  high  level  what  advantage  indistinguishability  obfuscation  gives  us  in  this  situation:  In 
several  previous  constructions  of  adaptively  secure  schemes  in  the  plain  model  starting  with  the  adaptively 
secure  IBE  scheme  of  [BB04a] ,  a  special  hash  function  was  chosen  that  allowed  for  a  “partitioning”  proof  of 
security.  In  essence,  for  this  to  work,  the  hash  function  should  have  two  “modes” : 

•  In  the  “normal”  mode,  the  hash  function’s  parameters  are  typically  just  chosen  at  random,  and  it 
behaves  like  an  ordinary  hash  function. 

•  In  the  “partitioning”  mode,  the  hash  function  parameters  are  chosen  according  to  a  special  distribution. 
This  special  distribution  allows  for  the  efficient  computation  of  the  inverse  of  the  hash  value  for  a  large 
fraction  of  points,  but  it  has  the  property  that  computing  the  inverse  of  the  hash  value  at  any  other 
point  is  computationally  hard. 

It  is  crucial  that  the  input/output  functionality  of  the  hash  function  should  be  identical  in  the  two  modes, 
and  we  will  also  use  this  property.  However,  in  previous  proofs  (like  [BB04a]),  it  was  also  critical  that  the 
hash  function  parameters  in  “partitioning”  mode  be  information  theoretically  indistinguishable  from  the 
parameters  in  “normal”  mode,  and  thus  the  partition  should  be  hidden  from  the  adversary  even  when  given 
the  hash  function  parameters.  This  restriction  significantly  limited  the  applicability  of  this  technique,  as 
it  could  only  be  applied  with  algebraic  structures  that  allowed  for  such  “pseudorandom”  hash  parameters. 
Thanks  to  indistinguishability  obfuscation,  however,  we  can  avoid  this  restriction  by  obfuscating  the  hash 
function  description.  Thus,  even  if  the  natural  hash  function  parameters  in  “partitioning”  mode  clearly  reveal 
the  partition  and  thus  are  distinguishable  from  normal  parameters,  because  the  resulting  hash  function  is 
functionally  identical  to  a  hash  function  in  “normal”  mode,  the  obfuscated  hash  function  must  hide  the 
partition,  and  this  allows  the  proof  of  adaptive  security  to  go  through. 

In  describing  our  signature  scheme,  For  simplicity  of  exposition,  we  assume  that  there  is  a  polynomial 
£?(A)  which  denotes  the  length  of  messages  to  be  signed;  we  denote  this  message  space  by  M  =  {0, . 
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More  generally,  a  collision-resistant  hash  function  may  be  used  to  hash  messages  to  this  size.  Below,  for  any 
polynomial  in  A,  after  the  first  mention  of  this  polynomial,  we  will  often  suppress  the  dependence  on  A  for 
ease  of  notation.  Thus,  below  often  we  will  simply  refer  to  the  size  of  messages  to  be  signed  by  £. 

Before  describing  our  construction,  we  first  recall  a  (simplified)  description  of  the  notion  of  admissible 
hash  functions  due  to  [BB04a].  Our  definition  is  a  slight  variation  of  the  simplified  definition  due  to  [FHPS13]. 

Definition  4.  Let  £,  n  and  9  be  efficiently  computable  univariate  polynomials.  We  say  that  an  efficiently 
computable  function  h  :  {0,  — >■  {0, 1}"^,  and  an  efficient  randomized  algorithm  AdmSample,  is  6- 

admissible  if  the  following  condition  holds: 

For  any  u  £  ({0, 1}  U  {J_})ra,  define  Pu  :  {0, 1 }e  {0, 1}  as  follows:  Pu{x)  =  0  iff  Vi  :  h(x)i  ^  Ui,  and 

otherwise  (if  3 i  :  h(x)i  =  Ui)  we  have  Pu(x)  =  1. 

Then  we  require  that  for  any  efficiently  computable  polynomial  Q(A),  for  all  x\, . . . ,  xq,  z  £  {0, 1}( ,  where 
2  £  {xi},  we  have  that 

Pr  [Pu(x r)  =  Pu{x2)  =■■■=  Pu(xQ)  =  1  A  Pu{z)  =  0]  >  1/0(Q) 
where  the  probability  is  taken  only  over  u  -£-  AdmSample(lA,  Q). 

Theorem  3  (Admissible  Function  Families  [BB04a],  see  also  [FHPS13]  for  a  simple  proof).  For  any  effi¬ 
ciently  computable  polynomials  £,  n,  there  exists  an  efficiently  computable  polynomial  9  such  that  there  exist 
9— admissible  function  families  mapping  £  bits  to  n  bits. 

We  now  show  that  we  can  leverage  the  structure  of  the  RSA  trapdoor  permutation  to  prove  adaptive 
security.  The  use  of  RSA  as  a  candidate  for  a  trapdoor  permutation  was  first  discussed  in  the  original  Bellare- 
Rogaway  [BR93]  paper,  however,  it  was  in  [BR96]  that  Bellare  and  Rogaway  gave  an  explicit  full  domain 
hash  RSA  construction.  This  construction  formed  the  basis  for  part  of  the  standard  PKCS#1  [KS98]. 

-  Setup(lA)  :  The  setup  algorithm  first  runs  an  RSA  type  setup.  It  chooses  random  primes  p,  q  of  A  bits 
each.  We  define  N  =  p  ■  q  and  4>(N)  =  (p  —  1  )(q  —  1).  We  let  e  be  a  random  chosen  integer  between  1 
and  cj)(N )  such  that  gcd(<3(-/V),  e)  =  1. 

Next,  it  chooses  integers  (a^o,  aip), . . . ,  (anp,  anji)  each  uniformly  at  random  from  the  range  [1,  4>(N)  — 
I].  In  addition,  it  chooses  a  group  element  v  £  7j*n.  It  then  creates  an  obfuscation  of  the  of  the  program 
RSA  Hash  of  Figure  3.  The  size  of  the  program  is  padded  to  be  the  maximum  of  itself  and  the  program 
RSA  Hash*  of  Figure  4.  We  refer  to  the  obfuscated  program  as  the  function  H(-).  This  function  H(-) 
will  replace  the  random  oracle  in  the  RSA  full  domain  hash  scheme,  but  no  other  part  of  the  scheme 
is  modified. 

The  verification  key  VK  consists  of  the  integers  N,  e  as  well  as  the  hash  function  H  :  {0,  ljVl-V  — >•  Z*N. 
The  secret  key  is  the  integer  d  where  e  •  d  =  1  mod  4>(N). 

-  Sign(SK,m  £  M)  :  The  signature  algorithm  outputs  a  =  H(M)d  mod  N. 

-  Verify  (VK,  m,  a)  The  verification  algorithm  tests  if  ae  =  H(m)  mod  N  and  outputs  accept  if  and  only 
if  this  holds. 


Remark  1.  For  simplicity  of  exposition  we  describe  computing  the  programs  output  by  first  computing  a 
integer  Tr(m')  as  a  product  of  n  integers  and  then  raising  v  to  this  mod  N.  In  practice,  it  might  be  more 
efficient  to  incrementally  raise  an  accumulated  value  to  each  aijm' . 

Theorem  4.  If  our  obfuscation  scheme  is  indistingishuably  secure  and  the  RSA  assumption  holds,  the  above 
signature  scheme  is  existentially  unforgeable  against  chosen  message  attacks. 

We  describe  a  proof  as  a  sequence  of  hybrid  experiments  where  the  first  hybrid  corresponds  to  the  original 
signature  security  game.  In  the  first  hybrid  step  we  do  a  “partitioning”  of  the  message  space.  Consider  a 
poly-time  attacker  that  makes  Q  =  Q(A)  signature  queries  m i, . . .  ,toq  and  attempts  to  forge  on  message 
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RSA  Hash 

Constants:  RSA  modulus  N,  integers  (ai,o,  01,1),  •  •  • ,  (an,o,  On.i)  each  in  [1,  0(iV)  —  1],  and  v  £  T,*N. 
Input:  Message  m. 

1.  Compute  m'  =  h(m). 

2.  Compute  the  integer  n(m')  =  n,:6[n] 

3.  Output  v ,r*m  ^  (mod  N). 

Figure  3:  RSA  Hash 

RSA  Hash* 

Constants:  RSA  modulus  N,  integers  (ci,o,  cyi), . . . ,  (cn,o,  cn,i)  each  chosen  as  in  Hyb2,  and  v  £  T,*N. 
Input:  Message  m. 

1.  Compute  m!  —  h(m). 

2.  Compute  the  integer  n(m')  =  ni£rn]  ci  m/. 

3.  Output  v 'K(-rn  ^  (mod  N). 


Figure  4:  RSA  Hash* 

m*  to,;  for  all  i.  Roughly,  at  the  beginning  of  Hy^  the  challenger  will  now  (behind  the  scenes)  partition 
the  message  space  such  that  a  large  fraction  of  messages  will  fall  into  a  “query”  space  and  a  much  smaller, 
but  still  non-negligible  fraction  of  messages  will  fall  into  the  “challenge”  space.  Furthermore,  in  this  new 
game  the  attacker  is  only  considered  to  have  won  if  he  both  forged  a  signature  and  all  his  signature  queries 
mi , . . . ,  mn  fall  into  the  query  space  and  m*  falls  into  the  challenge  space.  We  can  show  that  if  an  attacker 
succeeds  in  the  original  security  game  (that  does  not  have  these  additional  restrictions  on  winning)  with 
non-negligible  advantage,  then  if  will  succeed  in  Hy^  with  non-negligible  advantage.  Our  system  uses  the 
Boneh-Boyen  [BB04a]  admissible  hash  function  defined  above,  where  if  an  attacker  has  advantage  e  in  Hyb0, 
he  will  have  advantage  e/6{Q)  in  Hy^. 

After  the  first  proof  step  we  prove  that  a  poly-time  attacker’s  advantage  must  be  negligibly  close  between 
each  successive  hybrid  experiment.  We  finally  show  that  any  poly-time  attacker  in  the  final  experiment  that 
succeeds  with  non-negligible  probability  can  be  used  to  break  the  RSA  assumption. 

•  Hyb0  :  In  the  first  hybrid  the  following  game  is  played. 

1.  The  challenger  sets  N  =  p  ■  q  and  <p{N )  =  (jp  —  l)(q  —  1).  It  chooses  e  as  a  random  chosen  integer 
between  1  and  q J(iV )  such  that  gcd(0(Ar),e)  =  1. 

2.  The  challenger  chooses  integers  (aqo,  aqi), . . . ,  (a^o,  an,i)  each  uniformly  at  random  from  the 
range  [1, 4>(N)  —  1]. 

3.  The  variable  v  is  chosen  uniformly  at  random  in  Z *N . 

4.  The  hash  function  H(-)  is  created  as  an  obfuscation  of  the  program  RSA  Hash. 

5.  The  attacker  queries  the  signing  oracle  at  most  Q  times  on  messages  to i,  . . . ,  toq.  In  its  zth  query, 
it  receives  back  H{rni)d  (mod  N). 

6.  The  attacker  finally  chooses  a  message  to*,  sends  a  forgery  cr*,  and  wins  if  Verify(VK,  to*,  a*)  =  1. 

•  Hyb1  :  Is  the  same  as  Hyb0  except  the  challenger  begins  by  sampling  a  string  u  £  ({0, 1,  _L})"  by  calling 
AdmSample(lA,  Q)  — >  u ,  where  Q  is  an  upper  bound  on  the  number  of  queries  made  by  the  adversary 
(this  could,  for  example,  be  the  running  time  of  the  adversary).  At  the  end  of  the  experiment,  the 
attacker  is  only  considered  to  be  successful  if  both  Verify(VK,  to*,  a*)  =  1  and  Pu(m*)  =  0  and  for  all 
messages  to  queried,  Pu{m)  =  1.  If  the  attacker  is  successful  but  this  condition  is  not  satisfied,  we  say 
that  the  hybrid  “aborts.” 
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•  Hyb2  :  Is  the  same  as  Hy^  except  the  for  the  following  modification.  After  sampling  it,  the  challenger 
chooses  integers  (cpo,  cpi), . . . ,  (cn, o,  Cn,  1)  hr  the  following  way.  For  i  £  [n]  and  b  €  {0, 1},  yi ^  is  chosen 
uniformly  at  random  from  all  integers  in  [1,  iV] .  The  challenger  then  sets 


Ci,b  — 


e  *  Vi,b 

e  •  Vi,b  +  1 


if  b  =  Ui 
if  b  Ui 


Observe  that  gcd(e,  e  •  yi ^  +  1)  =  1,  for  all  i,  b.  We  note  that  if  b  ^  m,  then  either  m  =  1  —  b  or  m  =  _L. 
Then  for  i  £  [n]  and  b  £  {0, 1},  it  sets  cq ,b  =  (c,^  mod  <f>(N)). 

•  Hyb3  :  Is  the  same  as  Hyb2  except  the  challenger  creates  the  hash  function  H(-)  as  an  obfuscation 
of  the  program  RSA  Hash*  using  the  values  (cpo,  cpi), . . . ,  (cnj o,  c„, i).  The  “a”  values  are  no  longer 
computed  or  used. 


Lemma  5.  Consider  a  attacker  that  makes  at  most  a  polynomial  of  queries  Q  =  Q{ A)  in  Hyb0.  If  the 
advantage  of  an  attacker  in  Hyb0  is  e(A),  then  the  advantage  of  the  attacker  in  Hyb1  will  be  at  least  e(A)/0(<2). 
In  particular,  any  poly-tinre  attacker  with  non  negligible  advantage  in  Hyb0  will  also  have  non-negligible 
advantage  in  Hy^. 

Proof.  The  lemma  follows  immediately  from  the  function  h  satisfying  the  definition  of  a  0-admissibility,  since 
the  only  the  independent  choice  of  u  <—  AdmSample(T\  Q)  determines  whether  or  not  the  hybrid  aborts. 


Lemma  6.  The  advantage  of  any  attacker  in  Hy^  is  negligibly  close  to  the  advantage  in  Hyb2. 

Proof.  Fix  i,  b,  and  consider  the  cqy,  value  that  results  from  the  choice  of  c^b  in  hybrid  Hyb2.  First,  observe 
that  the  random  choice  of  j/,;.b  from  the  range  [1,  N]  is  negligibly  statistically  close  to  a  random  choice  of 
2/qb  in  the  range  [1,  <j>(N)  —  1],  since  N  —  <p(N)  =  p  +  q  —  1.  Thus,  for  the  remainder  of  the  argument,  we 
can  assume  that  each  yi>b  is  chosen  uniformly  from  the  range  [1,</>(7V)  —  1],  Next,  since  gcd(e,  =  1, 

we  have  that  both  (e  •  yi  b  mod  4>{N))  and  (e  •  +  1  mod  4>(N))  are  distributed  uniformly  in  the  range 

[1,  4>(N)  —  1],  and  the  lemma  follows.  HI 

Lemma  7.  If  our  obfuscation  scheme  is  indistinguishability  secure,  then  the  advantage  of  any  poly-tinre 
algorithm  in  Hyb2  is  negligibly  close  to  the  advantage  in  Hyb3. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  indistinguishability  security  of  the  obfuscator.  To 
do  so,  we  must  build  the  two  algorithms  Samp  and  D. 

Samp(  1A)  behaves  as  follows:  It  invokes  the  adversary  to  obtain  the  adversary’s  state  r'.  It  runs  the 
RSA  type  setup  as  in  the  real  scheme  to  generate  primes  p,  q  and  sets  N  =  p  ■  q  and  =  (p  —  1  )(q  —  1). 

It  chooses  e  as  a  random  integer  between  1  and  <j>(N)  such  that  gcd(^(AT),e)  =  1.  It  sets  integer  d  where 
e  •  d  =  1  mod  4>(N).  It  chooses  v  £  JPN  as  a  random  element.  It  chooses  (cpcnCpi),  . . . ,  (cHjo,  c„,i) 
and  (dyo,  dip), . . . ,  (anji,  an,o)  derived  from  them,  as  in  Hyb2.  It  sets  r  =  (N,p,  q,  e,  d,  (cpo,  ci,i), . . . , 
{cn,oicn,i)Aai,Oiai,i)i- ■  ■  Aan,hO'n,o)iv,T')  and  builds  C\  as  the  program  for  RSA  Hash,  and  Ci  as  the 
program  for  RSA  Hash*. 

Before  describing  D,  we  observe  that  by  construction,  the  circuits  C\  and  Ci  always  behave  identically 
on  every  input.  To  show  program  equivalence,  note  that  since  JPN  is  of  order  <j)(N)  for  all  m! ,  we  have  that 

vUiCi^  (mod  N)  =  u(n‘c*W}  <mod*<JV»  (mod  IV)  = 

«n.(c-'  (mod^(JV)))  (mod  N)  =  (mod  N). 

With  suitable  padding,  both  C\  and  C2  have  the  same  size.  Thus,  Samp  satisfies  the  conditions  needed  for 
invoking  the  indistinguishability  property  of  the  obfuscator. 
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Now,  we  can  describe  the  algorithm  D ,  which  takes  as  input  r  as  given  above,  and  either  the  obfuscation  of 
Ci,  which  is  the  program  RSA  Hash,  or  C2,  which  is  the  program  RSA  Hash*.  D  then  invokes  the  adversary, 
which  makes  requests  for  signatures  on  messages.  D  constructs  the  signatures  H{m)d ,  through  its  knowledge 
of  d  within  r.  Finally,  the  attacker  sends  a  forgery-message  pair  ( a*,m *)  and  wins  if  Verify(VK,  to* ,  a*)  =  1. 
If  the  attacker  wins,  D  outputs  1. 

By  construction,  if  D  receives  an  obfuscation  of  Ci,  then  the  probability  that  D  outputs  1  is  exactly  the 
probability  of  the  adversary  winning  in  hybrid  Hyb0.  On  the  other  hand,  if  D  receives  an  obfuscation  of  C2, 
then  the  probability  that  D  outputs  1  is  the  probability  of  the  adversary  winning  in  hybrid  Hyb^ 

The  lemma  follows.  J5 

Lemma  8.  If  the  RSA  assumption  holds,  then  the  advantage  of  an  poly-time  algorithm  in  Hyb3  is  negligible. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  RSA  problem.  To  do  so,  we  build  algorithm  B. 

B  takes  as  input  an  RSA  challenge  ( N ,  e,  v)  where  N  is  the  product  of  two  (unknown)  primes  p ,  q ,  e  is 
randomly  chosen  from  [1,  4>(N)]  such  that  gcd ((f(N),e)  =  1  and  v  £  Z*N.  Next,  B  calls  AdmSample(lA,  Q)  — >■ 
u,  where  Q  is  an  upper  bound  on  the  number  of  queries  made  by  the  adversary.  Then  B  chooses  integers 
(ci,o>  Ci,i))  •  •  • ,  (cnjo,  cn>  1)  in  the  following  way.  For  i  €  [n]  and  b  £  {0, 1}  if  b  =  iq  then  first  2/i,h  is  chosen 
uniformly  at  random  from  all  integers  in  [1,  AT],  and  c^f,  =  e  •  Otherwise  is  chosen  uniformly  at 
random  from  all  integers  in  [l,iV],  and  c^f,  =  e  •  +  1-  Finally,  B  creates  the  hash  function  H(-)  as  an 

obfuscation  of  the  program  RSA  Hash*  using  the  N  and  values  (c^o,  cpi), . . . ,  (cn)o,  c^i)  above,  and  the 
value  v  in  the  RSA  Hash*  program  will  be  the  value  v  in  the  RSA  challenge.  All  these  steps  together  simulate 
the  setup  phase  of  Hyb3.  Now,  it  runs  the  attacker  using  the  initial  parameters  generated  above. 

The  attacker  will  then  make  at  most  Q  signing  queries  each  for  a  message  to.  We  denote  m!  =  h(m)  and 
the  integer  7 t(to')  =  Iliefn]  ci,m'  •  If  Pu(m)  /16  aborts  and  quits.  Otherwise,  Pu(m)  =  1  and  there  exists 
an  i  where  e  |  CjjTO'  and  therefore  e  |  n(m').  B  can  then  compute  the  integer  t  =  n(m')/e  and  compute  the 
(unique)  signature  on  m  as  v*. 

Finally,  the  attacker  will  output  an  attempted  forgery  a*  on  some  message  in*  that  is  distinct  from  all  the 
messages  in  the  query  phase.  B  first  checks  if  the  signature  verifies  and  aborts  if  it  does  not.  Next,  it  checks 
if  Pu(m*)  7^  0  and  aborts  if  that  is  the  case.  Otherwise,  Pu(m*)  =  0  and  for  all  i  we  have  gcd(e,  ci>m/»)  =  1 
and  therefore  gcd(e, =  1.  Following  Shamir’s  theorem  [Sha83],  the  attacker  applies  the  Euclidean 
Algorithm  to  obtain  integers  a  and  /3  such  that  a  ■  e  +  /3  •  7r(m/*)  =  1.  Therefore,  since  (tr*)e  =  v 7I’(m  \  it 
sets  z  =  va  •  (cr*)P ,  and  we  have  that  ze  =  ?;ae+/Mm  )  =  v_  xf  a*  was  a  successful  forgery,  then  this  value  z 
is  a  solution  to  the  RSA  challenge. 

We  observe  that  by  construction  of  B ,  the  probability  of  success  of  B  is  exactly  the  probability  that  the 
attacker  succeeds  in  hybrid  Hyb3.  Importantly,  whenever  B  aborted,  the  attacker  by  the  rules  of  Hyb3  was 
not  considered  to  be  successful  since  his  queries  or  forgery  violated  the  partition.  The  lemma  follows. 


Pulling  together  these  four  lemmas  immediately  gives  our  the  main  theorem  that  the  above  RSA  full 
domain  hash  signature  scheme  is  (adaptively)  secure. 

5  Selectively  Secure  BLS  Signatures 

We  now  give  a  concrete  construction  for  the  hash  function  modeled  as  a  random  oracle  in  the  Boneli-Lynn- 
Shaclram  (BLS)  signature  scheme.  BLS  signatures  fall  into  a  broad  interpretation  (see  e.g.,  [Boy08])  of  the 
full  domain  hash  paradigm  of  Bellare  and  Rogaway. 

Below  we  give  the  BLS  signature  scheme  with  a  concrete  hash  function  built  from  an  indistinguishability 
obfuscator.  We  prove  the  signature  scheme  selectively  secure  based  on  the  computational  Diffie-Hellman 
problem  in  bilinear  groups  and  a  indistinguishability  obfuscator. 

On  a  technical  level  this  selective  proof  of  security  follows  a  very  similar  structure  to  that  of  our  selectively 
secure  scheme  from  trapdoor  functions  from  Section  3.  The  main  difference  is  that  here  we  deal  with 
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the  mechanics  of  an  algebraic  bilinear  group  instead  of  a  trapdoor  function.  We  present  the  scheme  for 
simplicity  in  terms  of  a  symmetric  bilinear  group,  however,  we  remark  that  moving  to  asymmetric  groups  is 
straightforward. 

As  in  Section  3,  we  assume  that  there  is  a  polynomial  £(X)  which  denotes  the  length  of  messages  to  be 
signed;  we  denote  this  message  space  by  M.  =  {0,  l}^Ab  More  generally,  a  collision-resistant  hash  function 
may  be  used  to  hash  messages  to  this  size. 

-  Setup(lA)  :  The  setup  algorithm  first  runs  the  group  generator  on  input  1A  to  produce  a  description 
of  groups  G,  G t  of  prime  order  p  along  with  generator  g  £  <&.  These  groups  are  related  by  a  bilinear 
map  e:GxG-)  G  t-  Next,  it  chooses  a  random  exponent  a  £  Zp.  Then,  the  setup  algorithm  chooses 
a  puncturable  PRF  key  K  for  F  where  F(K,  •)  :  {0, — x  Zp.  Finally,  it  creates  an  obfuscation  of 
the  program  BLS  Selective  Hash  of  Figure  5.  The  size  of  the  program  is  padded  to  be  the  maximum 
of  itself  and  the  program  BLS  Selective  Hash*  of  Figure  6.  We  refer  to  the  obfuscated  program  as  the 
function  H  :  {0, 1}^  —X  G,  which  acts  as  the  random  oracle  type  hash  function  in  the  BLS  scheme. 

The  verification  key  VK  consists  of  the  group  descriptions  G,G t,  the  order  p,  the  generator  g  and 
A  =  ga  as  well  as  the  hash  function  H(-).  The  secret  key  is  a  £  Zp  as  well  as  H(-). 

-  Sign(SK, m  £  M)  :  The  signature  algorithm  outputs  cr  =  H(M)a  £  G. 

? 

-  Verify(VK,  m,  a)  The  verification  algorithm  tests  if  e(a,g)  =  e{A1H{m))  and  outputs  accept  if  and 
only  if  this  holds. 

Remark  2.  The  confined  PRFs  from  [BW13]  use  the  GGM  tree  and  get  PRFs  in  range  {0,1}"  for 
some  n,  whereas  our  PRFs  need  to  hash  to  T,p.  One  can  achieve  a  punctured  PRF  for  the  proper  range 
by  simply  setting  n  >  2  lg(p)  and  taking  interpreting  the  GGM  output  as  an  integer  that  is  then  mod 
by  p.  This  is  sufficient  since  sampling  an  integer  in  [0,  2"  —  1]  and  then  reducing  it  mod  p  is  statistically 
close  to  choosing  an  integer  in  [0,  p  —  1] . 


BLS  Selective  Hash 

Constants:  PRF  key  K,  group  generator  g  £  G. 

Input:  Message  m. 

1.  Output  gF(K'™\ 

Figure  5:  BLS  Selective  Hash 

BLS  Selective  Hash* 

Constants:  Punctured  PRF  key  K({m*}),  m*  £  M,  z*  £  G  and  group  generator  g  £  G. 
Input:  Message  m. 

1.  If  m  =  m*  output  z*  and  exit. 

2.  Output 


Figure  6:  BLS  Selective  Hash* 

Theorem  5.  If  our  obfuscation  scheme  is  indistingishability  secure,  F  is  a  secure  punctured  PRF,  and  the 
computational  Diffie-Hcllman  problem  holds  in  bilinear  groups,  then  the  above  signature  scheme  is  selectively 
secure. 

We  describe  a  proof  as  a  sequence  of  hybrid  experiments  where  the  first  hybrid  corresponds  to  the  original 
signature  security  game.  We  prove  that  a  poly-time  attacker’s  advantage  must  be  negligibly  close  between 
each  successive  one.  Then,  we  show  that  any  poly-time  attacker  in  the  final  experiment  that  succeeds  in 
forging  with  non-negligible  probability  can  be  used  to  break  the  computational  Diffie-Hellman  assumption 
in  bilinear  groups. 
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•  Hyb0  :  In  the  first  hybrid  the  following  game  is  played: 

1.  The  attacker  selectively  gives  the  challenger  the  message  m*. 

2.  The  challenger  runs  the  group  generator  to  produce  bilinear  groups  G,  G t  of  order  p  with  generator 
g  £  G.  It  then  chooses  a  random  exponent  a  £  Zp  for  the  secret  key  and  sets  A  =  ga  as  part  of 
the  verification  key. 

3.  I\  is  chosen  as  a  key  for  the  puncturable  PRF. 

4.  The  hash  function  H(-)  is  created  as  an  obfuscation  of  the  program  BLS  Selective  Hash. 

5.  The  attacker  queries  the  sign  oracle  a  polynomial  number  of  times  on  messages  m  yf  m* .  It 
receives  back  H(m)a  =  AF^K,m\ 

6.  The  attacker  sends  a  forgery  cr*  and  wins  if  Verify(?n*,  a*)  =  1. 

•  Hyb1  :  Is  the  same  as  Hyb0  except  we  let  z*  =  gF(K’m  )  and  let  VK  be  the  obfuscation  of  the  program 
BLS  Selective  Hash*  of  Figure  6. 

•  Hyb2  :  Is  the  same  as  Hybj  except  2*  =  gl  for  t  chosen  uniformly  at  random  in  Zp. 

Lemma  9.  If  our  obfuscation  scheme  is  indistinguishability  secure,  then  the  advantage  of  an  poly-tinre 
algorithm  in  Hyb0  is  negligibly  close  to  the  advantage  in  Hyb^ 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  indistinguishability  security  of  the  obfuscator.  To 
do  so,  we  must  build  the  two  algorithms  Samp  and  D. 

Samp(  1A)  behaves  as  follows:  It  invokes  the  adversary  to  obtain  m*  and  the  adversary’s  state  r'.  It  runs 
the  bilinear  group  setup  on  1A  to  obtain  the  group  descriptions  G,Gt,  order  p  and  generator  g.  It  then 
chooses  a  random  a  £  Zp  and  sets  A  =  ga.  It  then  chooses  K  as  a  key  for  the  puncturable  PRF.  It  sets 
2*  =  gF(K’m  ).  It  sets  r  =  (■ m*,z*,g,p,A,K,r ')  and  builds  C\  as  the  program  for  BLS  Selective  Hash,  and 
C2  as  the  program  for  BLS  Selective  Hash*. 

Before  describing  D ,  we  observe  that  by  construction  and  the  functionality  preservation  property  of 
puncturable  PRFs,  the  circuits  C\  and  C2  always  behave  identically  on  every  input.  Because  of  padding,  both 
Ci  and  C2  have  the  same  size.  Thus,  Samp  satisfies  the  conditions  needed  for  invoking  the  indistinguishability 
property  of  the  obfuscator. 

Now,  we  can  describe  the  algorithm  D ,  which  takes  as  input  r  as  given  above,  and  either  the  obfuscation 
of  Ci,  which  is  the  program  BLS  Selective  Hash,  or  C2,  which  is  the  program  BLS  Selective  Hash*.  D  creates 
the  verification  key  for  the  signature  scheme  with  the  obfuscated  program  as  the  hash  function  description. 
It  then  invokes  the  adversary  on  this  verification  key,  and  the  adversary  makes  requests  for  signatures  on 
messages  m  yf  to*.  For  each  such  message,  D  constructs  the  signatures  H(m)a  =  AFIK’rC .  through  its 
knowledge  of  K  and  A  within  r.  Finally,  the  attacker  sends  a  forgery  a*  and  wins  if  Verify  (to*,  a*)  =  1.  If 
the  attacker  wins,  D  outputs  1. 

By  construction,  if  D  receives  an  obfuscation  of  C\,  then  the  probability  that  D  outputs  1  is  exactly  the 
probability  of  the  adversary  winning  in  hybrid  Hyb0.  On  the  other  hand,  if  D  receives  an  obfuscation  of  C2, 
then  the  probability  that  D  outputs  1  is  the  probability  of  the  adversary  winning  in  hybrid  Hyb^ 

The  lemma  follows.  jj| 

Lemma  10.  If  our  confined  PRF  is  secure,  then  the  advantage  of  an  poly-tinre  algorithm  in  Hy^  is  negligibly 
close  to  the  advantage  in  Hyb2. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  pseudorandomness  property  at  punctured  points 
for  punctured  PRFs.  To  do  so,  we  must  build  the  algorithms  A\  and  A2. 

Hi(lA)  simply  invokes  the  adversary  to  obtain  the  challenge  message  m*  and  state  r',  and  outputs  the 
singleton  set  S  =  {to*}  and  r  =  (1a,t'). 

A2  obtains  as  input  r,  the  punctured  key  Ks ,  the  singleton  set  S  =  {to*},  and  either  a  value  t*  = 
F(K,m*)  or  a  uniformly  random  value  t*  £  Zp.  Then,  A2  runs  the  group  generator  on  1A  to  obtain 
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(G,G T,P,g)i  chooses  a  random  a  €  Zp,  and  sets  A  =  ga  to  establish  portions  of  VK  and  SK.  Now  given  t* , 
it  can  compute  z*  =  gl  .  Note  that  this  yields  either  the  z*  value  computed  in  hybrid  Hy^  or  in  hybrid  Hyb2. 
Since  it  knows  now  A 2  can  obfuscate  the  program  BLS  Selective  Hash*,  and  then  execute  the  adversary 
and  answer  its  signature  queries  using  the  punctured  key  K$.  Finally,  A2  outputs  1  if  the  adversary  succeeds. 
By  construction,  the  pseudorandomness  property  for  punctured  PRFs  implies  the  lemma.  B 

Lemma  11.  If  the  computational  Difhe-Hellman  assumption  holds  in  bilinear  groups,  then  the  advantage 
of  an  poly-time  algorithm  in  Hyb2  is  negligible. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  hardness  of  the  Computational  Difhe-Hellman 
problem  in  the  bilinear  group  G.  To  do  so,  we  build  a  CDH  attacker  B. 

B  takes  as  input  the  tuple  ( g ,  ga ,  gb)  for  a  group  G  of  prime  order  p  with  a  bilinear  map  e:GxG->  Gr¬ 
it  sets  A  =  ga  as  part  of  the  verification  key  VK.  The  algorithm  B  then  invokes  the  adversary  to  obtain  to*, 
and  chooses  a  PRF  key  I\  and  builds  the  punctured  key  K(S)  where  S  =  {to*}.  It  uses  this  key,  together 
with  VK  and  2*  =  gb ,  to  obfuscate  the  program  BLS  Selective  Hash*.  It  can  then  execute  the  adversary, 
and  use  its  knowledge  of  K(S)  to  answer  all  adversary  signing  queries.  The  adversary  then  terminates  with 
an  attempted  forgery  a*  on  message  to*.  By  the  definition  of  the  program  BLS  Selective  Hash*,  this  forgery 
can  only  be  valid  if  a*  =  ( z*)a  =  gab .  Thus  if  the  adversary  is  successful,  B  can  output  cr*  as  the  solution 
to  the  CDH  problem. 

We  observe  that  by  construction  of  B ,  the  probability  of  success  of  B  is  exactly  the  probability  that  the 
attacker  succeeds  in  hybrid  Hyb2.  The  lemma  follows.  Q 

Pulling  together  these  three  lemmas  immediately  gives  our  the  main  theorem  that  the  above  full  domain 
hash  signature  scheme  is  selectively  secure. 

6  Adaptively  Secure  BLS  Signatures 

We  now  give  a  hash  function  for  BLS  signatures  that  can  be  used  to  prove  adaptive  (or  standard)  security. 
Our  proof  structure  will  follow  in  a  similar  path  to  that  of  our  adaptively  secure  RSA  full  domain  hash 
signatures  in  Section  4.  In  particular,  we  will  again  apply  an  admissible  hash  function  to  partition  the 
message  space  in  our  proof.  At  the  same  time,  there  are  important  distinctions  and  corresponding  challenges 
that  arise  in  this  setting. 

Again,  for  simplicity  of  exposition,  we  assume  that  there  is  a  polynomial  £(X)  which  denotes  the  length 
of  messages  to  be  signed;  we  denote  this  message  space  by  M.  =  {0, 1}^A)  ancl  we  wiH  often  simply  refer  to 
the  size  of  messages  to  be  signed  by  t.  As  in  Section  4,  we  use  a  function  h  :  {0, 1}^A)  —X  {0, 1}”^A\  and  an 
efficient  randomized  algorithm  AdmSample  that  is  9-  admissible. 

Our  construction  is  identical  to  that  given  in  Section  6  with  the  exception  of  how  the  setup  creates  the 
hash  function.  The  setup  first  chooses  uniformly  at  random  (c^o,  Cqi), . . . ,  (cnjoi  cn,i)  each  in  Zp.  Then  it 
obfuscates  the  program  BLS  Adaptive  Hash  of  Figure  7  where  the  size  of  the  program  is  padded  to  be  the 
maximum  of  itself  and  the  program  BLS  Adaptive  Hash*  of  Figure  8.  The  obfuscated  program  is  used  as 
the  function  H  :  {0, 1}^A)  — >•  G,  which  acts  as  the  random  oracle  type  hash  function  in  the  BLS  scheme. 

Our  proof  of  security  relies  on  i n d i s t i n u i s h ab i  1  i t y  obfuscation  and  our  Difhe-Hellman  Inversion  equivalent 
assumption.  Namely,  that  given  g,  ga ,  ga  , . . . ,  ga  €  G,  it  is  hard  to  compute  ga 

Theorem  6.  If  our  obfuscation  scheme  is  indistinguishability  secure  and  the  Difhe-Hellman  Inversion  as¬ 
sumption  holds  in  bilinear  group  G,  the  above  signature  scheme  is  existentially  unforgeable  against  chosen 
message  attacks. 

We  describe  a  proof  as  a  sequence  of  hybrid  experiments  where  the  first  hybrid  corresponds  to  the  original 
signature  security  game.  As  in  Section  4,  in  the  hrst  hybrid  step  we  do  a  “partitioning”  of  the  message  space. 
After  the  hrst  proof  step,  we  prove  that  any  poly-time  attacker’s  advantage  must  be  negligibly  close  between 
each  successive  hybrid  experiment.  We  finally  show  that  any  poly-time  attacker  in  the  final  experiment 
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BLS  Adaptive  Hash 

Constants:  Bilinear  group  G  with  generator  g  and  exponents  (ci,o,ci,i), . 
Input:  Message  m  £  {0, 1}C. 

1.  Compute  to'  =  h(m). 

2.  Output  g|B.  =  1,...,Ti  «,m<  . 

■  • ,  (cn,o,  cn, i)  each  in  Zp. 

Figure  7:  BLS  Adaptive  Hash 

BLS  Adaptive  Hash* 


2  n 

Constants:  Bilinear  group  G,  elements  g,ga,ga  ,...,ga  £  G,  for  i  €  [n\,b  €  {0,1}  exponents  yi,b  £  Zp 
and  u  £  {0, 1}". 

Input:  Message  m  £  {0, 1}C. 

t  Compute  m!  =  h(m). 

2.  Let  g(m)  be  the  set  i  such  that  ^  Ui.  The  algorithm  computes  the  set  size  \g(m)\. 

3.  Output  )"  1 . 


Figure  8:  BLS  Adaptive  Hash* 


that  succeeds  with  non-negligible  probability  can  be  used  to  break  our  assumption  that  is  equivalent  to  the 
Diffie-Hellman  Inversion  assumption.  See  Section  2.5  for  more  on  these  assumptions. 


•  Hyb0  :  In  the  first  hybrid,  the  following  game  is  played: 

1.  The  challenger  runs  the  group  generator  to  produce  bilinear  groups  <G,  Gt  of  order  p  with  generator 
g  £  G.  It  then  chooses  a  random  exponent  a  £  Zp  for  the  secret  key  and  sets  A  =  ga  as  part  of 
the  verification  key. 

2.  It  chooses  uniformly  at  random  (cpo,  cqi), . . . ,  (cnp,  cn> i)  each  in  Zp. 

3.  The  hash  function  H(-)  is  created  as  an  obfuscation  of  the  program  BLS  Adaptive  Hash. 

4.  The  attacker  queries  the  signing  oracle  at  most  Q  times  on  messages  m i, . . . ,  toq.  In  its  zth  query, 
it  receives  back  iL(?n,:)°. 

5.  The  attacker  finally  chooses  a  message  to* ,  sends  a  forgery  cr* ,  and  wins  if  Verify(VK,  to* ,  a* )  =  1. 

•  Hyb1  :  Is  the  same  as  Hyb0  except  the  challenger  begins  by  sampling  a  string  u  £  ({0, 1,  J_})"  by  calling 
AdmSample(lA,  Q)  — >  u ,  where  Q  is  an  upper  bound  on  the  number  of  queries  made  by  the  adversary 
(this  could,  for  example,  be  the  running  time  of  the  adversary).  At  the  end  of  the  experiment,  the 
attacker  is  only  considered  to  be  successful  if  both  Verify(VK,  to*,  a*)  =  1  and  Pu{in*)  =  0  and  for  all 
messages  rm  queried  Pu(rrii)  =  1.  If  the  attacker  is  successful  but  this  condition  is  not  satisfied,  we 
say  that  the  hybrid  “aborts.” 


•  Hyb2  :  Is  the  same  as  Hybj^  except  the  for  the  following  modification.  The  challenger  first  chooses 
exponents  (c^o,  Cyi), . . . ,  (cnjoi  cn,i)  in  the  following  way.  For  i  £  [n],b  £  {0,1}  it  chooses  random 
Vi,b  £  and  then  sets 


Vi,b 
O'  ’  Vi,b 


if  b  =  Ui 
if  b  ^  Ui 


•  Hyb3  :  Is  the  same  as  Hyb2  except  the  challenger  creates  the  hash  function  H(-)  as  an  obfuscation  of 
the  program  BLS  Adaptive  Hash*. 
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Lemma  12.  Consider  a  attacker  that  makes  at  most  a  polynomial  of  queries  Q  =  Q(A)  in  Hyb0.  If  the 
advantage  of  an  attacker  in  Hyb0  is  e(A),  then  the  advantage  of  the  attacker  in  Hyb1  will  be  at  least  e(X)/9(Q). 
In  particular,  any  poly-time  attacker  with  non  negligible  advantage  in  Hyb0  will  also  have  non-negligible 
advantage  in  Hybj. 

Proof.  The  lemma  follows  immediately  from  the  function  h  satisfying  the  definition  of  a  ^-admissibility,  since 
the  only  independent  choice  of  u  ■£-  AdmSample(lA,  Q)  determines  whether  or  not  the  hybrid  aborts.  (This 
argument  is  identical  to  the  corresponding  one  in  the  proof  of  Lemma  5  of  Section  4.)  H 

Lemma  13.  The  advantage  of  any  poly-time  algorithm  in  Hy^  is  the  same  as  its  advantage  in  Hyb2. 

Proof.  The  two  hybrid  experiment  are  equivalent  as  all  £  Zp  values  are  still  chosen  uniformly  at  random 
in  both  hybrids.  (The  step  from  Hy^  to  Hyb2  is  a  notational  reorganization  to  set  up  the  next  proof  step.) 


Lemma  14.  If  our  obfuscation  scheme  is  indistinguishability  secure,  then  the  advantage  of  any  poly-time 
algorithm  in  Hyb2  is  negligibly  close  to  the  advantage  in  Hyb3. 


Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  indistinguishability  security  of  the  obfuscator.  To 
do  so,  we  must  build  the  two  algorithms  Samp  and  D. 

Samp(  1A)  behaves  as  follows:  It  invokes  the  adversary  to  obtain  the  adversary’s  state  r'.  It  runs  the 
bilinear  group  setup  to  obtain  G,  G t,P,  9  and  then  chooses  a  random  a  £  Zp.  For  i  £  [n] ,  b  £  {0, 1}  it  chooses 
random  £  Zp  and  then  sets 


Vi,b  if  b  =  Ui 
a  ■  Vi,b  if  b  ^  Ui 


It  samples  a  string  u  £  ({0, 1,  _!_})"  by  calling  AdmSample(lA,  Q)  — >  u,  where  Q  is  an  upper  bound  on 
the  number  of  queries  made  by  the  adversary.  It  sets  r  =  (G,  g ,  a,  (c^o,  Cyi), . . . ,  (c„,o,  cHj i),  (yi.o,  3/1,1),  -  -  - , 
(2/n,o>  2/n,i))  u,  t')  and  builds  C\  as  the  program  for  BLS  Adaptive  Hash,  and  C2  as  the  program  for  BLS 
Adaptive  Hash*. 

Before  describing  D,  we  observe  that  by  construction,  the  circuits  C\  and  C2  always  behave  identically 
on  every  input.  To  show  program  equivalence,  note  that  for  all  m! ,  we  have  that 


Jl, 


=  9 


Ui  Vi, 


=  (9C 


>(”*')!,  n  iVi: 


With  suitable  padding,  both  C 1  and  C2  have  the  same  size.  Thus,  Samp  satisfies  the  conditions  needed  for 
invoking  the  indistinguishability  property  of  the  obfuscator. 

Now,  we  can  describe  the  algorithm  D ,  which  takes  as  input  r  as  given  above,  and  either  the  obfuscation 
of  Ci,  which  is  the  program  BLS  Adaptive  Hash,  or  C2,  which  is  the  program  BLS  Adaptive  Hash*.  D  then 
invokes  the  adversary,  which  makes  requests  for  signatures  on  messages.  D  constructs  the  signatures  H(m)a, 
through  its  knowledge  of  a  within  r.  Finally,  the  attacker  sends  a  forgery-message  pair  ( a* ,m *)  and  wins  if 
Verify (VK,  m* ,  a*)  =  1.  If  the  attacker  wins,  D  outputs  1. 

By  construction,  if  D  receives  an  obfuscation  of  Ci,  then  the  probability  that  D  outputs  1  is  exactly  the 
probability  of  the  adversary  winning  in  hybrid  Hyb2.  On  the  other  hand,  if  D  receives  an  obfuscation  of  C2, 
then  the  probability  that  D  outputs  1  is  the  probability  of  the  adversary  winning  in  hybrid  Hyb3. 

The  lemma  follows.  B 


Lemma  15.  If  the  Difhe-Hellman  Inversion  Assumption  holds  in  bilinear  group  G,  then  the  advantage  of 
any  poly-time  algorithm  in  Hyb3  is  negligible. 

Proof.  We  prove  this  lemma  by  giving  a  reduction  to  the  Diffie-Hellman  Inversion  problem.  To  do  so,  we 
build  algorithm  B. 
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B  takes  as  input  a  n-DHI  challenge  (g,  ga,ga  , . . . ,  ga  )  from  a  bilinear  group  G  of  prime  order  p ,  where  n 
is  the  same  as  the  output  length  of  the  admissible  hash  function  h(-).  Next,  B  calls  AdmSample(lA,  Q)  — ►  u, 
where  Q  is  an  upper  bound  on  the  number  of  queries  made  by  the  adversary.  For  i  £  [n],b  £  {0, 1},  it 
chooses  random  y^i,  £  Zp. 

Finally,  B  creates  the  hash  function  H{-)  as  an  obfuscation  of  the  program  BLS  Adaptive  Hash*  using  the 
DHI  challenge  values,  the  values  (yi,o>  ■  ■  ■  >  (yn,o,yn,i)  above  and  u.  All  these  steps  together  simulate 
the  setup  phase  of  Hyb3.  Now,  it  runs  the  attacker  using  the  initial  parameters  above,  including  A  =  ga. 

The  attacker  will  then  make  at  most  Q  signing  queries  each  for  a  message  m.  We  denote  m!  =  h(m).  If 
P-u  (rn)  7^  1,  B  aborts  and  quits.  Otherwise,  Pu(m)  =  1  and  there  exists  an  i  where  m'  =  iq,  meaning  that 
the  hash  of  rn'  will  contain  a  power  of  a  that  is  strictly  less  than  n.  Thus,  the  signature  can  be  formed  using 
only  knowledge  of  the  DHI  input  and  the  j/qf,  values. 

Finally,  the  attacker  will  output  an  attempted  forgery  a*  on  some  message  m*  that  is  distinct  from  all  the 
messages  in  the  query  phase.  B  first  checks  if  the  signature  verifies  and  aborts  if  it  does  not.  Next,  it  checks 
if  Pu(m*)  0  and  aborts  if  that  is  the  case.  Otherwise,  Pu(m*)  =  0  and  for  all  i  we  have  h(m*)i  7^  rq.  This 
means  that  the  hash  of  m*  will  be  ga  raised  to  some  known  product  of  ytfi  values.  The  signature  therefore 
contains  ga  +  raised  to  some  known  product  of  yi ^  values,  since  signatures  contain  one  more  factor  of  a  in 
the  exponent  than  their  corresponding  hash  values.  This  value  can  be  recovered  by  taking  the  proper  root 
of  the  signature,  i.e.,  (u*)1/ =  ga "  ;  and  thus  if  a*  was  a  successful  forgery,  then  this  root  of  the 

signature  is  a  solution  to  the  DHI  challenge. 

We  observe  that  by  construction  of  B ,  the  probability  of  success  of  B  is  exactly  the  probability  that  the 
attacker  succeeds  in  hybrid  Hyb3.  Importantly,  whenever  B  aborted,  the  attacker  by  the  rules  of  Hyb3  was 
not  considered  to  be  successful  since  his  queries  or  forgery  violated  the  partition.  The  lemma  follows. 


Pulling  together  these  four  lemmas  immediately  gives  our  the  main  theorem  that  the  above  BLS  signature 
scheme  is  (adaptively)  secure. 

7  Extensions  to  Boneh-Franklin  IBE  and  Aggregate  Signatures 

Boneh- Franklin  IBE  We  can  adapt  our  techniques  for  proving  security  of  BLS  signatures  to  the  Boneh- 
Franklin  [BF01]  Identity-Based  Encryption  system.  BLS  signatures  directly  correspond  to  IBE  private  keys 
in  the  BF  scheme.  The  proof  for  the  BF  adapts  with  a  few  minor  changes: 

•  For  proving  BF  selectively  secure  we  can  use  the  decision  Bilinear  Diffie-Hellman  assumption. 

•  The  second  random  oracle  in  the  BF  scheme  can  be  replaced  with  an  extractor. 

•  For  proving  adaptive  security  we  use  the  following  assumption.  Namely  that  given  g ,  g8 ,  <7°,  ga  , . . . ,  ga 
it  is  hard  to  distinguish  e(g,g)a  s  from  a  random  group  element  in  G t-  We  note  this  assumption  is 
weaker  than  the  decision  Bilinear  Diffie-Hellman  Exponent  assumption  [BGW05]. 

BLGS  Aggregate  Signatures  Boneh,  Gentry,  Lynn  and  Shacham  [BGLS03]  showed  that  the  BLS  signa¬ 
tures  are  aggregateable  by  reduction  to  the  BDH  assumption.  Later  Bellare,  Namprempre  and  Neven  [BNN07] 
showed  how  an  aggregate  signature  scheme  could  built  directly  from  and  reduced  to  the  security  of  BLS  sig¬ 
natures.  Using  their  results  we  immediately  get  an  aggregate  signature  scheme. 
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Abstract 

We  present  a  simple  proof  of  an  optimal  parallel  repetition  theorem  for  public-coin  argu¬ 
ments.  Our  new  proof  additionally  yields  the  first  “Chernoff-type”  parallel  repetition  theorems 
for  public-coin  arguments  that  match  the  parameters  of  the  standard  Chernoff  bound. 


1  Introduction 

Interactive  proof  systems,  introduced  by  Goldwasser,  Micali  and  Rackoff  [GMR89]  and  Babai  and 
Moran  [BM88]  are  one  of  the  central  tools  in  both  modern  cryptography  and  complexity  theory. 
Roughly  speaking,  an  interactive  proof  system  allows  a  prover  P  to  convince  a  verifier  V  that  some 
instance  a;  is  a  member  of  a  language  L. 

Roughly  speaking,  the  completeness  property  of  an  interactive  proof  states  that  if  x  G  L  and 
both  players  follow  their  prescribed  strategies,  the  verifier  accepts  with  some  “high  probability” 
1  —  c(|x|);  the  soundness  property,  on  the  other  hand,  requires  that  if  x  L,  then  no  matter  what 
strategy  an  adversarial  prover  P*  uses,  the  honest  verifier  strategy  V  will  reject  with  some  high 
probability  1  —  s(|x|).  We  refer  to  c(-)  as  the  completeness  error  of  the  interactive  proof  systems, 
and  s(-)  as  the  soundness  error.  While  the  original  notion  of  an  interactive  proof  required  that  the 
soundness  property  holds  against  all ,  even  computationally  unbounded,  cheating  provers,  a  relaxed 
notion — called  interactive  arguments — was  introduced  by  Brassard,  Chaum  and  Crepeau  [BCC88]: 
In  an  interactive  argument,  we  only  require  the  soundness  property  to  hold  against  computationally 
bounded  (technically,  probabilistic  polynomial-time,  or  non-uniform  polynomial-time)  algorithms. 

Ideally,  we  would  like  the  soundness  error  of  an  interactive  proof  or  argument  systems  to  be 
negligible.  But,  in  many  settings,  our  starting  point  is  a  protocol  with  somewhat  large  soundness 
error.  For  example,  to  design  an  interactive  argument  for  a  language  L,  it  may  be  easier  to  first 
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design  a  protocol  with  soundness  error  1/2.  A  natural  approach  to  decrease  the  soundness  error  is 
through  parallel  repetition:  we  run  k  instances  of  the  original  protocol  in  parallel  and  the  verifier 
finally  accepts  if  all  instances  are  accepting.  It  is  known  that  parallel  repetition  decrease  soundness 
error  at  an  optimal  rate  for  the  case  of  interactive  proofs.  For  arguments  (i.e. ,  computational  sound¬ 
ness),  however,  surprising  things  start  happening:  The  works  of  Bellare,  Impagliazzo,  and  Naor 
[BIN97]  and  Petrzak  and  Wikstrom  [PW07]  demonstrate  protocols  for  which  parallel  repetition 
fails  to  amplify  soundness  beyond  a  constant. 

On  the  other  hand,  the  seminal  work  of  Bellare,  Impagliazzo  and  Naor  [BIN97]  demonstrates 
that  parallel  repetition  reduces  the  soundness  error  for  all  three-message  protocols.  The  results  of 
[BIN97]  demonstrated  that  parallel  repetition  reduces  the  soundness  error  of  such  protocols  at  an 
exponential  rate,  but  did  not  establish  an  optimal  rate  (i.e.,  reducing  the  soundness  error  from  e  to 
ek).  Nevertheless,  the  more  recent  work  by  Canetti,  Halevi  and  Steiner  [CHS05]  shows  that  parallel 
repetition  indeed  reduces  the  soundness  error  at  an  optimal  rate  for  this  class  of  protocols. 

More  recently,  Pass  and  Venkitasubramaniam  [PV12]  consider  public-coin  protocols,  and 
demonstrates  that  parallel  repetition  decreases  the  soundness  error  for  constant-round,  public-coin 
protocols  at  an  optimal  rate.  Hastad,  Pass,  Wikstrom  and  Pierzak  [HPWP08]  show  that  parallel 
repetition,  in  fact,  works  for  all  (not  necessarily  constant-round)  public-coin  protocols,  and  de¬ 
creases  the  soundness  error  at  an  exponential  rate;  finally,  Chung  and  Liu  [CLIO]  demonstrate  that 
it  in  fact  decreases  at  an  optimal  rate.  The  non-tight  analysis  of  [HPWP08]  is  quite  natural  and 
modular;  on  the  other  hand,  the  tight  analysis  from  [CLIO]  relies  on  a  rather  complicated  analysis 
involving  directly  upper-bounding  the  success  probability  of  the  complete  reduction  (which  carries 
little  intuition  for  why  the  reduction  works). 

In  this  note  we  revisit  the  works  of  [HPWP08]  and  [CLIO]:  we  present  a  new  and  modular 
tight  analysis  of  parallel  repetition  for  public-coin  protocols.  On  a  high-level,  our  proof  follows  the 
simpler  framework  of  [HPWP08]  (and  thus  enjoys  the  same  modularity  and  simplicity),  yet  at  the 
same  time  providing  a  clear  intuition  for  why  a  tight  analysis  can  be  obtained. 

As  an  additional  application  of  this  new  analysis,  we  obtain  the  first  general  “Chernoff-type” 
parallel  repetition  theorems  for  public-coin  argument  that  matches  the  parameters  of  the  standard 
Chernoff  bound:  Ideally,  we  would  like  to  have  a  way  to  simultaneously  decrease  both  the  com¬ 
pleteness  and  the  soundness  error:  just  as  for  error  reduction  of  the  class  BPP,  the  idea  is  to 
consider  a  threshold  verifier,  who  accept  whenever  the  fraction  of  accepting  sessions  is  greater  than 
a  certain  threshold  (that  is  greater  than  the  soundness  error,  or  else  there  is  no  hope  to  reduce  the 
soundness  error).  For  error  reduction  of  BPP,  it  follows  by  a  standard  Chernoff  bound  that  such 
an  approach  works.  For  interactive  arguments,  such  “Chernoff-type”  parallel  repetition  theorems 
where  first  studied  by  Impagliazzo,  Jaiswal,  and  Kabanets  [IJK09]  for  the  case  of  three- message 
protocols,  tighter  bounds  were  later  established  by  Jutla  [JutlO],  and  finally  optimal  bounds  were 
established  independently  Chung  et  al.  [CLLY10],  and  Holenstein  and  Schoenebeck  [HS11].  Hastad 
et  al.  [HPWP10]  provide  Chernoff-type  parallel  repetition  theorems  for  public-coin  protocols  and 
Chung  and  Liu  [CLIO]  show  Chernoff-type  parallel  repetition  theorems  with  parameters  matching 
the  standard  Chernoff  bound,  but  only  in  the  regime  where  the  threshold  is  a  additive  constant 
larger  than  the  soundness  error  of  the  original  protocol  (and  as  such  do  not  apply  to  protocols 
where  the  soundness  and  completeness  error  are  inverse  polynomials).  Our  new  analysis  yields  the 
same  parameters  as  the  standard  Chernoff  bound  for  any  threshold. 
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2  Preliminaries 

2.1  Interactive  Proofs  and  Arguments 

We  recall  the  definition  of  interactive  proofs  and  arguments. 

Definition  1  (Interactive  Proofs/ Arguments)  A  pair  of  interactive  algorithms  (P,V)  is  an 
interactive  proof  for  a  NP  language  L  with  completeness  error  c  and  soundness  error  s  if 
it  satisfies  the  following  properties: 

•  Completeness:  For  all  x  G  L  with  NP  witness  w, 

Pr[(P(u;),  V)(x)  =  1]  =  1  —  c(|x|). 

•  Soundness:  For  all  adversarial  provers  P* ,  and  for  every  all  x  /  L, 

Pr [(P*,V)(x)  =  1]  <  s(|x|). 

where  (P,V)(x)  denotes  the  output  of  V  after  communicating  with  P  if  both  players  get  x  as  a 
common  input.  (P,  V)  is  an  interactive  argument  for  L  if  the  soundness  property  holds  only 
against  all  non-uniform  polynomial-time  adversarial  provers  P* . 


2.2  KullbackLeibler  divergence 

Lemma  2  (chain  rule)  Let  (Xi,  X2)  and  (Y\ ,  Yf)  be  random  variables.  We  have 
KL((A1,A2)||(r1,y2))  =  KL(A1||y1)+  E  [KL(A2|Xl=a;||y2|y1=;r)]. 


Lemma  3  Let  X  be  a  random  variable  and  W  a  (probabilistic)  event. 

KL(X\W\\X)  <log:  1 


Pr[W] ' 

Lemma  4  Let  X  =  (X\ . . . . ,  X^)  be  independent  random  variables,  and  W  a  (probabilistic)  event. 


^KLiXilwWXi)  <  KL(X\W\\X) 


i= 1 


Lemma  5  For  every  p,q,S  G  (0, 1)  such  that  6  <  p/2,  we  have 

KL(p\\q)  -  KL (p  -  5||g)  <  6  ■  log  -  +  log  ^  +  2 


Proof.  By  definition, 

KL(p|k)  =  P log  -  +  (1  —  P)  log  7 — - 

q  1-q 

1 


1 


KLCp-%)  = 


plogp  +  plog-  +  (1  -p)log(l  —p)  +  (1  —p)  log  ■ 

q  1~q 

(p  -  d)  log  - — -  +  (1  -p  +  S)  log  P  +  ^ 
q  1-q 

(p  -  5)  log (p  -  5)  +  (p  -  6)  log  ^  +  (1  -  p  +  8)  log(l  -  p  +  5)  +  (1  -  p  +  5)  log  ^  1 
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By  further  expanding,  we  have 


(p  ~  5)  log(p  -  5) 

(p  -  5)  log  - 

q 

(1  -p  +  5)  log(l  -p  +  5) 

(1  -p  +  6)  log 
Therefore, 


p\og(p  —  5)  —  8  \og(p  —  8) 

£ 

plogp  + p log ( 1 - )  —  <51og(p  —  8) 

P 

p  log - 8  log  - 

q  q 

(1  -p)  log(l  -p  +  8)  +  <51og(l  -  p  +  5 ) 

(1  -p)  log(l  -p)  +  (l-p)  log(l  +  - - )  +  e)log(l  -  p  +  5) 

1  —  p 

(1  -p)  log  -  - - 1-  5  log  — ^ — 

i  —  (/  i -q 


KL(p||g)-KL(p-%) 

S  \  8 

=  -plog(l - )  +  5log(p  -  5)  +  <51og - (1  -  p)  log(l  +  - - )  -  (51og(l  -  p  +  5) 

p  q  1  —  p 

<  —  plog(l  —  -)  +  (5  log  -  —  (51og(l  —  p  +  5) 

p  q 

<  25  +  8 log  -  -  8 log  5  =  5  ■  (log  -  +  log  \  +  2), 

q  q  8 


5  log 


where  the  first  inequality  follows  by  dropping  negative  terms,  the  second  inequality  follows  by  the 
monotonicity  of  logarithm  and  using  Taylor  expansion.  I 


2.3  A  Lemma  on  Sampling 

Lemma  6  Let  ( X ,  Y)  be  a  joint  distribution  over  some  finite  domain.  Let  W  be  a  deterministic 
event  on  (X,Y).  Consider  the  following  experiment: 

•  Sample  x  4—  X\yy. 

•  Sample  y  <—  Y\w/\x=x  using  rejection  sampling;  i.e.,  sample  i.i.d.  2/i ,  2/2 ,  -  •  -  •*—  Y\x=x  and 
outputs  the  first  yt  such  that  ( x,yt )  £  W. 

Let  T  be  the  number  of  sample  used  in  the  rejection  sampling.  We  have  E[T]  = 


Proof. 


The  lemma  follows  by  the  following  calculation. 

E[T]  =  ^2+i[X  =  x\W]  ■  E[T\X  =  x\ 

X 


-  E 

X 

=  E 

X 

-  E 


Pr[A  =  x\  W]-- 
Pr[A  =  x  AW] 


1 

Pv\W\X  =  x] 
Pr[X  =  x] 


Pr  [W]  Pr  [W  A  X  =  x) 

Pr[A  =  x\  1 
Pr[W]  =  Pr  [VP] ' 
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p* 


pk* 


vk 


internal  internal 


V 


JC  =  Xj 

y  =  yi7 


Figure  1:  Interaction  between  P*  and  V :  P*  embeds  the  external  verifier  V  in  session  i  of  Vk  and 
internally  emulates  Pk*  and  the  remaining  k  —  1  sessions  —i  of  Vk  while  forwarding  Pfc*’s  message 
y  for  session  i  to  V. 

3  Parallel  Repetition  of  Two-message  Public-coin  Protocols 

As  a  starting  point,  we  provide  the  key  elements  needed  to  prove  an  optimal  parallel  repetition 
theorem  for  two-message  public-coin  protocols.  To  set-up  some  notation,  let  us  consider  two- 
message  public-coin  protocols  (P,V),  where  the  verifier  V  sends  a  uniformly  random  first-message 
x  to  P,  receives  back  a  second-message  y.  and  finally  deterministically  decides  to  accept  or  reject 
based  on  the  transcript  (x,y).  We  denote  by  (Pk,Vk)  the  Axfold  parallel  repetition  of  (. P,K ); 
here  Vk  sends  a  message  x  =  (xi, . . . ,  x*,),  receives  back  y  =  (yi, . . . ,  y *.),  and  accepts  iff  (xj,  y\ )  is 
accepting  for  every  coordinate  i  G  [k].  We  refer  to  the  different  parallel  executions  of  the  protocol 
(P,V)  inside  (Pk,Vk)  as  the  parallel  sessions. 

To  prove  that  parallel  repetition  reduces  the  soundness  error,  we  show  how  to  transform  any 
parallel  prover  Pk*  that  convinces  Vk  with  probability  e  to  a  single-instance  prover  P*  that  con¬ 
vinces  V  with  probability  close  to  e1//fc.  This  implies  that  parallel  repetition  reduces  the  soundness 
error  at  an  essentially  optimal  rate  (from  6  to  5k).  We  may  without  loss  of  generality  assume  that 
Pk*  is  deterministic — its  optimal  random  coins  can  always  be  fixed  non- uniformly.1 

More  precisely,  P*  will  internally  emulate  an  execution  of  Pk*  and  use  this  execution  in  order 
to  convince  an  external  verifier  V .  On  a  high-level,  the  idea  is  quite  straight  forward.  P*  picks 
one  of  the  k  sessions,  i\  this  session  will  be  externally  forwarded  (between  Pk*  and  V),  and  all  the 
other  sessions,  —i,  will  be  appropriately  emulated  internally.  In  other  words,  the  external  verifier 
V  is  “embedded”  in  some  session  i  of  Vk,  and  P*  internally  emulates  Pk*  and  the  remaining  k  —  1 
sessions  —  i  of  Vk  while  forwarding  Pk*' s  message  y  for  session  i  to  V;  see  Figure  1. 

Recall  that  since  we  have  assumed  that  Pk*  is  deterministic,  the  interaction  between  Pk*  and 
Vk  is  determined  solely  by  Vk,s  message  x.  Now,  given  an  external  message  x,  P*  needs  to  decide 
the  session ,  i,  into  which  to  embed  R’s  message  x  (letting  x*  =  x),  and  to  choose  the  remaining 
k  —  1  messages  x_j.  Consider  the  following  simple  strategy  for  doing  this:  Upon  receiving  x,  P* 
picks  i  £  [k]  uniformly  at  random,  and  lets  ay  =  x.  P*  then  repeatedly  samples  X-i  at  random  and 
queries  Pk*  with  the  sampled  message  x  =  (xj,x_j)2,  until  Pk*  convinces  Vk  on  the  query  x;  if 
this  happens,  P*  externally  forwards  Pfc*’s  answer  yi  to  V.  Additionally,  if  the  number  of  samples 
exceeds  a  certain  polynomial  bound  M  (to  be  determined  shortly),  P*  gives  up. 

1  Alternatively,  “close  to  optimal”  coins  can  be  uniformly  fixed  by  sampling. 

2This  notation  means  that  Xi  is  put  into  coordinate  i  of  x  and  x~i  are  put  at  coordinates  —  i. 
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To  analyze  the  success  probability  of  P* ,  let  us  first  allow  P*  to  make  an  unbounded  number 
of  samples  (i.e.,  set  M  =  oo).  As  we  shall  see,  if  Pk*  convinces  Vk  with  probability  e,  then  P* 
convinces  V  with  probability  >  e 1/k.  We  then  deal  with  the  bounded-sample  case  at  the  end  of  the 
section  (looking  forward,  as  long  as  we  make  poly(l/e)  queries,  having  such  a  cut-off  only  slightly 
affects  the  success  probability  of  P*). 

The  main  idea  for  analyzing  (the  unbounded  sample  version  of)  P*  is  to  consider  an  Ideal 
experiment,  where  P*  succeeds  with  probability  1  and  next  show  that  the  actual  execution  of 
( P *,  V ),  referred  to  as  the  Real  experiment,  and  the  Ideal  experiment  are  close  (using  an  appropriate 
choice  of  a  distance  measure),  from  which  we  can  conclude  that  P*  succeeds  with  high  probability 
in  the  Real  experiment. 

Let  us  start  by  formalizing  the  Real  experiment. 

The  Real  Experiment  Consider  an  execution  of  (P*,V).  V  starts  by  selecting  a  uniformly 
random  string  x  G  {0,  l}n,  where  n  is  the  length  of  V’s  first  message.  Next,  P* ,  given  x,  selects  a 
random  coordinate  i,  lets  Xi  =  x  and  samples  remaining  k—  1  coordinates  X-i  conditioned  on  Pk*(x) 
convincing  Vk .  If  such  a  string  x-i  exists,  then  P*  succeeds  (since  P*  can  make  an  unbounded 
number  of  queries),  and  P*  fails  otherwise  (formally,  if  no  such  string  exists,  we  let  X-i  =  _L).  The 
output  of  the  experiment  is  defined  to  be  ( i,x ). 

First  note  that  to  prove  that  parallel  repetition  works  (at  an  optimal  rate)  we  need  to  show 
that  P*  convinces  V  in  the  Real  experiment  with  probability  at  least  el/k .  Secondly,  observe  that 
an  equivalent  way  of  defining  the  output  (i.  x)  of  the  experiment  is  as  follows:  uniformly  sample 
i  G  [k],  uniformly  sample  Xi  G  {0,  l}n,  and  finally  uniformly  sample  X-i  G  {0,  conditioned 

on  Pk*(x)  convincing  Vk . 

The  Ideal  Experiment  Let  us  turn  to  defining  the  Ideal  experiment.  The  experiment  is  defined 
identically  to  the  Real  experiment,  except  that  now  we  additionally  select  Xi  conditioned  on  Pk*(x) 
convincing  Vk\  that  is,  uniformly  sample  i  G  [k],  uniformly  sample  Xi  G  {0,  l}n  conditioned  on 
Pk*{x)  convincing  Vk,  and  finally  uniformly  sample  G  {0,  conditioned  on  Pk*{x) 

convincing  Vk\  again,  the  output  of  the  experiment  is  defined  to  be  ( i,x ).  Note  that  an  equivalent 
way  of  defining  the  Ideal  experiment  is  to  uniformly  sampling  i  G  [&],  and  then  directly  uniformly 
sample  x  G  {0,  l}fcr!  conditioned  on  Pk*(x)  convincing  Vk .  Since  Pk*  convinces  Vk  with  positive 
probability,  it  thus  follows  that  in  the  Ideal  experiment  P*  convinces  V  with  probability  1. 

Going  from  Ideal  to  Real  Observe  that  the  only  difference  between  the  Real  and  the  Ideal  ex¬ 
periments  is  that  in  Real  x^  is  sampled  uniformly  at  random,  and  in  Ideal  it  is  sampled  at  random 
conditioned  on  Pk*  convincing  Vk .  Let  W  denote  the  event  that  Pk*  convinces  Vk .  The  statisti¬ 
cal  distance  between  the  two  experiments  is  thus  the  average  (over  i)  statistical  distance  between 
Xi  and  Xi\w-  The  following  lemma  due  to  Ran  Raz  [Raz98],  developed  in  the  context  of  parallel 
repetition  of  two-prover  games  (with  statistical  soundness),  and  first  used  by  Impagliazzo,  Jaiswal 
and  Kabanets  [IJK07]  in  the  context  of  parallel  repetition  of  three-round  arguments,  allows  us  to 
upper  bound  this  distance. 

Lemma  7  (Raz’s  Lemma  [Raz98])  Let  X  =  (X±, . . . ,Xk)  be  independent  random  variables  and 
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W  be  an  event.  Then, 


log(l/Pr[W]) 
k  ' 


Raz’s  Lemma  states  that  conditioning  on  a  not  “too  small”  event  W  cannot  change  the  marginal 
distribution  of  X,-  by  too  much  (on  average).  In  particular,  the  average  statistical  distance  scales 
logarithmically  with  the  probability  of  the  event  W .  Raz’s  Lemma  together  with  the  fact  that  P* 
convinces  V  with  probability  1  in  the  Ideal  experiment  implies  that  P*  convinces  V  in  the  Real 
experiment  with  probability  at  least  1  —  (log(l/  Pr[IK]))/A’,  where  by  definition  Pr[IT]  =  e.  This 
already  suffices  to  prove  that  parallel  repetition  reduces  the  soundness  error  at  an  exponential  rate, 
but  it  does  not  give  the  “tight”  bound  (i.e. ,  e l/k).  The  reason  that  Raz’s  Lemma  does  not  provide 
a  tight  bound  is  that  in  our  context,  statistical  distance  is  not  the  right  distance  measure  between 
the  Real  and  the  Ideal  experiments.  In  fact,  the  proof  of  Raz’s  Lemma  first  provides  a  bound 
on  the  Kullback-Leibler  divergence  (KL  divergence,  for  short)  between  the  random  variables,  and 
then  arrives  a  bound  on  their  statistical  distance  by  relying  on  a  general  bound  between  statistical 
distance  and  KL  divergence.3  The  “translation”  between  KL  divergence  and  statistical  distance, 
however,  incurs  a  quadratic  loss.  By  directly  working  with  KL  divergence,  we  can  avoid  it.4  Let  us 
thus  state  Raz’s  Lemma  in  its  “KL  form”. 


Lemma  8  (Raz’s  Lemma  —  KL  version)  Let  X  =  (X\ , . . .  ,X '*.)  be  independent  random  vari¬ 
ables  and  W  be  an  event.  Then, 


i—  1 

We  omit  the  proof  of  Raz’s  Lemma,  but  let  us  simply  remark  that  the  proof  follows  by  a  few  lines  of 
elementary  (but  clever)  manipulations  of  KL  divergence.  By  the  chain  rule  for  KL  divergence,  it  fol¬ 
lows  that  the  KL  divergence  between  the  Ideal  and  Real  experiments  is  at  most  (log(l/Pr[IT]))/A:.5 
Let  us  now  show  how  to  get  a  lower  bound  on  the  success  probability  of  P*  in  the  Real  experiment. 
Let  SucRea|  and  Sucideal  be  indicator  variables  that  indicate,  respectively,  whether  P*  convinces  V 
in  the  Real  and  the  Ideal  experiments. 

log(l/Pr[IT])  >  KL(|dea|||Rea|)  >  KL(SuC|dea|| |SucRea|)  =  1  •  log  — — — - -v,  (1) 

k  Pr  |SucRea|  =  1J 

which  implies  that  Pr[SucRea|  =  1]  >  e4/fc  since  Pr[VP]  =  e.  The  second  inequality  follows  since 
applying  the  same  function  to  two  distributions  can  only  decrease  their  KL  divergence,  whereas 
the  last  equality  follows  by  the  definition  of  KL  divergence  and  the  fact  that  Pr[SuC|deai  =  1]  =  1. 
This  concludes  that  P*  convinces  V  with  probability  at  least  el^k  in  the  Real  experiment. 

3 Recall  that  KL(X||Y)  =  E*esupP(x)  Pr[X  =  *1  *  Kg 

4A  similar  phenomena  occurred  already  in  the  context  of  parallel  repetition  for  “free”  two-prover  games;  see 
[BRR+09]. 

5 We  note  that  the  KL  divergence  is  not  symmetric,  so  it  does  not  imply  that  the  KL  divergence  between  the  Real 
and  Ideal  experiments  is  small  (in  fact,  it’s  infinite). 
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Handling  The  Bounded-Sample  Case.  In  our  analysis  so  far  we  have  assumed  that  P*  can 
make  an  unbounded  number  of  samples.  Let  us  now  show  that  its  success  probability  is  still  high 
even  if  we  impose  a  polynomial  bound  M  on  the  number  of  samples  it  can  make  (and  thus  P* 
becomes  efficient).  Let  us  first  consider  the  Ideal  experiment.  The  main  observation  is  that,  in 
the  Ideal  experiment,  in  expectation,  P*  only  needs  to  make  1/e  samples  to  pick  x-i  conditioned 
on  Pk*(x)  convincing  Vk  (since  x%  is  also  picked  conditioned  on  Pk*(x)  convincing  Vk ,  and  Pk* 
convinces  Vk  with  probability  e).  Thus,  if  the  allowed  number  of  samples  M  is  sufficiently  larger 
than  1/e,  then  by  the  Markov  inequality,  P*  can  successfully  convince  Vk  with  probability  “almost” 
1,  even  if  we  restrict  P*  to  use  at  most  M  samples.6  Since  the  Ideal  and  the  Real  experiments  are 
statistically  close,  this  directly  yields  a  lower  bound  on  the  success  probability  of  P*  in  the  Real 
experiment.  But  as  we  saw,  working  with  statistical  distance  does  not  give  the  tight  bound. 
To  obtain  a  tight  bound,  we  again  work  with  KL  divergence.  Here,  the  only  difference  is  that 
PrfSucideai  =  1]  is  no  longer  1,  but  can  be  made  arbitrarily  (inverse  polynomially)  close  to  1  by 
increasing  M.  This  is  sufficient  to  conclude  that  Pr[SucRea|  =  1]  can  be  made  arbitrarily  (inverse 
polynomially)  close  to  e1//fe  as  well  (since  the  KL  divergence  of  two  binary  random  variables  is  a 
“smooth”  function  of  the  probabilities  of  both  random  variables) . 

4  Parallel  Repetition  for  General  Public-coin  Protocols 

Let  us  turn  to  demonstrate  a  parallel  repetition  theorem  for  general  public-coin  protocols  with  an 
arbitrary  number  of  rounds.  The  first  question  to  address  is:  What  should  the  strategy  of  P*  be? 
As  before,  we  let  P*  externally  interact  with  V  by  internally  emulating  an  interaction  of  ( Pk *,  Vk ) 
and  embedding  its  external  interaction  with  V  into  a  random  session  i.  Recall  that  for  the  case  of 
two-message  public-coin  protocols,  P*  just  needs  to  select  verifier  messages  for  sessions  —i,  and 
does  so  in  a  way  that  guarantees  that  it  will  convince  V  (if  such  messages  X-i  exist).  For  to- round 
protocols,  P*  needs  to  select  verifier  messages  a h,-i,  ■  ■  ■  for  each  round  j,  but  must  do  so  in 

a  round-by-round  fashion.  That  is,  after  receiving  a  message  x3  from  the  external  verifier  V,  it  sets 
xjti  =  Xj  and  must  pick  Xj-i  before  knowing  what  xy^  is  for  j'  >  to;  as  a  consequence,  we  can 
no  longer  pick  messages  a 'j  -%  that  guarantees  “success”  (even  if  we  have  an  unbounded  number  of 
samples). 

A  first  approach  for  picking  a ’j-i,  explored  by  [PV12],  consists  of  letting  P*  greedily  select 
messages  Xj-i  for  sessions  —i  that  maximize  (or  rather  “approximately”  maximize)  P*' s  probability 
of  convincing  V ;  this  can  be  done  using  a  recursive  sampling  strategy — roughly  speaking,  in  each 
round  j,  P*  needs  to  evaluate  how  well  P*  would  do  in  the  remaining  rounds,  and  picks  the 
best  messages  based  on  this  evaluation  (we  briefly  return  to  this  approach  in  Section  ??).  [PV12] 
shows  that  by  employing  such  a  recursive  sampling  strategy,  a  tight  parallel  repetition  theorem 
can  be  established.  But,  due  to  the  recursive  sampling,  the  running-time  of  the  reduction  becomes 
exponential  in  the  number  of  rounds  to,  and  this  approach  can  thus  only  be  used  to  get  a  parallel 
repetition  theorem  for  constant-round  public-coin  protocols. 

As  it  turns  out,  an  even  simpler  rejection  sampling  strategy,  first  explored  by  [HPWP10],  works: 
We  consider  a  prover,  P*e-,  that  selects  the  session  i  €  [k]  uniformly  at  random  (just  as  before),  and 
then  at  each  round  j ,  upon  receiving  the  external  verifier  K’s  message  xj;l,  P*e ■  selects  Xj-%  using 

6Since  M  >  1/e,  we  only  get  an  efficient  reduction  as  long  as  e  is  an  inverse  polynomial.  As  a  consequence,  parallel 
repetition  of  arguments  cannot  decrease  the  soundness  error  beyond  being  “negligible”.  As  shown  by  [DJMW12], 
under  some  cryptographic  assumptions,  this  is  inherent. 
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Figure  2:  Interaction  between  P*-  and  V. 


rejection  sampling  as  follows:  P*e ■  repeatedly  samples  a  random  continuation  of  (Pk*,Vk)  until  it 
finds  an  accepting  continuation ,  i.e. ,  Vk  accepts  at  the  end  of  interaction  (or  a  certain  a-prior  bound 
M  on  the  number  of  samples  is  reached,  in  which  case  P*  aborts  and  fails).  Then,  P*  selects  the 
corresponding  messages  in  the  accepting  continuation  as  the  messages  of  V—i  at  round  j .  As  for 
the  two-nressage  case,  let  us  first  consider  the  unbounded  sample  case  (when  M  =  oo).  That  is, 
at  each  round  j,  P*e-  simply  selects  Xj-i  conditioned  on  Pk*  convincing  Vk.  See  Figure  2  for  an 
illustration. 

As  we  shall  see  now,  the  analysis  for  the  two-nressage  case  can  be  generalized  to  provide  a  tight 
lower  bound  on  the  success  probability  of  PL.  (The  original  analysis  of  [HPWP10]  relied  on  Ideal 
v.s.  Real  paradigm  considered  in  Section  3,  but  only  showed  that  parallel  repetition  reduces  the 
soundness  error  at  an  exponential  rate;  it  did  not  provide  a  tight  parallel  repetition  theorem.  A  tight 
analysis  was  first  provided  by  [CLIO]  by  directly  (inductively)  analyzing  the  success  probability  of 
P*e-.  [CP13]  provided  an  alternative  tight  analysis  relying  on  Ideal  v.s.  Real  paradigm.)  As  before, 
let’s  consider  a  Real  experiment  where  P*e-  interacts  with  V  (that  is,  at  each  round  j,  xj^  is  uniformly 
sampled  and  Xj-i  is  uniformly  sampled  conditioned  on  Pk*  convincing  Vk).  We  will  argue  that 
if  Pk*  convinces  Vk  with  probability  e,  then  P*e ■  convinces  V  with  probability  >  e in  the  Real 
experiment. 

Again,  let  us  compare  it  to  an  Ideal  experiment  where  the  external  verifier  also,  at  each  round 
j,  uniformly  picks  conditioned  on  Pk*  convincing  Vk .  It  follows  (as  before)  that  in  the  Ideal 
experiment,  P*e-  convinces  V  with  probability  1.  As  before,  let  us  now  bound  the  distance  between 
the  Real  and  the  Ideal  experiments.  Can  we  just  use  Raz’s  Lemma  as  before? 

Consider  a  set  of  m  “hybrid”  experiments,  where  in  Hj ,  the  messages  in  the  first  j  rounds 
are  selected  just  as  in  Ideal  (i.e.,  both  xy^  and  xy-%  for  j'  <  j  are  sampled  conditioned  on  Pk* 
convincing  Vk),  and  the  remaining  m  —  j  rounds  are  selected  just  as  in  Real  (i.e.,  for  f  >  j,  only 
Xj'-i  is  sampled  conditioned  on  Pk*  convincing  Vk,  but  Xf  i  is  uniformly  sampled  without  any 
conditioning).  Clearly  Hq  =  Real  and  Hm  =  Ideal.  Furthermore,  the  only  difference  between  two 
consecutive  hybrids  j  —  1  and  j  is  whether  Xj  i  is  sampled  conditioned  on  Pk*  convincing  Vk  or 
not,  where  i  is  uniformly  chosen.  Thus,  it  would  seem  we  can  just  use  Raz’s  Lemma  exactly  as 
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in  the  two-message  case  to  bound  the  statistical  distance  between  two  such  hybrids.  This  almost 
works.  The  only  difference  from  the  two-nressage  case  is  that  there  now  is  a  “prefix” — the  earlier 
messages — that  the  event  we  condition  on — i.e. ,  Pk*  convincing  Vk — may  depend  on.  The  following 
slight  generalization  of  Raz’s  Lemma  shows  exactly  this. 

Lemma  9  (Raz’s  Lemma — “Prefix-version”  [Raz98])  Let  (H,X)  =  (H,  X\, . . . ,  Xj.)  be  in¬ 
dependent  random  variables  and  W  be  an  event.  Then, 


log(l/  Pr[W]) 


k 


Let  again  W  be  the  event  that  Pk*  convinces  Vk.  The  lemma  directly  implies  that  the  statistical 
distance  between  any  two  consecutive  hybrids  Rj-i  and  Hj  is  at  most  (log ( 1  /  Pr [IT] ))/k.  Thus, 
by  the  triangle-inequality,  the  statistical  distance  between  the  Real  and  the  Ideal  experiments  is  at 
most  m  ■  a/ (log(l/  Pr[W]))/fc,  which  yields  a  lower  bound  on  the  success  probability  of  P*e-  in  the 
Real  experiment  that  suffices  to  demonstrate  that  parallel  repetition  reduces  the  soundness  error 
at  an  exponential  rate. 

Again,  however,  the  bound  is  not  tight  due  to  the  use  of  statistical  distance.  Additionally,  due  to 
the  “hybrid  argument”  we  have  furthermore  incurred  a  linear  loss  in  the  number  of  rounds  m  (thus, 
to  make  the  soundness  error  small  we  need  the  number  of  parallel  repetitions  to  grow  polynomially 
with  the  number  of  rounds  in  the  protocol).  Perhaps  surprisingly,  we  can  still  obtain  a  tight  bound 
by  working  with  KL  divergence.  In  particular,  by  a  few  lines  of  elementary  manipulations  of  KL 
divergence  one  can  show  that  the  KL  divergence  between  the  Ideal  and  the  Real  experiments  is 
upper  bounded  by  the  same  quantity  as  in  the  KL  version  of  Raz  lemma  (Lemma  8). 

Lemma  10  KL(ldea  1 1 1  Rea  I )  <  . 

A  tight  lower  bound  e1^  on  the  success  probability  of  P*e ■  in  the  Real  experiment  can  now  be 
derived  by  identically  the  same  calculation  as  in  Eq.  (1).  Finally,  the  bounded-sample  case  can  be 
handled  in  essentially  the  same  way  as  in  the  two-nressage  case. 


4.1  Formal  Proof 

In  this  section,  we  present  a  formal  proof  of  tight  parallel  repetition  theorem  for  public-coin  proto¬ 
cols. 

Theorem  11  Let  (P,  V)  be  a  public-coin  interactive  argument  for  a  language  L.  There  exists  an 
oracle  adversarial  prover  P^*  such  that  for  every  k  G  N,  input  z  G  {0, 1}*,  every  e,£  G  (0, 1),  and 
every  deterministic  parallel  adversarial  prover  Pk* ,  if 

Pr[(Pk*  ,Vk)(z)  =  1]  >  e, 

then 

Pr l(ptpk*>(k,e,0,V)(z)  =  1]  >  •  (1  -  £). 

Furthermore,  P^*  runs  in  time  poly(|2:|,  k,  e_1,  £-1)  given  oracle  access  to  Pk* . 
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Proof.  Let  m  denote  the  round  complexity  of  (P,  V).  Let  us  consider  a  P^J*  that  interacts  with 
V  by  the  aforementioned  rejection  sampling  with  M  =  0(^log|).  Specifically,  PL,  selects  the 
session  i  E  [k]  uniformly  at  random,  and  then  at  each  round  j,  upon  receiving  the  external  verifier 
P’s  message  Xjti,  P*e j  selects  Xj-i  using  rejection  sampling  as  follows:  P*e ■  repeatedly  samples  a 
random  continuation  of  (Pk*,Vk)  until  it  finds  an  accepting  continuation ,  i.e.,  Vk  accepts  at  the 
end  of  interaction  (or  M  =  0(^log|)  samples  is  reached,  in  which  case  PL  aborts  and  fails). 
Then,  PL  selects  the  corresponding  messages  in  the  accepting  continuation  as  the  messages  of  V-i 
at  round  j. 

By  inspection,  P^*  runs  in  time  poly(|z|,  k,  e-1,  £_1)  on  input  z,  k,  e,  and  £.  It  remains  to  show 
that  if  Pk*  convinces  Vk  with  probability  at  least  e,  then  pk)*  convinces  V  with  probability  at  least 
e •  (1  —  f).  Let  W  denote  the  event  that  Pk*  convinces  Vk  in  the  execution  of  ( Pk *,  Vk)(z).  We 
consider  the  following  Real  experiment,  which  is  the  same  as  the  execution  of  (PL  '  (k,  e,  £),  V)(z) 
except  that  PL  takes  an  unbounded  number  of  samples  (i.e.,  set  M  =  oo). 

The  Real  Experiment  Consider  an  execution  of  (PL,  V)  as  follows.  At  beginning,  PL  selects  a 
random  coordinate  i  E  [k] .  Then  at  each  round  j  E  [rn] ,  V  selects  a  uniformly  random  Xjj,  and  PL 
selects  a  random  xj-i  conditioned  on  W  using  rejection  sampling  (namely,  repeatedly  samples  a 
random  continuation  of  ( Pk *,  Vk)  until  it  finds  an  accepting  continuation ,  i.e.,  Vk  accepts  at  the  end 
of  interaction,  and  selects  the  corresponding  Xj-i )•  Let  Tj  denotes  the  number  of  samples  PL  takes. 
If  no  such  Xj-i  exists,  then  PL  fails ,  and  we  set  Tj  =  oo  and  all  remaining  Xj-i,  Xj+i,  •  •  • ,  xm  =  A. 
PL  succeeds  if  it  does  not  fail.  The  output  of  the  experiment  is  defined  to  be  (i,x i, . . . , xrn). 

Note  that  the  event  that  pl'h  convinces  V  in  (P^pk*'>*(k,e,^),V)(z)  corresponds  to  the  event 
that  in  the  Real  experiment,  P*  succeeds  and  Tj  <  M  for  every  j  E  [m].  Let  SucRea|  be  the  indicator 
random  variable  of  this  event.  Our  goal  is  to  lower  bound 

Pr[(p(pk*>(k,e,0,V)(z)  =  1]  =  Pr[SucReal  =  1], 

We  next  compare  it  with  an  Ideal  experiment,  which  is  identical  to  the  Real  experiment,  execpet 
that  the  messages  x\j, . . . ,  xmj  are  also  selected  conditioned  on  W. 

The  Ideal  Experiment  At  beginning,  PL  selects  a  random  coordinate  i  E  [k].  Then  at  each 
round  j  E  [m],  V  selects  a  random  Xjj  conditioned  on  W,  and  PL  selects  a  random  Xj-i  conditioned 
on  W  using  rejection  sampling.  Let  Tj  denotes  the  number  of  samples  PL  takes.  The  output  of 
the  experiment  is  defined  to  be  (i,  x\, . . . ,  xm). 

Note  that  sampling  random  x\j,  x\-i,  ■  ■  ■  ,xmj,xm-i  conditioned  on  W  step  by  step  is  equiv¬ 
alent  to  sampling  the  whole  xi, . . . ,  xm  conditioned  on  W.  Thus,  the  output  distribution  of  the 
Ideal  experiment  is  simply  a  uniformly  random  coordinate  i  E  [k]  and  a  uniformly  random  accepting 
transcript  (xi, . . .  ,xm),  and  PL  never  fails  in  the  Ideal  experiment.  Let  Sucideal  be  the  correspond¬ 
ing  indicator  random  variable  of  SucRea|  in  the  Ideal  experiment;  that  is,  SuC|dea|  is  the  indicator 
random  variable  of  the  event  that  Tj  <  M  for  every  j  E  [rn\ . 

In  what  follows,  we  will  show  that  (i)  Pr[SuC|deai  =  1]  >  m/Me  and  (ii)  KL(ldeal||Real)  < 
(log(l/Pr[W]))/fe,  and  derive  the  desired  lower  bound  on  Pr[SucRea|  =  1]  from  them. 

Claim  12  Pr[SuC|deai  =  1]  >  1  —  m/Me. 
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Proof.  Note  that  in  the  Ideal  experiment,  for  every  i  £  [k]  and  j  £  [to] ,  the  prefix 
(x\, . . . ,  Xj~i,  Xjti)  is  chosen  randomly  conditioned  on  W  and  then  P*e ■  selects  a  random  Xj-i 
conditioned  on  W  using  rejection  sampling.  Applying  Lemma  6  with  X  =  (Xi, . . . ,  Xj_i,  Xj^), 
Y  =  Xj  i  and  event  W  implies  that  E[7}]  =  l/Pr[VE]  <  1/e  for  every  j  £  [to]  .  By  the  Markov 
inequality,  we  have  Pr[Tj  <  M]  >  1  —  1/Me  for  every  j  £  [to],  and  thus  it  follows  by  an  union 
bound  that  Pr[SuC|deai  =  1]  >  1  —  ( m/Me ).  I 

Claim  13  KL(ldeal||Real)  <  (log(l/Pr[IT]))/£:. 


Proof.  It  is  instructive  to  first  prove  the  one-round  case  (i.e. ,  to  =  1),  which  is  equivalent 
to  the  KL-version  of  Raz’s  Lemma.  In  this  case  by  definition,  Ideal  =  (I,X i\w)  and  Real  = 
(/,  Xij,  /)•  By  applying  chain  rule,  we  have 


KL(ldea  1 1 1  Rea  I )  =  KL(/||/)+E  KL  lXi\w\\(Xij ,  Xi_I\W)Xl} 


1 

-^KL  [xmkx^x^ 

i— 1 


-i\W,Xh 


For  each  term  ~KL{Xi\w\\(Xi^,  Xi-^w^n)),  by  applying  chain  rule  again,  we  have 

KL 

=  KL(Xhi\w\\Xlti)  +  E  \KE(Xi-i\w,xlti\\X\-i\w,Xl'i)\ 

-Xl,i|  W 

=  KL(A1)4|w||Nm). 


Applying  Lemma  4, 

1  k 

j  Y,KL  (XilwlKX^X^-i 


i=  1 


k 

j  Y.KL(Xhl\w\\Xhi)  <  jKLiX^wWXi). 


i=  1 


Therefore,  by  Lemma  3, 

KL(  Idea  1 1 1  Rea  I)  <  -J-KL^IvHl^i)  <  1°g(1/Pr[WD  , 
k  k 

We  proceed  to  consider  the  general  case,  which  is  proved  by  the  same  calculation,  except  that 
we  furst  apply  an  additional  chain  rule  to  break  up  terms  corresponding  to  each  round. 


KL(ldea  1 1  Rea  I )  —  ^  E  1XL(Xj\w  g  \\(Xjj\Wx  <-,  Xj,-i\w,x  Kj,x ;-7)) 

T  V"  I  L  J'1 

j= 1 1<x<j\w 


Now,  for  each  term,  the  same  calculation  as  before  using  Lemma  4  shows  that 


E 

IX<j\w 


KL(^i  I  w,xKj  1 1  I  w,xKj  >  xi-i  I  w,Xcj ,Xj,i )) 


1 

_E 

K  XKj\w 


KL(X 


Jl  W,X<j  \\xj\x^ 
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Applying  another  chain  rule  and  Lemma  3  gives, 


KL(ldeal|  I  Real)  <  \  E  [kL(X 


=  -KL(X<m|w||X<m)  < 


log(l/  Pr[W]) 


We  now  derive  the  desired  lower  bound  on  the  probability  Pr[SucRea|  =  1]  using  Claim  12  and 

13.  Let  q  =  Pr[SucRea|  =  1]  and  5  =  m/Me.  Claim  13  implies  that 

KL(1  -  5\\q)  <  KL(SuC|dea|||SucRea|)  <  KL(ldeal||Real)  <  (log(l/Pr [W]))/k  <  log  , 

where  the  first  inequality  follows  by  Claim  12,  the  second  inequality  follows  since  applying  the  same 

function  to  two  distributions  can  only  decrease  their  KL  divergence,  and  the  last  inequality  follows 

by  the  fact  that  Pr[VF]  >  e.  By  Lemma  5,  we  have 

KL(l||g)  <  KL(1  -  S\\q)  +  j  +  5  log  i  <  log  (e"1^)  +  +  5  log  i 

By  definition,  KL(l||g)  =  log(l/g),  and  thus 

g>e-(log6-1/fe+|+5logi)  >ei/fc.  log  >  e1/^  •  (1  —  ^), 

where  the  second  inequality  uses  e~x  >  1  —  x.  This  completes  the  proof.  I 

Chernoff-type  theorem  here? 
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Online/Offline  Attribute-Based  Encryption 
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Abstract.  Attribute-based  encryption  (ABE)  is  a  type  of  public  key 
encryption  that  allows  users  to  encrypt  and  decrypt  messages  based  on 
user  attributes.  For  instance,  one  can  encrypt  a  message  to  any  user 
satisfying  the  boolean  formula  ( “crypto  conference  attendee”  AND  “PhD 
student” )  OR  “IACR  member” .  One  drawback  is  that  encryption  and  key 
generation  computational  costs  scale  with  the  complexity  of  the  access 
policy  or  number  of  attributes.  In  practice,  this  makes  encryption  and 
user  key  generation  a  possible  bottleneck  for  some  applications. 

To  address  this  problem,  we  develop  new  techniques  for  ABE  that  split 
the  computation  for  these  algorithms  into  two  phases:  a  preparation 
phase  that  does  the  vast  majority  of  the  work  to  encrypt  a  message  or 
create  a  secret  key  before  it  knows  the  message  or  the  attribute  list /access 
control  policy  that  will  be  used  (or  even  the  size  of  the  list  or  policy). 
A  second  phase  can  then  rapidly  assemble  an  ABE  ciphertext  or  key 
when  the  specifics  become  known.  This  concept  is  sometimes  called  “on¬ 
line/offline”  encryption  when  only  the  message  is  unknown  during  the 
preparation  phase;  we  note  that  the  addition  of  unknown  attribute  lists 
and  access  policies  makes  ABE  significantly  more  challenging. 

One  motivating  application  for  this  technology  is  mobile  devices:  the 
preparation  work  can  be  performed  while  the  phone  is  plugged  into  a 
power  source,  then  it  can  later  rapidly  perform  ABE  operations  on  the 
move  without  significantly  draining  the  battery. 


1  Introduction 

Attribute-Based  Encryption  (ABE)  was  introduced  by  Sahai  and  Waters  [20]  as 
a  more  expressive  form  of  encryption  where  one  can  encrypt  according  to  some 
policy.  For  example,  in  a  large  corporate  setting  one  might  encrypt  data  to  the 
policy  of  (  “Procurement”  AND  “Manager”  )  OR  “Accounting”  .  There 
are  two  main  flavors  of  ABE.  In  Key-Policy  ABE  [10],  a  key  is  associated  with  a 
boolean  formula  4>  and  a  ciphertext  with  a  set  S  of  attributes.  One  can  decrypt 
iff  the  set  S  satisfies  the  formula  <f>.  Alternatively,  in  Ciphertext-Policy  ABE  the 
roles  are  flipped;  a  key  is  associated  with  a  set  of  attributes  and  the  ciphertext 
with  an  access  formula. 

One  challenge  in  building  systems  that  use  Attribute-Based  Encryption  is 
that  the  added  functionality  may  come  with  a  significant  cost  compared  to  stan¬ 
dard  public  key  cryptography.  Consider  a  Key-Policy  ABE  system.  Here  the 
encryption  time  will  scale  with  the  number  of  attributes  assigned  to  the  cipher- 
text  and  key  generation  time  will  scale  with  the  size  of  the  boolean  formula 
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ascribed  to  a  user’s  private  key.  These  costs  could  impact  several  applications.  If 
the  encryption  algorithm  is  run  on  a  mobile  device,  encryption  time  and  battery 
power  are  of  large  importance.  In  other  applications,  authority  servers  that  gen¬ 
erate  users’  private  keys  may  become  a  bottleneck.  In  both  of  these  scenarios,  an 
exacerbating  factor  is  that  the  cost  for  operations  may  vary  widely  between  each 
ciphertext  and  key;  thus  forcing  a  system  to  provision  for  a  load  that  matches  a 
worst  case  scenario.  See  [4, 18, 23]  for  further  ABE  performance  cost  details. 

In  this  work,  we  aim  to  mitigate  this  problem  by  introducing  methods  for 
online/offline  encryption  and  key  generation  in  Attribute-Based  Encryption.  By 
moving  the  majority  of  the  cost  of  an  encryption  and  key  generation  into  an 
offline  phase,  a  system  will  be  able  to  smooth  the  computational  (and  power) 
demand  over  a  longer  range  of  time,  and  thus  only  need  the  resources  to  handle 
the  average  case  load. 

Applications  for  this  Technology  One  motivating  application  for  splitting  the 
work  this  way  is  that  a  mobile  device  could  be  programmed  to  automatically 
do  ABE  preparation  work  whenever  it  is  plugged  into  a  power  source,  and  then 
when  it  is  unplugged,  ABE  ciphertexts  could  be  rapidly  formed  with  a  significant 
reduction  in  battery  consumption. 

Another  potential  advantage  of  splitting  work  this  way  is  that  in  some  ap¬ 
plications  the  online  and  offline  work  can  be  performed  in  different  devices.  One 
might  perform  the  offline  work  for  several  encryptions  on  a  high-end  server  and 
store  these  intermediate  ciphertexts  on  a  sensor  device  such  that  the  small  de¬ 
vice  never  needs  to  perform  a  full  encryption.  In  other  applications,  for  security 
reasons  a  designer  might  wish  to  limit  the  number  of  outward  facing  servers  that 
have  access  to  the  master  secret  key  (or  equivalent).  Using  online/offline  tech¬ 
niques  he  could  have  several  servers  performing  offline  operations,  but  relatively 
fewer  required  for  the  final  online  step  to  generate  a  user’s  private  key.  While  a 
corrupted  offline  server  (without  the  master  secret)  could  not  break  the  system, 
in  collusion  it  could  produce  outputs  that  would  allow  an  eventual  key  holder 
to  do  so.  Therefore,  application  of  this  idea  would  require  further  analysis  and 
techniques  to  mitigate  this  scenario. 

Background  on  Online/ Offline  Cryptography  Even,  Goldreich  and  Micali  [9]  ini¬ 
tiated  online/offline  techniques  for  signatures  and  Shamir  and  Tauman  [22]  in¬ 
troduced  a  general  method  using  chameleon  hash  functions.  In  the  context  of 
signatures,  one  would  like  to  perform  most  of  the  work  for  signing  a  message  in 
the  offline  phase,  but  without  knowing  what  the  message  to  be  signed  is.  Later 
in  the  online  phase  the  signer  will  learn  the  message  and  given  the  offline  work 
should  be  able  to  sign  it  relatively  quickly. 

The  focus  of  our  investigation  is  on  moving  encryption  computation  offline. 
In  the  basic  encryption  setting,  the  job  is  to  perform  most  of  the  work  for 
encryption  offline,  before  the  message  is  known.  This  is  one  of  the  reasons  that 
stream  ciphers,  such  as  RC4,  are  sometimes  preferred  over  certain  block  ciphers, 
because  they  operate  by  generating  a  pseudorandom  string  (which  can  be  done 
offline)  and  then  XORing  it  with  the  plaintext  (in  the  online  phase). 


Approved  for  Public  Release;  Distribution  Unlimited. 

406 


Let’s  next  consider  the  task  of  moving  encryption  computation  offline  for 
Identity-Based  Encryption  (IBE),  where  neither  the  message  nor  the  recipient’s 
identity  is  known  during  the  offline  phase.  Guo  et  al.  [12]  give  an  offline  en¬ 
cryption  system  for  Identity- Based  Encryption  (and  other  works  [17,16,8,21] 
proposed  different  variants).  We  illustrate  the  main  idea  as  a  KEM1  variant  of 
the  Boneh-Boyen  [5]  IBE  system.  In  the  offline  phase,  one  will  create  a  cipher- 
text  by  encrypting  to  a  random  identity  ieZp  with  randomness  s  £  Zp.  The 
resulting  BB-type  ciphertext  will  have  the  form  C\  =  gs,C2  =  ( uxh)s  and  the 
encapsulated  key  will  be  e(g,  g)as ,  where  the  bilinear  group  description  <G  of  or¬ 
der  p  and  g ,  u,  h ,  e(g,  g)a  are  in  the  public  parameters.  The  offline  algorithm  will 
store  these  ciphertext  components  as  well  as  remember  x  and  s;  these  together 
will  consist  of  what  we  call  an  intermediate  ciphertext.  In  the  online  phase,  the 
encryptor  will  learn  that  she  wishes  to  encrypt  to  a  certain  identity  X  £  Zp.  To 
do  this,  she  simply  adds  a  small  “correction  factor”  r  ■  (I  —  x)  £  7LV  to  the  ci¬ 
phertext  components  C\,  C2.  The  computation  only  takes  one  multiplication  and 
subtraction  in  Zp.  A  modified  decryption  algorithm  with  the  correct  private  key 
can  then  extract  the  required  symmetric  key.  We  note  that  treating  the  system 
as  a  Key  Encapsulation  Mechanism  allows  us  to  separate  the  issues  of  learning 
the  identity  in  the  online  phase  versus  learning  the  message  in  the  online  phase. 


The  Challenge  for  ABE  From  the  above  description,  one  can  see  that  the  correc¬ 
tion  techniques  critically  rely  on  there  being  well-known  algebraic  relationships 
between  the  Boneh-Boyen  hashes  of  different  identities.  Unfortunately,  these  do 
not  exist  in  most  initial  ABE  systems  [10, 6,  24]  as  an  attribute  for  string  x  would 
typically  be  represented  as  either  a  random  group  element  hx  in  the  parame¬ 
ters  or  as  the  result  of  a  (random  oracle  modeled)  hash  function  H{x).  A  second 
challenge  is  that  the  size  and  structure  of  ciphertext  descriptors  is  more  complex 
in  ABE  systems.  For  instance,  in  a  KP-ABE  system  the  number  of  attributes 
associated  with  a  ciphertext  may  vary  widely  between  each  encryption.  If  one 
encrypts  to  a  small  number  in  each  offline  stage,  the  intermediate  ciphertext  may 
be  not  useable.  If  one  encrypts  to  a  large  or  maximum  number  in  each  offline 
phase,  it  can  result  in  much  wasted  work.  Using  offline  computation  efficiently 
becomes  a  challenge  in  this  setting.  For  ciphertext-policy  ABE,  finding  a  good 
solution  is  more  challenging  as  the  “unknown”  is  an  complex  access  structure. 


Our  Contributions  We  develop  new  techniques  for  online/offline  ABE  encryp¬ 
tion  and  key  generation  that  tackle  these  challenges.  The  first  non-trivial  task 
is  to  identity  ABE  constructions  that  have  the  required  algebraic  structure  to 
enable  online/offline  computation.  Unfortunately,  most  existing  schemes  do  not. 
However,  a  few  do.  We  first  identified  the  recent  “large  universe”  construction  of 
Lewko  and  Waters  [14]  as  a  candidate  base  scheme  due  to  its  algebraic  structure 


1  A  key  encapsulation  mechanism,  where  the  public  key  ciphertext  encapsulates  a 
symmetric  key  which  could  later  be  used  to  symmetrically  encrypt  the  plaintext. 
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that  appears  amenable  to  adding  correction  factors.2  We  finally  decided  to  use  a 
recent  more  efficient  prime-order  variant  due  to  Rouselakis  and  Waters  [19].  (We 
are  not  aware  of  any  other  ABE  schemes  that  can  support  a  similarly  efficient 
online/offline  tradeoff.) 

We  begin  by  designing  online/ offline  encryption  algorithms  for  Key-Policy 
ABE.  For  our  first  construction  we  assume  a  set  number  of  attributes  that  will  be 
associated  with  each  ciphertext.  In  this  setting  we  develop  a  correction  technique 
for  the  KP-ABE  [19]  system.  We  prove  security  by  directly  reducing  to  the 
security  of  [19].  This  has  the  advantage  of  simplicity  in  that  we  do  not  need  to 
revisit  the  guts  of  the  prior  proof.  In  addition,  we  will  automatically  inherenit 
any  future  improvements  in  the  proof  for  the  underlying  scheme. 

For  reasons,  discussed  above  assuming  a  fixed  number  of  attributes  per  ci¬ 
phertext  is  undesirable.  To  this  end  we  come  up  with  a  method  of  “pooling”  work 
done  offline.  In  this  system  an  encryptor  will  continuously  create  offline  cipher- 
text  pieces  and  add  these  to  a  pool.  When  the  encryption  algorithm  later  needs 
to  encrypt  to  a  set  S  of  attributes,  it  grabs  |5|  pieces  from  the  pool  connecting 
each  one  to  a  single  attribute  from  S.  The  work  per  attribute  is  dominated  by 
one  multiplication  in  Z.p.  We  describe  this  as  a  “connect  and  correct”  approach. 

We  extend  our  offline  encryption  approach  to  the  more  complex  case  of 
Ciphertext-Policy  ABE.  The  challenge  here  is  that  a  CP- ABE  ciphertext  is  as¬ 
sociated  with  a  Linear  Secret  Sharing  Scheme  (LSSS)  matrix.  Again,  we  develop 
a  pooling  technique.  However,  in  this  application  for  each  row  of  the  matrix 
M  given  online,  we  will  need  to  correct  each  ciphertext  component  to  an  LSSS 
share  in  the  exponent  and  to  the  corresponding  attribute.  Finally,  we  show  how 
online /offline  key  generation  can  be  derived  from  our  encryption  techniques.  We 
observe  a  symmetry  between  CP- ABE  encryption  and  KP-ABE  key  generation 
that  allows  us  to  develop  an  online/offline  pair  of  algorithms  for  the  latter. 


Combining  with  Outsourcing  for  ABE  We  make  a  brief  detour  here  to  discuss 
how  the  results  of  this  work  might  be  combined  with  prior  ABE  results  to  make 
a  practical  overall  system. 

In  2011,  Green,  Hohenberger  and  Waters  [11]  presented  a  solution  for  out¬ 
sourcing  the  decryption  of  ABE  ciphertexts.  That  is,  they  assumed  that  ABE 
ciphertexts  might  be  stored  in  the  cloud.  They  then  showed  how  a  user  can 
provide  the  cloud  with  a  single  translation  key  that  allows  the  cloud  to  trans¬ 
late  any  ABE  ciphertext  satisfied  by  that  user’s  attributes  into  a  very  short  El 
Gamal-style  ciphertext,  without  the  cloud  being  able  to  read  any  part  of  the 
user’s  messages.  These  transmitted  ciphertexts  are  short  (saving  on  bandwidth 
and  receiving  time) ,  but  also  quick  to  decrypt  (with  roughly  one  or  two  exponen¬ 
tiations).  Thus,  the  ability  to  outsource  decryption  to  the  cloud  allows  a  mobile 
device  to  quickly  decrypt  an  ABE-encrypted  message. 


2  Interestingly,  [14]  aimed  for  a  large  universe  construction  in  the  standard  model  and 
thus  our  use  of  the  schemes’s  additional  structure  is  a  byproduct  of  removing  the 
random  oracles. 
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Conversely,  the  results  of  this  work  allow  a  mobile  device  to  quickly  encrypt  an 
ABE-encrypted  message.  These  two  results  could  be  combined  into  one  system, 
where  a  mobile  device  would  be  fully  ABE  operational  while  drastically  reducing 
the  computational  costs  for  both  decryption  (with  the  help  of  the  cloud)  and 
encryption  (with  the  help  of  a  preparation  phase  while  the  phone  charges).  We 
believe  that  creative  solutions  of  this  sort  can  be  implemented  transparently,  but 
will  provide  noticeably  better  performance  for  users. 


2  Definitions  for  Online/Offline  ABE 


We  work  in  the  key  encapsulation  mechanism  (KEM)  setting,  where  the  attribute- 
based  ciphertext  hides  a  symmetric  session  key  that  can  then  be  used  to  symmet¬ 
rically  encrypt  data  of  arbitrary  length.  The  goal  in  the  online/ offline  setting  is 
to  allow  as  much  precomputation  of  attribute-based  ciphertext  as  possible  with¬ 
out  knowing  the  intended  access  policy  (ciphertext-policy)  or  set  of  attributes 
(key-policy).  We  refer  the  reader  to  [13]  for  a  review  of  access  structures,  linear 
secret  sharing  schemes  (LSSS)  and  related  conventions. 


Definition  1  (Online/Ofiline  Attribute-Based  KEM  Specification).  Let 

S  represent  a  set  of  attributes  and  A  an  access  structure.  For  generality,  we  will 
define  ( Ikey,  Ienc )  as  the  inputs  to  the  extract  and  online  encryption  functions 
respectively.  In  a  KP-ABE  scheme  ( Ikey, Ienc )  '■=  (A, 5),  while  in  a  CP-ABE 
scheme,  we  have  ( Ikey,Ienc )  :=  (<?,  A).  We  define  the  function  f  as  follows: 

!1  if  Ienc  £  Ikey  in  KP-AB  setting 
1  if  ^hey  £  Ienc  in  CP-AB  setting 
0  otherwise. 


An  online/ offline  KP-AB  (resp.,  CP-AB)  key- encapsulation  mechanism  for  ac¬ 
cess  structure  space  Q  is  a  tuple  of  the  following  algorithms: 


Setup(A,  U)  — ►  (PK,MK).  The  setup  algorithm  takes  as  input  a  security  pa¬ 
rameter  A  and  a  universe  description  U,  which  defines  the  set  of  allowed 
attributes  in  the  system.  It  outputs  the  public  parameters  PK  and  the  master 
secret  key  MK. 

Extract(MK,  Ikey)  — ►  SK.  The  extract  algorithm  takes  as  input  the  master  se¬ 
cret  key  MK  and  an  access  structure  (resp.,  set  of  attributes)  Ikey  and  outputs 
a  private  key  SK  associated  with  the  attributes. 

Offline. Encrypt  (PK)  — ►  IT.  The  offline  encryption  algorithm  takes  as  input 
the  public  parameters  PK  and  outputs  an  intermediate  ciphertext  IT. 

Online. Encrypt  (PK,  IT,  Ienc)  (key,  CT)  The  online  encryption  algorithm  takes 

as  input  the  public  parameters  PK,  an  intermediate  ciphertext  IT  and  a  set 
of  attributes  (resp.,  access  structure)  Ienc  and  outputs  a  session  key  key  and 
a  ciphertext  CT. 
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Decrypt(SK,  CT)  — >  key.  The  decryption  algorithm  takes  as  input  a  private  key 
SK  for  Ikey  and  a  ciphertext  CT  associated  with  Ienc  and  decapsulates  ci¬ 
phertext  CT  to  recover  a  session  key  key  if  S  satisfies  A  or  the  error  message 
_L  otherwise. 

For  a  fixed  universe  description  U  and  A  €  N,  the  KP-AB  correctness  prop¬ 
erty  requires  that  for  all  (PK,MK)  £  Setup(A,  U),  all  S  C  U,  all  A  £  Q,  all 
SK  £  Extract(MK,  A),  f/(key,CT)  £  Online. Encrypt(PK,  Offline. Encrypt(PK),  S) 
and  if  S  satisfies  A,  then  Decrypt(SK,  CT)  outputs  key.  CP-AB  correctness  is 
defined  analogously,  with  the  last  inputs  to  Extract  and  On  line.  Encrypt  reversed. 

Security  Model  for  Online/Offline  AB-KEM  Let  77  =  (Setup,  Extract, 

Offline. Encrypt,  Online. Encrypt,  Decrypt)  be  an  AB-KEM  for  access  structure  space 
Q ,  and  consider  the  following  experiment  for  an  adversary  A ,  parameter  A  and 
attribute  universe  U : 

The  Online/ Offline  AB-KEM  experiment  OO-ABKEM-Exp^ .n(\,  U): 

Setup.  The  challenger  runs  the  Setup  algorithm  and  gives  the  public  parame¬ 
ters,  PK  to  the  adversary. 

Phase  1.  The  challenger  initializes  an  empty  table  T,  an  empty  set  D  and  an 
integer  counter  j  =  0.  Proceeding  adaptively,  the  adversary  can  repeatedly 
make  any  of  the  following  queries: 

—  Create(/feey):  The  challenger  sets  j  :=  j  +  1.  It  runs  the  key  generation 
algorithm  on  Ikey  to  obtain  the  private  key  SK  and  stores  in  table  T  the 
entry  (j,Ikey,SK). 

Note:  Create  can  be  repeatedly  queried  with  the  same  input. 

—  Corrupt(f):  If  there  exists  an  ith  entry  in  table  T,  then  the  challenger 
obtains  the  entry  (i,  Ikey,  SK)  and  sets  D  :=  D  U  {Ikey}-  It  then  returns 
to  the  adversary  the  private  key  SK.  If  no  such  entry  exists,  then  it 
returns  _L. 

—  Decrypt/!,  CT):  If  there  exists  an  ith  entry  in  table  T,  then  the  challenger 
obtains  the  entry  (i,Ikey,  SK)  and  returns  to  the  adversary  the  output 
of  the  decryption  algorithm  on  input  (SK,  CT).  If  no  such  entry  exists, 
then  it  returns  _L. 

Challenge.  The  adversary  gives  a  challenge  value  I*nc  such  that  for  all  Ikey  £ 
D,  f{Ikey,I*enc )  7^  T  The  challenger  runs  the  algorithm  Online. Encrypt(PK, 
Offline. Encrypt(PK),  I*nc)  to  obtain  (key*,CT*).  It  then  randomly  selects  a 
bit  b.  If  b  =  0,  it  returns  (key*,CT*)  to  the  adversary.  If  b  =  1,  it  selects  a 
random  session  key  R  in  the  session  key  space  and  returns  (77,  CT*). 

Phase  2.  Phase  1  is  repeated  with  the  restrictions  that  the  adversary  cannot 

—  trivially  obtain  a  private  key  for  the  challenge  ciphertext.  That  is,  it 
cannot  issue  a  Corrupt  query  that  would  result  in  a  value  Ikey  which 
satisfies  f(Ikey,  4*„c)  =  1  being  added  to  D. 

—  issue  a  decryption  query  on  the  challenge  ciphertext  CT*. 

Guess.  The  adversary  outputs  a  guess  b'  of  b.  The  output  of  the  experiment  is 
1  if  and  only  if  b  =  b' . 
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Definition  2  (Online/Offline  AB-KEM  Security).  An  online/ offline  AB- 
KEM  II  is  CCA-secure  (or  secure  against  chosen-ciphertext  attacks,)  for  at¬ 
tribute  universe  U  if  for  all  probabilistic  polynomial-time  adversaries  A ,  there 
exists  a  negligible  function  negl  such  that: 

Pr[00-ABKEM-Exp^  n(X,  U)  =  1]  <  ^  +  negl(X). 

CPA  Security.  We  say  that  a  system  is  CPA- secure  (or  secure  against  chosen- 
plaintext  attacks)  if  we  remove  the  Decrypt  oracle  in  both  Phase  1  and  2. 

Selective  Security.  We  say  that  a  system  is  selectively  secure  if  we  add  an  Init 
stage  before  Start  where  the  adversary  outputs  the  challenge  /*nc  (instead  of 
waiting  until  Challenge). 


3  A  KP-ABE  Scheme  with  Online/Offline  Encryption 

We  now  show  how  to  extend  the  unbounded  KP-ABE  scheme  of  Rouselakis 
and  Waters  [19,  Appendix  C]  to  be  an  online/ offline  system.  We  will  work  in  a 
key  encapsulation  mechanism  (KEM)  model  as  specified  in  Defintion  2,  so  that 
we  can  focus  on  preparing  for  an  unknown  attribute  set.  Any  plaintext  can  be 
encrypted  in  a  hybrid  manner  during  the  online  phase  by  a  symmetric  cipher 
keyed  with  the  encapsulated  key.  We  first  show  a  simple  system  that  assumes  a 
bound  P  on  the  maximum  number  of  attributes  that  can  be  used  to  encrypt  a 
ciphertext.  We  show  how  to  remove  this  bound  in  Section  3.2. 

Setup( A,  U )  The  setup  algorithm  takes  in  a  security  parameter  A  and  a  universe 
U  of  attributes,  chooses  a  bilinear  group  G  of  prime  order  p  £  0(2X).  It  also 
chooses  random  generators  <?,  h,  u,  w  £  G  and  picks  a  random  exponent  a  £  Zp. 
It  then  sets  the  keys  as: 

PIC  =  (G  ,p,g,h,u,w,e(g,g)a),  MSK  =  (PK,a). 

We  assume  that  the  universe  of  attributes  can  be  encoded  as  elements  in  Zp. 

Extract(MSK,  (M,  p))  The  extract  algorithm  takes  as  input  the  master  secret 
key  MSK  and  an  LSSS  access  structure  (A/p).  Let  M  be  an  £  x  n  matrix.  The 
function  p  associates  rows  of  M  to  attributes.  The  algorithm  initially  chooses 
random  values  y2,  ■  ■  ■  ,yn  €  Zp.  It  then  computes  £  shares  of  the  master  secret 
key  as  (Ai,  A2, . . . ,  Xe)  :=  M  ■  (a,  y2, . . . ,  yn)T  (where  T  denotes  the  transpose). 
It  then  picks  £  random  exponents  t\,  t2,  ■  ■  ■  ,t(  £  Zp.  For  i  =  1  to  £,  it  computes 

I<i, 0  :=  gXiwu  Kip  :=  (up(l)h)  *l  Kl/2  :=  gu . 

The  private  key  is  SK  :=  ((M,  p),  {Kifi,  Kitl,  Kit2}ie[ite])- 
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Offline. EncryptfPK.)  The  offline  encryption  algorithm  takes  in  the  public  pa¬ 
rameters  only.  Here  we  describe  the  basic  system  which  assumes  a  maximum 
bound  of  P  attributes  will  be  associated  with  any  ciphertext.  We  describe  more 
advanced  variations  in  Section  3.2.  The  algorithm  first  picks  a  random  s  £  Zf 
and  computes 


key  :=  e(g,  g)as  C0  :=  gs. 

Next,  for  j  =  1  to  P,  it  chooses  random  rj,Xj  £  Z.p  and  computes 
CjA  :=  gri  Cjt 2  :=  (u^h)r^w~s. 

One  can  view  this  as  encrypting  for  a  random  attribute  Xj,  where  this  will  be 
corrected  in  the  online  phase.  The  work  done  in  the  offline  phase  is  roughly 
equivalent  to  the  work  of  the  regular  encryption  algorithm  in  [19,  Appendix  C]. 
The  intermediate  ciphertext  is  IT  :=  (key,  Co,  {rj,  Xj,  Cjp, 


Online.  Encrypt{ PK,  IT,  S)  The  online  encryption  KEM  algorithm  takes  as  input 
the  public  parameters,  an  intermediate  ciphertext  IT,  and  a  set  of  attributes  S  = 
(Ai,  A2, . . . ,  Ak<p).  For  j  =  1  to  k,  it  computes  Cy 3  :=  ( rj  ■  ( Aj  —  Xj ))  mod  p. 
Intuitively,  this  will  correct  to  the  proper  attributes.  It  sets  the  ciphertext: 

CT  :=  (S,  Co,  {Cyi,  Cjp,  Cj',3}je[i,fc]). 

The  encapsulated  key  is  key.  The  dominant  cost  is  one  multiplication  in  per 
attribute  in  S. 


Decrypt( SK,  CT )  The  decryption  algorithm  in  the  KEM  setting  recovers  the  en¬ 
capsulated  key.  It  takes  as  input  a  ciphertext  CT  =  (S,  Co,  {Cyi,  Cy2,  Cj’,3}j£[:L,fc]) 
for  attribute  set  S  and  a  private  key  SK  =  ((M,  p),  {A"ij0,  A"ij2}ie[i,q)  for 
access  structure  ( M,p ).  If  S  does  not  satisfy  this  access  structure,  then  the  al¬ 
gorithm  issues  an  error  message.  Otherwise,  it  sets  /  :=  {i  :  p(i)  £  5}  and 
computes  constants  re,  £  Zp  such  that  Jf  iei  Wi  '  =  (C  0, . . . ,  0),  where  Mj 

is  the  Ath  row  of  the  matrix  M.  Then  it  then  recovers  the  encapsulated  key  by 
calculating  key  := 

H  (e(C0,  Ki: 0)  •  e(Cjtl,Kitl)  ■  e{Cja  ■  uc^,I<h 2))“*  =  e(g,  g)as  (1) 

iei 

where  j  is  the  index  of  the  attribute  p(i)  in  S  (it  depends  on  1).  This  does  not 
increase  the  number  of  pairing  operations  over  [19,  Appendix  C],  although  it 
adds  \I\  exponentiations. 
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Correctness  If  the  attribute  set  S  of  the  ciphertext  is  authorized,  we  have  that 
Wi\  =  a.  Therefore,  key: 


:=  I]  (e(co, Ki, o)  •  e(Cjtl,Kitl)  ■  e(Cjt2  ■  uc’-\Kh 2))m 
iei 


=  I] (e(gs,gX'wu)  ■  e(gr*,(u<*i>h)-t*)  ■  h)r>  w  8 
iei 


u 


rj(p(i)-Xj 


,9U)f 


=  n(e(^5)sA*  •  <gMsU  ■  e(g,u)-r^  ■ 

iei 

e(g,h)~r *  ■  e(g,uyWriU  .  e(g,  h)Tjti  •  e(g,w)~stT' 
=  II  e(g,gyw^=e(g,gYa. 


Recall  that  in  the  symmetric  setting  e(g,u)  =  e(u,g),  for  all  g,u  £  <G,  although 
this  scheme  can  operate  in  an  asymmetric  setting  with  small  alterations. 


3.1  Proof  of  Selective  Security 

Discussion  on  Security.  We  shortly  show  that  the  security  of  our  online/offline 
system  can  be  directly  based  on  the  security  of  the  underlying  Rouselakis- 
Waters  [19,  Appendix  C]  system.  The  Rouselakis- Waters  system  that  we  reduce 
security  to  is  selectively  secure  based  on  a  “q-type”  assumption  in  prime  or¬ 
der  groups.  We  remark  that  our  techniques  appear  to  be  equally  annnenable 
to  transforming  the  Lewko- Waters  [15]  system  to  an  online/offiline  system.  The 
Lewko-Waters  system  is  proven  selectively  secure  from  a  static  assumption  in 
composite  order  groups.  If  such  a  transformation  were  done  (as  well  as  a  reduc¬ 
tion  to  their  scheme),  the  new  scheme  would  inherit  those  assumptions. 

In  [10,  Section  9],  Goyal  et  al.  discuss  how  to  combine  delegation  in  their  ABE 
systems  with  the  techniques  of  Canneti-Halevi-Katz  [7]  to  build  a  CCA  secure 
ABE  scheme  from  a  CPA  one.  We  believe  that  a  similar  delegation  structure 
exists  in  our  schemes,  so  that  similar  techniques  would  likely  work  out  (although 
we  do  not  work  out  the  details  here). 

Theorem  1.  The  above  online/ offline  KP-AB-KEM  scheme  is  selectively  CPA- 
secure  with  respect  to  Definition  2  assuming  that  the  scheme  of  Rouselakis  and 
Waters  [19,  Appendix  C]  is  a  selectively  CPA-secure  KP-ABE  system. 

Proof.  To  prove  the  theorem,  we  will  show  that  any  PPT  attacker  A  with  a 
non-negligible  advantage  in  the  OO-ABKEM-Exp  experiment  against  the  above 
scheme,  which  we  will  denote  IIoo  =  (Setup,  Extract,  Offline. Encrypt,  Online. Encrypt, 
Decrypt),  can  be  used  to  break  the  selective  CPA-security  of  the  Rouselakis- 
Waters  scheme,  which  we  will  denote  IIrw  =  (SetupWH/,  Extract^vv-  Encrypt RW, 
Decryptfll/(/),  with  a  PPT  simulator  B. 

The  simulator  plays  the  challenger  and  interacts  with  A  in  OO-ABKEM-Exp 
with  security  parameter  A  and  the  universe  of  attributes  set  to  U  =  Zp. 
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Initialization  Initially,  B  receives  an  attribute  set  S*  =  {A},  A2, , . . ,  A^.}  C  U 
from  A  and  gives  it  to  the  RW  challenger. 

Setup  Next,  B  receives  the  public  parameters  PK  =  (G,p,  g,  h,  u,  w,  e{g1  g)a) 
from  the  RW  challenger  and  passes  them  to  A  unchanged. 

Phase  1  The  secret  keys  are  the  same  in  both  schemes,  so  any  key  generation 
request  from  A  is  passed  to  the  RW  challenger  to  obtain  the  key. 


Challenge  B  chooses  two  distinct,  random  messages  mo,uii  in  the  RW  message 
space  and  sends  them  to  its  RW  challenger,  and  receives  back  a  challenge  cipher- 
text  =  (£*,  C,  Co,  {Cyi,  Cj,2}je[i,|S*|])-  Here  C  is  the  encrypted  message 

times  e(g,g)as,  Co  =  gs  and  for  each  attribute  Aj  €  S* ,  we  have  Cjj  =  grj  and 
Cjt  2  =  (' UAih)riW~s . 

It  then  selects  random  values  Z\, . . .  ,z\$\  £  and  computes  the  ciphertext 
CTq0  as  (S*,C0)  followed  by 


Cj,i  ■■=  Cjti  =  gr 


Cl 2  :  Cj, 2 


zi  =  (' uAjh)rjw 


Ch  ■■=  *i- 


To  see  why  this  is  a  correctly  formed  ciphertext,  one  needs  to  recall  the  third 
pairing  of  equation  1,  where  one  must  compute  e(C*2  •  uC  i  '3 ,  Ki.'i)-  as  well  as 
observe  that  the  ciphertext  is  randomized  to  have  the  proper  distribution.  The  Zj 
blinding  will  cancel  out  in  this  step.  Next,  B  guess  which  message  was  encrypted 
rg  £  {0,1}  and  computes  keyguess  :=  C/mTB.  Finally,  B  then  sends  to  A  the 
tuple  (keyguess,CTo0). 


Phase  2  B  proceeds  as  in  Phase  1. 


Guess  Eventually,  A  outputs  a  bit  r yp  If  =  0  (meaning  that  A  guesses 
that  keyguess  is  the  key  encapsulated  by  CTq0),  then  B  outputs  rg.  If  r_4  = 
1  (meaning  that  A  guesses  that  keyguess  is  a  random  key),  then  B  outputs 
1  —  rg.  The  distribution  for  A  is  perfect.  Thus,  if  A  has  advantage  e  in  the 
OO-ABKEM-Exp  experiment,  then  B  breaks  the  RW  KP-ABE  system  with  the 
same  probability. 


3.2  A  More  Advanced  System:  Pooling  Attributes  for  an 
Unbounded  System 

Previously,  we  presented  a  system  that  imposed  a  bound  of  P  attributes  asso¬ 
ciated  with  any  ciphertext.  We  presented  P  as  if  it  was  a  system- wide  bound 
for  all  ciphertexts,  for  simplicity.  A  slightly  less  naive  solution  would  involve 
creating  a  set  of  intermediate  ciphertexts  prepared  for  different  sizes  of  attribute 
sets,  and  then  pulling  the  “right-sized  IT”  off-the-shelf  during  the  online  phase 
(e.g.,  create  one  IT  for  a  set  of  size  1,  another  for  a  set  of  size  2,  etc.).  However, 
these  approaches  could  prove  wasteful,  as  certain  ITs  may  be  created  and  stored 
without  being  used. 
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Pooling  Construction.  Instead,  we  introduce  the  idea  of  “pooling”  to  eliminate 
waste  during  the  offline  phase.  The  intermediate  ciphertext  is  now  comprised  of 
two  logical  types  of  objects:  a  main  module  and  an  attribute  module.  During 
the  offline  phase(s),  an  arbitrary  number  of  main  and  attribute  modules  are 
independently  created.  During  the  online  phase  for  attribute  set  S,  one  main 
module  and  \S\  attribute  modules  will  be  consumed.  The  critical  feature  of  this 
approach  is  that  any  attribute  module  can  be  attached  to  any  main  module.  The 
online  phase  uses  exactly  what  it  needs,  and  any  modules  left  in  the  pool  can  be 
used  on  subsequent  ciphertexts. 

Specifically,  during  Offline. Encrypt,  a  main  module  is  computed  as  follows.  It 
picks  a  random  s  £  Zp  and  sets  ITmo,;n  :=  (key,  Co,  Cw ),  where  these  values  are 
computed  as 


key  :=  e(g,g)as  C0  :=  gs  Cw  :=  w  s. 

During  Offline. Encrypt,  an  attribute  module  is  computed  as  follows.  It  picks 
a  random  r,x  €  Zp  and  sets  ITait  :=  (r,  x,  C[,  C2),  where  these  values  are 
computed  as 


C[  :=  gr  C'2  :=  (u*h)r. 


During  Online. Encrypt  for  an  attribute  set  S,  the  algorithm  selects  any  one 
main  module  ITma.;n  :=  (key,  Co,  Cw)  and  any  |Sj  attribute  modules  ITattJ-  := 
(rjiXjjC'jijCj^)  available  in  the  pool.  Finally,  it  computes  CT  as  (5,  Co,  {Cj,i, 
Cj,2,  Cabell, |S|]),  where 


Cj ;,i  :=  q !  =  grj  Cjt 2  :=  C'j2  ■  Cu 


{ux’h)ri  ■  w  s  Cjt 3  :=  rj  ■  (Aj  -  xj). 


The  encapsulated  key  is  key. 


Security  Discussion.  The  dominant  cost  in  the  online  encryption  algorithm  is 
2  modular  multiplications  per  attribute  in  S.  To  formally  capture  the  pooling 
model,  the  specification  and  security  definition  in  Section  2  would  need  to  be  ex¬ 
panded  to  have  the  Offline. Encrypt  algorithm  keep  state  (e.g.,  the  pool)  between 
iterations  and  to  pass  this  state  into  Online. Encrypt  as  well.  Since  pooling  does 
not  impact  the  structure  or  distribution  of  the  final  ciphertexts  over  Section  3 
and  the  adversary  in  the  security  experiment  only  views  final  ciphertexts,  it  is 
relatively  straightforward  to  prove  the  selective  security  of  the  pooling  scheme. 


4  A  CP- ABE  Scheme  with  Online/Offline  Encryption 

We  now  turn  our  attention  to  developing  online/offhne  CP- ABE  systems.  This 
is  intuitively  harder  than  KP-ABE,  because  the  structure  of  ciphertext  is  more 
complex.  We  must  now  be  able  to  create  an  intermediate  ciphertext  in  the  offline 
phase  that  can  be  quickly  be  translated  to  a  ciphertext  for  a  hitherto  unknown 
access  structure.  To  do  this,  we  will  use  and  extend  the  basic  “correction”  and 
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pooling  concepts  introduced  for  KP-ABE.  Our  online/ offline  system  is  based 
on  the  unbounded  CP- ABE  scheme  of  Rouselakis  and  Waters  [19,  Section  4], 
where  again  it  takes  a  special  algebraic  structure  to  make  this  work,  which  most 
other  CP-ABE  systems  do  not  appear  to  have.  As  before,  we  are  working  in 
the  KEM  model.  We’ll  first  show  a  simple  system  that  assumes  a  bound  P  on 
the  maximum  number  of  rows  in  an  LSSS  access  structure  that  will  be  used  to 
encrypt.  We  will  subsequently  discuss  how  to  remove  this  bound. 

Setup( A,  U)  The  setup  algorithm  chooses  a  bilinear  group  G  of  prime  order 
p  €  <9(2a).  It  also  chooses  random  generators  g,  h,  u,  v,  w  €  G  and  picks  a  random 
exponent  a  £  Zp.  It  then  sets  the  keys  as: 

PIC  =  (G  ,p,g,h,u,v,w,e(g,g)a),  MSK  =  (PK,a). 

Again,  we  will  view  the  attribute  universe  as  consisting  of  elements  in  Zp. 

Extract( MSK,  S)  The  extract  algorithm  takes  as  input  the  master  secret  key 
MSK  and  an  attribute  set  S  =  {Ai,  A2, . . . ,  A*,}  C  Zp.  The  algorithm  chooses 
random  values  r,  rq,  r^, . . . ,  r*,  £  Zp.  It  then  computes  Kq  '■=  gawr,Ki  '■=  gr , 
and  for  i  =  1  to  k,  it  computes 

Kit 2  :=  gri  Kit 3  :=  (uA*h)rtv~r. 

The  private  key  is  SK  :=  (5,  K0,  Ki,  {Kia,  A/,3}ie[i,fc])- 

Offline. Encrypt( PK)  The  offline  encryption  algorithm  takes  in  the  public  pa¬ 
rameters  only.  Here  we  describe  the  basic  system  which  assumes  a  maximum 
bound  of  P  rows  in  any  LSSS  access  structure  used  in  a  ciphertext.  We  describe 
more  advanced  variations  in  Section  4.1.  The  algorithm  first  picks  a  random 
s  £  Zp  and  computes 

key  :=  e(g,g)as  C0  :=  gs. 

Next,  for  j  =  1  to  P ,  it  chooses  random  A' ,  Xj ,  tj  €  Zp  and  computes 
CjA  :=  w^iv**  C j  2  :=  Cj>3  :=  g** . 

One  can  view  this  as  encrypting  for  a  random  attribute  Xj  with  a  random  “share” 
A'  of  s,  where  this  will  be  corrected  in  the  online  phase.  We  remark  that  the 
work  done  in  the  offline  phase  is  roughly  equivalent  to  the  work  of  the  regular 
encryption  algorithm  in  [19,  Section  4]. 

Intermediate  ciphertext  is  IT  :=  (key,  s,  Co,  {A/,  tj,  Xj,  Cjti,  Cj ,2,  C/,3}je[i,P])- 

Online. Encrypt(PK,  IT,  The  online  encryption  KEM  algorithm  takes  as 

input  the  public  parameters,  an  intermediate  ciphertext  IT,  and  an  LSSS  ac¬ 
cess  structure  ( M,p ),  where  M  is  an  £  x  n  matrix  and  i  <P.  It  picks  random 
2/2)  •  •  •  j  Un  €  Zp,  sets  the  vector  y  =  (s,yz,...,  yn)T  (where  T  denotes  the  trans¬ 
pose  of  the  matrix)  and  computes  a  vector  of  shares  of  s  as  (Ai, . . . ,  A e)T  =  My. 


Approved  for  Public  Release;  Distribution  Unlimited. 

416 


For  j  =  1  to  £,  it  computes 


Cj,4  Aj  Aj  Cjts  tj  ■  (p(j)  Xj). 

Intuitively,  this  will  correct  to  the  proper  attributes  and  shares  of  s.  It  sets  the 
ciphertext  as: 


CT  :=((M,p),Co,{Cj,i 


Cj,2)  Cjt  3,  Cjt  4,  Cj.slje  [i  ,fe] )  - 


The  encapsulated  key  is  key.  The  dominant  cost  is  one  multiplication  in  Zp  per 
row  of  M. 


Decrypt^ SK,  CT )  The  decryption  algorithm  in  the  KEM  setting  recovers  the 
encapsulated  key.  It  takes  as  input  a  ciphertext  CT  =  ((M,  p),  Co,  Cjt2, 
Cjt 3,  Cjt 4,  Cj,5}je[i,fcl )  f°r  access  structure  (M,  p)  and  a  private  key  SK  =  (S,  {Kip, 
Ki  i,  AA:,2}iG[i,q)  for  access  structure  (. M,p ).  If  5  does  not  satisfy  this  access 
structure,  then  the  algorithm  issues  an  error  message.  Otherwise,  it  sets  /:={*: 
p(i)  £  S}  and  computes  constants  Wi  £  Zp  such  that  JA  f  Wi-Afi  =  (1,  0, . . . ,  0) , 
where  Mt  is  the  i-th  row  of  the  matrix  M.  Then  it  then  recovers  the  encapsulated 
key  by  calculating  key  :=  e(g,g)as  = 


e(C0,K0) 


(WZiei  c^w%Iu)  ■  nieMCi^K i)  ei.cip  ■  uc^,Kj:2)  ■  e[Ci, 3,  Kj,3)Y 


(2) 


where  j  is  the  index  of  the  attribute  p(i)  in  S  (it  depends  on  i).  We  note  that 
this  decryption  algorithm  adds  one  pairing  operation  and  |  J|  + 1  exponentiations 
over  [19,  Appendix  C].  Alternatively,  one  could  re-arrange  the  equation  for  no 
additional  pairings  at  the  cost  of  2\I\  exponentiations. 

In  the  full  version  [13],  we  show  correctness  and  prove  the  below  theorem. 


Theorem  2.  The  above  online/ offline  CP-AB-KEM  scheme  is  selectively  CPA- 
secure  with  respect  to  Definition  2  assuming  that  the  scheme  of  Rouselakis  and 
Waters  [19,  Section  4]  is  a  selectively  CPA-secure  CP- ABE  system. 


4.1  Pooling  Attributes  for  an  Unbounded  Ciphertext-Policy  System 

In  the  previous  section,  we  presented  an  online/offline  system  that  imposed  a 
bound  of  P  rows  on  any  LSSS  access  matrix  associated  with  any  ciphertext.  As 
introduced  in  Section  3.2,  we  now  show  how  to  remove  this  bound  by  creating  a 
“pool”  from  which  to  draw  ready-made  ciphertext  components.  As  before,  the 
intermediate  ciphertext  is  comprised  of  two  logical  types  of  objects:  a  main  mod¬ 
ule  and  an  attribute  module.  During  the  offline  phase(s),  an  arbitrary  number  of 
main  and  attribute  modules  are  independently  created.  During  the  online  phase 
for  LSSS  access  structure  (M,  p),  one  main  module  and  £  attribute  modules  will 
be  consumed,  where  M  is  an  t  x  n  matrix.  Any  attribute  module  can  be  attached 
to  any  main  module. 
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Specifically,  during  Offline. Encrypt,  a  main  module  is  computed  as  follows. 

It  picks  a  random  s  £  Zp  and  sets  TTmain  :=  (key,  Co),  where  these  values  are 
computed  as 

key  :=  e(g,g)as  C0  :=  gs. 

During  Offline. Encrypt,  an  attribute  module  is  computed  as  follows.  It  picks 
a  random  X,x,t  €  Zp  and  sets  ITait  :=  (A,  x,  t,  C\,  C2,  C3),  where  these  values 
are  computed  as 

Ci  :=  wxvt  C2  :=  ( tC/i)4  C3  :=  g\ 

During  On  line.  Encrypt  for  an  LSSS  access  structure  ( M,p ),  where  M  is  an 
£  x  n  matrix,  the  algorithm  selects  any  one  main  module  ITmai„  :=  (key,  Co) 
and  any  £  attribute  modules  TTatt,j  :=  available  in  the 

pool.  It  picks  random  y2,  •  ■  • ,  yn  £  Z p ,  sets  the  vector  y  =  (s,  y2, . . . ,  yn)T  (where 
T  denotes  the  transpose  of  the  matrix)  and  computes  a  vector  of  shares  of  s  as 
(Al5...,A  e)T  =  My. 

Finally,  it  computes  CT  as  ((M,  p),  Co,  {Cyi,  Cy2,  Cj$,  Cj ,4,  Cj;5}je [i,^] ) ,  where 

Cj, 4  ;=  Aj  —  Aj  Cj^  :=  tj  •  (p(j)  —  Xj). 

The  encapsulated  key  is  key.  The  dominant  cost  in  the  online  encryption  algo¬ 
rithm  is  one  modular  multiplication  per  row  in  M .  The  security  discussion  at 
the  end  of  Section  3.2  applies  here  as  well. 

5  Online/Offline  ABE  Key  Generation 

Private  key  generation  in  ABE  systems  requires  the  master  secret  key  MSK. 
This  key  is  so  valuable  that  any  organization  granting  keys  might  do  well  to 
store  it  on  only  a  small  number  of  well-guarded  servers.  At  the  same  time,  this 
could  create  a  bottleneck  in  systems  with  many  users,  especially  when  private 
keys  are  reissued  each  time  period  for  revocation  purposes.  In  this  section,  we 
discuss  how  the  key  generation  operation  in  the  KP-ABE  system  of  Section  3 
and  the  CP- ABE  system  of  Section  4  can  operate  in  an  online/offline  fashion 
as  well.  Thus,  the  bulk  of  the  key  generation  work  can  be  performed  by  servers 
that  are  truly  offline  (or  otherwise  well  secured).  These  pre-computations  can  be 
passed  to  the  online  servers,  where  incoming  requests  can  be  processed  quickly. 

In  the  KP-ABE  setting,  a  private  key  embeds  an  LSSS  access  structure, 
whereas  in  the  CP-ABE  setting,  the  private  key  embeds  a  set  of  attributes.  We 
will  borrow  ideas  from  the  prior  two  sections  to  deal  with  these  objects,  where 
again  we  can  employ  both  the  “correct  and  connect”  and  “pooling”  concepts. 

To  capture  online/offline  key  generation,  one  needs  to  replace  the  Extract 
algorithm  with  an  offline  algorithm  that  takes  in  the  MK  and  produces  a  inter¬ 
mediate  private  key  (or  pool  of  private  key  parts)  and  an  online  algorithm  that 
takes  in  this  intermediate  key  (or  pool)  together  with  an  access  structure  and 
then  produces  the  private  key.  The  security  experiment  is  essentially  unchanged 
except  that  the  Create  oracle  (called  in  Phases  1  and  2)  now  calls  Offline. Extract 
and  Online. Extract  in  sequence  to  create  a  private  key. 
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5.1  Online/Offline  Key  Generation  for  KP-ABE  Keys 

The  Setup  and  encryption  algorithms  remain  the  same  as  Section  3.  We  present 
a  pooling  solution,  and  because  the  structure  of  the  private  keys  change,  so  must 
the  decryption  algorithm. 

Offline.  ExtractfMSK)  There  are  no  “main”  key  modules.  A  “row”  module  is 
computed  by  selecting  random  \',x,t  £  Zp  and  outputting  Irow  :=  (A',  x,  t,  K0, 
Ki,Kf)  where  Kq  :=  gx  w *,  K\  :=  (ux/i)_t  and  K2  :=  g*. 

Online.  Extract(pool,  ( M,p ))  Let  M  be  an  £  x  n  matrix.  The  algorithm  initially 
chooses  random  values  y2,  ■  ■  ■ ,  yn  G  Zp.  It  then  computes  l  shares  of  the  master 
secret  key  as  (Ai,  A2, . . . ,  A^)  :=  M- (a,  y2, . . . ,  yn).  Next  select  any  £  row  modules 
from  the  pool.  For  i  =  1  to  £,  set  A';, 3  :=  Ai  —  A'  and  Kit4  :=  fj  •  (p(i)  —  xf).  The 
private  key  is  SK  :=  ((M,  p),  Ki:1,  Kii2,  Kit3,  The  dominant 

cost  is  one  multiplication  per  row  of  M . 

Decrypt{ SK,  CT )  Using  the  prior  steps  and  notation,  it  recovers  the  encapsulated 
key  :=  U, e/  (e(Cb, Kuo  •  9Ki-3)  ■  e(CjA,Kitl  •  u^i>4 )  •  e(Ci>2  •  Ki>2))m  = 

e(g,g)as.  This  adds  2\I\  exponentiations  over  the  construction  in  Section  3. 

5.2  Online/Offline  Key  Generation  for  CP- ABE  Keys 

The  CP-ABE  system  in  Section  4  can  be  extended  in  a  similar  manner.  In 
that  system,  there  will  be  a  “main”  key  module  which  contains  K{] .  K\  and 
Kv  :=  v~r.  The  attribute  modules  are  identical  to  those  of  Section  3.2  and  the 
keys  are  assembled  as  in  the  online  phase  of  3.2.  The  decryption  equation  is  then 
key  :=  e(C0,Ko)/D ,  where  D  =  e{w^^Ci’iWi ,Kx)  ■  HieI(e{Cui,  Kx)  ■  e(Gij2  ■ 
uCi’5,Kj,2  ■  uK^)  ■  e(Cu3,Kjt3))Wi,  resulting  in  e(g,g)as. 

6  Performance  Analysis 

We  provide  estimates  on  the  performance  of  the  proposed  schemes  in  Figures  1 
and  2.  These  numbers  are  extrapolated  from  operation  times  on  a  256-bit  Bareto- 
Naehrig  curve  using  version  0.3.1  of  the  RELIC  library  [3].  Times  are  measured 
in  milliseconds  (averaged  over  10,000  iterations)  and  were  computed  on  an  Intel 
Core  i7  processor  with  16GB  RAM  [2],  We  ignore  small  numbers  of  operations 
which  will  be  negligible  by  comparison,  such  as  arithmetic  in  Zp. 

A  natural  question  to  ask  is:  how  much  pre-processing  can  I  do  for  an  ABE 
encryption  (similarly,  key  generation)  before  I  know  the  message  I  want  to  en¬ 
crypt  or  the  access  structure  that  I  want  to  encrypt  under?  It  may  come  as 
a  surprise  that  the  results  are  so  drastic.  Indeed,  our  estimates  show  that  the 
answer  to  this  question  is:  you  can  do  almost  all  of  the  encryption  work,  before 
you  know  any  of  the  specifics  of  what /to  whom  you  are  encrypting. 

Indeed,  our  worst- case  for  encryption  was  key-policy  ABE  in  pooling  mode, 
and  even  then  over  99%  of  the  work  could  be  done  offline.  Similarly,  the  worst- 
case  for  key  generation  was  ciphertext-policy  ABE  in  pooling  mode,  and  even 
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Encryption  Algorithm 

Bilinear  Operations 

Est.  Time 
P  =  10 

Est.  Time 
P  =  100 

KP-ABE  from  [19,  App.  C] 

IEt  +  (3P  +  2)Ei  +  2PMi 

.133 

1.134 

KP-Offline  Sec.  3 

IEt  +  (3P  +  2)Ei  +  2PMi 

.133 

1.134 

KP-Online  Sec.  3 

0 

<  .001 

<  .001 

KP-Pool-Offline  Sec.  3.2 

1Et  +  (3P  +  2)Ei  +  PMi 

.133 

1.132 

KP-Pool-Online  Sec.  3.2 

PMi 

<  .001 

.001 

CP-ABE  from  [19] 

1Et  +  (5  P  +  l)Ei  +  2PMi 

.203 

1.870 

CP-Offline  Sec.  4 

1Et  +  (5P  +  l)Ei  +  2PMi 

.203 

1.870 

CP-Online  Sec.  4 

0 

<  .001 

<  .001 

CP-Pool-Offline  Sec.  4.1 

1Et  +  (5  P  +  l)Ei  +  2PMi 

.203 

1.870 

CP-Pool-Online  Sec.  4.1 

0 

<  .001 

.001 

Fig.  1.  Performance  estimates  for  regular  and  online/offline  encryption  algorithms.  We 
mapped  these  algorithms  into  the  asymmetric  bilinear  setting,  placing  the  ciphertexts 
in  Gi  and  keys  in  G2.  Let  E;  (resp.,  Mi)  denote  an  exponentiation  (reps.,  multiplication) 
in  the  group  Gi.  The  bilinear  operations  are  the  dominate  cost,  so  we  ignore  minor 
factors  such  as  arithmetic  in  Zp.  The  variable  P  represents  the  size  of  the  attribute  list 
(in  KP-ABE)  or  the  complexity  of  the  access  policy  (in  CP- ABE).  The  times  are  in 
seconds.  It  is  helpful  to  compare  the  cost  of  the  original  scheme  (with  a  citation)  to  the 
cost  of  the  online  phase  of  the  given  algorithms.  In  three  of  the  four  schemes  presented, 
all  bilinear  group  operations  for  encryption  can  be  shifted  to  the  offline  phase. 


then  over  99%  of  the  work  could  be  done  offline.  It  is  also  worth  noting  that 
the  total  computation  required  between  the  offline  and  online  phases  is  nearly 
identical  to  the  work  required  by  the  original  scheme.  Thus,  the  total  work 
remains  the  same,  but  the  vast  majority  of  it  can  be  shifted  in  time  to  a  moment 
when  the  device  is  least  busy  or  has  access  to  a  power  source. 

We  remark  that  the  operation  counts  given  here  for  the  schemes  in  [19] 
differ  slightly  from  the  summary  given  in  that  work.  The  counts  from  [19]  were 
obtained  from  the  Charm  [1]  benchmarking  utility,  which  may  have  performed 
various  optimizations,  whereas  ours  are  a  strict  count  of  operations  from  the 
algorithms  as  presented  in  the  paper  [19].  We  do  not  expect  these  differences  to 
have  any  significant  impact  on  the  estimates  in  Figures  1  and  2. 

7  Conclusions 

We  are  exploring  methods  to  make  attribute-based  encryption  (ABE)  more  ef¬ 
ficient  for  deployment.  To  this  end,  we  investigated  how  devices  might  quickly 
encrypt  ABE  messages  or  generate  user  keys,  even  for  complex  policies. 

We  developed  new  “connect  and  correct”  techniques  for  ABE  that  split  the 
computation  for  encryption  and  key  generation  into  two  phases:  a  preparation 
phase  that  does  the  vast  majority  of  the  work  to  encrypt  a  message  or  create  a 
secret  key  before  it  knows  the  message  or  the  attribute  list /access  control  policy 
that  will  be  used  (or  even  the  size  of  the  list  or  policy).  A  second  phase  can  then 
rapidly  assemble  an  ABE  ciphertext  or  key  when  the  specifics  become  known. 
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Key  Generation  Algorithm 

Bilinear  Operations 

Est.  Time 
P  =  10 

Est.  Time 
P=  100 

KP-ABE  from  [19,  App.  C] 

5PE2  +  2PM2 

.370 

3.703 

KP-Pool-Offline  Sec.  5.1 

5PE2  +  2PM2 

.370 

3.703 

KP-Pool-Online  Sec.  5.1 

0 

<  .001 

<  .001 

CP- ABE  from  [19] 

(3  P  +  4)E2  +  (2  P  +  1)M2 

.252 

2.253 

CP-Pool- Offline  Sec.  5.2 

(3  P  +  4)E2  +  (P  +  1)M2 

.251 

2.251 

CP-Pool-Online  Sec.  5.2 

pm2 

<  .001 

.003 

Fig.  2.  Performance  estimates  for  regular  and  online/offline  key  generation  algorithms. 
We  mapped  these  algorithms  into  the  asymmetric  bilinear  setting,  placing  the  cipher- 
texts  in  Gi  and  keys  in  G2.  Let  E j  (resp.,  Mi)  denote  an  exponentiation  (reps.,  multi¬ 
plication)  in  the  group  Gi.  The  bilinear  operations  are  the  dominate  cost,  so  we  ignore 
minor  factors  such  as  arithmetic  in  Zp.  The  variable  P  represents  the  size  of  the  at¬ 
tribute  list  (in  CP- ABE)  or  the  complexity  of  the  access  policy  (in  KP-ABE).  The 
times  are  in  seconds.  It  is  helpful  to  compare  the  cost  of  the  original  scheme  (with  a 
citation)  to  the  cost  of  the  online  phase.  In  both  schemes,  our  estimates  show  that  over 
99%  of  the  work  to  generate  a  key  can  be  shifted  to  the  offline  phase. 


This  concept  is  sometimes  called  “online/offline”  encryption.  We  provided  effi¬ 
cient  constructions  for  both  key-policy  and  ciphertext-policy  ABE  systems. 

We  provided  performance  estimates  that  showed  over  99%  of  the  computa¬ 
tional  work  could  be  moved  to  offline  phase  in  many  scenarios.  We  expect  that 
this  technology  could  reduce  battery  consumption  on  mobile  devices  and  help 
reduce  the  bottleneck  on  a  master  authority  server  tasked  with  generating  user 
keys.  Overall,  it  helps  reduce  the  cost  of  bringing  ABE  into  practice. 
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ABSTRACT 

Anonymous  credentials  provide  a  powerful  tool  for  making 
assertions  about  identity  while  maintaining  privacy.  However, 
a  limitation  of  today’s  anonymous  credential  systems  is  the 
need  for  a  trusted  credential  issuer  —  which  is  both  a  single 
point  of  failure  and  a  target  for  compromise.  Furthermore, 
the  need  for  such  a  trusted  issuer  can  make  it  challenging  to 
deploy  credential  systems  in  practice,  particularly  in  the  ad 
hoc  network  setting  (e.g.,  anonymous  peer-to-peer  networks) 
where  no  single  party  can  be  trusted  with  this  responsibility. 

In  this  work  we  propose  a  novel  anonymous  credential 
scheme  that  eliminates  the  need  for  a  trusted  credential 
issuer.  Our  approach  builds  on  recent  results  in  the  area  of 
electronic  cash,  and  uses  techniques  —  such  as  the  calculation 
of  a  distributed  transaction  ledger  —  that  are  currently 
in  widespread  deployment  in  the  Bitcoin  payment  system. 
Using  this  decentralized  ledger  and  standard  cryptographic 
primitives,  we  propose  and  provide  a  proof  of  security  for 
a  powerful  anonymous  credential  system,  one  that  allows 
users  to  make  flexible  identity  assertions  with  strong  privacy 
guarantees.  We  further  show  how  our  basic  system  can  be 
extended  to  provide  a  variety  of  powerful  features  including 
fc-show  credentials  and  “updatable”  credentials  that  admit  a 
fully  anonymous  reputation  system.  From  this  we  construct 
a  distributed  anonymous  reputation  system  that  assigns 
users  a  single  global  reputation  score.  Finally,  we  discuss  a 
number  of  practical  applications  for  our  techniques,  including 
resource  management  in  ad  hoc  networks  and  prevention  of 
Sybil  attacks. 

1.  INTRODUCTION 

Traditionally,  making  statements  about  identity  on  the 
Internet,  whether  actual  assertions  of  identity  (“I  am  Spar- 
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tacus”)  or  about  one’s  identity  (“I  am  a  gladiator”)  involves 
centralized  providers  who  verify  the  identity  claim  and  issue  a 
credential  attesting  to  that  verification.  These  organizations, 
which  include  Certificate  Authorities,  DNS  maintainers,  or 
login  providers  like  Google  and  Facebook,  play  a  large  role 
in  securing  internet  infrastructure,  email,  and  financial  trans¬ 
actions.  Our  increasing  reliance  on  these  providers  elicits 
two  concerns:  first,  the  use  of  global  identifiers  raises  issues 
about  privacy  and  user  tracking.  Second  —  and  more  fun¬ 
damentally  —  in  many  settings  such  as  ad  hoc  networks,  it 
may  be  challenging  to  identify  parties  who  can  be  trusted  to 
play  this  critical  role. 

Anonymous  credentials,  introduced  by  Chaum  [19]  and 
developed  in  a  line  of  subsequent  works  [8,  11,  14,  12,  4],  repre¬ 
sent  a  powerful  solution  to  the  privacy  concern:  they  deprive 
even  colluding  credential  issuers  and  verifiers  of  the  ability 
to  identify  and  track  their  users.  Unfortunately,  anonymous 
credentials  exacerbate  the  second  issue.  Most  existing  cre¬ 
dential  systems  assume  a  trusted,  centralized  “issuer,”  which 
is  typically  responsible  both  for  certifying  users’  identity 
statements  and  for  issuing  the  corresponding  anonymous 
credentials.  Indeed,  the  trust  requirement  for  an  anonymous 
credential  issuer  is  arguably  higher  than  the  corresponding 
requirement  for  a  standard  identity  management  system, 
since  the  anonymity  properties  make  it  difficult  to  detect 
provider  malfeasance  (e.g.,  the  creation  of  false  credentials). 
Ideally  we  could  distribute  both  the  certification  of  identities 
and  the  issuing  of  credentials. 

Until  recently,  it  seemed  difficult  to  contemplate  certifying 
identities  without  assuming  a  trusted  party.  However,  several 
recent  developments  have  offered  an  alternative  and  decen¬ 
tralized  vision  for  addressing  this  problem.  In  these  systems, 
exemplified  by  Namecoin  [37],  peers  collaborate  to  main¬ 
tain  a  distributed  append-only  transaction  ledger  for  identity 
assertions.  These  systems  employ  the  ledger  to  record  map¬ 
pings  from  names  to  public  keys  and  can  enforce  complex 
semantics  over  the  identity  assertions.  The  Namecoin  sys¬ 
tem  has  already  been  deployed  to  implement  a  decentralized 
version  of  the  DNS  system  [25],  and  it  is  easy  to  imagine 
further  extensions  such  as  a  decentralized  SSL  Public  Key 
Infrastructure,  time  stamping,  and  reputation  networks.  The 
ability  to  establish  and  make  statements  about  identity  (e.g., 
“I  have  an  identity,  it  required  some  effort  to  create,  and  I 
have  used  it  in  successful  transactions”)  seems  particularly 
useful  for  applications  related  to  ad  hoc  networks,  which  are 
famously  vulnerable  to  Sybil  attacks  [26]. 

Even  given  the  above  systems,  decentralized  issuing  of 
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anonymous  credentials  remains  elusive.  Specifically,  decen¬ 
tralized  systems  seem  incompatible  with  most  existing  anony¬ 
mous  credential  techniques,  which  typically  rely  on  blind 
signatures.  The  use  of  signatures  necessitates  a  trusted  is¬ 
suer  —  or  at  least  a  small  quorum  of  cooperating  parties  who 
hold  shares  of  the  private  key.  Unfortunately,  implementing 
threshold  cryptographic  techniques  seems  challenging  if  we 
wish  to  widely  distribute  trust  or  deal  with  ad  hoc  applica¬ 
tions  where  nodes  routinely  enter  and  exit  the  network.  This 
appears  to  leave  us  with  a  binary  choice:  we  must  choose 
centralized  anonymous  credentials  that  protect  our  privacy 
or  decentralized  credentials  that  offer  no  privacy  protection. 

Our  contribution.  In  this  paper  we  show  how  to  construct 
anonymous  credentials  in  a  decentralized  setting.  Our  ap¬ 
proach  extends  prior  work  on  anonymous  credentials  but 
removes  the  need  to  appoint  a  trusted  credential  issuer.  A 
consequence  of  this  result  is  that  our  credential  system  can 
be  instantiated  on-demand  and  operated  by  an  ad  hoc  group 
of  mistrustful  peers.  We  show  how  to  extend  our  creden¬ 
tial  scheme  to  create  updatable  (e.g.  stateful)  anonymous 
credentials  in  which  users  obtain  new  credentials  based  on 
changing  properties  of  their  identity.  Finally,  from  updatable 
credentials  we  construct  the  first  fully  peer-to-peer  anony¬ 
mous  reputation  system  where  users  have  a  single  global 
reputation  score.  We  believe  the  reputation  system  may  be 
of  independent  interest. 

As  a  basic  ingredient,  our  protocols  require  the  existence 
of  a  distributed  public  append-only  ledger,  a  technology  which 
has  most  famously  been  deployed  in  distributed  electronic 
currencies  such  as  Bitcoin  [36].  This  ledger  can  be  employed 
by  individual  nodes  to  make  assertions  about  identity  in  a 
fully  anonymous  fashion  without  the  assistance  of  a  credential 
issuer. 

We  believe  that  our  techniques  have  several  immediate  ap¬ 
plications.  These  include: 

•  Anonymous  resource  management  in  ad  hoc  net¬ 
works.  Peer-to-peer  networks  are  vulnerable  to  imper¬ 
sonation  attacks,  where  a  single  party  simulates  many 
different  peers  in  order  to  gain  advantage  against  the 
network  [26].  We  show  that  our  credentials  may  be 
useful  in  mitigating  these  attacks.  The  basic  approach 
is  to  construct  an  anonymous  subscription  service  [22, 
9,  34]  where  parties  would  establish  unique  or  costly 
pseudonyms  (for  example  by  completing  a  computa¬ 
tional  proof  of  work,  submitting  a  payment,  or  demon¬ 
strating  satisfaction  of  some  network  criteria).  They 
can  then  assert  possession  on  their  identity  under  a 
specific  set  of  restrictions,  e.g.,  a  limit  to  the  number 
of  requests  they  can  make  in  each  time  period. 

•  Anonymous  reputation  management  for  ad  hoc 
networks.  A  further  extension  of  our  construction  al¬ 
lows  parties  to  update  credentials,  i.e.,  by  inserting  new 
credentials  into  the  block  chain.  This  admits  a  variety 
of  sophisticated  enhancements  such  as  fully  anonymous 
reputation  systems  [42,  1]  in  which  parties  update  and 
prove  statements  about  a  reputation  score  following 
successful  (or  unsuccessful)  interactions.  These  systems 
can  be  useful  in  situations  where  reputation  informa¬ 
tion  improves  network  efficiency  but  where  traditional 
(non-anonymous)  reputation  systems  may  expose  high- 
reputation  nodes  to  malicious  attacks. 


•  Auditable  credentials.  Our  techniques  may  also  be 
used  to  extend  existing  centralized  credential  systems 
by  allowing  for  public  audit  of  issued  credentials.  This 
helps  to  guard  against  compromised  credential  issuers 
and  allows  the  network  to  easily  detect  and  revoke  in¬ 
appropriate  credential  grants.  For  example,  in  Direct 
Anonymous  Attestation  (DAA)  one  might  want  to  pre¬ 
vent  a  malicious  DAA  authority  from  covertly  granting 
certificates  to  users  who  do  not  have  a  TPM  or  whose 
TPM  did  not  attest. 

1.1  Overview  of  Our  Construction 

We  now  provide  a  brief  overview  for  our  construction, 
which  is  inspired  by  the  electronic  cash  proposals  of  Sander 
and  Ta-Shma  [45]  and  Miers  et  al.  [35].  We  begin  with  a 
brief  overview  of  decentralized  identification  techniques. 

Decentralized  identities.  Decentralized  identity  systems 
such  as  Namecoin  are  based  on  two  assumptions:  the  exis¬ 
tence  of  a  distributed  append-only  transaction  ledger  and 
a  set  of  consensus  rules  for  accepting  new  entries  into  this 
ledger.  In  a  basic  PKI  system,  users  are  permitted  to  assert 
ownership  of  arbitrary  identity  strings  by  submitting  a  trans¬ 
action  embedding  the  identity  as  well  as  a  public  key  for 
some  digital  signature  scheme.  The  network  then  evaluates 
the  legitimacy  of  each  claim  according  to  rules  defined  in 
the  protocol.  In  a  simple  example  -  which  corresponds  to 
the  Namecoin  DNS  system  -  pseudonyms  may  be  arbitrary 
strings  and  will  be  accepted  by  the  network  on  the  condition 
that  the  pseudonym  has  not  previously  been  claimed. 

Naturally  it  is  possible  to  apply  more  complex  rules  to  this 
process.  For  example,  identity  claims  may  be  conditioned 
on  the  submission  of  a  publicly-verifiable  proof  of  work  or 
even  proof  that  a  sum  of  electronic  currency  has  been  spent 
or  destroyed.  Identity  claims  may  also  leverage  one  or  more 
existing  non-anonymous  identity  credentials:  for  example,  a 
proof  that  the  claimant  has  a  certificate  from  a  PKI  and/or 
a  signature  using  a  TPM  enrollment  key.  Identities  may  also 
include  externally  verifiable  assertions  about  the  claiming 
party,  e.g.,  that  the  party  is  contributing  a  specific  amount 
of  resources  to  a  peer-to-peer  network. 

Issuing  and  showing  credentials.  The  ability  to  estab¬ 
lish  identities  and  bind  them  to  a  public  key  ensures  that 
users  can  assert  their  identity  in  a  non-anonymous  fash¬ 
ion,  simply  by  issuing  signatures  from  the  corresponding 
secret  key.  Unfortunately,  this  does  not  immediately  show 
us  how  to  construct  anonymous  credentials,  since  traditional 
anonymous  credentials  consist  of  a  signature  computed  by 
a  credential  issuer.  Since  no  central  party  exists  to  com¬ 
pute  the  credential  signature,  this  approach  does  not  seem 
feasible  without  elaborate  (and  inefficient)  use  of  threshold 
cryptography.1 

We  instead  take  a  different  approach.  To  issue  a  new 
credential  in  our  decentralized  system,  the  user  establishes  an 
identity  and  related  attributes  as  described  above.  She  then 
attaches  a  vector  commitment  to  her  secret  key  sku  along 
with  the  identity  and  attribute  strings  that  are  contained 
within  her  identity  assertion.  Finally,  she  includes  a  non¬ 
interactive  proof  that  the  credential  is  correctly  constructed, 

1A  possibility  is  to  use  ring  signatures  [43],  which  do  not 
require  a  single  trusted  signer.  Unfortunately  these  signatures 
grow  with  the  number  of  participating  signers  and  require 
expensive  communication  to  generate. 
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i.e.,  that  the  attributes  in  the  commitment  correspond  to 
those  revealed  in  the  identity  assertion.  The  network  will 
accept  the  identity  assertion  if  and  only  if  the  assertion  is 
considered  valid,  and  the  attached  proof  is  valid. 

At  a  later  point  an  individual  can  prove  possession  of 
such  a  credential  by  proving  the  following  two  statements  in 
zero-knowledge : 

1.  She  knows  a  commitment  Ci  in  the  set  (C 1, . . . ,  Cjv)  of 
all  credentials  previously  accepted  to  the  block  chain. 

2.  She  knows  the  opening  (randomness)  for  the  commit¬ 
ment. 

In  addition  to  this  proof,  the  user  may  simultaneously 
prove  additional  statements  about  the  identity  and  attributes 
contained  within  the  commitment  Ci.  The  challenge  in  the 
above  construction  is  to  efficiently  prove  statements  (1)  and 
(2),  i.e.,  without  producing  a  proof  that  scales  with  N.  Our 
solution,  which  adapts  techniques  from  distributed  e-cash 
systems  [35],  circumvents  this  problem  by  using  an  efficient 
publicly-verihable  accumulator  [12]  to  gather  the  set  of  all 
previous  commitments  together.  Using  this  accumulator 
in  combination  with  an  efficient  membership  proof  due  to 
Camenisch  and  Lysyanskaya  in  [13],  we  are  able  to  reduce 
the  size  of  this  proof  to  O(A)  for  security  parameter  A,  rather 
than  the  0(N  •  A)  proofs  that  would  result  from  a  naive  OR 
proof. 

Of  course,  merely  applying  these  techniques  does  not  lead 
to  a  practical  credential  system.  A  key  contribution  of  this 
work  is  to  supply  concrete  instantiation  of  the  above  idea 
under  well-studied  assumptions,  and  to  prove  that  our  con¬ 
struction  provides  for  consistency  of  credentials  (ensuring 
multiple  users  cannot  pool  their  credentials),  the  establish¬ 
ment  of  pseudonyms,  and  a  long  set  of  extensions  built 
upon  anonymous  credentials.  Last  but  not  least  we  need 
to  formally  define  and  prove  the  security  of  a  distributed 
anonymous  credential  scheme  and  provide  some  model  for 
the  distributed  ledger.  Our  instantiation  requires  a  single 
trusted  setup  phase,  after  which  the  trusted  party  is  no  longer 
required.2 

Extensions:  stateful  credentials  and  reputation  sys¬ 
tems.  We  argue  that  our  basic  credential  system  is  sufficient 
to  permit  many  useful  activities  in  a  decentralized  network. 
However,  there  are  also  cases  where  the  user’s  attributes 
may  be  a  function  of  previous  transactions  on  the  network. 
One  example  is  a  decentralized  reputation  system,  where  the 
user  periodically  updates  his  “attribute”  (reputation  count) 
based  on  previous  interactions  with  other  users.  In  §6  and 
§7  we  propose  extensions  to  our  basic  anonymous  credential 
system  that  allow  users  to  update  their  credential  based  on 
interactions  with  other  parties.  The  key  to  our  proposal  is 
that  users  can  prove  knowledge  of  a  previous  transaction 
and  an  interaction  with  a  third  party  and  use  these  proofs 
as  the  condition  for  obtaining  a  new  credential.  This  means 
that  users  can  interact  and  exchange  reputation  according 
to  a  set  of  network-wide  transaction  rules,  without  revealing 
which  users  interacted  and  how  that  interaction  affected  their 
score.  Users  may  later  prove  statements  about  their  current 
reputation  score,  within  a  range  of  their  choice.  We  believe 
that  this  has  numerous  applications  to  peer  networks  with 

2In  §6  we  discuss  techniques  for  removing  this  trusted  setup 
requirement. 


nodes  of  varying  capabilities,  e.g.,  electing  supernodes  in 
hierarchical  peer  networks. 

1.2  Outline  of  This  Work 

The  remainder  of  this  work  is  organized  as  follows.  In  the 
next  section  we  discuss  specific  applications  for  decentralized 
anonymous  credentials  and  argue  that  these  systems  can  be 
used  to  solve  a  variety  of  problems  in  peer-to-peer  networks. 
In  §3  we  describe  the  cryptographic  building  blocks  of  our 
construction,  and  in  §4  we  define  the  notion  of  a  decentralized 
anonymous  credential  scheme  and  provide  an  ideal-world 
security  definition.  In  §5  we  provide  an  overview  of  our 
basic  construction  as  well  as  a  specific  instantiation  based  on 
the  Discrete  Logarithm  and  Strong  RSA  assumption.  In  §6 
we  extend  our  basic  construction  to  add  a  variety  of  useful 
features,  including  fc-show  credentials,  stateful  credentials, 
and  credential  revocation.  Finally,  in  §7  we  detail  the  first 
distributed,  identity-bound,  anonymous  reputation  systems 
where  users  have  a  single  global  reputation. 

2.  APPLICATIONS 

In  this  section  we  discuss  several  of  the  applications  fa¬ 
cilitated  by  decentralized  anonymous  credentials.  While  we 
believe  that  these  credential  systems  may  have  applications 
in  a  variety  of  environments,  we  focus  specifically  on  settings 
where  trusting  a  central  credential  issuer  is  not  an  option  or 
where  issued  credentials  must  be  publicly  audited. 

Mitigating  Sybil  attacks  in  ad  hoc  networks.  Imper¬ 
sonation  attacks  can  have  grave  consequences  for  both  the 
security  and  resource  allocation  capabilities  of  ad  hoc  net¬ 
works.  A  variety  of  solutions  have  been  proposed  to  address 
this  problem.  One  common  approach  is  to  require  that 
clients  solve  proofs  of  work:  resource-consuming  challenges 
that  typically  involving  either  storage  or  computation  [26]. 
Unfortunately  it  can  be  challenging  to  re-use  a  single  proof  of 
work  in  an  anonymous  fashion,  i.e.,  without  either  identifying 
participants  or  allowing  other  users  to  clone  the  solution. 

One  solution  to  this  problem  is  to  use  fc-show  anonymous 
credentials.  In  this  approach,  peers  establish  a  single  cre¬ 
dential  by  solving  a  proof  of  work.  This  allows  the  peer 
to  obtain  a  credential  that  can  be  used  a  limited  number 
of  times  or  a  limited  number  of  times  within  a  given  time 
period.  When  a  peer  exceeds  the  fc-use  threshold  (e.g.,  by 
cloning  the  credential  for  a  Sybil  attack),  the  credential  can 
be  identified  and  revoked.  We  note  that  this  proposal  is  a 
distributed  variant  of  the  anonymous  subscription  service 
concept,  which  was  first  explored  in  [22,  9[. 

Managing  resource  usage.  In  networks  where  peers  both 
contribute  and  consume  resources,  ensuring  fair  resource  uti¬ 
lization  can  be  challenging.  For  example,  a  storage  network 
might  wish  to  ensure  peers  provide  as  much  storage  as  they 
consume  [39]  or  ensure  that  peers  fairly  use  network  band- 
witli  [40].  This  can  be  problematic  in  networks  that  provide 
anonymity  services  (e.g.  Tor)  or  VOIP3,  where  peers  may 
be  reluctant  to  identify  which  traffic  they  originated.  An 
anonymous  credential  system  allows  peers  to  identify  their 
contributions  to  routing  traffic  in  exchange  for  a  credential 
which  they  can  then  use  to  originate  traffic.  This  helps  to 

3 Prior  its  acquisition  by  Microsoft,  Skype  used  a  peer-to-peer 
overlay  network 
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ensures  that  peers  contribute  resources  back  to  the  network 
while  preserving  their  anonymity. 

Reputation  in  peer-to-peer  systems.  As  noted  in  [49], 
the  lack  of  trust  relationships  can  be  a  fundamental  problem 
in  peer-to-peer  systems.  This  problem  is  exacerbated  in 
anonymous  communication  networks,  where  peer  interactions 
can  reveal  sensitive  information  about  usage  history.  The 
distributed  anonymous  reputation  system  we  describe  in 
§7  allows  nodes  to  establish  a  reputation  based  on  a  past 
history  of  positive  interactions  with  other  nodes.  We  offer 
two  examples  where  this  is  useful. 

First,  consider  the  usage  of  Tor  to  circumvent  censorship 
by  state  level  actors.  While  the  identities  of  Tor  nodes 
themselves  are  public,  entrance  nodes  (called  bridges)  need 
to  remain  both  (1)  unblocked  and  thus  unknown  to  censors 
and  (2)  available  to  honest  users.  Wang  et  al.  [48]  propose 
a  solution  to  these  seemingly  incompatible  goals:  distribute 
bridge  addresses  only  to  high-reputation  users,  and  define 
a  user’s  reputation  as  the  uptime  of  the  bridges  they  know 
about.  Being  centralized,  their  system  requires  a  central 
party  who  must  be  trusted  both  not  to  reveal  the  whole 
bridge  list  and  with  accurately  maintaining  users’  reputations. 
Our  proposal  allows  us  to  eliminate  this  party. 

Similarly,  file  sharing  networks  may  also  benefit  from  rep¬ 
utation,  as  these  networks  are  vulnerable  to  malicious  peers 
uploading  inauthentic  files.  Kamvar  et  al.  [32]  identify  this 
problem  and  propose  a  reputation  system  as  a  solution.  How¬ 
ever,  their  proposed  solution  associates  each  user  with  an 
“opaque  identifier”  and  thus  offers  users  very  little  privacy. 

3.  PRELIMINARIES 

We  make  use  of  the  following  complexity  assumptions  and 
cryptographic  building  blocks  to  construct  our  scheme. 

3.1  Complexity  Assumptions 

The  security  of  our  scheme  relies  on  the  following  two 
complexity  assumptions: 

Strong  RSA  Assumption  [3,  28].  Given  a  randomly 
generated  RSA  modulus  n  and  a  random  element  y  £  h*n,  it 
is  hard  to  compute  i£Z*  and  integer  exponent  e  >  1  such 
that  a f  =  y  mod  n.  We  can  restrict  the  RSA  modulus  to 
those  of  the  form  pq,  where  p  =  2 p'  +  1  and  q  =  2 q'  +  1  are 
safe  primes. 

Discrete  Logarithm  (DL)  Assumption  [23].  Let  G  be 

a  cyclic  group  with  generator  g.  Given  h  €  G,  it  is  hard  to 
compute  x  such  that  h  =  gx . 

3.2  Cryptographic  Building  Blocks 

Zero-knowledge  proofs.  In  a  zero-knowledge  protocol  [30] 
a  user  (the  prover)  proves  a  statement  to  another  party 
(the  verifier)  without  revealing  anything  about  the  state¬ 
ment  other  than  that  it  is  true.  Our  constructions  use 
zero-knowledge  proofs  that  can  be  instantiated  using  the 
technique  of  Schnorr  [47],  with  extensions  due  to,  e.g.,  [21, 
15,  17,  7].  We  convert  these  into  non-interactive  proofs  by 
applying  the  Fiat-Shamir  heuristic  [27].  When  we  use  these 
proofs  to  authenticate  auxiliary  data,  we  refer  to  the  resulting 
non-interactive  proofs  as  signatures  of  knowledge  as  defined 
in  [18]. 

When  referring  to  these  proofs  we  will  use  the  notation  of 
Camenisch  and  Stadler  [16].  For  instance,  NIZKPoK{(®, y)  : 


h  =  gx  A  c  =  gy }  denotes  a  non-interactive  zero-knowledge 
proof  of  knowledge  of  the  elements  x  and  y  that  satisfy  both 
h  —  gx  and  c  =  gv .  All  values  not  enclosed  in  ()’s  are 
assumed  to  be  known  to  the  verifier.  Similarly,  the  extension 
ZKSoK[m]{(:r, y)  :  h  =  gx  A  c  =  gv}  indicates  a  signature 
of  knowledge  on  message  m. 

Accumulators  [35].  An  accumulator  allows  us  to  combine 
many  values  into  one  smaller  value  (the  accumulator).  We 
then  have  a  single  element,  called  the  witness,  that  allows 
us  to  attest  to  the  fact  that  a  given  value  is  actually  part 
of  the  accumulator.  Our  constructions  use  an  accumulator 
based  on  the  Strong  RSA  assumption.  The  accumulator  we 
use  was  first  proposed  by  Benaloh  and  de  Mare  [5]  and  later 
improved  by  Baric  and  Pfitzmann  [3]  and  Camenisch  and 
Lysyanskaya  [12].  We  describe  the  accumulator  using  the 
following  algorithms: 

•  AccumSetup(A)  — >  params.  On  input  a  security  param¬ 
eter,  sample  primes  p,  q  (with  polynomial  dependence 
on  the  security  parameter),  compute  N  =  pq,  and  sam¬ 
ple  a  seed  value  u  €  QRn,u  ^  1.  Output  ( N,u )  as 
params. 

•  Accumulate(pa?'ams,  C)  — >-  A.  On  input  params  ( N,u ) 
and  a  set  of  prime  numbers  C  =  {ci,...,c;  |  c  € 

[A,  ®]},4  compute  the  accumulator  A  as  uclC2"'Crl  mod 
N. 

•  Gen\N\tness(params,  v,  C)  — >  u>.  On  input  params 
( N,u ),  a  set  of  prime  numbers  C  as  described  above, 
and  a  value  v  €  C,  the  witness  u>  is  the  accumulation  of 
all  the  values  in  C  besides  v,  i.e. ,  to  =  Accumulate(params, 

c\M). 

•  AccVerify (params,  A,  v,u>)  —>  {0, 1}.  On  input  params 
( N,u ),  an  element  v,  and  witness  oj,  compute  A'  = 
u>v  mod  N  and  output  1  if  and  only  if  A'  —  A,  v  is 
prime,  and  v  €  [A,  ®]  as  defined  previously. 

For  simplicity,  the  description  above  uses  the  full  calculation 
of  A.  Camenisch  and  Lysyanskaya  [12]  observe  that  the 
accumulator  may  also  be  incrementally  updated,  i.e.,  given 
an  existing  accumulator  An  it  is  possible  to  add  an  element 
x  and  produce  a  new  accumulator  value  A„+i  by  computing 
An+ 1  =  Ax  mod  N.  5 

Camenisch  and  Lysyanskaya  [12]  show  that  the  accumu¬ 
lator  satisfies  a  strong  collision-resistance  property  if  the 
Strong  RSA  assumption  is  hard.  Informally,  this  ensures 
that  no  p.p.t.  adversary  can  produce  a  pair  ( v,oj )  such  that 
v  (f  C  and  yet  AccVerify  is  satisfied.  Additionally,  they  de¬ 
scribe  an  efficient  zero-knowledge  proof  of  knowledge  that  a 
committed  value  is  in  an  accumulator.  We  convert  this  into 
a  non-interactive  proof  using  the  Fiat-Shamir  transform  and 
refer  to  the  resulting  proof  using  the  following  notation: 

NIZKPoK{(u,  lo)  :  AccVerify ((N,u),  A,v,uj)  =  1}. 

Verifiable  Random  Functions.  A  pseudorandom  func¬ 
tion  (PRF)  [29]  is  an  efficiently  computable  function  whose 

4“Where  A  and  ®  can  be  chosen  with  arbitrary  polynomial 
dependence  on  the  security  parameter,  as  long  as  2  <  A  and 
®  <  A2.”  [13]  For  a  full  description,  see  [13,  §3.2  and  §3.3]. 
’This  allows  the  network  to  maintain  a  running  value  of  the 
accumulator  and  prevents  individual  nodes  from  having  to 
recompute  it  [35]. 
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•  RegNym(Nymtj} ,  U,0 ):  U  logs  into  Tp  with  sku  to  register  a  nym  with  organization  O.  If  she  does  not  have  an  account, 
she  first  creates  one.  She  gives  Tp  a  unique  random  string  Nym p  for  use  as  her  nym  with  O.  Tp  checks  that  the  string  is 
indeed  unique  and  if  so  stores  (Nym°,  U,  O)  and  informs  U. 

•  MintCred(Nymp ,  O,  attrs,  aux):  U  logs  into  Tp  authenticating  with  sku-  If  Nym°  is  not  U’s  nym  with  O  or  sku  is 
wrong,  reject.  Otherwise,  Tp  checks  that  aux  justifies  issuing  a  credential  under  O’s  issuing  policy  and  if  so  generates  a 
unique  random  id  ID  and  stores  (Nym^,U,  ID,  attrs).  It  then  adds  ID  to  its  public  list  of  issued  credentials  for  O. 

•  ShowOnN ym.(Nym^ ,  Nym ,  O,  V,  attrs,  C):  U  logs  into  Tp  with  sku-  If  Nym°  is  not  U’ s  nym  with  O  or  Nym ^  is  not 
U’s  nym  with  V,  reject.  Else,  Tp  checks  if  the  tuple  ( Nym p,  U)  exists,  if  ID  associated  with  that  tuple  is  in  the  set  of 
credentials  C  that  U  provided,  and  if  the  given  attributes  attrs  match  the  attributes  associated  with  that  tuple.  If  all 
conditions  hold,  Tp  informs  V  that  Nym p  has  a  credential  from  O  in  the  set  C.  V  then  retrieves  the  set  of  credentials 
Co  issued  by  O  from  Tp  and  accepts  Tp’ s  assertion  if  and  only  if  C  C  Co  and  O’s  issuing  policy  is  valid  \/c'  €  Co- 

•  GetCredList(0 ):  Tp  retrieves  the  list  of  credentials  for  organization  O  and  returns  it. 


Figure  1:  Ideal  Functionality.  Security  of  a  basic  distributed  anonymous  credential  system. 


output  cannot  be  distinguished  (with  non-negligible  advan¬ 
tage)  from  random  by  a  computationally  bounded  adversary. 
We  denote  the  pseudorandom  function  as  fk(-),  where  k 
is  a  randomly  chosen  key.  A  number  of  PRFs  possess  effi¬ 
cient  proofs  that  a  value  is  the  output  of  a  PRF  on  a  set 
of  related  public  parameters.  Two  examples  of  this  are  the 
Dodis-Yampolskiy  (DY)  PRF  [24]  and  the  Naor-Reingold 
PRF  [38]. 

Pedersen  Commitments.  A  commitment  scheme  allows 
a  user  to  bind  herself  to  a  chosen  value  without  revealing 
that  value  to  the  recipient  of  the  commitment.  This  commit¬ 
ment  to  the  value  ensures  that  the  user  cannot  change  her 
choice  (i.e.,  binding),  while  simultaneously  ensuring  that  the 
recipient  of  the  commitment  does  not  learn  anything  about 
the  value  it  contains  (i.e.,  hiding)  [20].  In  Pedersen  commit¬ 
ments  [41],  the  public  parameters  are  a  group  G  of  prime 
order  q,  and  generators  (go,  ■  ■  ■ ,  gm)-  In  order  to  commit  to 
the  values  (vi, . . . ,  vm)  £  Z™ ,  pick  a  random  r  £  Zg  and  set 
C  =  PedCom(i>i, ... .  ,vm\r)  =  gl  11™ i  ffP • 

4.  DECENTRALIZED  ANONYMOUS  CRE¬ 
DENTIALS 

A  traditional  anonymous  credential  system  has  two  types  of 
participants:  users  and  organizations.  Users,  who  each  have  a 
secret  key  sku,  are  known  by  pseudonyms  both  to  each  other 
and  organizations.  Nym for  example,  is  the  pseudonym 
of  user  A  to  organization  O.  Decentralized  anonymous  cre¬ 
dentials  have  no  single  party  representing  the  organization. 
Instead,  this  party  is  replaced  with  a  quorum  of  users  who 
enforce  a  specific  credential  issuing  policy  and  collaboratively 
maintain  a  list  of  credentials  thus  far  issued.  For  consistency 
with  prior  work,  we  retain  the  term  “organization”  for  this 
group. 

A  distributed  anonymous  credential  system  consists  of  a 
global  transaction  ledger  as  well  as  the  following  (possibly 
probabilistic)  algorithms: 

•  Setup(lA)  —¥  params.  Generates  the  system  parame¬ 
ters. 

•  Key  Gen  (params)  —¥  sku-  Run  by  a  user  to  generate 
her  secret  key. 


•  Form  Nym  (params,  U,  E,  sku)  — >  (Nym§,  skNymE).  Run 

by  a  user  to  generate  a  pseudonym  Nym§  and  an  au¬ 
thentication  key  skNymE  between  a  user  U  and  some 
entity  (either  a  user  or  an  organization)  E. 

•  MintC  red  (params,  sku,  Nymp,  skNymo,  attrs,  aux) 

(c,  skc,TTM)-  Run  by  a  user  to  generate  a  request  for 
a  credential  from  organization  O.  The  request  consists 
of  a  candidate  credential  c  containing  public  attributes 
attrs\  the  user’s  key  sku',  auxiliary  data  aux  justifying 
the  granting  of  the  credential;  and  a  proof  i vm  that 
(1)  Nymp  was  issued  to  the  same  sku  and  (2)  the 
credential  embeds  attrs. 

•  MintVerify(params,  c,  Nymp ,  aux,  tvm)  — >  {0, 1}.  Run 
by  nodes  in  the  organization  to  validate  a  credential. 
Returns  1  if  i xm  is  valid,  0  otherwise. 

•  Show  (params,  skv,  Nym\j,skNymv,c,skc,C0)  — >  tvs- 
Run  by  a  user  to  non- interactively  prove  that  a  given 
set  of  attributes  are  in  a  credential  c  in  the  set  of  issued 
credentials  Co  and  that  c  was  issued  to  the  same  person 
who  owns  Nymp.  Generates  and  returns  a  proof  tvs- 

•  ShowVerify(params,  Nymp,  tvs,  Co)  — >  {0, 1}.  Run  by 
a  verifier  to  validate  a  shown  credential.  Return  1  if 
tvs  is  valid  for  Nymp,  0  otherwise. 

4.1  Security 

We  define  our  system  in  terms  of  an  ideal  functionality 
implemented  by  a  trusted  party  Tp  that  plays  the  role  that 
our  cryptographic  constructions  play  in  the  real  system.  All 
communication  takes  place  through  this  ideal  trusted  party. 
Security  and  correctness  for  our  system  comes  from  a  proof 
that  this  ideal  model  is  indistinguishable  from  the  real  model 
provided  the  cryptographic  assumptions  hold.  Our  ideal 
functionality  is  outlined  in  Figure  1. 

It  consists  of  organizations  who  issue  credentials  and  users 
who  both  prove  that  they  have  these  credentials  and  verify 
such  proofs.  Organizations  have  only  two  things:  1)  an 
efficient  and  publicly  evaluable  policy,  policy Q,  for  granting 
credentials  and  2)  an  append-only  list  of  credentials  meeting 
that  policy  maintained  by  the  trusted  party. 
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•  Setup(lA)  — >  params.  On  input  a  security  parameter  A,  run  AccumSetup(lA)  to  obtain  the  values  ( N,u ).  Next  generate 
primes  p,  q  such  that  p  =  2 wq  +  1  for  w  >  1.  Let  G  be  an  order-g  subgroup  of  Z£,  and  select  random  generators  go, ,  gn 
such  that  G  =  (go)  =  ■  ■  ■  =  (gn).  Output  params  =  (N,  u,p,  q,  go, ■ ■ ■ ,  gn). 

•  Key  Gen  (params)  — >  sk.  On  input  a  set  of  parameters  params,  select  and  output  a  random  master  secret  sk  £  Zq. 

•  FormNym (params,  sk)  (Nym,  skNym).  Given  a  user’s  master  secret  sk,  select  a  random  r  £  Z9  and  compute 
Nym  =  gog{k.  Set  skNym  =  r  and  output  (Nym,  skNym). 

•  MintCred(params,  sk,  Nym®,  skNymo,  attrs,  aux)  —>  (c,  skc,TTM).  Given  a  nym  Nym°  and  its  secret  key  skNymo;  at- 

!  m 

tributes  attrs  =  (ao,  ■  ■  ■ ,  am)  £  Zq;  and  auxiliary  data  aux,  select  a  random  r'  £  Zq  and  compute  c  =  g 5  g{k  g“j_2.  Set 

i=0 

skc  =  r'  and  output  (c,  skc,  ttm)  where  ttm  is  a  signature  of  knowledge  on  aux  that  the  nym  and  the  credential  both 
belong  to  the  same  master  secret  sk,  i.e.: 

7r m  =  ZKSoK[aua;]{(sfc,  r  ,  r)  : 

m 

r  sk  T  T  0"i  A  at  O  r  sk~\ 

c  =  g0  9i  [[fti+2  A  Nymv  =  g0g1  } 

i=0 

Finally,  submit  the  resulting  values  (c,  ttm,  attrs)  to  the  public  transaction  ledger. 

•  MintVerify (params,  c,  attrs,  Nym°,aux,  ttm)  — >  {0, 1}.  Given  a  credential  c,  attributes  attrs,  a  nym  Nym®,  and  proof 
ttm,  verify  that  ttm  is  the  signature  of  knowledge  on  aux.  If  the  proof  verifies  successfully,  output  1,  otherwise  output  0. 
The  organization  nodes  should  accept  the  credential  to  the  ledger  if  and  only  if  this  algorithm  returns  1. 

•  Show  (params,  sk,  Nym\j,  skNymv ,  c,  attrs,  skc,  Co)  —>  tts-  Given  a  user’s  master  secret  sk;  a  nym  Nym y  between  the 
user  and  the  verifier  and  its  secret  key  skNymv;  a  credential  c  and  its  secret  key  skc;  the  attributes  (ao, . . . ,  am)  used  in 
the  credential;  and  a  set  of  credentials  C,  compute  A  =  Accumulate(params,  Co)  and  uj  —  GenWitness(params,  c,  Co) 
and  output  the  following  proof  of  knowledge: 

tts  =  NIZKPoK{(sA;,  c o,  r  ,  c,  r,  Nym ^)  : 

m 

AccVerify (params,  A,  c,u>)  =  1  A  c  =  gr0  jf  A  Nym„  =  gr0gt} 

i= 0 

•  ShowVerify(params,  Nym)(),ns,  Co)  —>  {0, 1}.  Given  a  nym  Nym ,  proof  of  possession  of  a  credential  tts,  and  the  set 
of  credentials  issued  by  organization  O  Co,  first  compute  A  =  Accumulat ^(params,  Co).  Then  verify  that  tts  is  the 
aforementioned  proof  of  knowledge  on  c,  Co,  and  Nym using  the  known  public  values.  If  the  proof  verifies  successfully, 
output  1,  otherwise  output  0. 


Figure  2:  Our  basic  decentralized  anonymous  credential  scheme. 


4.2  Trusting  the  Ledger 

An  obvious  question  is  whether  the  append-only  transac¬ 
tion  ledger  is  necessary  at  all.  Indeed,  if  the  list  of  valid 
credentials  can  be  evaluated  by  a  set  of  untrusted  nodes, 
then  it  seems  that  a  user  (Prover)  could  simply  maintain  a 
credential  list  compiled  from  network  broadcasts  and  provide 
this  list  to  the  Verifier  during  a  credential  show.  However, 
this  approach  can  enable  sophisticated  attacks  where  a  mali¬ 
cious  Verifier  manipulates  the  Prover’s  view  of  the  network 
to  include  a  poisoned- pill  credential  that  —  although  valid 
by  the  issuing  heuristic  —  was  not  broadcast  to  anyone  else. 
When  the  prover  authenticates,  she  has  completely  identified 
herself. 

The  distributed  transaction  ledgers  employed  by  networks 
such  as  Bitcoin  and  Namecoin  provide  a  solution  to  this 
problem,  as  their  primary  purpose  is  to  ensure  a  shared  view 
among  a  large  number  of  nodes  in  an  adversarial  network.  In 
practice  this  is  accomplished  by  maintaining  a  high  degree 
of  network  connectivity  and  employing  computational  proofs 
of  work  to  compute  a  hash  chain. 

For  an  attacker  to  execute  the  poisoned  credential  attack 


against  such  a  ledger,  she  would  need  to  both  generate  and 
maintain  a  false  view  of  the  network  to  delude  the  prover. 
This  entails  both  simulating  the  prover’s  view  of  the  rest  of 
the  network  complete  with  all  its  computational  power  and 
forging  any  assurances  the  prover  might  expect  from  known 
peers  about  the  present  state  of  the  network.  If  the  prover 
has  a  reasonable  estimate  of  the  actual  network’s  power  (e.g., 
she  assumes  it  monotonically  increases),  then  an  attacker 
must  actually  have  equivalent  computational  power  to  the 
entirety  of  the  network  to  mount  such  an  attack.  For  the 
purposes  of  this  paper  we  assume  such  active  attacks  are 
impossible  even  if  the  attacker  controls  a  simple  majority  of 
the  computational  power.  Attackers  are  still  free  to  attempt 
any  and  all  methods  of  retroactively  identifying  a  user  and 
mount  any  other  active  attacks. 

5.  OUR  CONSTRUCTION 

We  now  provide  an  overview  and  instantiation  of  our  con¬ 
struction. 

5.1  Overview 
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Alice’s  pseudonym  with  a  given  organization/user  is  an 
arbitrary  identity  that  she  claims  in  a  transaction.  She  tags 
this  value  with  a  Pedersen  commitment  to  her  secret  key 
sk  and  signs  the  resulting  transaction  using  a  signature  of 
knowledge  that  she  knows  the  secret  key.  There  is  no  sepa¬ 
rate  process  for  registering  a  pseudonym:  instead  they  are 
simply  used  in  issue  and  show  to  allow  operations  to  be 
linked  if  necessary.  Alice’s  credential  c  is  a  vector  Peder¬ 
sen  commitment  to  both  sk  and  a  set  of  public  attributes 
attrs  =  do,  ■■■ ,  am ,  which  Alice  also  includes  in  her  creden¬ 
tial.  To  issue  a  credential,  Alice  provides  the  network  with 
a  credential,  a  pseudonym,  her  attributes,  optionally  some 
auxiliary  data  justifying  the  credential  issue  (e.g.,  a  proof 
of  work  that  Alice  is  not  a  Sybil),  and  a  proof  that  (1)  the 
commitment  and  the  pseudonym  contain  the  same  secret 
key  and  (2)  the  attributes  are  in  some  allowed  set.  If  all  of 
this  validates,  the  entry  is  added  to  the  ledger.  Alice  shows 
the  credential  under  a  different  pseudonym  by  proving  in 
zero-knowledge  that  (1)  she  knows  a  credential  on  the  ledger 
from  the  organization,  (2)  the  credential  opens  to  the  same 
sk  as  her  pseudonym,  and  (3)  it  has  some  attributes. 

5.2  Concrete  Instantiation 

We  instantiate  our  system  with  the  cryptographic  prim¬ 
itives  discussed  in  Section  3.  Specifically,  we  use  Pedersen 
commitments  and  a  Strong  RSA  based  accumulator.  The 
proofs  are  conducted  using  standard  techniques  [47,  12]  and 
are  similar  to  the  proofs  used  by  Miers  et  al.  in  [35].  See 
Figure  2  for  details. 

Theorem  5.1.  The  basic  distributed  anonymous  creden¬ 
tial  system  described  in  Figure  2  is  secure  in  the  random 
oracle  model  under  the  Strong  RSA  and  the  Discrete  Loga¬ 
rithm  assumptions. 

We  sketch  of  the  proof  of  Theorem  5.1  in  Appendix  A. 

6.  EXTENSIONS 

We  consider  extending  the  basic  system  in  several  ways. 

6.1  /  -show  Credentials 

Damgard  et  al.  [22]  first  suggested  a  credential  system 
where  users  could  only  authenticate  once  per  time  period. 
Camenisch  et  al.  [9]  independently  proposed  a  significantly 
more  efficient  construction  that  allows  for  up  to  k  authenti¬ 
cations  per  time  period,  with  the  ability  to  revoke  all  cloned 
credentials  if  a  credential  was  used  beyond  this  limit.  Ca- 
menisch  et  al.  suggested  that  these  technique  might  be  used 
to  build  anonymous  subscription  services,  allowing  users 
to  access  a  resource  (such  as  a  website)  within  reasonable 
bounds.  We  briefly  show  that  these  same  techniques  can  be 
applied  to  our  basic  credential  system. 

In  the  system  of  [9]  an  authority  issues  a  credential  on  a 
user’s  secret  seed  s.  To  show  a  credential  for  the  ith  time  in 
validity  period  t,  the  user  generates  a  serial  number  S  using 
a  verifiable  random  function  (VRF)  as  S'  =  /s(0||t||f).  She 
also  includes  a  non-interactive  zero-knowledge  proof  that  this 
serial  number  is  correctly  structured.6  This  technique  can 
be  applied  to  our  construction:  the  user  simply  generates  a 

6  The  re-use  of  a  credential  would  result  in  a  repeated  serial 
number,  and  yet  the  nature  of  the  VRF’s  output  (for  an 
honest  user)  ensures  that  attackers  cannot  link  individual 
shows. 


random  seed  s  and  includes  this  value  in  the  commitment  she 
stores  in  the  transaction  ledger,  along  with  a  non-interactive 
proof  that  she  knows  the  value  s.  We  note  that  for  the  trivial 
case  of  one-time  show  credentials,  we  can  simply  reveal  the 
seed.7 

6.2  Credentials  with  Hidden  Attributes 

In  our  basic  construction  of  §5,  users  provide  a  full  list  of 
attributes  when  requesting  and  showing  credentials.  While 
this  is  sufficient  for  many  applications,  there  exist  cases 
where  a  user  might  wish  to  conceal  the  attributes  requested 
or  shown,  opting  instead  to  prove  statements  about  them, 
e.g.,  proving  knowledge  of  a  secret  key  or  proving  that  an 
attribute  is  within  a  certain  range.  We  note  that  this  requires 
only  minor  changes  to  our  protocols  —  the  user  simply 
attaches  a  proof  that  the  attribute  values  contained  within 
the  credential  c  satisfy  some  statement. 

6.3  Stateful  Credentials 

A  stateful  anonymous  credential  system  [20]  is  a  variant  of 
an  anonymous  credential  system  where  credential  attributes 
encode  some  state  that  can  be  updated  by  issuing  new  cre¬ 
dentials.  This  credential  issuance  is  typically  conditioned 
on  the  user  showing  a  previous  credential  and  offering  proof 
that  the  new  credential  should  be  updated  as  a  function  of 
the  original. 

Intuitively,  we  can  add  this  capability  quite  easily  due  to 
the  fact  that  our  credentials  are  non-interactively  issued.  We 
construct  a  “single  show”  credential  c  embedding  some  state 
state  in  the  attributes  and  a  serial  number  S.  Users  are 
free  to  show  c  as  many  times  as  they  like  without  revealing 
the  serial  number.  However,  to  update  the  state  of  the 
credential,  they  must  author  a  transaction  that  shows  the 
original  credential  and  reveals  the  serial  number  S  and  “mint” 
a  new  candidate  credential  c'  containing  the  updated  state 
state 1  (hidden  inside  of  a  commitment)  and  a  proof  that 
there  exists  a  valid  relationship  between  the  state  encoded 
in  c  and  the  new  state  in  c'  (for  example,  that  the  attributes 
have  been  incremented). 

This  requires  only  minor  extensions  to  our  basic  scheme.  In 
this  case  we  add  an  Update  algorithm  that  operates  similarly 
to  MintCred  but  includes  the  earlier  credential  and  a  proof 
of  its  construction.  A  valid  proof  of  the  existing  credential 
now  becomes  a  condition  for  the  organization  accepting  the 
updated  credential  into  the  ledger.  We  provide  a  description 
of  this  new  algorithm  in  Figure  3. 

6.4  Credential  Revocation 

Several  previous  works  have  proposed  techniques  for  revok¬ 
ing  anonymous  credentials  [12,  10,  2].  We  note  that  several 
of  these  techniques  can  be  applied  to  our  credential  sys¬ 
tem.  However,  we  also  observe  that  our  use  of  a  centralized 
transaction  ledger  may  improve  the  security  of  the  existing 
proposals.  Suppose  our  goal  is  only  to  revoke  systems  where 
a  user’s  key  secret  key  has  been  publicly  compromised.  A 
common  technique  is  to  simply  place  such  keys  on  a  list  and 
have  the  user  prove  the  secret  key  in  his  commitment  is  not 
on  the  list.  After  all,  no  legitimate  user’s  key  can  appear  on 
this  list.  However,  we  observe  that  without  a  globally-shared 

'  Camenisch  et  al.  [9]  describe  a  further  extension  that  reveals 
the  user’s  identity  in  the  event  of  a  credential  double-show. 
We  omit  the  details  here  for  space  reasons  but  observe  that 
the  same  technique  can  be  applied  to  our  construction. 
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•  Updat e(params,  sk,  c,  skc ,  Co,  update-relation,  state')  (c1 ,  sk'c,  ttu)-  Given  a  credential  c  and  associated  secret  key  skc, 
a  set  of  credentials  Co,  an  updated  state  state'  =  (s'0, . . . ,  s'm)  £  Zg,  and  an  update  relation  update-relation,  generate  a 

fresh  random  serial  number  S'  £  Z9  and  random  value  r'  £  Z9  to  form  a  new  credential  d  =  g q  g{k  gi  n  g" i3.  Compute 

»=o 

A  =  Accumulate(params,  Co)  and  ui  =  Gen\N\tness(params,c,Co)-  Output  (d ,  sk'c,  nu)  where  sk'c  =  (S' ,  state' ,d)  and 

7ru  =  NIZKPoK {(sk, uj,c, state, r, d , state  ,r')  : 

AccVerify  (params,  A,  c,  w)  =  1 

m  m 

A  c  =  II  A  c'  =  glgtgi'  4s 

i=0  i= 0 

A  updatejrelation(state,  state)  =  1} 

•  UpdateVerify (params,  c,  Co,  ttu)  — ►  {0, 1}.  Given  a  stateful  credential  c,  a  credential  set  Co,  and  proof  7ru,  output  1  if 
nu  is  correct,  the  proved  state  transition  is  a  legal  one,  and  the  serial  number  S  was  not  previously  used.  Otherwise  0. 

Figure  3:  Extensions  for  a  stateful  anonymous  credential  system.  updatejrelation(. . .)  =  1  denotes  that  the  update  encodes 
some  arbitrary  state  transition  (e.g.  state'  =  state  +  1). 


state,  a  malicious  revocation  authority  might  be  able  to  feed 
different  users  different  revocation  lists,  then  collude  with 
verifiers  to  identify  users. 

Although  we  use  an  append-only  list  and  cannot  simply 
delete  the  credential  outright,  we  can  add  a  marker  stating 
that  the  credential  is  no  longer  valid.  Since  this  list  is  public 
and  shared  amongst  all  the  users,  any  user  whose  credential 
is  revoked  will  simply  not  attempt  to  authenticate.  We  thus 
can  realize  almost  any  credential  revocation  policy  without 
a  trusted  party  who  could  deanonymize  users. 

6.5  Avoiding  trusted  setup 

Setting  up  the  accumulator  in  our  basic  construction  re¬ 
quires  generating  an  RSA  modulus.  However,  its  factor¬ 
ization  is  never  used  and  in  fact  must  remain  unknown  to 
prevent  forged  membership  proofs.  Because  of  this,  we  could 
use  a  single  trusted  setup  phase  where  the  factorization  is 
destroyed  immediately  after  the  parameters  are  generated. 
A  more  elegant  option  is  to  use  so  called  RSA  UFOs  [44]  for 
accumulator  parameters  without  a  trapdoor,  forgoing  the 
need  for  any  trusted  parameter  generation. 

7.  ANONYMOUS  REPUTATION  SYSTEMS 

The  techniques  described  thus  far  allow  users  to  show 
a  credential  without  fear  of  linking  a  pseudonym  to  their 
identity.  In  the  extreme  case,  a  user  can  dispense  with 
persistent  pseudonyms  in  their  entirety  and  make  all  of  her 
transactions  unlinkable.  For  certain  applications,  however, 
this  is  not  desirable:  when  a  user’s  actions  are  unlinkable, 
malicious  actions  have  no  consequence  and  honest  users 
have  no  way  to  prove  good  behavior.  A  solution  to  this 
problem  is  to  create  a  reputation  system  in  which  users  have 
a  single  global  reputation  score  they  can  demonstrate  across 
pseudonyms.  Like  an  anonymous  credential  system,  any 
proof  of  reputation  should  be  completely  anonymous  even  in 
the  face  of  the  retrospective  collusion  of  all  other  parties  in 
the  system. 

Although  a  fair  amount  of  work  has  been  conducted  on 
systems  with  local  reputation,  reputation  for  pseudonyms 
only  [33],  or  reputation  systems  secure  only  if  some  sub¬ 
set  of  trusted  parties  never  collude  even  retroactively  [31], 
there  appears  to  be  no  distributed  solution  that  provides  our 


desired  properties.  To  the  best  of  our  knowledge  the  only 
construction  to  date  which  offers  anonymous  —  even  if  all 
parties  collude  after  the  fact  —  global  reputation  is  due  to 
Androulaki  et  al.  [1]  and  requires  a  semi-trusted  third  party 
to  keep  track  of  reputation. 

Informally,  the  security  model  for  Androulaki  et  al.’s 
scheme  requires  the  following  three  properties  which  we  use 
as  a  starting  point  for  our  construction: 

1 .  Anonymity  of  peers  during  reputation  exchange  and  rep¬ 
utation  demonstration:  pseudonyms  cannot  be  linked 
to  each  other  or  to  the  underlying  user  by  any  collection 
of  parties. 

2.  Unforgeability  of  reputation  points. 

3.  Inflation  resistance:  the  existence  of  some  fixed  number 
of  points  allocable  per  day. 

The  first  two  properties  map  intuitively  to  the  security 
properties  of  a  credential  system  (i.e.,  unforgeability  of  cre¬ 
dentials  and  anonymity).  The  last  one  is  a  special  restriction 
due  to  [6] :  if  reputation  can  be  handed  out  in  an  unlimited 
manner,  then  the  system  is  worthless. 

At  first  glance,  e-cash  systems  seem  to  provide  an  easy 
way  to  realize  such  a  system:  users  spend  “repcoins”  with 
each  other  and  an  anonymous  credential  issued  by  the  bank 
is  used  to  attest  to  their  repcoin  balance.  However,  e-cash 
systems  are  only  anonymous  for  the  spender:  a  user  and  a 
bank  can  collude  to  identify  who  the  repcoins  were  deposited 
with.  A  reputation  system  needs  a  superset  of  the  privacy 
features  provided  by  e-cash:  both  parties  in  a  transaction 
need  to  maintain  their  anonymity  and  thus  both  spends 
and  deposits  must  be  blind.  Androulaki  et  al.’s  solution  in 
fact  uses  blinded  deposits  to  allow  a  bank  trusted  to  track 
reputation  to  issue  anonymous  reputation  credentials.  8 

7.1  A  Basic  Reputation  System 

Given  a  distributed,  updatable  anonymous  credential  sys¬ 
tem,  we  can  instantiate  a  distributed,  global,  identity-bound 
anonymous  reputation  system  as  a  special  class  of  legal  state 
transitions  between  stateful  credentials.  In  essence,  we  view 

8  Making  this  system  distributed  would  entail  constructing 
both  a  distributed  e-cash  scheme  and  a  distributed  anony¬ 
mous  credential  scheme.  We  opt  for  a  cleaner  approach. 
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•  RepDec(params,  sk,  c,  skc,  Co,  A)  — >  (c' ,  sk'c,  comrriA,  rA,  7iVd).  Given  a  credential  c  and  associated  secret  key  skc,  a  set 
of  credentials  Co,  and  an  amount  to  decrement  the  reputation  A  £  Z9,  calculate  the  new  balance  balance'  =  balance  —  A. 
Then  generate  a  fresh  random  serial  number  S'  €  Z9  and  random  values  r',rA  £  Zi9  to  form  a  credential  c  = 
9o  9ik92  g3alance  and  conrmiA  =  go^g't-  Compute  A  =  Accumulate(params,  Co)  and  to  =  GenWitness(params,  c,  Co). 
Output  (c' ,  sh'c,  comm.A,  ta,  nrd)  where  sk'c  =  (S' ,  balance,  r')  and 

7vr(i  =  NIZKPoK{(sfc,  c,  c  ,  w,  balance,  balance  ,  A,  r,  r  ,  ta)  : 

AccVerify(params,  A,  c,  u>)  =  1 

.  r  sk  S  balance  .  /  r'  sk  S'  balance' 

A  c  =  ffoSTj  ff3  A  c  =  3o  ffi  fl2  S3 


A  commA  =  9o^gt  A  balance'  =  balance  —  A} 


•  Replnc(params,  sfc,  c,  sfcc,  comm-A,  A,  ta,  Co)  — >•  (c' ,  sk'c,Trre).  Given  a  credential  c  and  associated  secret  key  sfcc,  an 
amount  to  increment  the  reputation  A  £  Z9,  a  commitment  to  the  reputation  change  comm  a  and  its  opening  ta,  and 
a  set  of  credentials  Co,  calculate  the  new  balance  balance'  =  balance  +  A.  Generate  a  fresh  random  serial  number 
S'  £  Z9  and  random  value  r'  £  Z9  to  form  a  fresh  credential  c'  =  go  glkgi  g3alarlce  encoding  the  new  balance.  Compute 
A  =  Accumulate(params,  Co)  and  u  =  GenWitness(params,  c,  Co).  Output  (c',sk'c,  7iye)  where  sk'c  =  (S' ,  balance,  r') 
and 


7Vre 


NIZKPoK{(sfc,  c,  c  ,  u>,  balance,  balance' ,  A,  r,  r  ,  va)  : 
AccVerify  (params,  A,  c,  u>)  =  1 


.  r  sk  S  balance  A  /  r  sk  S'  balance' 

A  c  =  g0g i  g2g3  A  c  =  g0  gx  g2  g3 


A  commA  =  9o^g^  A  balance  =  balance  +  A} 


•  RepVerify(c^,  cb,  7t rd,  nre,  Co)  {0, 1}.  Given  credentials  ca  and  cb,  proofs  nrd  and  TTre,  and  a  set  of  credentials  Co, 
verify  a  reputation  transaction  between  two  parties  by  validating  the  proofs,  checking  that  they  use  the  same  commA, 
and  checking  that  the  revealed  serial  numbers  were  not  previously  used.  Output  1  if  all  conditions  hold,  else  0. 


Figure  4:  Extensions  for  an  anonymous  reputation  system. 


a  reputation  system  as  simply  an  instance  of  an  updatable 
credential  system  where  the  encoded  state  is  a  user’s  rep¬ 
utation.  Updates  affect  a  pair  of  stateful  credentials,  and 
we  restrict  state  transitions  to  ones  that  conserve  the  total 
amount  of  reputation  in  the  credential  pair.  In  fact,  we  can 
realize  more  complex  relations  subject  to  that  constraint, 
but  for  simplicity  we  limit  our  discussion  here  to  the  simple 
conservation  of  reputation.9  This  system  even  allows  for  neg¬ 
ative  reputation,  a  notable  feature  which  previously  required 
a  continually  available  online  bank  [46]. 

We  define  three  additional  functions  in  Figure  4  that  allow 
users  to  transfer  reputation  and  verify  the  transfer.  Using 
RepDec  Alice  would  decrement  her  reputation  by  the  amount 
she  wants  to  send  and  broadcast  the  resulting  proof  nrd  for 
insertion  into  the  block  chain.  She  would  then  send  commA 
and  its  opening  values  (A,  ta)  to  Bob.  Bob  would  run  Repine 
and  also  broadcast  the  resulting  proof.  Alice  can  “give”  Bob 
negative  reputation  by  forcing  him  to  decrement  his  balance 
by  some  amount  prior  to  an  encounter  and  then  giving  back 
some  (or  none)  of  it  after  the  encounter  is  completed.  We 
neglect  pseudonyms  in  the  above  definition  for  the  sake  of 
exposition,  but  they  can  be  added  in  the  usual  way. 

We  leave  a  proof  of  security  for  the  full  version  of  this 
work  but  provide  a  short  intuition  here:  provided  that  our 
updatable  anonymous  credential  scheme  is  secure  then  so 
is  this  scheme  since  clearly  no  user  can  increase  his  reputa¬ 
tion  without  another  depleting  hers.  Anonymity,  however, 

9  Our  policies  are  limited  to  the  relations  over  committed 
values  that  can  be  proved  in  zero-knowledge.  If  we  restrict 
ourselves  to  efficient  proofs,  we  can  realize  a  broad  set  of 
polynomial  relations  over  the  reputation  of  both  parties. 


is  not  as  clear.  Bob  must  know  the  transaction  in  which 
Alice  decrements  her  reputation.  Clearly  this  leaks  some 
information.  However,  due  to  the  anonymity  property  of  our 
credential  construction,  the  entire  mint /update  process  can¬ 
not  be  linked  to  a  previous  or  subsequent  show.  As  such,  no 
one  learns  anything  that  is  linkable  to  any  other  transaction. 
Because  of  this  unlinkability,  we  obtain  an  identity-bound 
reputation  system  where  users  do  not  need  to  discard  their 
reputation  when  switching  pseudonyms.  Similarly,  inflation 
resistance  follows  from  the  fact  that  we  can  specify  arbitrary 
rules  of  accepting  credentials  into  the  block  chain  in  the  first 
place.  As  such  we  can  limit  how  reputation  is  added  to  the 
network  by  limiting  the  rate  at  which  reputation  points  are 
added. 

8.  RELATED  WORK 

Anonymous  credentials.  Introduced  by  Chaum  [19]  and 
developed  in  a  line  of  subsequent  works  (e.g.,  [8,  11,  14]), 
anonymous  credentials  allow  a  user  to  prove  that  she  has 
a  credential  issued  by  some  organization,  without  revealing 
anything  about  herself  other  than  that  she  has  the  credential. 
Under  standard  security  definitions,  even  if  the  verifier  and 
credential  issuer  collude,  they  cannot  determine  when  the 
credential  was  issued,  who  it  was  issued  to,  or  when  it  was 
or  will  be  used.  A  common  construction  involves  issuing  a 
credential  by  obtaining  a  signature  from  an  organization  on 
a  committed  value  (e.g.,  using  the  signature  scheme  of  [12]) 
then  proving  in  zero-knowledge  that  one  has  a  signature  under 
the  organization’s  public  key  on  that  value.  The  contents 
of  the  commitment  may  be  revealed  outright  or  various 
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properties  can  proved  on  the  committed  values  (e.g.,  Alice 
can  prove  she  is  over  21  years  old).  Extensions  to  this  work 
describe  credentials  that  can  only  be  shown  anonymously  a 
limited  number  of  times  [9]  or  delegated  to  others  [4].  All 
of  these  schemes  require  issuing  organizations  to  maintain  a 
secret  key. 

Bitcoin  and  append-only  ledgers.  Our  construction  re¬ 
lies  on  the  existence  of  a  distributed  append-only  transaction 
ledger ,  a  technology  that  makes  up  the  core  component  of 
the  Bitcoin  distributed  currency:  the  log  of  all  currency 
transactions  called  the  block  chain  [36].  These  ledgers  are 
maintained  by  an  ad  hoc  group  of  network  nodes  who  are  free 
to  enter  and  leave  the  network  (there  is  no  key  provisioning 
necessary  for  them  to  join).  A  typical  transaction  ledger  con¬ 
sists  of  a  sequence  of  blocks  of  data  that  are  widely  replicated 
among  the  participating  nodes,  with  each  block  connected 
to  the  previous  block  using  a  hash  chain.  Nodes  compete 
for  the  opportunity  to  add  new  blocks  of  transactions  to  the 
ledger  by  producing  a  partial  hash  collision  over  the  new 
data  and  the  hash  of  the  last  block  in  the  chain.  The  hash 
collision  serves  two  purposes:  first,  it  is  a  computationally 
difficult  to  forge  authenticator  of  the  ledger  and  second,  since 
finding  a  partial  hash  collision  involves  substantial  compu¬ 
tational  effort,  the  peer  who  finds  it  is  chosen  “at  random” 
with  a  probability  proportional  to  the  rate  at  which  they  can 
compute  identify  such  partial  collisions.  As  a  result,  an  ad 
hoc  group  of  mutually  distrusting  and  potentially  dishonest 
peers  can  correctly  manage  such  a  ledger  provided  that  a 
majority  of  their  computational  power  is  held  by  honest  par¬ 
ties.  Recent  experience  with  Bitcoin  and  Namecoin  provides 
evidence  that  this  assumption  holds  in  practice. 

Namecoin.  Namecoin  [37]  is  a  decentralized  identity  system 
that  uses  the  same  block  chain  technology  as  Bitcoin.  Al¬ 
though  Namecoin  is  in  part  a  currency  system  —  its  internal 
currency,  the  namecoin  (NMC),  is  used  to  purchase  a  name 
in  the  same  way  one  pays  for  a  domain  name  —  its  primary 
purpose  is  to  associate  names  with  arbitrary  data.  A  user 
can  claim  a  name  provided  (1)  they  pay  the  price  in  NMC  for 
it  and  (2)  it  is  unclaimed.  At  that  point,  an  entry  is  inserted 
into  the  block  chain  mapping  the  name  to  a  public  key  and 
some  arbitrary  data.  The  public  key  allows  the  owner  to 
update  the  data  by  signing  a  new  record.  The  data  allows  for 
various  uses.  If  it  is  an  IP  address,  then  one  has  a  distributed 
DNS  system  (such  a  system,  .bit,  is  already  deployed).  On 
the  other  hand,  if  it  is  a  public  key,  the  result  is  a  basic 
PKI.  The  first-come  first-served  nature  of  Namecoin  seems 
somewhat  anachronistic,  however  it  replicates  in  miniature 
the  way  normal  DNS  names  are  generally  assigned,  where 
the  first  person  to  claim  the  name  gets  it.  Similarly,  standard 
(non-extended  validation)  SSL  certificates  for  a  domain  are 
typically  issued  to  anyone  who  can  demonstrate  control  of  a 
domain  (usually  via  an  email  to  admin@domain). 

9.  CONCLUSION 

In  this  work  we  constructed  a  distributed  anonymous  cre¬ 
dential  system  and  extended  this  system  to  provide  a  dis¬ 
tributed,  identity-bound  reputation  system  where  users  have 
a  single  global  reputation.  Our  constructions  are  secure  in 
the  random  oracle  model  under  standard  cryptographic  as¬ 
sumptions  assuming  the  existence  of  a  trustworthy  global 
append-only  ledger.  To  realize  such  a  ledger  we  propose 
using  the  block  chain  system  already  in  real  world  use  with 


the  distributed  cryptographic  currency  Bitcoin.  Although  we 
are  limited  in  the  class  of  identity  assertions  we  can  certify, 
we  argue  that  several  basic  assertions  are  of  particular  use  in 
peer-to-peer  systems,  as  they  can  be  used  to  mitigate  Sybil 
attacks,  ensure  fair  resource  usage,  and  punish  malicious 
peers  while  maintaining  user  anonymity. 

Future  work.  We  leave  two  open  problems  for  future  work. 
First,  the  proofs  in  this  work  assumed  the  security  of  a 
transaction  ledger.  We  leave  a  precise  formal  model  of  the 
ledger,  which  attacks  are  allowable,  and  what  bounds  may  be 
placed  on  their  consequence  as  an  open  problem.  Second,  the 
efficiency  of  our  construction  can  be  improved.  Although  all 
of  our  algorithms  are  efficient  (in  that  they  do  not  scale  with 
the  size  of  the  ledger),  the  need  for  double-discrete  logarithm 
proofs  leads  to  somewhat  large  proof  sizes  when  showing 
a  credential  (roughly  40KB  for  modest  parameters).  Our 
construction  may  be  optimized  for  certain  applications  that 
do  not  require  the  full  flexibility  of  our  construction.  At  the 
same  time,  we  hope  that  advances  in  bilinear  accumulators, 
mercurial  commitments,  or  lattice  based  techniques  may 
provide  a  more  efficient  construction. 
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APPENDIX 

A.  PROOF  OF  SECURITY  FOR  OUR  BA¬ 
SIC  SYSTEM 

We  now  provide  a  sketch  of  the  proof  of  security  for  our 
basic  distributed  anonymous  credentials  system. 

Our  basic  approach  is  to  show  that  for  every  real-world 
adversary  A  against  the  credential  system,  we  can  construct 
an  ideal-world  adversary  S  against  the  ideal-world  system 
such  that  the  transcript  of  A  interacting  with  the  real  sys- 
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tem  is  computationally  indistinguishable  from  the  transcript 
produced  by  A  interacting  with  S.  We  assume  a  static  cor¬ 
ruption  model  in  which  the  adversary  controls  some  set  of 
users  and  leave  a  proof  in  the  adaptive  corruption  model 
for  future  work.  We  also  assume  that  our  zero-knowledge 
signatures  of  knowledge  include  an  efficient  extractor  and 
simulator  and  that  the  params  are  created  using  a  trusted 
setup  process. 

Our  proof  assumes  the  existence  of  a  global,  trusted  trans¬ 
action  ledger,  which  we  use  as  a  black  box.  We  leave  a 
complete  proof  that  considers  this  construction  and  models 
it  to  future  work. 

We  begin  by  sketching  the  simulator  S  for  our  system. 

A.l  Description  of  the  Simulator 

Minting  a  credential.  When  a  user  controlled  by  the  ad¬ 
versary  with  nym  Nym®  wants  a  credential,  the  user  first 
generates  ,  attrs).  When  the  simulator  receives  notifi¬ 

cation  of  this,  it  first  verifies  that  the  credential  and  proof 
are  valid  and  meet  the  organization’s  policy.  If  so  it  employs 
the  knowledge  extractor  for  the  signature  of  knowledge  on 
7v m  to  get  ( sk,aux ). 

The  simulator  then  checks  if  it  has  a  record  of  ( U ,  sk ,  Nym°) 
on  its  list  of  users.  If  the  user  with  key  sk  and  nym  Nym ® 
exists,  then  S  retrieves  sku  associated  with  (U,  sk,  Nym°) 
and  proceeds.  If  it  is  not  on  the  list,  the  simulator  checks 
if  it  has  previously  seen  a  user  with  key  sk.  If  the  user 
with  key  sk  is  not  present,  then  the  simulator  creates  a 
user  U  and  runs  RegNym(Nym^,U,0)  to  register  Nym° 
and  obtain  sku  for  further  interactions  with  Tp.  S  then 
stores  (U,  sk,  sku ,  Nym°)  in  its  list  of  users  controlled  by 
the  adversary.  If  a  user  U  with  key  sk  exists,  then  it  runs 
RegNym(Nymf,U,0)  to  register  Nym°  and  adds  Nym° 
to  C/’s  record. 

Once  the  simulator  has  registered  the  nym  or  verified  it 
already  exists,  it  runs  MintCred(Nym O,  attrs,  aux ).  The 
simulator  then  transmits  the  credential  information  to  the 
trusted  store  and  acknowledges  the  credential’s  issuance. 
S  stores  (sk,  Nym®,  attrs,  aux,  c,  tvm)  in  its  list  of  granted 
credentials. 

When  an  honest  user,  through  Tp,  wants  to  establish  a 
credential,  the  simulator  creates  a  credential  c  (using  the 
publicly  available  attrs)  and  uses  the  simulator  for  the  sig¬ 
nature  of  knowledge  ttm  to  simulate  the  associated  proof.  It 
then  transmits  the  credential  information  (c,  7Tm,  attrs)  to 
the  trusted  store. 

Showing  a  credential.  When  a  user  controlled  by  the 
adversary  wants  to  show  a  credential  from  organization  O 
to  verifier  V  with  which  it  has  nyms  Nym°  and  Nym p 
respectively,  the  user  first  generates  ns-  When  the  simulator 
receives  notification  of  this,  it  verifies  the  proof  as  in  the  real 
protocol  (rejecting  if  it  is  invalid).  If  the  show  verifies,  it 
runs  the  knowledge  extractor  for  the  proof  of  knowledge  on 
ns  to  get  sk. 

The  simulator  then  checks  if  it  has  a  record  of  ( U ,  sk, 
Nym®,  Nymf)  on  its  list  of  users.  If  the  user  with  key  sk 
and  nyms  Nym y  and  Nym p  exists,  then  S  retrieves  sku 
associated  with  (U,  sk,  Nym°)  and  proceeds.  If  the  record 
does  not  exist,  either  in  part  or  in  full,  the  simulator  checks 
if  it  has  previously  seen  a  user  with  key  sk.  If  the  user  with 
key  sk  is  not  present,  then  the  simulator  creates  a  user  U 
and  runs  RegNym(Nymp,  U,  O)  and  RegNym(Nym(j ,  U,  V) 


to  register  Nym y  and  Nym and  obtain  sku  for  further  in¬ 
teractions  with  Tp.  S  then  stores  (U,  sk,  sku,  Nym®,  Nym p) 
in  its  list  of  users  controlled  by  the  adversary.  If  a  user  U 
with  key  sk  exists,  then  it  runs  RegNym(Nymu,  U,  O)  (resp. 
RegNym(Nym(j,  U,  V))  to  register  Nym°  (resp.  Nym p)  and 
adds  Nymp  (resp.  Nym p)  to  U’s  record. 

Now,  the  simulator  S  runs  ShowOnNym(Nym<lT,  Nym f, 
0,V,  C)  where  C  is  obtained  by  the  simulator  through  a  call 
to  GetCredList(0). 

When  an  honest  user  (through  Tp)  wants  to  show  a  creden¬ 
tial  to  a  verifier  V  controlled  by  the  adversary,  the  simulator 
runs  the  zero-knowledge  simulator  for  ns  to  simulate  a  proof 
that  it  then  sends  to  V. 

A.  1.1  Proof  ( sketch )  of  a  Successful  Simulation 

Our  basic  distributed  anonymous  credentials  system  is 
secure  under  the  Strong  RSA  and  the  Discrete  Logarithm 
assumptions  if  the  view  of  the  adversary  in  the  real  protocol 
is  computationally  indistinguishable  from  his  view  in  the 
simulation.  This  means  that  the  simulator  must  only  fail 
with  negligible  probability. 

We  first  begin  by  discussing  the  signatures/proofs  7tm 
and  ns-  Under  the  Discrete  Logarithm  assumption,  7tm  is 
a  computational  zero-knowledge  signature  of  knowledge  on 
aux  of  the  values  sk,  r,  and  r'  such  that  the  nym  Nym ° 
and  the  credential  c  both  belong  to  the  same  master  secret 
sk.  The  proof  is  clearly  zero-knowledge  because  it  can  be 
constructed  using  standard  techniques  [47].  One  can  see 
that  the  only  way  to  forge  this  proof  would  be  to  cause  a 
collision  on  the  commitments,  which  occurs  with  negligible 
probability  under  the  Discrete  Logarithm  assumption  [41]. 
Under  the  Strong  RSA  and  Discrete  Logarithm  assumptions, 
ns  is  a  statistical  non-interactive  zero- knowledge  proof  of 
knowledge  of  the  values  sk,  oj,  c,  Nym p,  r,  and  r'  such  that 
uj  is  a  witness  that  c  is  in  the  accumulator  A  and  nym  Nym p 
and  the  credential  c  both  belong  to  the  same  master  secret 
sk.  We  can  again  see  that  this  proof  can  be  constructed  using 
known  techniques  [47,  12]  similar  to  the  proofs  used  by  Miers 
et  al.  in  [35].  In  order  to  forge  such  a  proof,  the  adversary 
would  need  to  either  find  a  collision  on  the  commitments  or 
forge  an  accumulator  membership  witness.  We  previously 
discussed  how  the  first  case  occurs  with  negligible  probability. 
The  second  case  occurs  with  negligible  probability  under  the 
Strong  RSA  assumption  due  to  [12] .  See  the  full  version  of  the 
paper  for  a  formal  treatment/reduction  of  these  statements. 

Intuitively,  we  can  now  see  that  the  simulator  will  fail  neg¬ 
ligibly  because  it  deals  solely  with  zero-knowledge  signatures 
of  knowledge  and  zero-knowledge  proofs  of  knowledge,  which 
have  efficient  extractors  and  simulators.  Our  proofs  7tm  and 
ns  have  knowledge  extractors  that  succeed  with  probability 
1  —  u(X)  for  some  negligible  function  u(-).  Since  signatures 
and  proofs  are  the  sole  point  of  failure  for  our  simulator 
described  above,  it  fails  with  negligible  probability.  Because 
the  only  thing  the  adversary  sees  is  the  zero-knowledge  proofs 
and  signatures,  the  simulated  signatures  and  proofs  are  com¬ 
putationally  indistinguishable  from  legitimate  ones,  and  the 
adversary  cannot  cause  our  simulator  to  fail  except  with  neg¬ 
ligible  probability,  the  adversary  cannot  distinguish  between 
an  interaction  with  the  simulator  and  the  real  protocol. 
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ABSTRACT 

Oblivious  RAM  (ORAM)  data  structures  have  traditionally 
been  measured  by  their  bandwidth  overhead  and  client  stor¬ 
age.  We  observe  that  when  using  ORAM  structures  to  build 
secure  computation  protocols  for  RAM  programs,  the  size 
and  depth  of  the  circuit  that  implement  the  ORAM  opera¬ 
tions  is  a  more  relevant  measure  of  performance.  For  exam¬ 
ple,  we  note  that,  in  the  context  of  secure  computation,  an 
ORAM  design  with  an  asymptotic  bandwidth  complexity  of 
0(log  n)  can  be  easily  out-performed  by  an  “inferior”  scheme 
due  to  its  complicated  read/write  algorithm. 

We  therefore  embark  on  a  study  of  the  circuit- complexity 
of  several  recently  proposed  ORAM  constructions.  Through 
careful  implementations  and  experiments,  we  show  that  asymp¬ 
totic  analysis  is  not  indicative  of  true  performance  of  ORAMs 
when  they  are  used  in  a  secure  computation  protocol  for 
RAM  programs  with  realistic  memory  sizes. 

We  then  present  scoram,  a  heuristic  compact  ORAM  de¬ 
sign  optimized  for  use  in  secure  computation  protocols.  Our 
new  design  is  almost  lOx  smaller  and  also  faster  than  all 
other  designs  we  have  tested  for  realistic  memories  of  size 
4MB-2GB  and  for  failure  probabilities  of  2-80.  This  new 
SCORAM  makes  it  feasible  to  perform  more  secure  computa¬ 
tions  on  gigabyte-sized  data  sets. 

1.  INTRODUCTION 

Two-party  secure  computation  refers  to  a  cryptographic 
technique  that  allow  Alice,  who  holds  private  input  x  and 
Bob,  who  holds  private  input  y,  to  jointly  compute  f(x,  y) 
without  revealing  any  information  to  each  other  aside  from 
the  output  f(x,  y)  .  All  known  efficient  constructions  of  such 
generic  cryptographic  protocols  require  an  oblivious  repre¬ 
sentation  of  the  function  /  being  evaluated  to  ensure  that 
the  control  flow  of  the  algorithm  does  not  depend  on  its  in¬ 
put  and  therefore  leak  partial  information.  The  standard  ap¬ 
proach  to  creating  such  an  oblivious  representation  is  to  gen- 
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erate  a  binary  circuit  from  the  description  of  /.  This  is  the 
strategy  chosen  by  dozens  of  prior  works  [?,?,?,?,?,?,?,?,?] 
on  secure  computation. 

A  well-known  drawback  to  the  approach  of  creating  a 
boolean  circuit  for  /  is  that  the  size  of  the  circuit  for  / — and 
thus  the  running  time  of  the  secure  computation  protocol  for 
Alice  and  Bob — relates  to  the  worst-case  running  time  and 
space  complexity  of  /.  This  circuit  blow-up  is  especially 
problematic  in  the  case  when  the  most  efficient  implemen¬ 
tation  of  /  is  in  the  RAM  model  of  computation  in  which 
programs  can  access  any  cell  of  its  working  memory  in  0(1) 
time  (the  RAM  model  represents  how  programs  typically 
run  on  modern  processors).  In  contrast,  a  circuit  requires 
O(s)  time  to  access  a  particular  element  of  its  “memory” 
where  s  is  the  (worst-case)  space  complexity  of  the  machine 
that  implements  /. 

To  avoid  this  circuit  overhead,  Ostrovsky  and  Shoup  [?] 
considered  whether  RAM  programs  could  be  directly  imple¬ 
mented  as  secure  computation  protocols  without  having  to 
transform  them  to  circuits.  Unfortunately,  the  memory  loca¬ 
tions  that  are  accessed  by  a  program  often  leak  intermediate 
values  of  the  program  and  thereby  contradict  the  security 
guarantees  of  secure  computation.  To  overcome  this  issue, 
Ostrovsky  and  Shoup  use  an  Oblivious  RAM  (ORAM)  data 
structure  proposed  first  by  Goldreich  [?]  to  compile  RAM 
programs  into  secure  computation  protocols. 

Intuitively,  an  ORAM  is  a  method  for  compiling  a  RAM 
program  into  another  RAM  program  whose  memory  ac¬ 
cess  pattern  does  not  depend  on  any  input  to  the  program 
(thus,  the  memory  access  pattern  is  said  to  be  oblivious). 
ORAM  techniques  have  been  widely  studied  in  other  con¬ 
texts  The  goals  of  these 

prior  works  have  been  to  (a)  reduce  the  bandwidth  overhead 
of  the  ORAM  (b)  reduce  the  “client  storage”  of  the  ORAM, 
and  (c)  reduce  the  server’s  overall  memory  overhead.  Re¬ 
markably,  state  of  the  art  approaches  to  OR  AM  design  limit 
the  overhead  in  all  three  aspects  to  various  combinations  of 
0(logc(n))  for  ce  {0, 1,2,3}! 

Towards  large-scale  secure  computation.  At  present, 
secure  computation  is  limited  to  small  problems  because 
large  datasets  incur  very-large  overheads  in  the  circuit-model. 
Secure  computation  in  the  RAM  model  offers  an  asymptoti¬ 
cally  efficient  way  to  circumvent  these  problems  and  can  po¬ 
tentially  scale  secure  computation  to  large  datasets.  Indeed, 
the  development  of  practical  ORAM  techniques  and  demon¬ 
strations  of  practical  ORAM  implementations  [?]  have  lead 
to  recent  notable  works  that  demonstrate  how  ORAM-based 
secure  computation  protocols  enable  dramatic  efficiency  im- 
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ORAM 

Circuit  Size 

Circuit  Size  (gates) 

Number  of  Inputs 

(Asymptotic  Bounds) 

A  =  220 

A  =  229 

A  =  220 

A  =  229 

Linear  Scan  oram 

O  (DA) 

142. 6M 

«82678.1M 

33. 5M 

17180. OM 

LO  ORAM 

0(DlogN)w(l) 

CLP  ORAM 

0(log5  A  +  D  log3  A)w(l) 

29.4M 

121.8M 

0.6M 

2.1M 

Binary  Tree  ORAM 

0(log4  A  +  D  log2  A)w(l) 

38. 5M 

127.7M 

7.0M 

24.2M 

naive  path  oram 

0(log4  A  +  D  log2  A)w(l) 

87.3M 

278. 1M 

0.1M 

0.3M 

PATH  SCORAM 

0(log3  A  +  D  log  N)u>(l) 

37.2M 

111.7M 

0.1M 

0.3M 

SCORAM 

N/A  (heuristic) 

4.6M 

13. OM 

0.3M 

0.9M 

Table  1:  Performance  metrics  for  different  ORAM  schemes  when  used  in  Secure  Computation.  A  is  the  number 
of  blocks  in  the  ORAM,  D  is  number  of  bits  in  each  block  (i.e.,  the  payload  bit  length),  and  the  security  parameter  is 
set  to  be  0(log  A)w(l).  We  use  the  notation  g(N)  =  0(/(A))<u(l)  to  denote  that  for  any  a(N)  =  cu(l),  it  holds  that 
g(N)  —  0(f(N)a(N)).  The  notation  O  hides  log  log  A  factors.  All  concrete  measurements  are  for  payload  bit-length  D  =  32 
bits  with  probability  of  SCORAM  failure  set  to  2-80  and  include  all  recursive  instances  of  the  ORAM  to  store  the  position 
map.  The  circuit  size  reports  all  gates,  and  the  number  of  inputs  defines  cost  of  input  preprocessing,  e.g.,  OT. 


provements  in  processing  large,  secret  datasets.  For  exam¬ 
ple,  the  work  of  Gordon  et  al.  [?]  shows  how  repetitive  bi¬ 
nary  search  queries  can  be  securely  computed  in  amorized 
sublinear  time.  Liu  et  al.  [?]  show  how,  under  big  data 
sizes,  RAM-model  secure  computation  significantly  outper¬ 
forms  the  circuit  model  even  for  run- once  tasks,  including 
KMP-string  matching  and  shortest  path.  This  work  extends 
this  vision  by  tackling  the  problem  of  finding  very  efficient 
ORAMs  to  enable  secure  computation  on  giga-byte  sized 
datasets. 

1.1  Contribution 

We  embark  on  a  comprehensive  study  of  practical  secure 
computation  ORAM  techniques.  We  do  so  via  both  the¬ 
oretical  analysis  of  several  metrics  used  to  judge  ORAMs 
and  several  experiments  performed  on  optimized  implemen¬ 
tations  of  4  state-of-the-art  ORAM  designs.  We  report  on 
a  new  heuristic  ORAM  design  that  outperforms  all  other 
ORAMs  we  considered. 

Our  first  observation  is  that  the  traditional  measures  of 
an  ORAM  scheme  do  not  properly  predict  ORAM  perfor¬ 
mance.  ORAM  has  been  considered  for  two  primary  appli¬ 
cation  scenarios:  the  privacy-preserving  cloud  outsourcing 
scenario  [?,?,?],  and  the  secure  processor  application  [?,?]. 
In  these  settings,  an  ORAM’s  overhead  is  measured  by  its 
“bandwidth  overhead”,  i.e.,  how  many  data  units  the  ORAM 
must  retrieve  to  serve  a  single  memory  query  . 

We  observe  that  the  bandwidth  overhead  metric  is  inad¬ 
equate  at  characterizing  the  performance  of  an  ORAM  in 
a  secure  computation  application.  Instead,  the  circuit  com¬ 
plexity  of  the  ORAM  algorithm  — a  measure  that  is  tradi¬ 
tionally  ignored  by  the  literature — plays  a  critical  role  in 
the  efficiency  ORAM-based  secure  computation.  Although 
this  paper  focuses  on  using  ORAM  in  a  garbled  circuits  ap¬ 
proach  to  secure  computation,  we  note  that  the  metrics  we 
put  forth  are  meaningful  when  SCORAM  is  used  in  other 
secure  computation  techniques  as  well. 

Re-evaluate  and  improve  existing  ORAMs.  We  then 

4The  bandwidth  overhead  metric  is  equivalent  to  the  blowup 
of  the  runtime  of  the  Oblivious  RAM  in  comparison  with  the 
non-oblivious  RAM  machine  -  this  was  the  terminology  used 
originally  by  Goldreich  and  Ostrovsky  [?]. 


conduct  a  systematic  evaluation  of  several  state-of-the-art 
ORAM  schemes  (e.g.,  Binary  Tree  oram  [?],  Path  ORAM  [?], 
CLP  ORAM  [?])  when  applied  to  the  secure  computation  set¬ 
ting.  Table  1  reports  both  the  theoretical  and  concrete  com¬ 
plexity  of  these  existing  OR  AM  schemes.  Our  concrete  pa¬ 
rameters  are  derived  from  carefully  optimized  implementa¬ 
tions  of  these  algorithms. 

In  particular,  we  observe  that  the  basic  tree  ORAM  by 
Shi  et  al.  [?]  has  the  same  asymptotic  efficiency  as  the  Path 
ORAM  [?]  (when  implemented  with  a  naive  circuit),  but  the 
latter  has  a  much  larger  concrete  circuit  when  implemented 
for  reasonable  parameters.  We  therefore  propose  path  sco- 
ram,  a  new  circuit  construction  for  Path  ORAM,  achiev¬ 
ing  better  asymptotic  overhead  than  its  naive  counterpart. 
However,  this  asymptotically  efficient  path  SCORAM  requires 
3  oblivious  sorts  during  the  circuit  construction,  which  in¬ 
curs  a  large  constant  in  practice.  As  a  result,  we  observe  that 
its  empirical  performance  is  not  a  clear  win  over  asymptoti¬ 
cally  worse  schemes  such  as  the  simple  Binary  Tree  ORAM  [?] 
or  the  CLP  ORAM  [?]. 

A  new  ORAM  scheme.  Based  on  the  experience  gained, 
we  shift  the  focus:  instead  of  aiming  for  an  asymptotically 
more  efficient  ORAM,  we  aim  to  construct  a  scheme  that  is 
empirically  the  most  efficient.  We  argue  that  within  poly  log  A 
complexity  ranges,  optimizing  for  asymptotics  can  be  mis¬ 
guided.  For  conceivable  data  sizes  ranging  from  gigabytes 
to  terabytes,  log  A  is  typically  20  to  40,  and  can  be  easily 
overwhelmed  by  even  moderate  constants  (e.g.  100)  that 

may  be  incurred  by  asymptotically  superior  schemes.  Sim¬ 
ilar  observations  of  asymptotics  vs.  practical  performance 
are  widespread,  e.g.  by  Stefanov  et  al.  for  constructing 
small-domain  PRPs  [?]. 

Our  result  is  a  heuristic  ORAM  scheme,  SCORAM,  that 
is  almost  10X  smaller  and  also  faster  than  any  other  ap¬ 
proach  we  are  aware  of.  Our  implementation  of  SCORAM 
will  be  made  available  online  for  people  to  build  efficient 
ORAM-based  secure  computation  protocols2.  Our  SCO¬ 
RAM  scheme  and  implementation  are  also  an  important 


2  The  URL  is  not  included  here  to  preserve  anonymity  in  the 
submission.  We  will  make  our  code  available  upon  reviewers’ 
request. 
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building  block  for  realizing  efficient  oblivious  data  struc¬ 
tures  [?]  in  secure  computation. 


1.2  Related  Work 

Keller  and  Scholl  [?]  implemented  secure  oblivious  data 
structures  using  both  the  SCSL  ORAM  [?]  and  the  Path 
ORAM  [?].  Their  implementations  use  a  small  security  pa¬ 
rameter  2~20  and  works  in  a  pre-processing  model;  in  con¬ 
trast,  we  evaluate  at  security  parameter  2-60  to  be  more 
realistic.  At  least  two  of  our  implementations  achieve  bet¬ 
ter  efficiency  parameters  while  also  enjoying  provable  error 
bounds. 

Gordon  et  al.  [?]  study  the  feasibility  of  constructing  sublinear¬ 
time  secure  computation  protocols  for  functions  that  can 
be  computed  in  sublinear  time  on  a  random-access  machine 
(RAM).  They  show  generically  how  any  function  /(•,  •)  that 
can  be  computed  in  time  t  and  space  s  in  the  RAM  model 
can  be  securely  computed  by  a  protocol  that  requires  amor¬ 
tized  time  0(f)poly  log(s),  requires  one  party  to  use  space 
0(log(s))  and  requires  the  other  party  to  use  space  0(spoly  log(s) 
Note,  their  goal  is  to  ensure  that  one  party  in  the  protocol 
requires  very  little  space  complexity.  They  report  on  an 
implementation  of  a  binary-tree  based  SCORAM;  using  se¬ 
curity  parameter  2-13,  and  N  =  220,  their  ORAM  scheme 
requires  roughly  6.6M  non-free  gates  and  12M  total  gates. 

To  the  best  of  our  ability,  we  attempted  to  recreate  their 
parameters:  our  implementation  of  the  same  required  3.3M 
non-free  gates  and  16m  total  gates.  The  implementation 
of  our  best  scheme  at  a  much  higher  security  parameter  is 
approximately  3  times  smaller.  See  §6  for  details. 

Gentry  et  al.  [?]  optimize  the  binary  tree  ORAM  for  se¬ 
cure  computation.  We  did  not  include  the  scheme  in  Table  1 
because  their  scheme  is  subsumed  both  asymptotically  and 
empirically  by  Path  ORAM  [?].  This  can  be  observed  with  a 
simple  back-of-the-envelope  calculation  as  follows:  Gentry  et 
al.  propose  techniques  to  reduce  the  tree  height  by  enlarging 
the  bucket  size.  They  then  proposed  a  new  eviction  algo¬ 
rithm  similar  to  Path  ORAM’s  eviction,  except  that  they 
directly  compute  where  a  block  should  be  dropped  along 
the  path — closest  to  leaf  possible  respecting  invariant — and 
then  drop  it  in  that  bucket.  Naively  implementing  their 
eviction  would  result  in  0(A2)  overhead  where  A  is  the  total 
number  of  blocks  on  the  path,  i.e.,  A  =  (bucket  size)*(path 
length).  Notice  that  Path  ORAM  also  has  0(A2)  overhead 
for  a  naive  eviction  circuit,  but  Path  ORAM’s  A  value  is 
both  asymptotically  and  empirically  smaller  than  that  of 
Gentry  et  al.  In  both  schemes,  we  can  have  an  asymptoti¬ 
cally  smaller  eviction  circuit  with  oblivious  sort,  but  as  we 
show,  oblivious  sort  introduces  such  a  large  constant,  that 
the  practical  performance  is  worse  than  that  of  the  original 
binary-tree  ORAM. 

As  far  as  we  know,  Lu  and  Ostrovksy  [?]  report  the  asymp¬ 
totically  best  ORAM  in  the  literature.  Their  2-server  design 
can  perform  a  sequence  of  n  reads  or  writes  with  O(logn) 
amortized  overhead  per  access  while  using  0(n )  storage  for 
the  servers  and  0(1)  client  memory.  These  parameters  meet 
the  lower-bound  for  performance  of  a  single-server  ORAM 
and  are  superior  to  any  known  single-server  ORAM.  Thus, 
it  appears  to  be  a  perfect  candidate  for  ORAM  in  secure 
computation.  Unfortunately,  there  are  two  serious  practical 
bottlenecks  to  the  implementation  of  LO. 

To  understand  the  first  issue,  recall  that  the  LO  ORAM 


builds  upon  the  KLO  ORAM  [?]  which  further  builds  upon3 
the  map-reduce  based  cuckoo-hashing  based  ORAM  of  Goodrich 
and  Mitzenmacher  [?].  In  order  to  read  or  write  at  index 
x,  the  scheme  iteratively  queries  a  hierarchy  of  hash  tables 
Hk,  Hk+ i,  . . . ,  Hl  with  either  i  or  a  dummy  address  t.  de¬ 
pending  on  whether  x  has  been  found  or  not.  The  security 
relies  on  the  issuing  of  this  dummy  query  once  x  has  been 
found  in  order  to  maintain  the  invariant  that  every  lookup 
is  unique  (i.e,  there  is  never  a  lookup  for  the  same  address 
x  at  any  two  levels  in  the  hierarchy).  This  means  that  read 
queries  require  several  sequential  executions  of  separate  se¬ 
cure  computation  protocols;  in  contrast,  tree-based  ORAM 
designs  require  only  1  secure  computation  protocol  to  be  run 
per  read/write  operation. 

The  second  serious  problem  is  a  large  overhead  constant 
for  cuckoo  hashing.  All  cuckoo-hashing  based  ORAMs  de¬ 
pend  on  an  lemma  proven  by  Goodrich  and  Mitzenmacher  [?] 
which  bounds  the  collision  rate  of  a  cuckoo-hashing  struc¬ 
ture  via  a  combinatorial  analysis  of  a  graph  G  that  is  based 
on  the  cuckoo-hashing  function.  This  lemma  requires  the 
cuckoo  hash  table  size  to  be  m  =  ft  (log'  (IV));  this  technique 
therefore  only  starts  to  beat  the  Linear  scan  SCORAM  when 
N  >  2-37. 

2.  BACKGROUND:  TREE-BASED  ORAMS 

Notation.  We  use  N  to  denote  the  number  of  (real)  data 
blocks  in  ORAM,  D  to  denote  the  bit-length  of  a  block  in 
ORAM,  Z  to  denote  the  capacity  of  each  bucket  in  the 
ORAM  tree,  and  A  to  denote  the  ORAM’s  statistical  se¬ 
curity  parameter.  When  discussing  binary  trees  of  depth  L 
in  this  paper,  we  say  the  leaves  are  at  level  0  and  the  root  is 
at  level  L  —  1.  Although  unconventional,  this  simplifies  the 
description  of  our  algorithms. 

2.1  Tree-based  ORAM  Construction 

Shi  et  al.  [?]  proposed  a  new  binary-tree  based  framework 
for  constructing  a  class  of  ORAM  schemes.  Many  recent 
efficient  ORAM  schemes  [?,?,?]  extend  this  construction,  so 
we  briefly  review  this  framework  below.  The  key  difference 
between  the  schemes  is  the  choice  of  eviction  strategy. 

Data  organization.  The  server  organizes  N  blocks  into  a 
binary  tree  of  height  L  =  log  N\  each  node  of  the  tree  is  a 
bucket  containing  Z  blocks.  Each  block  is  of  the  form: 

{idxj  jlabel|  |data}, 

where  idx  is  the  index  of  a  block,  e.g.,  the  (logical)  address 
of  desired  block;  label  is  a  leaf  identifier  specifying  the  path 
on  which  the  block  resides;  and  data  is  the  payload  of  the 
block. 

The  client  stores  a  position  map,  mapping  memory  ad¬ 
dresses  to  leaf  labels.  Position  map  storage  can  be  reduced 
to  0(1)  by  recursively  storing  the  position  map  in  a  smaller 
ORAM  (see  [?]  for  details).  These  leaf  labels  are  assigned 
randomly  and  are  reassigned  as  blocks  are  accessed.  If  we 
label  the  leaves  from  0  to  N  —  1,  then  each  label  is  associated 
with  a  path  from  the  root  to  the  corresponding  leaf.  Tree- 
based  ORAMs  maintain  the  invariant  that  a  block  marked 
label  resides  either  on  the  path  leading  to  the  corresponding 
leaf  node  specified  by  label;  or  resides  in  the  client’s  stash. 

3  KLO  point  out  a  subtle  security  issue  that  affects  almost 
all  cuckoo-basing  based  ORAM  schemes,  and  explain  how 
to  fix  it. 
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Operations.  Tree-based  ORAM  have  three  main  opera¬ 
tions.  Among  these,  the  Eviction  algorithm  is  the  key  differ¬ 
ence  between  schemes. 

•  Read  And  Remove:  Given  an  index  idx,  the  client  looks 
up  the  its  label  from  the  position  map,  and  fetches  all 
blocks  on  the  path  leading  to  label.  The  client  finds 
the  block  idx  (due  to  the  main  invariant)  and  removes 
it  from  the  path. 

•  Add:  The  retrieved  block  is  potentially  updated,  reen¬ 
crypted  and  written  back  to  the  root  bucket. 

•  Eviction:  Percolate  blocks  towards  leaves  such  that  no 
bucket  will  overflow  except  with  negligible  probability. 
Various  ORAMs  use  different  eviction  schemes  which 
we  explain  below. 

Recursion.  Instead  of  storing  the  entire  position  map  in 
the  client’s  local  memory,  the  client  can  store  it  in  a  smaller 
ORAM  on  the  server.  In  particular,  this  position  map  ORAM 
needs  to  store  N  log(V)-bit  labels.  By  storing  \  labels  in 
one  block,  this  ORAM  only  needs  N/x  blocks.  Finally,  by 
applying  recursion,  the  position  map  can  be  reduced  to  0(1) 
size,  after  which  the  Linear  scan  ORAM  can  be  used.  See  §5 
for  a  discussion  of  how  we  set  the  recursion  parameters.  Un¬ 
less  otherwise  noted,  our  discussion  of  the  complexity  of  the 
eviction  strategy  applies  to  a  single  ORAM  (i.e.,  not  taking 
into  consideration  the  recursion,  which  applies  equally  to  all 
tree-based  strategies). 

2.2  Various  Eviction  Strategies 

Original  binary-tree  ORAM.  The  original  Binary  Tree 
ORAM  scheme  [?]  adopts  random  eviction:  with  every  data 
access,  pick  two  random  buckets  from  each  level,  and  evict 
one  block  from  each  selected  bucket  by  placing  the  block 
into  the  correct  child  node  (subject  to  the  invariant).  Shi 
et  al.  show  that  this  eviction  strategy  requires  a  bucket 
size  of  0(log  iV)w(l)  to  avoid  overflow  except  with  negligible 
probability. 

Path  ORAM.  Path  ORAM  adopts  a  greedy  eviction  strat¬ 
egy  that  works  with  a  stash  maintained  in  client  storage. 
Blocks  on  the  path  P  are  first  unioned  with  the  stash.  Each 
block  in  this  set  is  then  placed  as  close  as  possible  to  its  desti¬ 
nation  leaf  in  path  P  subject  to  the  path  invariant.  Stefanov 
et  al.  [?]  show  that  this  aggressive  eviction  strategy  works 
with  buckets  that  are  only  4  blocks. 

CLP  ORAM.  In  the  CLP  ORAM  [?]  scheme,  internal  nodes 
of  the  binary  tree  have  0(loglog  N)  blocks  per  bucket,  and 
the  stash  is  replaced  by  a  queue  that  requires  add,  pop, 
and  find  operations.  After  path  P  is  read,  block  x  is  re¬ 
moved  and  remapped,  and  then  added  to  the  queue.  Next, 
the  ORAM  performs  a  “flush”  operation  by  selecting  a  new 
leaf  at  random,  reading  its  path  into  the  ORAM,  and  then 
placing  each  block  in  this  path  as  close  as  possible  to  the 
block’s  destination  leaf  subject  to  the  path  invariant.  This 
flush  operation  is  performed  according  to  a  geometrically 
distributed  random  variable  with  expectation  2. 

This  scheme  claims  0(log2(A))  worst-case  computational 
overhead,  constant  memory  overhead,  and  CPU  cache  size 
that  is  polylog(A).  Our  empirical  results  confirm  the  claim 
in  CLP  that  the  data  structure  required  to  implement  the 
queue  is  simpler  than  the  one  needed  to  implement  the  stash 
in  the  Path  ORAM  construction.  However,  as  we  show  in 
the  next  section,  the  Path  SCORAM  and  the  SCORAM  can  be 


1 

P[O..L  —  1  ][Z\  stores  the  block  to  be  put  back 

2 

for  i  from  0  to  L  —  1  do  / /from  leaf  to  root 

3 

for  j  from  1  to  Z  do 

4 

for  k  from  1  to  LZ  +  stsize  do 

5 

if  LCA(A[fc]. label,  P)  <  i  then 

6 

p[i\\j]  ~  A[k} 

7 

A[k]  ~  ± 

Figure  1:  Naive  oblivious  algorithm  for  Path  ORAM’s 
Eviction.  Variable  A  denotes  a  buffer  created  by  concatenat¬ 
ing  the  stash  and  the  path  P  read  in  Path  ORAM.  This  algo¬ 
rithm  writes  as  many  blocks  back  to  P  as  possible,  packing 
them  as  close  to  the  leaf  as  possible. 


optimized  to  support  an  even  simpler  (and  smaller)  eviction 
algorithm. 

2.3  SCORAM 

A  SCORAM  is  an  ORAM  scheme  that  is  specifically  de¬ 
signed  for  use  in  the  Ostrovksy-Shoup  framework  for  se¬ 
cure  computation  of  RAM  programs.  Unlike  the  traditional 
ORAM  scenario,  in  this  framework,  both  the  server  mem¬ 
ory  and  the  client  storage  of  the  ORAM  are  secret-shared 
between  the  parties4. 

Each  instruction  of  a  RAM  program  consists  of  an  ad¬ 
dress  to  read  from  memory,  an  operation  to  perform,  and 
an  address  to  write  back  to  memory.  These  three  steps  are 
accomplished  via  a  secure  computation  protocol  between  the 
parties  that  takes  as  input  (a)  secret  shares  of  the  memory, 
(b)  secret  shares  of  the  ORAM  client  state,  (c)  and  secret 
shares  of  the  program  state. 

The  most  significant  component  of  this  secure  computa¬ 
tion  is  typically  the  logic  used  to  implement  the  read  and 
write  operations  via  the  SCORAM  design.  In  particular, 
the  SCOR  AM  design  contributes  most  of  the  (a)  inputs  each 
party  must  supply  to  the  secure  computation,  (b)  and  the 
logical  gates  of  the  secure  computation  protocol  used  to  im¬ 
plement  the  three  steps  of  the  instruction.  Among  the  com¬ 
ponents  of  the  SCORAM  design,  the  eviction  procedures  is 
the  costliest.  In  the  next  section,  we  analyze  the  eviction 
procedures  for  several  SCORAM  designs. 

3.  FIRST  ATTEMPT:  PATH  SCORAM 

We  first  investigate  the  Path  ORAM  since  has  the  least 
bandwidth  overhead  among  all  tree-based  ORAMs.  Natu¬ 
rally  a  good  question  is  whether  we  can  implement  Path 
ORAM  with  a  small  circuit  as  well,  since  ReadAnd Remove 
and  Add  algorithm  are  trivial  to  turn  into  0(D  log  A)ui(l)- 
sized  circuits,  we  focus  our  discussion  on  how  to  implement 
Path  ORAM’s  eviction  algorithm  in  circuit. 

Expressing  circuits.  In  the  remainder  of  the  paper,  we 
will  need  to  describe  circuit  constructions.  Since  oblivious 
algorithms  can  be  easily  transformed  into  circuits  preserving 
complexity,  in  this  paper,  we  equate  the  notions  of  oblivious 
algorithms  and  circuits,  and  describe  circuits  using  oblivious 
algorithms.  When  we  sort  lexicographically  according  to  a 

4We  note  that  Gordon  et  al.  propose  an  asymmetric  division 
of  the  server  and  client  state  to  enable  one  party  in  the  secure 
computation  protocol  to  have  a  sub  linear  number  of  input 
bits. 
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1.  Initialization.  For  each  i  £  {1,2  letA[i[.  bucket  :=  LCA(A[i[.  label,  P),  let  A[i].  dummy  denote  whether  A[i] 

is  a  dummy  block. 

2.  O-sort:  real  before  dummy.  Oblivious  sort  based  on  the  key  bucket.  After  sorting,  all  real  blocks  come  first,  in 
bucket  ascending  order. 

3.  Scan  A  to  compute  the  final  offset  (from  leaf)  for  each  block.  We  give  the  algorithm  to  calculate  offset  from 
bucket  in  Figure  4. 

4.  Append  dummy.  Append  LZ  dummy  blocks  at  the  end  whose  offset  are  1, .  .  . ,  LZ,  respectively. 

5.  O-sort:  reorder  based  on  offset.  Oblivious  sort  A  by  offset  (where  blocks  with  offset  =  ±  are  put  at  the  end). 

6.  Suppress  unnecessary  dummy.  Scan  A  to  “eliminate”  unnecessary  dummy  blocks.  A  dummy  block  is  considered 
unnecessary  if  it  is  preceded  by  a  real  block  with  the  same  offset  value.  We  “eliminate”  this  dummy  block  by  setting 
its  offset  to  “_L”. 

7.  O-sort:  fall  into  place.  Sort  A  by  offset  so  that  unnecessary  dummys  are  moved  to  the  end  A. 


Figure  2:  The  path  SCORAm’s  eviction  algorithm. 


key  pair  (key^keyj),  we  mean  first  sort  according  to  key1; 
and  if  there  is  a  tie  on  keyl5  then  we  sort  according  to  key2. 

Notations.  Suppose  each  of  pi  and  p2  represents  a  leaf  or 
a  root-to-leaf  path.  We  use  LCA(pi,p2)  to  denote  the  level 
of  the  lowest  common  ancestor  of  the  leaves,  or  equivalently 
the  node  where  the  two  paths  diverge  when  traversing  from 
the  root.  In  the  remainder  of  the  paper,  we  sometimes  use 
the  notation  label  and  a  path  p  interchangeably,  since  a  path 
p  is  defined  by  the  label  of  a  leaf  node. 

Let  A  denote  a  buffer  created  by  concatenating  the  stash 
concatenated  with  a  path  p  (the  data  read  path)  in  Path 
ORAM.  Path  ORAM’s  eviction  writes  as  many  blocks  from 
A  to  p  as  possible,  and  packs  them  as  close  to  the  leaf  as 
possible. 

Naive  0(D  log2  N )  eviction  circuit.  A  naive  way  to  turn 
Path  ORAM’s  eviction  algorithm  into  a  circuit  would  result 
in  a  0(D  log2  7V)cu(l)-sized  circuit.  We  describe  this  naive 
method  in  Figure  1. 

3.1  A  New  O(Z)  log  N)  Eviction  Circuit 

The  rearrangement  problem.  Path  ORAM’s  eviction 
can  be  recast  as  a  rearrange  problem:  we  would  like  to  obliv¬ 
iously  rearrange  the  entries  in  A  (by  pairwise  swapping)  with 
respect  to  the  following  conditions: 

1.  The  blocks  in  A[1...LZ]  will  be  written  back  to  the 
path  P,  where  the  block  at  i  =  kZ+j  (where  k  = 

and  1  <  j  <  Z)  will  go  to  bucket  k.  We  require  that  for 
each  i,  if  A[i]  is  a  real  block,  then  LCA(A[i[. label,  P)  < 
k.  If  less  than  Z  real  blocks  are  assigned  to  a  bucket, 
dummy  blocks  will  be  added  to  that  bucket. 

2.  For  the  real  blocks  that  cannot  be  written  in  the  path, 
they  will  be  stored  in  A[LZ  +  1...LZ  -\-sts\ze\.  Hence,  if 
A[LZ  +  stsize  +  1]  contains  a  real  block,  this  indicates 
stash  overflow. 

Circuit  construction.  First  of  all,  we  add  three  extra 
fields  bucket,  offset  and  dummy  (used  only  in  this  improved 
eviction  algorithm)  to  each  entry  A[i],  bucket  takes  values 
from  {0, . . . ,  L  —  1}  U  {_L } .  For  a  dummy  block,  bucket  is  set 
to  _L.  For  a  real  block,  bucket  :=  LCA(label,  P),  where  label 
denotes  the  leaf  label  of  the  block.  In  other  words,  bucket 
is  the  lowest  level  (i.e.,  closest  to  leaf)  where  the  block  is 
allowed  to  reside  on  the  path  P.  Recall  that  we  assume 
bucket  =  0  refers  to  the  leaf  level  while  bucket  =  L  —  1  refers 
to  the  root  level,  offset  takes  values  from  {1, . . . ,  LZ }  U  {_L} . 
dummy  indicates  if  a  block  is  dummy. 


The  improved  eviction  algorithm  is  described  in  Figure  2. 
At  the  end  of  the  algorithm,  the  first  Z  blocks  of  A  can  go 
to  the  leaf,  path,  and  the  next  Z  blocks  should  go  to  leaf 
but  one  level,  and  so  forth. 

In  Appendix  B,  we  also  consider  how  to  construct  a  low- 
depth  circuit  for  our  new  eviction  algorithm. 

Examples.  The  most  sophisticated  part  of  the  algorithm  is 
Step  3  in  Figure  2,  i.e.,  computing  the  offset  of  blocks.  This 
part  of  the  algorithm  is  further  explained  in  Figure  4.  Below 
we  give  an  example  of  this  step.  Assume  that  Z  =  3.  Then, 
a  sequence  of  bucket  values  [0  0  0  0  1]  should  result  in  offset 
values  [1  2  3  4  5].  Additionally,  bucket  values  [01111] 
should  result  in  offset  values  [1  4  5  6  7]. 

An  example  of  the  full  eviction  circuit  is  given  in  Figure  3. 


1 

available  :=  1 

2 

for  i  from  1  to  LZ  +  stsize  do 

3 

if  available  >  Z  *  A[i\. bucket  +  1  then 

4 

A[i], offset  :=  available 

5 

available  :=  available  +  1 

6 

else 

7 

A[i], offset  :=  Z  *  A[i\. bucket  +  1 

8 

available  :=  A[i] .offset  +  1 

Figure  4:  Computing  offset  from  bucket. 


Theorem  1.  The  path  scoram  with  Eviction  described 
above  can  be  fully  implemented  (i.e.,  including  all  the  recur¬ 
sive  ORAMs  used  to  store  the  position  map)  in  Oflog3  N  + 
D  log2  N)  boolean  gates. 

Proof.  The  circuit  to  implement  the  data  level  ORAM 
requires  0(D  log  N  log  log  N)  gates  due  to  the  oblivious  sort¬ 
ing  operations  in  Figure  2.  For  recursion  levels,  we  use 
O(logA)  for  each  block,  and  with  O(loglV)  levels  of  recur¬ 
sion,  the  total  circuit  size  for  position  map  recursion  levels  is 
O  (log3  N  log  log  N).  Therefore,  the  total  circuit  size  across 
all  levels  is  0(log3  N  +  D  log  N).  □ 

Findings.  We  implement  our  path  SCORAM  and  compare 
its  empirical  performance  with  that  of  the  Binary  Tree  ORAM 
and  CLP  ORAM.  While  path  SCORAM  is  asymptotically  su¬ 
perior  to  both  Binary  Tree  ORAM  and  CLP  ORAM  in  terms  of 
circuit  size,  for  practical  ranges  of  N,  empirical  results  sug¬ 
gest  that  both  the  Binary  Tree  ORAM  and  CLP  ORAM  perform 
better.  Detailed  empirical  results  are  presented  in  Section  6. 
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stash 

Figure  3:  Running  0(D  log  N)  eviction  algorithm  over  a  toy  example.  Here  we  assume  L  =  2,  Z  =  3  and  stsize  =  3.  b  stands 
for  the  bucket  field  while  k  the  offset  field.  d=l  indicates  dummy  blocks,  where  the  contents  of  other  fields  are  not  applicable. 


Upon  closer  examination,  we  realize  that  path  SCORAM 
requires  3  oblivious  sorts  in  its  circuit  construction,  thus  in¬ 
curring  a  large  constant.  This  motivated  our  observation 
that  asymptotics  is  not  representative  of  practical  perfor¬ 
mance  for  the  poly  log  TV  range,  since  log  IV  is  so  small  (e.g., 
20  to  30)  for  real-life  ranges  of  N,  that  constants  matter  just 
as  much  as  logiV  factors. 

4.  SECOND  ATTEMPT:  A  NEW  SCORAM 

Because  asymptotic  evaluation  does  not  properly  char¬ 
acterize  practical  performance  for  our  problem,  we  devise  a 
new  SCORAM  scheme  optimized  for  empirical  performance. 
Our  key  idea  is  to  have  an  effective  eviction  algorithm  that 
can  be  implemented  in  small  circuit.  In  this  section,  we  focus 
on  presentation  of  the  algorithm,  leaving  optimal  parameter 
choices  to  the  next  section. 

4.1  Our  New  SCORAM  Scheme 

Our  new  compact  SCORAM,  which  we  call  scoram,  is  an¬ 
other  tree-based  ORAM.  Read  And  Remove  and  Add  operate 
in  the  same  way  as  the  tree-based  OR  AMs,  and  we  therefore 
focus  the  presentation  on  the  Eviction  algorithm. 

Overall,  Eviction  will  perform  flushO  (Algorithm  1)  a 
times.  In  our  implementation,  we  choose  a  —  4  which  we 
determine  to  be  the  optimal  choice  (see  §5  for  more  details). 
Below  we  explain  the  intuition. 

Greedy  push  pass  (lines  7  to  10)  We  opt  for  a  greedy 
push  pass  similar  to  that  of  the  CLP  ORAM,  but  avoid  their 
bucket  overflows  handling  strategy.  First,  a  random  path  is 
selected  for  eviction  with  every  data  access.  Next,  for  each 
bucket  from  root  to  the  leaf-1  level  on  the  selected  path: 
pick  a  block  that  can  be  evicted  deepest  along  this  path, 


and  push  it  to  the  child  bucket  if  there  is  room. 

In  the  CLP  ORAM,  a  bucket  overflow  occurs  when  more 
than  half  of  the  bucket  capacity  number  of  blocks  can  be 
evicted  to  one  of  its  children.  Overflow  events  are  indicative 
of  getting  too  crowded  in  some  parts  of  the  tree.  Chung  et 
al.  handles  this  event  by  choosing  a  block  to  remove  from 
the  bucket,  remapping  its  label,  and  putting  it  back  into  the 
stash.  This  is  an  expensive  operation,  since  (1)  removing 
(adding)  blocks  from  a  bucket  (to  the  stash)  requires  a  linear 
scan;  (2)  it  needs  to  be  done  for  every  bucket  on  the  eviction 
paths  because  we  cannot  reveal  where  the  actual  overflows 
happen;  (3)  updating  the  (recursively  stored)  position  map 
is  also  very  expensive.  Our  implementation  suggests  that  for 
a  RAM  storing  1  million  32-bit  entries,  more  than  85%  of 
the  computational  cost  are  due  to  obliviously  handling  over¬ 
flows.  Although  some  of  the  above  overflow  handling  logic 
can  be  implemented  asymptotically  better  using  oblivious 
sorting,  this  actually  worsens  the  empirical  overhead  due  to 
the  large  constant  factor  associated  with  oblivious  sorting. 

Therefore,  our  new  SCORAM  avoids  checking  and  han¬ 
dling  overflows.  A  block  will  only  be  evicted  if  the  child 
bucket  is  not  full.  Unfortunately,  such  a  “greedy  push  pass” 
alone  would  make  the  eviction  less  effective,  as  it  is  more 
likely  for  a  bucket  to  be  full  and  the  stash  could  grow  un¬ 
duly  large.  This  motivates  our  idea  of  compensating  with  a 
“reverse  dropping  pass”. 

Reverse  dropping  pass  (lines  3  to  6).  Pick  a  block 
that  can  be  pushed  deepest  along  the  path,  then  put  it  into 
a  bucket  as  deep  in  the  path  as  possible.  This  can  be  im¬ 
plemented  by  scanning  the  eviction  path  in  reverse  order 
from  leaf  to  root  and  placing  the  block  into  the  first  non-full 
bucket  that  satisfies  the  block’s  path-invariant. 
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Algorithm  1  flushO 

1:  path  :=  UniformRandom(0, A  —  1) 

2:  bucket[0, L  —  1]  :=  array  of  buckets  from  leaf  to  root 
3:  B i  :=  the  block  in  the  stash  with  smallest  LCA(path,  B. label). 

4:  for  i  from  0  to  L  —  1  do  (from  leaf  to  root) 

5:  if  bucket[i]  is  not  full  and  LCA(path,  B. label)  <  i  and  B i  has  not  been  added  already  then 

6:  Add  Bi  to  bucket [*]. 

7:  for  i  from  L  —  1  to  1  do  (from  root  to  leaf) 

8:  B2  :=  the  block  in  bucket[*]  with  smallest  LCA(path,  £>2-label). 

9:  if  bucket[i  —  1]  is  not  full  and  LCA(path,  _B2-label)  <  i  then 

10:  Move  £>2  from  bucket [i]  to  bucket (i  —  1]. 


Figure  5:  scoram:  stash  size  grows  linear  with  secu¬ 
rity  parameter.  Bucket  size  Z  =  6,  number  of  flushes 
a  =  4. 


Security.  Security  of  the  scheme  follows  as  per  all  other 
tree-based  ORAMs;  the  server’s  view  observes  accesses  along 
random  paths. 

5.  OPTIMIZATIONS 

Our  optimizations  largely  fall  into  two  categories:  (1)  de¬ 
termining  the  best  parameters  for  a  particular  SCORAM 
configuration  (Section  5.1);  (2)  improving  the  circuit  design 
for  frequently  used  logic  components  (Section  5.2). 

In  general,  ORAM  schemes  have  several  decisive  parame¬ 
ters  including  bucket  size,  stash  size  (if  it  uses  a  stash)  and 
recursion  factor.  Depending  on  the  specific  eviction  algo¬ 
rithms  employed,  there  are  additional  parameters  describing 
the  eviction  process.  For  example,  in  our  new  SCORAM, 
we  use  q  to  denote  the  number  times  to  call  flush.  These 
parameters  are  subtly  inter-related.  For  instance,  a  larger 
bucket  size  allows  for  smaller  a  and  smaller  stash  at  the 
same  security  parameter. 

5.1  Parameter  Optimization 

We  now  systematically  explore  this  parameter  space  to 
determine  heuristically  good  choices  for  our  new  SCORAM 
scheme. 

Methodology.  Some  of  our  optimizations  rely  on  simula¬ 
tions  to  count,  for  any  particular  ORAM  setup,  the  number 
of  ORAM  failures  (for  estimating  the  security  guarantee) 
and  the  total  number  of  encryptions  per  memory  access. 
We  use  simulations  because  all  of  the  proofs  that  upper- 


bound  the  failure  probabilities  are  too  conservative  in  their 
approximations. 

For  each  ORAM,  we  first  run  16  million  ORAM  accesses 
to  warm  up  the  ORAM,  such  that  it  enters  a  steady  state, 
we  then  start  collecting  numbers  to  determine  the  security 
parameters  associated  with  this  setup  (including  e.g.,  vari¬ 
ous  bucket  and  stash  sizes).  Since  the  time  average  is  equal 
to  emsemble  average  for  regenerative  processes  [?],  we  sim¬ 
ulate  each  ORAM  setup  for  a  single  long  run  of  1  billion 
accesses  to  estimate  the  security  parameter  (instead  of  mul¬ 
tiple  runs).  This  allows  us  to  estimate  ORAM  parameters 
that  achieve  up  to  2-80  security.  A  similar  approach  was 
suggested  by  Stefanov  et  al.  [?]. 

Number  of  flushes  and  bucket  size.  We  have  run  sim- 
iluations  of  our  new  ORAM  that  indicate  a  good  choice  of 
a  is  4. 

After  a  is  fixed,  we  consider  two  strategies  to  configure 
bucket  size:  1)  a  uniform  bucket  size  everywhere;  and  2) 
varying  bucket  sizes  across  levels.  For  the  former,  we  em¬ 
pirically  determine  an  optimal  bucket  size  of  6.  However, 
we  observe  that  buckets  at  the  middle  and  lower  part  of  the 
path  tend  to  be  more  congested.  This  motivates  us  to  re¬ 
distribute  the  bucket  size  across  levels.  For  example,  for  a 
binary  tree  of  21  levels,  we  find  that  increasing  the  bucket 
size  by  1  for  the  first  10  buckets  from  root  and  decreasing 
the  bucket  size  by  1  for  the  last  10  bucket  at  leaf  is  a  bet¬ 
ter  distribution  than  evenly  distributing  buckets.  Assuming 
80-bit  security,  varying  the  bucket  size  in  this  way  allows  us 
to  reduce  the  stash  size  from  66  to  50,  resulting  in  a  circuit 
of  size  of  4,094,832  gates  versus  4,562,988  for  the  version  of 
SCORAM  reported  in  Table  1,  i.e. ,  roughly  a  10%  reduction. 

Stash  size.  We  plot  the  stash  size  versus  security  param¬ 
eters  with  different  log  A  in  Figure  5.  Each  point  (x,  y)  on 
the  curve  should  be  read  as  “with  a  stash  size  of  more  than 
y,  ORAM  failures  were  observed  2~x  fraction  of  the  time”, 
the  stash  size  grows  linearly  with  security  parameters,  sug¬ 
gesting  the  failure  probability  decreases  exponentially  with 
the  stash  size.  Note  that  unlike  the  path  SCORAM,  the  stash 
size  is  super-linear  in  log  A. 

Recursion  factor.  Here  we  study  the  choices  needed  to  re¬ 
cursively  implement  the  position-map  in  all  tree-based  SCO¬ 
RAM  designs.  We  formulate  the  choice  as  an  optimization 
problem  as  follows. 

As  before,  let  A  denote  the  number  of  blocks  (and  thus 
the  size  of  the  position  map),  D  denote  the  number  of  bit  per 
blocks,  and  for  our  given  scheme,  let  /(A,  D)  =  0(D  log6  A)cu(l) 
denote  the  the  circuit  size  for  one  ORAM  access  excluding 
the  cost  of  the  position  map  lookup.  Let  LS(N,D)  denote 
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X 

£ 

Total  #  gates 

N  =  220  N  =  229 

2 

9 

6,657,629 

20,363,468 

4 

5 

4,562,988 

13,619,451 

8 

3 

4,657,921 

13,382,510 

16 

2 

5,518,948 

15,657,910 

32 

1 

6,933,117 

21,455,341 

64 

1 

11,120,697 

34,165,313 

Table  2:  How  to  pick  \  and  the  recursion  level  This  ta¬ 
ble  shows  how  we  concretely  optimize  recursion  parameters 
needed  to  implement  the  position  maps  in  the  SCORAM.  \ 
describes  how  many  addresses  are  packed  into  each  block, 
and  £  describes  the  number  of  recursive  steps  before  we  use 
the  linear-scan  ORAM  as  the  base  case. 


the  circuit  size  of  the  linear  scan  ORAM. 

In  our  top-level  ORAM,  we  have  Do  =  32.  When  imple¬ 
menting  the  position  map  recursively  with  another  ORAM, 
we  must  select  the  number  of  labels,  x,  to  pack  into  a  block 
and  the  number  of  times,  £,  to  recurse  before  finally  us¬ 
ing  the  linear  scan  ORAM  as  the  base  case.  Note,  the 

ORAM  for  the  jth  recursive  level  has  Ar,  =  A-  blocks  of 

x' 

size  Di  —  x  log  Ni-i-  Thus,  the  total  cost  of  the  SCORAM 
with  recursion  is 

e 

Y  f{Ni,  Di)  +  LS(Ne+1,De+1) 

i= 0 

For  example,  when  N  =  220,  x  =  8  and  £  =  3,  we  have 
total  cost:  /( 220,  32)+/(217, 160)+/(214, 136)+/(2n,  112)+ 
LS( 2S,88).  Since  we  can  empirically  determine  /  for  any 
parameter  setting,  we  can  thus  minimize  the  total  cost.  In 
our  case,  we  limit  x  t°  a  power  of  2  and  use  the  same  x 
at  each  recursive  level.  See  Table  2  for  the  results  of  this 
optimization.  When  N  =  220,  we  use  x  =  4  and  £  =  5,  and 
when  N  =  229,  we  use  x  =  8  and  £  =  3. 

5.2  Backend-Independent  Optimizations 

Reducing  gates.  A  highly  frequently  used  logic  is  to  de¬ 
termine  if  a  block  is  dummy.  We  add  a  single  bit  field  is- 
Dummy  to  each  block  indicating  wether  the  block  is  dummy. 
This  simple  trick  reduces  the  circuit  size  from  log N  AND 
gates  to  1  AND  gate.  In  addition,  an  important  side  benefit 
is  that  it  enables  efficient  oblivious  removal  of  a  block  from 
the  bucket.  We  only  need  to  set  the  isDummy  field  instead 
of  resetting  all  bits  of  a  block. 

5.3  Backend-Dependent  Optimizations 

Fewer  non- free  gates  Some  secure  computation  protocols 
such  as  the  garbled  circuit  and  the  GMW  protocol  support 
almost-free  XOR  gates.  We  make  several  circuit  level  opti¬ 
mizations  especially  exploiting  this  opportunity. 

A  common  operation  in  some  Eviction  algorithms  (e.g., 
CLP  SCORAM,  SCORAM)  is,  given  a  bucket  B  of  Z  blocks 
b i,  . . . ,  bz },  to  find  the  block  b*  that  can  be  pushed  deep¬ 
est  along  the  path  P  without  violating  the  path  invariant. 
Intuitively,  we  can  first  calculate  LCA(&i. label,  P)  for  every 
i\  then  compute  b*  whose  label  is  maxi<,<z(6i).  Since  each 
label  has  log  N  bits,  counting  the  number  of  leading  zeros  for 
every  block  requires  £+£ log£  AND  gates  and  computing  the 


maximum  for  all  Z  blocks  requires  (Z  —  1)  logf  AND  gates. 
Therefore,  it  uses  a  total  of  Z(£+£\og£)  +  {Z  —  1)  logf  gates. 

In  our  implementation,  we  use  a  circuit  of  size  (2 Z  —  1  )L 
to  compute  exactly  this  function.  The  idea  is  to  (1)  use  a 
linear  scan  to  reset  every  bit  of  the  label  except  the  leading 
T’  bit  (which  costs  a  total  of  Z£  gates  per  bucket);  (2)  then 
use  Z  —  1  comparison  circuit  to  find  the  minimal  label,  which 
belongs  to  the  bucket  to  be  flushed. 

6.  PERFORMANCE  EVALUATION 

6.1  Methodology  and  Metric 

Our  evaluation  focuses  on  the  following  types  of  metrics: 

1.  Cryptographic  backend  independent  metrics,  such  as 
gate  count.  This  characterizes  the  performance  of  a 
SCORAM  in  general,  relatively  independent  of  the 
cryptographic  backends. 

2.  Cryptographic  backend  dependent  metrics,  such  as  the 
number  of  encryptions,  number  of  non-free  gates,  and 
bandwidth.  These  metrics  characterize  the  performance 
of  an  ORAM  scheme  with  a  semi-honest  Garbled  Cir¬ 
cuit  backend  in  a  manner  that  is  independent  of  the 
specific  hardware  configuration  or  implementation  ar¬ 
tifacts. 

3.  Implementation  and  machine  dependent  metrics,  such 
as  runtime  and  breakdown  of  runtime.  We  will  de¬ 
scribe  our  specific  hardware  configuration  and  the  spe¬ 
cific  Garbled  Circuit  implementation  as  the  context  of 
our  results.  We  also  discuss  the  interpretation  of  these 
results  and  project  the  performance  had  the  experi¬ 
ments  been  run  on  a  different  hardware  configuration 
or  with  a  more  optimized  Garbled  Circuit  implemen¬ 
tation. 

For  all  ORAMs  plotted,  each  payload  data  is  chosen  to 
be  32  bits.  We  set  both  the  computational  and  statistical 
security  parameters  to  be  80  bits. 

6.2  Comparing  ORAMs  for  secure  computa¬ 
tion 

We  reevaluate  the  state-of-the-art  ORAM  schemes  over 
secure  computation,  and  compare  their  performance  with 
our  new  SCORAM  SCORAM.  The  metrics  we  considered 
include  total  gate  count  (Figure  6a),  non-free  gate  count 
(Figure  6b),  number  of  AES  encryptions  (Figure  6c),  and 
input  size  of  circuit  (Figure  6d). 

Table  3  summarizes  the  margin  by  which  our  SCORAM 
outperforms  existing  schemes.  In  particular,  we  show  that 
across  all  metrics,  we  achieve  7.6  x  to  9.8  x  performance  im¬ 
provements  comparing  to  the  respective  second  best  candi¬ 
dates. 

As  mentioned  earlier,  even  though  the  path  SCORAM  is 
asymptotically  better  than  Binary  Tree  ORAM,  for  practical 
ranges  of  N,  Binary  Tree  ORAM  outperforms  path  SCORAM 
due  to  lower  constants  in  the  asymptotic  bound.  This  is 
shown  in  Figure  6. 

The  most  popular  ORAM  scheme  used  previously  is  Bi¬ 
nary  Tree  oram.  Our  newest  scheme  is  7  times  smaller  and 
requires  27x  fewer  inputs.  Note  that  each  input  bit  involves 
an  oblivious  transfer,  which,  even  with  OT  extension,  incurs 
2  encryptions. 

For  the  sake  of  reproducibility,  we  report  all  parameter 
settings  that  we  used  to  run  our  experiments  in  Table  5  in 
the  Appendix. 
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log(Number  of  Blocks  in  ORAM) 

(a)  Total  gate  count. 


xlO8 


(c)  Number  of  encryptions. 


xlO7 


(b)  Number  of  AND  gates. 


log(Number  of  Blocks  in  ORAM) 


(d)  Number  of  Input  bits. 


Figure  6:  Comparison  of  various  ORAMs.  Payload  bitlengtli  =  32  bits,  security  parameter  =  80. 


6.3  Performance  Profiling  for  SCORAM 

We  further  investigate  the  performance  breakdown  of  SCO¬ 
RAM  scheme.  Specifically,  the  cost  can  be  broken  down  into 
I/O  overhead  and  computation  overhead.  I/O  overhead  can 
be  further  broken  down  into  transmission  time  (i.e,  total  # 
bytes  transferred/network  bandwidth),  and  synchronization 
overhead  (i.e.,  all  queuing  delays  in  the  JVM,  OS,  and  on 
the  network  stack). 

Our  machine/implementation-dependent  measurements  are 
taken  on  a  single  server  (Intel  Xeon  2.13G  Hz)  running  the 
circuit  generator  and  evaluator  as  two  independent  processes 
(communicating  through  Java  Socket).  The  memory  usage 
ranges  from  4-80  GB  for  both  processes  depending  on  the 
data  size. 

Interpreting  the  measurements.  First,  our  implemen¬ 
tation  does  not  currently  exploit  the  AES-NI  instructions  to 
speed-up  garbling.  We  expect  a  noticeable  speedup  for  the 
computation  time  when  hardware  AES  is  implemented. 

Second,  the  Garbled  Circuit  backend  we  used  is  a  Java- 
based  implementation.  Therefore,  our  timing  measurements 
are  subject  to  the  artifacts  of  the  Java-based  implemen¬ 
tation.  There  are  two  main  sources  of  artifacts,  memory 
garbage  collector  and  I/O  synchronization.  In  Figure  7,  we 
note  that  a  substantial  portion  of  the  time  is  due  to  I/O. 
Since  the  experiments  is  run  on  the  same  machine  where 
network  bandwidth  is  not  a  bottleneck,  we  infer  majority  of 
the  I/O  time  we  recorded  are  due  to  I/O  synchronization. 


Figure  8:  The  amount  of  data  transferred  per  access  for  SCO¬ 
RAM.  Payload  bitlength  is  32  bit,  80-bit  security  parameter. 


Note  that  for  the  circuit  generator,  we  observe  the  computa¬ 
tion  time  spent  on  OT  and  garbling  is  roughly  the  same.  On 
the  circuit  evaluator  side,  the  portion  of  I/O  cost  is  larger 
because  the  evaluator  indeed  has  less  computational  work 
to  do  (thanks  to  the  garbled  row  reduction  technique)  while 
being  stuck  more  often  waiting  for  the  generator. 

Network  transmission.  Figure  8  plots  the  bandwidth 
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Metric 

Second  best 

Performance 

N  =  220 

gain  of  scoram 

N  =  229 

Gate  count 

CLP  ORAM 

6.7  X 

9  AX 

Non-Free  Gates 

Binary  Tree  ORAM 

7.6X 

7.6X 

Number  of  Encryptions 

CLP  ORAM 

Binary  Tree  ORAM 

7.2X 

9.8X 

Table  3:  Performance  comparison  of  scoram  over  the  second  best  candidates.  (Data  payload:  32  bits.  Security 
parameter:  =  80).  Considering  the  number  of  encryptions,  the  second  best  is  the  CLP  ORAM  when  N  =  220,  and  the  Binary 
Tree  ORAM  when  N  =  229. 
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(a)  Breakdown  for  the  Garbled  Circuit  generator. 
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(b)  Breakdown  for  the  Garbled  Circuit  evaluator. 


Figure  7:  Cost  breakdown  of  SCORAM.  (Data  payload:  32-bit,  Security  parameter:  80-bit) 
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consumption  for  our  new  SCORAM  scheme,  under  differ¬ 
ent  security  parameters.  Note  that  the  bandwidth  overhead 
is  proportional  to  the  total  number  of  non-free  gates  in  our 
garbled  circuit  system.  The  non-free-gate  counts  (Figure  6b) 
correlates  with  growth  in  the  bandwidth. 

Comparison  with  other  ORAM  implementations  over 
secure  computation  We  are  aware  of  two  other  SCOR  AM 
implementations.  Gordon  et  al.  [?]  report  on  an  ORAM  with 
N  =  220  and  D  =  512.  The  paper  does  not  clearly  report 
the  bucket  size  they  use,  but  we  assume  the  bucket  size  is 
40  based  on  our  interpretation  of  their  paper.  Their  ORAM 
requires  11. 9M  gates  and  takes  approximately  50  seconds  for 
one  operation.  In  contrast,  our  best  implementation  for  their 
parameters  requires  3,743,213  total  gates,  and  our  imple¬ 
mentation  at  significantly  higher  security  parameters  runs 
in  under  30  seconds. 

The  second  ORAM  implementation  over  secure  compu¬ 
tation  is  by  Marcel  Keller  and  Peter  Scholl  [?].  Their  im¬ 
plementation  was  based  on  the  SPDZ  protocol,  running  in 
the  preprocessing  model  (assuming  sufficient  CPU/Memory 
resource  for  precomputation).  Their  flagship  scheme  was 
based  on  Path  ORAM,  with  heuristic  modifications  (so  the 
security  is  also  based  on  simulation).  They  reported  their 
protocol  can  securely  compute  an  ORAM  access  in  under 
250  ms  (not  counting  the  expensive  pre-computation)  over 
a  dataset  of  size  1  million  (with  20- bit  security).  However, 
besides  the  differences  in  the  crypto-backends,  hardware, 
programming  systems  and  execution  model,  many  other  im¬ 
portant  context  (e.g.,  data  payload  size,  gate  counts,  etc.) 
remain  to  be  clarified  for  a  fair  comparison.  Complemen¬ 
tary  to  their  work,  we  provide  implementations  for  5  quite 


different  ORAMs  and  it  is  possible  to  run  the  SPDZ  crypto 
backend  over  our  SCORAM  implementations. 

We  also  notice  that  Liu  et  al.  [?]  study  RAM-based  secure 
computation.  However,  their  experiments  were  based  on  an 
program  that  only  produces  simulated  performance  numbers 
rather  than  a  functional  SCORAM. 

Execution  of  the  Garbled  Circuit  in  the  Honest-but- 
Curious  model  We  also  executed  our  SCORAM  on  a  gar¬ 
bled  circuit  platform  and  measured  the  time  spent  on  the 
different  phases  of  the  secure  computation  protocol.  Fig¬ 
ure  7b  and  Figure  7a  shows  the  time  for  client  and  server 
respectively.  Here  we  split  the  work  by  task  into  Garbling 
and  Oblivious  Transfer,  which  are  further  divided  into  Com¬ 
putation  time  and  I/O  time.  As  the  plot  indicates,  if  we 
have  perfect  communication  channel,  the  overall  time  will 
be  dominated  by  computation  time,  which  corresponds  to 
the  white  part  of  the  bar.  For  N  =  220,  each  SCORAM  ac¬ 
cess  requires  roughly  30  seconds.  While  this  is  several  times 
faster  (at  higher  security  parameters)  than  the  best  previ¬ 
ous  results,  it  indicates  that  secure  computation  in  the  RAM 
still  incurs  several  orders  of  magnitude  slowdown  over  plain 
implementations,  and  thus  more  research  is  needed. 

7.  CONCLUSION 

As  the  key  enabling  primitive  of  RAM-based  secure  com¬ 
putation,  the  construction  of  efficient  SCORAM  remains  a 
challenge.  We  have  made  the  first  step  towards  building 
practical  SCORAMs  by  performing  a  thorough  study  of  the 
performance  of  5  state-of-art  SCORAM  constructions  based 
on  several  metrics  closely  related  to  common  instantiation 
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of  secure  computation  protocols.  We  look  forward  to  releas¬ 
ing  our  code  to  benefit  the  academic  research  in  the  related 

fields. 
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Variable 

Meaning 

N 

number  of  blocks  in  ORAM 

D 

payload  bit-length 

L 

number  of  levels  in  binary  tree 

Z 

capacity  of  each  bucket 

label 

leaf  label  of  a  block 

LCA(pi,p2) 

lowest  common  ancestor  of  paths  p\ 
and  P2 

APPENDIX 
A.  NOTATIONS 

Table  4:  Some  globally  used  notations. 


B.  A  LOGARITHMIC  DEPTH  CIRCUIT 

We  describe  how  to  construct  a  low-depth  circuit  for  path 
SCORAM.  The  main  steps  of  the  algorithm  are: 

1.  Setting  temporary  offset  fields.  As  described  be¬ 
fore,  we  first  sort  the  array  A  obliviously  according  to 
the  field  bucket.  For  each  entry  A[i],  if  it  is  a  dummy 
block,  set  its  Held  A[i], offset  :=  _L.  Otherwise,  for 
1  <  i  <  LZ,  set  A[i}. offset  :=  Z  ■  A[i], bucket  +  1;  recall 
that  our  final  goal  is  to  rearrange  blocks  such  that  the 
entry  A[i]  should  go  to  bucket  [VjlJ,  and  so  the  offset 
value  is  the  smallest  index  at  which  the  block  can  re¬ 
side  in  A.  For  LZ  +  1  <  *  <  LZ  +  stsize,  the  block 
A[i]  cannot  be  written  back  in  the  path  P,  and  we  set 
A[i] .offset  :=  st.  Setting  the  offset  fields  takes  circuit 
of  size  O(S)  and  depth  0(1).  For  sorting  the  key  val¬ 
ues,  we  use  the  natural  order  for  positive  integers  Z+, 
and  use  the  convention  Z+  <  st  <  _L.  Observe  that  for 
stsize  +  LZ  +  1  <  i  <  stsize  +  2 LZ,  A[i]  must  contain  a 
dummy  block. 

2.  Determining  final  offset  of  real  blocks.  The  blocks 
that  are  going  to  be  written  back  in  the  path  P  can 
come  from  only  A[1..LZ],  which  is  sorted  according  to 
the  field  offset,  that  currently  indicates  the  lowest  index 
at  which  the  block  can  reside  in  A.  The  purpose  of  this 
step  is  to  update  the  offset  field  to  the  final  position 
of  each  real  block  within  A  before  being  written  back 
to  the  path  P.  This  can  be  achieved  by  linear  scan  as 
described  in  Figure  4  in  Section  3.1.  However,  a  naive 
implementation  will  incur  a  circuit  depth  of  Q(LZ). 
We  shall  describe  a  more  careful  implementation  using 
divide  and  conquer  with  circuit  depth  of  0(log  LZ). 

A  naive  way  to  implement  linear  scan  will  incur  a  circuit 
depth  of  Q(LZ)  =  ©(log  N).  We  shall  describe  a  more  care¬ 
ful  implementation  such  that  the  circuit  depth  is  dominated 
by  that  for  oblivious  sorting.  Recall  the  input  of  the  prob¬ 
lem  is  an  array  A[  1 . . .  m]  that  is  sorted  according  to  the 
offset  field,  which  indicates  the  smallest  integer  that  can  be 
received  by  the  entry.  The  problem  is  equivalent  to  increas¬ 
ing  the  offset  field  of  each  entry  as  little  as  possible  such 
that  the  array  A  is  still  sorted  according  to  offset  and  no 
two  entries  have  the  same  offset  value. 

The  high  level  idea  is  to  use  divide  and  conquer.  The 
standard  procedure  is  to  first  solve  the  problem  recursively 
on  Afl.-j]  and  A[j  +  l..m],  where  j  =  [?rj.  Observe  that  the 
offset  fields  of  entries  in  A[l..j]  do  not  have  to  be  changed, 
and  in  order  to  achieve  0(1)  circuit  depth,  we  need  to  update 
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the  entries  A[j  +  1  ..m]  in  parallel. 

Observe  that  at  this  point,  the  next  available  integer  for 
A[j  +  1]  is  p  :=  A\j\. offset  +  1.  Hence,  r  :=  max{p  —  A[j  + 
1]  .offset,  0}  is  the  amount  that  we  need  to  increase  A[j  + 
1]  .offset.  The  issue  is  whether  we  are  able  to  deduce  the 
increment  readily  for  entries  A[i],  for  all  j  +  1  <  i  <  m. 

For  such  an  i,  observe  that  n  :=  {A[i\. offset  —  A[j  + 
1]  .offset)  —  (i  —  j  —  1)  is  the  number  of  integers  in  [A[j  + 
1]. offset. ,A[i\. offset]  that  have  not  been  assigned  to  any  en¬ 
try.  Hence,  the  amount  we  need  to  increase  A[i\. offset  is 
max{r  —  ri,0}.  Hence,  this  step  can  be  done  in  parallel  for 
all  j  +  1  <  i  <  m.  The  whole  procedure  is  achieved  by 
calling  UpdateOffset(A[l..m]),  whose  pseudocode  is  given  in 
Algorithm  2.  A  standard  analysis  shows  that  this  leads  to  a 
circuit  of  size  0(m  log  m)  and  depth  O(logm). 


Algorithm  2  UpdateOffset(A[a..6])  using  divide  and  con¬ 
quer 

1:  if  a=b  then  return; 

.r- 

3:  UpdateOffset(A[a..ji]); 

4:  UpdateOffset(A[j  +  1..6]); 

5:  r  :=  max{  A  [j],  offset  +  1  —  A[j  +  1]. offset,  0}; 

6:  s  :=  A[j  +  1], offset; 

7:  for  i  from  j  +  1  to  b  in  parallel  do 
8:  A[i\ .offset  :=  A[i].offset+ 

max{r  —  (A[i\.  offset  —  s)  +  (i  —  j  —  1),  0}; 

9:  return; 


C.  A  DESCRIPTION  OF  ALL  EXPERIMENTS 

In  this  section,  we  describe  every  ORAM  experiment  that 
we  report  in  this  paper  in  order  to  facilitate  reproducible 
experiments.  The  details  is  summarized  in  Figure  5 


ORAM  design 

N 

Other  Parameters 

Gates 

Inputs 

z 

Stash,  Evict,  i 

(M) 

(M) 

Binary  Tree  ORAM 

220 

120 

N/A,2,  4 

38.5 

7.0 

229 

120 

N/A,2,  8 

127.7 

24.2 

CLP  ORAM 

220 

4 

120,2,  4 

29.4 

0.7 

229 

4 

144,2,  8 

121.8 

2.1 

naive  PATH  ORAM 

220 

4 

89,1,  4 

87.3 

0.1 

229 

4 

89,1,  8 

278.1 

0.3 

PATH  SCORAM 

220 

4 

89,1,  4 

37.2 

0.1 

229 

4 

89,1,  8 

111.7 

0.3 

SCORAM 

220 

6 

88,4,  4 

4.4 

0.3 

229 

6 

141,4,8 

13.0 

0.9 

Table  5:  A  listing  of  all  parameters  used  in  our  ex¬ 
periments.  The  parameters  are  set  to  achieve  statistical 
security  of  2~80.  Gates  and  Inputs  are  obtained  with  pay- 
load  bitlength  =  32bits;  Cutoff  Threashold  is  set  at  210 
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ABSTRACT 

Cryptographic  design  tasks  are  primarily  performed  by  hand 
today.  Shifting  more  of  this  burden  to  computers  could  make 
the  design  process  faster,  more  accurate  and  less  expensive. 
In  this  work,  we  investigate  tools  for  programmatically  alter¬ 
ing  existing  cryptographic  constructions  to  reflect  particular 
design  goals.  Our  techniques  enhance  both  security  and  ef¬ 
ficiency  with  the  assistance  of  advanced  tools  including  Sat¬ 
isfiability  Modulo  Theories  (SMT)  solvers. 

Specifically,  we  propose  two  complementary  tools,  Au- 
toGroup  and  AutoStrong.  AutoGroup  converts  a  pairing- 
based  encryption  or  signature  scheme  written  in  (simple) 
symmetric  group  notation  into  a  specific  instantiation  in  the 
more  efficient,  asymmetric  setting.  Some  existing  symmet¬ 
ric  schemes  have  hundreds  of  possible  asymmetric  transla¬ 
tions,  and  this  tool  allows  the  user  to  optimize  the  construc¬ 
tion  according  to  a  variety  of  metrics,  such  as  ciphertext 
size,  key  size  or  computation  time.  The  AutoStrong  tool 
focuses  on  the  security  of  digital  signature  schemes  by  auto¬ 
matically  converting  an  existentially  unforgeable  signature 
scheme  into  a  strongly  unforgeable  one.  The  main  technical 
challenge  here  is  to  automate  the  “partitioned”  check,  which 
allows  a  highly-efficient  transformation. 

These  tools  integrate  with  and  complement  the  Auto- 
Batch  tool  (ACM  CCS  2012),  but  also  push  forward  on  the 
complexity  of  the  automation  tasks  by  harnessing  the  power 
of  SMT  solvers.  Our  experiments  demonstrate  that  the  two 
design  tasks  studied  can  be  performed  automatically  in  a 
matter  of  seconds. 

1.  INTRODUCTION 

Cryptographic  design  is  challenging,  time  consuming  and 
mostly  performed  by  hand.  A  natural  question  to  ask  is: 
to  what  extent  can  computers  ease  this  burden?  Which 

‘This  work  was  partially  supported  by  DARPA  and  the  Air 
Force  Research  Laboratory  (AFRL)  under  contract  FA8750- 
11-2-0211.  This  document  is  a  pre-print  for  DARPA  and  not 
for  public  distribution. 


common  design  tasks  can  computers  execute  faster,  more 
accurately  or  less  expensively? 

In  particular,  this  work  investigates  tools  for  programmat¬ 
ically  altering  existing  cryptographic  constructions  in  order 
to  enhance  efficiency  or  security  design  goals.  For  instance, 
digital  signatures,  which  are  critical  for  authenticating  data 
in  a  variety  of  settings,  ranging  from  sensor  networks  to  soft¬ 
ware  updates,  come  in  many  possible  variations  based  on  ef¬ 
ficiency,  functionality  or  security.  Unfortunately,  it  is  often 
infeasible  or  tedious  for  humans  to  document  each  possible 
optimal  variation  for  each  application.  It  would  be  enor¬ 
mously  valuable  if  there  could  be  a  small  number  of  simple 
ways  to  present  a  scheme  -  as  simple  as  possible  to  avoid 
human-error  in  the  design  and/or  verification  process  -  and 
then  computers  could  securely  provide  any  variation  that 
may  be  required  by  practitioners. 

A  simple,  motivating  example  (which  we  explore  in  this 
work)  is  the  design  of  pairing-based  signature  schemes,  which 
are  often  presented  in  a  simple  “symmetric”  group  setting 
that  aids  in  exposition,  but  does  not  map  to  the  specific 
pairing-based  groups  that  maximize  efficiency.  Addressing 
this  disconnect  is  ripe  for  an  automated  tool. 

Summary  of  Our  Contributions  In  this  work,  we  ex¬ 
plore  two  novel  types  of  design  problems  for  pairing-based 
cryptographic  schemes.  The  first  tool  (AutoGroup)  deals 
with  efficiency,  while  the  second  (AutoStrong)  deals  with 
security.  We  illustrate  how  they  interact  in  Figure  1.  The 
tools  take  a  Scheme  Description  Language  (SDL)  represen¬ 
tation  of  a  scheme  (and  optionally  some  user  optimization 
constraints)  and  output  an  SDL  representation  of  the  altered 
scheme.  This  SDL  output  can  be  run  through  another  tool 
or  a  Code  Generator  to  produce  C++  or  Python  software. 

A  contribution  of  this  work  is  that  we  integrated  our  tools 
with  the  publicly-available  source  code  for  AutoBatch  [3, 
2]  (ACM  CCS  2012),  a  tool  that  automatically  identifies  a 
batch  verification  algorithm  for  a  given  signature  scheme, 
therein  weaving  together  a  larger  automation  system.  For 
instance,  a  practitioner  could  take  any  symmetric-pairing 
signature  scheme  from  the  literature,  use  AutoGroup  to  re¬ 
duce  its  bandwidth  in  the  asymmetric  setting,  use  Auto- 
Batch  to  reduce  its  verification  time,  and  then  automatically 
obtain  a  C++  implementation  of  the  optimized  construc¬ 
tion.  Our  work  appears  unique  in  that  we  apply  advanced 
tools,  such  as  SMT  solvers  and  Mathematica,  to  perform 
complex  design  tasks  related  to  pairing-based  schemes. 

Automated  Task  1:  Optimize  Efficiency  of  an  En¬ 
cryption  or  Signature  Scheme  via  User  Constraints. 
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Figure  1:  A  high-level  presentation  of  the  new  automated  tools,  AutoGroup  and  AutoStrong.  They  take  as 
input  a  Scheme  Description  Language  (SDL)  representation  of  a  cryptographic  scheme  and  output  an  SDL 
representation  of  a  transformation  of  the  scheme,  which  can  possibly  be  further  transformed  by  another  tool. 
These  tools  are  compatible  with  the  existing  AutoBatch  tool  and  Code  Generator  (shaded).  An  SDL  input 
to  the  Code  Generator  produces  a  software  implementation  of  the  scheme  in  either  C-| — (-  or  Python. 


Pairings  are  often  studied  because  they  can  realize  new  func¬ 
tionalities,  e.g.,  [18,  16],  or  offer  low-bandwidth  solutions, 
e.g.,  [20,  16].  Pairing  (a.k.a.,  bilinear)  groups  consist  of 
three  groups  Gi,G2,Gt  with  an  efficient  bilinear  map  e  : 
Gi  x  G2  — t  G t-  Many  protocols  are  presented  in  a  symmet¬ 
ric  setting  where  Gi  =  G2  (or  equivalently,  there  exists  an 
efficient  isomorphism  from  Gi  to  G2  or  vice  versa). 

While  symmetric  groups  simplify  the  description  of  new 
cryptographic  schemes,  the  corresponding  groups  are  rarely 
the  most  efficient  setting  for  implementation  [31].  The  state 
of  the  art  is  to  use  asymmetric  groups  where  Gi  7^  G2  and 
no  efficient  isomorphism  exists  between  the  two.  See  for 
instance  the  work  of  Ramanna,  Chatterjee  and  Sarkar  [50] 
(PKC  2012)  which  translates  the  dual  system  encryption 
scheme  of  Waters  [57]  from  the  symmetric  to  a  handful  of 
asymmetric  settings. 

Such  conversions  currently  require  manual  analysis  (of  all 
steps)  -  made  difficult  by  the  fact  that  certain  operations 
such  as  group  hash  functions  only  operate  in  a  single  group. 
Moreover,  in  some  cases,  there  are  hundreds  of  possible  sym¬ 
metric  to  asymmetric  translations,  making  it  tedious  to  iden¬ 
tify  the  optimal  translation  for  a  particular  application. 

We  propose  a  tool  called  AutoGroup  that  automatically 
provides  a  “basic”  translation  from  symmetric  to  asymmetric 
groups.1  It  employs  an  SMT  solver  to  identify  valid  group 
assignments  for  all  group  elements  and  also  accepts  user  con¬ 
straints  to  optimize  the  efficiency  of  the  scheme  according 
to  a  variety  of  metrics,  including  signature/ciphertext  size, 
signing/encryption  time,  and  public  parameter  size.  The 
tool  is  able  to  enumerate  the  full  set  of  possible  solutions 
(which  may  run  to  the  hundreds),  and  can  rapidly  identify 
the  most  efficient  solution. 

Automated  Task  2:  Strengthen  the  Security  of  a 
Digital  Signature  Scheme.  Most  signature  schemes  are 
presented  under  the  classic,  existential  unforgeability  defini¬ 
tion  [34],  wherein  an  adversary  cannot  produce  a  signature 
on  a  “new”  message.  However,  strong  unforgeability  guar¬ 
antees  more  -  that  the  adversary  cannot  produce  a  “new” 

JBy  ’’basic”,  we  mean  that  it  translates  the  scheme  as  writ¬ 
ten  into  the  asymmetric  setting,  with  minor  optimizations 
performed,  but  does  not  attempt  a  re-imagining  of  the  con¬ 
struction  based  on  a  stronger  asymmetric  complexity  as¬ 
sumption.  While  the  latter  is  sometimes  possible,  e.g.,  [50], 
it  may  not  be  required  in  some  applications  and  the  novel  se¬ 
curity  analysis  required  places  it  beyond  the  current  ability 
of  our  automation  tools.  See  Section  3.3  for  more. 


signature  even  on  a  previously  signed  message.  Strongly- 
unforgeable  signatures  are  often  used  as  a  building  block  in 
signcryption  [6],  chosen-ciphertext  secure  encryption  [27,  24] 
and  group  signatures  [7,  17]. 

There  are  a  number  of  general  transformations  from  clas¬ 
sic  to  strong  security  [54,  36,  53,  14,  55,  15],  but  also  a 
highly-efficient  transformation  due  to  Boneh,  Shen  and  Wa¬ 
ters  [21]  that  only  applies  to  “partitioned”  schemes.  We  pro¬ 
pose  a  tool  called  AutoStrong  that  automatically  decides 
whether  a  scheme  is  “partitioned”  and  then  applies  BSW 
if  it  is  and  a  general  transformation  otherwise.  The  parti¬ 
tioned  test  is  non-trivial,  and  our  tool  harnesses  the  power  of 
both  an  SMT  solver  and  Mathematica  to  make  this  determi¬ 
nation.  We  are  careful  to  err  only  on  false  negatives  (which 
impact  efficiency),  but  not  false  positives  (which  could  com¬ 
promise  security.)  Earlier  works  [14,  15]  claimed  that  there 
were  “very  few”  examples  of  partitioned  schemes;  however, 
our  tool  proved  this  was  not  the  case  by  identifying  valid 
partitions  for  most  schemes  we  tested. 

1.1  Related  Work 

Many  exciting  works  have  studied  how  to  automate  var¬ 
ious  cryptographic  tasks.  Automation  has  been  introduced 
into  the  design  process  for  various  security  protocols  [39,  52, 
49,  40,  37],  optimizations  to  software  implementations  in¬ 
volving  elliptic-curves  [10]  and  bilinear-map  functions  [48], 
the  batch  verification  of  digital  signature  schemes  [3],  se¬ 
cure  two-party  computation  [41,  42,  351,  and  zero-knowledge 
proofs  [22,  8,  9,  5,  43]. 

Our  current  work  is  most  closely  related  to  the  AutoBatch 
tool  [3].  We  borrow  our  tool-naming  system  from  their  pa¬ 
per  and  designed  our  tools  so  that  they  can  integrate  with 
the  publicly-available  source  code  of  AutoBatch  [2]  to  form  a 
larger,  more  comprehensive  solution.  This  work  is  different 
from  AutoBatch  in  that  it  attacks  new,  more  complicated 
design  tasks  and  integrates  external  SMT  solvers  and  Math¬ 
ematica  to  find  its  solutions. 

Prior  work  on  automating  the  writing  and  verification  of 
cryptographic  proofs,  such  as  the  EasyCrypt  work  of  Barthe 
et  al.  [13],  are  complimentary  to  but  distinct  from  our  effort. 
Their  goal  was  automating  the  construction  and  verification 
of  (game-based)  cryptographic  proofs.  Our  goal  is  automat¬ 
ing  the  construction  of  cryptographic  schemes.  A  system 
that  combines  both  to  automate  the  design  of  a  scheme  and 
then  automate  its  security  analysis  would  be  optimal. 

2.  TOOLS  USED 
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Our  automations  make  use  of  three  external  tools.  First, 
Z3  [25,  46]  is  a  freely-available,  state-of-the-art  and  highly 
efficient  Satisfiability  Modulo  Theories  (SMT)  solver  pro¬ 
duced  by  Microsoft  Research.  SMT  is  a  generalization  of 
boolean  satisfiability  (SAT)  solving,  which  determines  whether 
assignments  exist  for  boolean  variables  in  a  given  logical 
formula  that  evaluates  the  formula  to  true.  SMT  solvers 
builds  on  SAT  to  support  many  rich  first-order  theories  such 
as  equality  reasoning,  arithmetic,  and  arrays.  In  practice, 
SMT  solvers  have  been  used  to  solve  a  number  of  constraint- 
satisfaction  problems  and  are  receiving  increased  attention 
in  a  applications  such  as  software  verification,  program  anal¬ 
ysis,  and  testing.  Z3  in  particular  has  been  used  as  a  core 
building  block  in  API  design  tools  such  as  Spec^/Boogie  [11, 
26]  and  in  verifying  C  compilers  such  as  VCC. 

We  leverage  Z3  v4.3.1  to  perform  reasoning  over  state¬ 
ments  involving  arithmetic,  quantifiers,  and  uninterpreted 
functions.  We  use  Z3’s  theories  for  equality  reasoning  com¬ 
bined  with  the  decision  procedures  for  linear  arithmetic  ex¬ 
pressions  and  elimination  of  universal  quantifiers  ( e.g \/x) 
over  linear  arithmetic.  Z3  includes  support  for  uninterpreted 
(or  free)  functions  which  allow  any  interpretation  consistent 
with  the  constraints  over  free  functions  and  variables. 

Second,  we  utilize  the  development  platform  provided  by 
Wolfram  Research’s  Mathematica  [59]  (version  9),  which  al¬ 
lows  us  to  simplify  equations  for  several  of  our  analytical 
techniques.  We  leverage  Mathematica  in  our  automation  to 
validate  that  given  cryptographic  algorithms  have  certain 
mathematical  properties.  Finally,  we  utilize  some  of  the 
publicly-available  source  code  of  the  AutoBatch  tool  [2] ,  in¬ 
cluding  its  Scheme  Description  Language  (SDL)  parser  and 
its  Code  Generator,  which  translates  an  SDL  representation 
to  C++  or  Python. 

3.  AUTOGROUP 

In  this  section,  we  present  and  evaluate  a  tool,  called  Au- 
toGroup,  for  automatically  altering  a  cryptographic  scheme’s 
algebraic  setting  to  optimize  for  efficiency. 

3.1  Background  on  Pairing  Groups 

Let  Gi,G2,Gt  be  algebraic  groups  of  prime  order  p.2 
We  say  that  e  :  Gi  x  G2  — >  Gr  is  a  pairing  (a.k.a.,  bi¬ 
linear  map)  if  it  is:  efficiently-computable,  ( bilinear )  for  all 
g  £  Gi,  h  £  G2  and  a,  b  +-  Zp,  e(ga,hb)  =  e(g,h)ab-  and 
( non- degenerate )  if  g  generates  Gi  and  h  generates  G2,  then 
e(g,h)  ^  1.  This  is  called  the  asymmetric  setting.  A  spe¬ 
cialized  case  is  the  symmetric  setting,  where  Gi  =  G2.3 

In  practice,  all  candidate  constructions  for  pairing  groups 
are  constructed  such  that  Gi  and  G2  are  groups  of  points  on 
some  elliptic  curve  E,  and  Gt  is  a  subgroup  of  a  multiplica¬ 
tive  group  over  a  related  finite  field.  The  group  of  points 
on  E  defined  over  Fp  is  written  as  E(¥p).  Usually  Gi  is  a 
subgroup  of  E(¥p),  G2  is  a  subgroup  of  E(¥pk)  where  k  is 
the  embedding  degree,  and  Gt  is  a  subgroup  of  F*fc.  In  the 
symmetric  case  Gi  =  G2  is  usually  a  subgroup  of  E(FP). 

The  challenge  in  selecting  pairing  groups  is  to  identify 
parameters  such  that  the  size  of  Gt  provides  acceptable  se¬ 

2 Pairing  groups  may  also  have  composite  order,  but  we  will 
be  focusing  on  the  more  efficient  prime  order  setting  here. 

3An  alternative  instantiation  of  the  symmetric  setting  has 
Gi  ^  G2  but  admits  an  efficiently-computable  isomorphism 
between  the  groups. 


curity  against  the  MOV  attack  [44],  Hence  the  size  of  pk 
must  be  comparable  to  that  of  an  RSA  modulus  to  provide 
the  same  level  of  security  -  hence  elements  of  Fpk  must  be  of 
size  approximately  3,072  bits  to  provide  security  at  the  128- 
bit  symmetric  equivalent  level.  The  group  order  q  must  also 
be  large  enough  to  resist  the  Pollard-p  attack  on  discrete 
logarithms,  which  means  in  this  example  q  >  256. 

Two  common  candidates  for  implementing  pairing-based 
constructions  are  supersingular  curves  [30,  47]  in  which  the 
embedding  degree  k  is  <  6  and  typically  smaller  (an  example 
is  |p|  =  1536  for  the  128-bit  security  level  at  k  =  2),  or  ordi¬ 
nary  curves  such  as  MNT  or  Barreto-Naehrig  (BN)  [12].  In 
BN  curves  in  particular,  the  embedding  degree  k  =  12,  thus 
|p|  =  \q\  can  be  as  small  as  256  bits  at  the  128-bit  security 
level,  with  a  corresponding  speedup  in  field  operations. 

A  challenge  is  that  the  recommended  BN  subgroups  do 
not  possess  an  efficiently-computable  isomorphism  from  Gi 
to  G2  or  vice  versa,  which  necessitates  re-design  of  some 
symmetric  cryptographic  protocols.  A  related  issue  is  that 
BN  curves  permit  efficient  hashing  only  into  the  group  Gi. 
This  places  strict  restrictions  on  the  set  of  valid  group  as¬ 
signments  we  can  use. 

3.2  How  AutoGroup  Works 

AutoGroup  is  a  new  tool  for  automatically  translating 
a  pairing-based  encryption  or  signature  scheme  from  the 
symmetric-pairing  setting  to  the  asymmetric-pairing  setting. 
At  a  high-level,  AutoGroup  takes  as  input  a  representa¬ 
tion  of  a  cryptographic  protocol  (e.g.,  signature  or  encryp¬ 
tion  scheme)  written  in  a  Domain-Specific  Language  called 
Scheme  Description  Language  (SDL),  along  with  a  descrip¬ 
tion  of  the  optimizations  desired  by  the  user.  These  opti¬ 
mizations  may  describe  a  variety  of  factors,  e.g.,  requests  to 
minimize  computational  cost,  key  size,  or  ciphertext /signature 
size.  The  tool  outputs  a  new  SDL  of  the  scheme,  that  rep¬ 
resents  the  optimal  assignment  of  groups  for  the  given  con¬ 
straints.  The  assignment  of  groups  is  non-trivial,  as  many 
schemes  are  additionally  constrained  by  features  of  common 
asymmetric  bilinear  groups  settings,  most  notably,  restric¬ 
tions  on  which  groups  admit  efficient  hashing.  At  a  high 
level,  AutoGroup  works  by  reducing  this  constrained  group 
assignment  problem  to  a  boolean  satisfiability  problem,  ap¬ 
plying  an  SMT  solver,  and  processing  the  results.  We  next 
describe  the  steps  of  AutoGroup,  as  illustrated  in  Figure  2. 

1.  Extract  Generator  Representation.  The  first  stage 
of  the  AutoGroup  process  involves  parsing  SDL  to  identify 
all  base  generators  of  G  that  are  used  in  the  scheme.  For 
each  generator  g  £  G,  AutoGroup  creates  a  pair  of  gener¬ 
ators  g  1  £  Gi  and  <72  £  G2.  This  causes  an  increase  in 
the  parameter  size  of  the  scheme,  something  that  we  must 
address  in  later  steps. 

We  assume  the  Parser  knows  the  basic  structure  of  the 
scheme,  and  can  identify  the  algorithm  responsible  for  pa¬ 
rameter  generation.  This  allows  us  to  parse  the  algorithm 
to  observe  which  generators  that  are  created.  When  Auto¬ 
Group  detects  the  first  generator,  it  marks  this  as  the  “base” 
generator  of  G  and  splits  g  into  a  pair  g\  £  Gi  and  g2  £  G2. 
Every  subsequent  group  element  sampled  by  the  scheme  is 
defined  in  terms  of  the  base  generators.  For  example,  if  the 
setup  algorithm  next  calls  for  “choosing  a  random  generator 
h  in  G”,  then  AutoGroup  will  select  a  random  t'  £  Zp  and 
compute  new  elements  hi  =  g\  and  /12  =  gi  ■ 
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Figure  2:  A  high-level  presentation  of  the  tool  AutoGroup,  which  uses  external  tools  Z3  and  SDL  Parser. 


2.  Traceback  Inputs  to  the  Pairing  Function.  Re¬ 
call  that  the  pairing  function  e(A,  B )  takes  two  inputs.  We 
extract  all  the  pairings  required  in  the  scheme;  these  might 
come  from  the  setup  algorithm,  encryption/signing,  or  de¬ 
cryption/verification.  Prior  to  tracing  the  pairing  inputs, 
we  split  pairings  of  the  form  e(g,  A  -  B)  as  e(g,  A)  ■  e(g,  B )  to 
prepare  for  encoding  pairings  as  logical  formulas  in  the  SMT 
solver.  In  the  final  step  of  AutoGroup  we  recombine  the  pair¬ 
ings  to  preserve  efficiency.  We  reuse  techniques  introduced 
in  [28,  3]  to  split  and  combine  pairings  in  AutoGroup. 

After  splitting  applicable  pairings,  we  obtain  a  program 
slice  for  each  variable  input  to  determine  which  (symmetric) 
generators  were  involved  in  computing  it.  This  also  helps  us 
later  track  which  variables  are  affected  when  an  assignment 
for  a  given  variable  is  made  in  Gi  or  G2.  Consider  the 
example  A  =  X  ■  Y.  Clearly,  the  group  assignment  of  A 
affects  variables  X  and  Y,  and  capturing  the  slice  for  each 
pairing  input  variable  is  crucial  for  AutoGroup  to  perform 
correct  re-assignment  for  the  subset  of  affected  variables. 

3.  Convert  Pairings  to  Logical  Formulas.  Asymmet¬ 
ric  pairings  require  that  one  input  to  the  function  be  in  Gi, 
and  the  other  be  in  G2.  Conversion  from  a  symmetric  to 
an  asymmetric  pairing  can  be  reduced  to  a  constraint  sat¬ 
isfiability  problem;  we  model  the  asymmetric  pairing  as  an 
inequality  operator  over  binary  variables.  This  is  analogous 
because  an  inequality  constraint  enforces  that  the  binary 
variables  either  have  a  0  or  1  value,  but  not  both  for  the 
equation  to  be  satisfiable.  Therefore,  we  express  symmet¬ 
ric  pairings  as  a  logical  formula  of  inequality  operators  over 
binary  variables  separated  by  conjunctive  connectors  ( e.g 
A  7^  B  AC  7^  D).  We  then  employ  an  SMT  solver  to  find 
a  satisfiable  solution  and  apply  the  solver’s  solution  to  pro¬ 
duce  an  equivalent  scheme  in  the  asymmetric  setting. 

4.  Convert  Pairing  Limitations  into  Constraints. 

When  translating  from  the  symmetric  to  the  asymmetric 
pairing  setting,  we  encounter  several  limitations  that  must 
be  incorporated  into  our  model.  Chief  among  these  are  lim¬ 
itations  on  hashing:  in  some  asymmetric  groups,  hashing  to 
G2  is  not  possible.  In  other  groups,  there  is  no  such  iso¬ 
morphism,  but  it  is  possible  to  hash  into  Gi .  Depending  on 
the  groups  that  the  user  selects,  we  must  identify  an  asym¬ 
metric  solution  that  respects  these  constraints.  Fortunately 
these  constraints  can  easily  be  expressed  in  our  formulae,  by 
simply  assigning  the  output  of  hash  functions  to  a  specific 
group,  e.g.,  Gi. 

5.  Execute  SMT  Solver.  We  run  the  logical  formula 
plus  constraints  through  an  SMT  solver  to  identify  a  satis¬ 


fying  assignment  of  variables.  The  solver  checks  for  a  sat¬ 
isfiable  solution  and  produces  a  model  of  0  (or  Gi)  and  1 
(or  G2)  values  for  the  pairing  input  variables  that  satisfies 
the  specified  constraints.  We  can  go  one  step  further  and 
enumerate  all  the  unique  solutions  (or  models)  found  by  the 
solver  for  a  given  formula  and  constraints.  After  obtaining 
all  the  possible  models,  we  utilize  the  solver  to  evaluate  each 
model  and  determine  the  solutions  that  satisfies  the  user’s 
application-specific  requirements. 

6.  Satisfy  Application-specific  Requirements.  To 

facilitate  optimizations  in  the  asymmetric  setting  that  suit 
user  applications,  we  allow  users  to  additional  constraints 
requirements  on  the  chosen  solution.  There  are  two  possi¬ 
ble  ways  of  tuning  AutoGroup:  One  set  of  options  focus  on 
reducing  the  size  of  the  group  elements.  For  public  key  en¬ 
cryption,  the  user  can  choose  to  minimize  the  representation 
of  the  secret  keys,  ciphertext  or  both.  Similarly,  for  signa¬ 
tures  schemes,  the  user  can  specify  public  keys,  signatures 
or  both.  The  second  set  of  options  focus  on  reducing  algo¬ 
rithm  execution  times.  This  is  possible  due  to  the  fact  that 
for  many  candidate  asymmetric  groups,  group  operations  in 
Gi  are  dramatically  more  efficient  than  those  that  take  place 
in  G2.  Users  may  also  combine  various  operations,  in  order 
to  find  an  optimal  solution  based  on  a  combination  of  size 
and  operation  time. 

We  find  application-specific  solutions  by  minimizing  an 
objective  function  over  all  the  possible  models  obtained  from 
the  solver.  Our  objective  function  is  straightforward  and 
calculated  as  follows: 

n 

F(A,  C,  wi,w2)  =  ^((1  -  ai)  -wi  +a,i  ■  w2)  ■ 

i=  1 

where  A  =  a, ,  an  and  represents  the  pairing  input 
variables,  wi  and  w2  denote  weights  over  groups  Gi  and  G2, 
respectively,  C  =  c; , ... ,  c„  and  each  c;  corresponds  to  the 
cost  for  each  cq.  Each  input  variable  cn  can  have  a  value  of 
0  =  Gi  or  1  =  G2.  We  now  give  an  example  of  how  the  above 
options  are  converted  into  parameters  of  F  and  discuss  how 
the  SMT  solver  is  used  to  obtain  a  minimal  solution. 

For  each  parameter  that  we  intend  to  optimize,  we  de¬ 
fine  a  weight  function  that  evaluates  each  candidate  solution 
according  to  some  metric.  For  each  assigned  variable,  the 
weight  function  calculates  the  total  “cost”  of  the  construc¬ 
tion  as  a  function  of  some  cost  cable  for  the  specific  variable, 
as  well  as  an  overall  cost  for  an  assignment  of  Gi  and  G2. 
In  the  case  of  ciphertext  size  we  assign  the  cost  value  to  1 
for  each  group  element  that  appears  in  the  ciphertext,  and 
0  for  all  others.  For  encryption  time,  we  assign  a  cost  that 
corresponds  to  the  number  of  group  operations  applied  to 
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this  variable  during  the  encryption  operation.  The  overall 
cost  value  then  determines  the  cost  of  placing  a  value  in  one 
of  the  two  groups  -  for  size-related  calculations,  this  roughly 
corresponds  to  the  length  of  a  group  element’s  representa¬ 
tion,  and  for  operation  time  it  corresponds  to  the  cost  of  a 
single  group  operation.  By  assigning  these  costs  correctly, 
we  are  able  to  create  a  series  of  different  weight  functions 
that  represent  all  of  the  different  values  that  we  would  like 
to  minimize  (e.g.,  ciphertext  size,  parameter  size,  time). 

If  the  user  chooses  to  optimize  for  multiple  criteria  simul¬ 
taneously,  we  must  find  a  model  that  balances  between  all 
of  these  at  the  same  time.  This  is  not  always  possible.  For 
example,  some  schemes  admit  solutions  that  favor  a  min¬ 
imized  secret  key  size  or  ciphertext  size,  but  not  both.  In 
this  case,  we  allow  the  user  to  determine  which  constraint  to 
relax  and  thereby  select  the  next  best  solution  that  satisfies 
their  requirements. 

7.  Evaluate  and  Process  the  Solution.  Once  the 
application-specific  solution  is  obtained  from  the  solver,  the 
next  step  is  to  apply  the  solution  to  produce  an  asymmetric 
scheme.  As  indicated  earlier,  we  interpret  the  solution  for 
each  variable  as  0  =  Gi  and  1  =  G2.  To  apply  the  solution, 
we  first  pre-process  each  algorithm  in  SDL  to  determine  how 
the  pairing  inputs  are  affected  by  each  assignment.  Consider 
a  simplistic  example:  e(A,  B)  where  A  =  ga  and  B  =  hb. 
Let  us  assume  that  the  satisfying  solution  is  that  A  £  Gi  and 
B  £  G2.  Therefore,  we  would  rewrite  these  two  variables  as 
A  =  gi  and  B  =  h\  where  gi  £  Gi  and  A  2  €  G2.  The 
program  slice  recorded  for  each  pairing  input  in  step  (2) 
provides  the  necessary  information  to  correctly  rewrite  the 
scheme  in  the  asymmetric  setting. 

In  addition  to  rewriting  the  scheme,  AutoGroup  performs 
several  final  optimizations.  First,  it  removes  any  unused  pa¬ 
rameter  values  in  the  public  and  secret  keys.  For  signature 
schemes,  we  try  to  optimize  further  by  reducing  the  pub¬ 
lic  parameters  used  per  algorithm.  In  particular,  we  trace 
which  variables  in  the  public  key  are  actually  used  during 
signing  and  verification.  For  elements  that  appear  only  in 
the  signing  (resp.  decryption)  algorithms,  we  split  the  pub¬ 
lic  key  into  two:  one  is  kept  just  for  computing  signatures 
(resp.  decryption),  and  the  other  is  given  out  for  use  in 
encryption/verification.  Second,  AutoGroup  performs  an 
additional  efficiency  check  and  attempts  to  optimize  pair¬ 
ing  product  equations  to  use  as  few  pairings  as  possible. 
This  is  due  to  the  decoupling  of  pairings  in  earlier  phases 
of  translating  the  scheme  to  the  asymmetric  setting  or  per¬ 
haps,  just  a  loose  design  by  the  original  SDL  designer.  I11 
either  case,  we  apply  pairing  optimization  techniques  from 
previous  work  [3,  28]  to  provide  this  automatic  efficiency 
check.  Finally,  AutoGroup  outputs  a  new  SDL  of  the  mod¬ 
ified  scheme. 

We  do  not  offer  the  efficiency  check  of  AutoGroup  as  a 
standalone  tool  for  symmetric  groups  at  present,  because 
our  experience  inclines  us  to  believe  that  most  practitioners 
concerned  with  efficiency  will  want  to  work  in  asymmetric 
groups.  However,  our  results  herein  also  demonstrate  that 
a  simple  tool  of  this  sort  is  efficient  and  feasible. 

3.3  Security  Analysis  of  AutoGroup 

Whether  a  scheme  is  translated  by  hand  (as  is  done  to¬ 
day  [50])  or  automatically  (as  in  this  work),  a  completely 
separate  question  applying  to  both  is:  is  the  resulting  asym¬ 


metric  scheme  secure?  The  answer  is  not  immediately  clear. 
Unlike  the  signature  transformation  that  we  automate  in 
Section  4  that  already  has  an  established  security  proofs 
showing  that  the  transformations  preserve  security,  the  the¬ 
oretical  underpinnings  of  symmetric-to-asymmetric  transla¬ 
tions  are  less  explored.  Here  are  some  things  we  can  say. 

First,  the  original  proof  of  security  is  under  a  symmet¬ 
ric  pairing  assumption,  and  thus  can  no  longer  immediately 
apply  since  the  construction  and  assumption  are  changing 
their  algebraic  settings.  This  would  seem  to  require  the  iden¬ 
tification  of  a  new  complexity  assumption  together  with  a 
new  proof  of  security.  In  many  examples,  e.g.,  [20],  the  new 
assumption  and  proof  are  only  minor  deviations  from  the 
original  ones,  e.g.,  where  the  CDH  assumption  in  G  (given 
(g,ga,gb),  compute  gab)  is  converted  in  a  straight-forward 
manner  to  the  co-CDH  assumption  in  (Gi,  G2)  (given  (gi,  32, 
<72),  compute  g“).  However,  there  could  be  cases  where  a 
major  change  is  required  to  the  proof  of  security.  For  in¬ 
stance,  in  some  asymmetric  groups  it  is  not  possible  to  hash 
into  G2,  but  in  these  groups  there  exists  an  isomorphism 
from  G2  to  Gi.  In  other  groups  there  is  no  such  isomor¬ 
phism,  but  it  is  possible  to  hash  into  G2.  So  if  a  scheme 
requires  both  for  the  security  proof,  that  scheme  may  not 
be  realizable  in  the  asymmetric  setting  (see  [31]  for  more). 

In  best  practices  today,  a  human  first  devises  the  new 
construction  (based  on  their  desired  optimizations)  and  then 
the  human  works  to  identify  the  new  assumption  and  proof. 
Our  current  work  automates  the  first  step  in  this  process, 
and  hopefully  gives  the  human  more  time  to  spend  on  the 
second  step.  I11  this  sense,  our  automation  is  arguably  faster, 
and  no  less  secure  than  what  is  done  by  hand  today. 

However,  a  more  satisfactory  solution  requires  a  deeper 
theoretical  study  of  symmetric-to-asymmetric  pairing  trans¬ 
lations,  which  we  feel  is  an  important  open  problem,  but 
which  falls  outside  the  scope  of  the  current  work.  What  can 
one  prove  about  the  preservation  of  security  in  symmetric- 
to-asymmetric  translations?  Is  it  necessary  to  dig  into  the 
proof  of  security?  Or  could  one  prove  security  of  the  asym¬ 
metric  scheme  solely  on  the  assumption  of  security  of  the 
symmetric  one?  Will  this  work  the  same  for  encryption,  sig¬ 
natures  and  other  protocols?  Do  the  rules  by  which  trans¬ 
lations  are  done  (by  hand  or  AutoGroup)  need  to  change 
based  on  these  findings?  These  questions  remain  open. 

3.4  Experimental  Evaluation  of  AutoGroup 

To  determine  the  effectiveness  of  our  automation,  we  eval¬ 
uate  several  encryption  and  signature  schemes  on  a  variety  of 
optimization  combinations  supported  by  our  tool.  We  sum¬ 
marize  the  results  of  our  experiments  on  encryption  schemes 
in  Figure  3  and  signature  schemes  in  Figure  4. 

System  Configuration.  All  of  our  benchmarks  were  executed 
on  a  2  x  2.66GHz  6-core  Intel  Xeon  Mac  Pro  with  10GB 
RAM  running  Mac  OS  X  10.8.3  using  only  a  single  core  of 
the  Intel  processor.  Our  implementation  utilizes  the  MIR- 
ACL  library  (v5.5.4),  Charm  v0.43  [4]  in  C+- 1-  due  to  the  ef¬ 
ficiency  gains  over  Python  code,  and  Z3  SMT  solver  (v4.3.1). 
We  based  our  implementations  on  the  MIRACL  library  to 
fully  compare  each  scheme’s  performance  using  symmetric 
and  asymmetric  curves  at  the  same  security  level. 

Experiments  and  Results.  To  demonstrate  the  soundness  of 
AutoGroup  on  encryption  and  signature  schemes,  we  com¬ 
pare  algorithm  running  times,  key  and  ciphertext /signature 
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sizes  between  symmetric  and  asymmetric  solutions.  We  tested 
AutoGroup  on  a  variety  of  optimization  combinations  to  ex¬ 
tract  different  asymmetric  solutions.  In  each  test  case,  Au¬ 
toGroup  reports  all  the  unique  solutions,  obtains  the  best 
solution  for  given  user-specified  constraints,  and  generates 
the  executable  code  of  the  solution  in  a  reasonable  amount 
of  time.  AutoGroup  execution  time  on  each  test  case  is  re¬ 
ported  in  Figure  6. 

4.  AUTOSTRONG 

In  this  section,  we  present  and  evaluate  a  tool,  called  Au- 
toStrong,  for  automatically  generating  a  strongly-unforgeable 
signature  from  an  unforgeablc  signature  scheme. 

4.1  Background  on  Digital  Signatures 

A  digital  signature  scheme  is  comprised  of  three  algo¬ 
rithms:  key  generation,  signing  and  verification.  The  classic 
(or  “regular”)  security  definition  for  signatures,  as  formu¬ 
lated  by  Goldwasser,  Micali  and  R.ivest  [34],  is  called  exis¬ 
tential  unforgeability  with  respect  to  chosen  message  attacks, 
wherein  any  p.p.t.  adversary,  given  a  public  key  and  the  abil¬ 
ity  to  adaptively  ask  for  a  signature  on  any  message  of  its 
choosing,  should  not  be  able  to  output  a  signature/message 
pair  that  passes  the  verification  equation  and  yet  where  the 
message  is  “new”  (was  not  queried  for  a  signature),  with 
non-negligible  probability. 

An,  Dodis  and  Rabin  [6]  formulated  strong  unforgeability 
where  the  adversary  should  not  only  be  unable  to  generate 
a  signature  on  a  “new”  message,  but  also  be  unable  to  gen¬ 
erate  a  different  signature  for  an  already  signed  message. 
Strongly-unforgeable  signatures  have  many  applications  in¬ 
cluding  building  signeryption  [6],  chosen-ciphertext  secure 
encryption  systems  [27,  24]  and  group  signatures  [7,  17]. 

Partitioned  Signatures  In  2006,  Boneh,  Shen  and  Wa¬ 
ters  [21]  connected  these  two  security  notions,  by  provid¬ 
ing  a  general  transformation  that  converts  any  partitioned 
(defined  below)  existentially  unforgeable  signature  into  a 
strongly  unforgeable  one. 

Definition  4.1  (Partitioned  Signature  [21]).  A  sig¬ 
nature  scheme  is  partitioned  if  it  satisfies  two  properties  for 
all  key  pairs  ( pk ,  sk): 

Property  1:  The  signing  algorithm  can  be  broken  into 
two  deterministic  algorithms  Fi  and  F2  so  that  a  sig¬ 
nature  on  a  message  m  using  secret  key  sk  is  computed 
as  follows: 

1.  Select  a  random  r  from  a  suitable  randomness 
space. 

2.  Set  u  1  =  F\{m,r,  sk)  and  02  =  F2{r,  sk). 

3.  Output  the  signature  (or,  02). 

Property  2:  Given  m  and  02,  there  is  at  most  one 
cri  such  that  (<71,02)  verifies  as  a  valid  signature  on  m 
under  pk. 

As  one  example  of  a  partitioned  scheme,  Boneh  et  al.  par¬ 
tition  DSS  [45]  as  follows,  where  x  is  the  secret  key: 

Fi(m,r,x)  =  r-1  (m  +  xF2(r,x))  mod  9 
F2(r,  x)  =  (gr  mod  p)  mod  g 

Our  empirical  evidence  shows  that  many  discrete-log  and 
pairing-based  signatures  in  the  literature  are  partitioned. 


Interestingly,  some  prominent  prior  works  [14,  15]  claimed 
that  there  were  “few”  examples  of  partitioned  schemes  “be¬ 
yond  Waters  [56]”,  even  though  our  automation  discovered 
several  examples  existing  prior  to  the  publication  of  these 
works.  We  conjecture  that  it  is  not  always  easy  for  a  human 
to  detect  a  partition. 

Chameleon  Hashes  The  BSW  transform  uses  a  chameleon 
hash  [38]  function,  which  is  characterized  by  the  nonstan¬ 
dard  property  of  being  collision-resistant  for  the  signer  but 
collision  tractable  for  the  recipient.  The  chameleon  hash 
is  created  by  establishing  public  parameters  and  a  secret 
trapdoor.  The  hash  itself  takes  as  input  a  message  m  and 
an  auxiliary  value  s.  There  is  an  efficient  algorithm  that 
on  input  the  trapdoor,  any  pair  (mi,  si)  and  any  additional 
message  m2,  finds  a  value  S2  such  that  ChamHash(mi,  si)  = 
ChamHash(m2,  S2). 

Boneh  et  al.  [21]  employ  a  specific  hash  function  based 
on  the  hardness  of  finding  discrete  logarithms.4  Since  pair¬ 
ing  groups  also  require  the  DL  problem  to  be  hard,  this 
chameleon  hash  does  not  add  any  new  complexity  assump¬ 
tions.  It  works  as  follows  in  G,  where  g  generates  G  of  order 
p.  To  setup,  choose  a  random  trapdoor  t  €  Zp*  and  com¬ 
pute  h  =  g* .  The  public  parameters  include  the  description 
of  G  together  with  g  and  h.  The  trapdoor  t  is  kept  secret. 
To  hash  on  input  (m,  s)  €  Zp2,  compute 

ChamHash(m,  s)  =  gmh3 . 

Later,  given  any  pair  m,  s  and  any  message  m',  anyone  with 
the  trapdoor  can  compute  a  consistent  value  s'  €  Zp  as 

s'  =  (m  —  m')/t  +  s 

such  that  ChamHash(m,  s)  =ChamHash(m/,  s'). 

The  BSW  Transformation  The  transformation  [21]  is  ef¬ 
ficient  and  works  as  follows.  Let  np  =  (Genp,  Signp,  Verify^) 
be  a  partitioned  signature,  where  the  signing  algorithm  is 
partitioned  using  functions  Fi  and  F2.  Suppose  the  ran¬ 
domness  for  Signp  is  picked  from  some  set  R.  Let  ||  denote 
concatenation.  BSW  constructs  a  new  scheme  II  as: 

Gen(lA):  Select  a  group  G  with  generator  g  of  prime  order 
p  (with  A  bits).  Select  a  random  t  €  Zp  and  com¬ 
pute  h  —  g* .  Select  a  collision-resistant  hash  function 
Hcr  :  {0, 1}*  — >  Zp.  Run  Genp(lA)  to  obtain  a  key 
pair  ( pkp,  skp ).  Set  the  keys  for  the  new  system  as 
pk  =  (pkp,Hcr,G,g,h,p)  and  sk  =  ( pk,skp,t ). 

Sign(sfc,m):  A  signature  on  m  is  generated  as  follows: 

1.  Select  a  random  s  £  Zp  and  a  random  r  £  R. 

2.  Set  <72  =  Fi(r,  skp). 

3.  Compute  u  =  Her  (m 1 1  <72). 

4.  Compute  the  chameleon  hash  m'  =  gvhs . 

5.  Compute  ay  =  Fi(m' ,r,  skp)  and  output  the  sig¬ 
nature  <7  =  (<7l,  <72,  s). 

4Indeed,  we  observe  that  substituting  an  arbitrary 
chameleon  hash  could  break  the  transformation.  Suppose 
H(m,  s)  ignores  the  last  bit  of  s  (it  is  easy  to  construct  such 
a  hash  assuming  chameleon  hashes  exist.)  Then  the  BSW 
transformation  using  this  hash  would  result  in  a  signature 
of  the  form  (<71,  <72,  s),  which  is  clearly  not  strongly  unforge¬ 
able,  since  the  last  bit  can  be  flipped. 


Approved  for  Public  Release;  Distribution  Unlimited. 

6 

453 


SS1536VBN256* 


Encryption 

Keygen* 

Time 

Encrypt* 

Decrypt* 

Appro: 
Secret  Key 

x.  Size 
Ciphertext 

Num. 

Solutions 

ID-Based  Enc. 

BB04  [16]  Sym.T 

Asym.  (Min.  CT)* 

59.9ms 

4.8ms 

64.8ms 

7.8ms 

125.4ms 

27.6ms 

3072  bits 
2048  bits 

6144  bits 
3584  bits 

4 

Gentry06  [32]  Sym.t 

Asym.  (Min.  SK)* 

39.9ms 

1.4ms 

176.2ms 

41.0ms 

67.8ms 

19.1ms 

3072  bits 

512  bits 

7680  bits 
6400  bits 

4 

DSE09  [57]  Syml 

Asym.  (Min.  SK/CT/Exp)* 

294.6ms 

12.6ms 

286.8ms 

19.2ms 

612.8ms 

128.0ms 

13824  bits 
5376  bits 

18432  bits 
8704  bits 

256 

Broadcast  Encryption 

BGW05  [19]  Sym.  [§3.1]t  (n  =  100) 
Asym.  (Min.  SK)* 

1992.2ms 

70.4ms 

119.6ms 

25.7ms 

136.9ms 

28.5ms 

19200  bytes 
3200  bytes 

6144  bits 
5120  bits 

4 

•Average  time  measured  over  100  test  runs  and  the  standard  deviation  in  all  test  runs  were  within  ±1%  of  the  average. 


Figure  3:  AutoGroup  on  encryption  schemes  under  various  optimization  options.  We  show  running  times  and 
sizes  for  several  schemes  generated  in  CH — f-  and  compare  symmetric  to  automatically  generated  asymmetric 
implementations  at  the  same  security  levels  (roughly  equivalent  with  3072  bit  RSA).  For  IBE  schemes,  we 
measured  with  ID  string  length  at  100  bytes.  For  BGW,  n  denotes  the  number  of  users  in  the  system. 


Verify (pk,  m,a):  A  signature  o  =  (ay,  02,  s)  on  a  message  m 
is  verified  as  follows: 

1.  Compute  v  =  Hcr(m\ lay). 

2.  Compute  the  chameleon  hash  rn'  =  gvhs . 

3.  Output  the  result  of  Verifyp(pfcp,  m' ,  (ay,  <72)). 

Theorem  4.2  (Security  of  BSW  Transform  [21]). 
The  signature  scheme  II  =  (Gen,  Sign,  Verify)  is  strongly  ex¬ 
istentially  unforgeable  assuming  the  underlying  scheme  np  = 
(Genp,  Signp,  Verify^)  is  existentially  unforgeable,  Hcr  is  a 
collision-resistant  hash  function  and  the  discrete  logarithm 
assumption  holds  in  G. 

The  Bellare-Shoup  Transformation  The  BSW  trans¬ 
formation  [21],  which  only  works  for  partitioned  signatures, 
sparked  significant  research  interest  into  finding  a  general 
transformation  for  any  existentially  unforgeable  signature 
scheme.  Various  solutions  were  presented  in  [54,  36,  53,  14, 
55,  15],  as  well  as  an  observation  in  [14]  that  an  inefficient 
transformation  was  implicit  in  [33]. 

We  follow  the  work  of  Bellare  and  Shoup  [14,  15],  which  is 
less  efficient  than  BSW  and,  for  our  case,  requires  a  stronger 
complexity  assumption,  but  works  on  any  signature.  Their 
approach  uses  two-tier  signatures,  which  are  “weaker”  than 
regular  signatures  as  hybrids  of  regular  and  one-time  schemes. 
In  a  two-tier  scheme,  a  signer  has  a  primary  key  pair  and, 
each  time  it  wants  to  sign,  it  generates  a  fresh  secondary 
key  pair  and  produces  a  signature  as  a  function  of  the  both 
secret  keys  and  the  message.  Both  public  keys  are  required 
to  verify  the  signature.  Bellare  and  Shoup  transform  any 
regular  signature  scheme  by  signing  the  signature  from  this 
scheme  with  a  strongly  unforgeable  two-tier  scheme.  They 
also  show  how  to  realize  a  strongly  unforgeable  two-tier  sig¬ 
nature  scheme  by  applying  the  Fiat-Shamir  [29]  transfor¬ 
mation  to  the  Schnorr  identification  protocol  [51],  which  re¬ 
quires  a  one-more  discrete  logarithm-type  assumption. 

The  BS  transformation  works  as  follows.  Let  Lb  =  (Genr, 
Signr,  Verifyr)  be  a  regular  signature  scheme  and  let  IIt  = 
(PGent,  SGerii,  Signt,  Verifyt)  be  a  two-tiered  strongly  unforge¬ 
able  scheme.  A  new  signature  scheme  II  is  constructed  as: 

Gen(lA):  RunGenr(lA)  — >■  (pkr,  skr)  and  PGern(lA)  — >■  (ppk, 
psk).  Output  the  pair  PI<  =  (pkr,ppk)  and  SK  = 

( skr,psk ). 


Sign(SK,m):  A  signature  on  m  is  generated  as  follows: 

1.  Parse  SK  as  ( skr,psk ). 

2.  Run  SGern(lA)  — >  ( spk,ssk ). 

3.  Sign  the  message  and  secondary  key  as  ay  ■<— 
Signr(sfcr,  (spk\\m)). 

4.  Sign  the  first  signature  as  02  t—  Sign t(psk,  ssk ,  ay). 

5.  Output  the  signature  a  =  (ay,  02,  spk). 

Verify(PK,  m,  a):  A  signature  o  =  (01,02,  spk)  on  a  message 
m  is  verified  as  follows: 

1.  Parse  PK  as  (pkr,ppk). 

2.  If  Verify,,  (pfcr,  (spk\\m),oi)  =  0,  then  return  0. 

3.  If  Verifyt(ppfc,  spk,  ay,  02),  then  return  0. 

4.  Otherwise,  return  1. 

Theorem  4.3  (Security  of  BS  Transformation  [15]). 
If  the  input  scheme  is  existentially  unforgeable,  then  the  out¬ 
put  signature  is  strongly  existentially  unforgeable  assuming 
the  strong  unforgeability  of  the  two-tier  scheme. 


The  Transformation  used  in  AutoStrong  For  our  pur¬ 
poses,  we  employ  the  following  hybrid  transformation  com¬ 
bining  BSW  and  Bellare-Shoup.  On  input  a  signature  scheme, 
we  automate  the  following  procedure: 

1.  Identify  a  natural  partition  satisfying  property  1  and 
test  if  it  has  property  2.  (We  allow  false  negatives,  but 
not  false  positives.  See  Section  4.3.) 

2.  If  a  valid  partition  is  found,  apply  the  BSW  transfor¬ 
mation  [21]  (using  SHA-256  and  the  DL-based  chameleon 
hash  above). 

3.  If  a  valid  partition  is  not  found,  apply  the  Bellare- 
Shoup  transformation  [14,  15]  (using  the  Schnorr  Fiat- 
Shamir  based  two-tier  scheme  suggested  in  [15].) 

4.  Output  the  result. 

The  security  of  this  transformation  follows  directly  from 
the  results  of  [21,  15]  as  stated  in  Theorems  4.2  and  4.3.  The 
most  challenging  technical  part  is  step  one:  determining  if  a 
scheme  is  partitioned. 
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•Average  time  measured  over  100  test  runs  and  the  standard  deviation  in  all  test  runs  were  within  =bl%  of  the  average. 


Figure  4:  We  show  the  result  of  AutoGroup  and  AutoStrong  on  signature  schemes.  For  CL,  BB,  and 
Waters  (with  length  of  identities,  t  =  128),  we  first  apply  AutoStrong  to  determine  that  the  signature  scheme 
is  partitioned,  then  apply  the  BSW  transform  to  obtain  a  strongly  unforgeable  signature  in  the  symmetric 
setting.  We  then  feed  this  as  input  to  AutoGroup  to  realize  an  asymmetric  variant  under  a  given  optimization. 
We  also  tested  AutoStrong  on  the  DSE  signature  variant  and  ACDK  structure-preserving  signature,  even 
though  these  are  not  known  to  be  existentially  unforgeable.  A  partition  was  found  for  ACDK,  but  not  DSE. 
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Figure  5:  A  high-level  presentation  of  the  tool  AutoStrong,  which  uses  external  tools  Z3,  Mathematica  and 
SDL  Parser. 


4.2  How  AutoStrong  Works 

AutoStrong  takes  as  input  the  SDL  description  of  a  digital 
signature  scheme  along  with  some  metadata.* 5  At  a  high- 
level,  it  runs  the  transformation  described  at  the  end  of 
the  last  section,  where  the  most  challenging  step  is  testing 
whether  a  scheme  is  partitioned  according  to  Definition  4.1. 

We  now  describe  each  step  involved  in  testing  that  Prop¬ 
erties  1  and  2  are  satisfied  and  how  we  utilize  Z3  and  Math¬ 
ematica  to  prove  such  properties,  as  illustrated  in  Figure  5. 

Identify  Property  1.  The  first  goal  is  to  identify  the  vari¬ 
ables  in  the  signature  that  should  be  mapped  to  04  or  02 
according  to  Definition  4.1.  We  assume  that  the  input  sig¬ 
nature  scheme  is  existentially  unforgeable.6  Given  this  as¬ 
sumption,  our  objective  is  to  identify  the  portions  of  the 
signature  that  are  computed  based  on  the  message  and  des¬ 
ignate  that  component  as  04 .  All  other  variables  in  the  sig¬ 
nature  that  do  not  meet  this  criteria  are  designated  as  02. 
We  determine  that  we  have  designated  the  correct  variables 
for  property  1  if  and  only  if  the  variable  mapping  satisfy 

sThe  user  must  specify  the  variables  that  denote  message, 

signature,  key  material  in  a  configuration  file. 

6  We  remark  that  we  tested  the  partition  checker  for  Au¬ 
toStrong  on  schemes  that  are  not  existentially  unforgeable 
to  fully  vet  the  checker  (see  Figure  4),  but  the  resulting  out¬ 
put  in  these  cases  may  not  be  strongly  unforgeable. 


property  2.  We  test  only  the  most  “natural”  division  for 
property  1,  which  could  result  in  a  false  negative,  but  this 
won’t  impact  the  security,  so  our  system  allows  it. 

To  illustrate  each  step,  we  will  show  how  our  tool  identifies 
the  partition  in  the  CL  signature  scheme  [23]. 

CL  signatures  [23]:  Key  generation  consists  of  selecting  a 
generator,  g  £  G,  then  chooses  x  £  Zq  and  j  £  Z,.  It  sets 
sk  =  (at,  y)  and  pk  =  (g,X  =  gx ,Y  =  gy).  The  signature  is 
computed  as  a  =  (a,  b  =  ay ,  c  =  ax+m  x  y^  where  a  is  chosen 
randomly  in  G  and  m  denotes  the  message  in  Zg.  Finally, 
the  verification  algorithm  checks  that  e(a,  Y)  =  e(g,  b)  and 
e(X,  a)  ■  e(X,  b)m  =  e(g ,  c)  holds. 

Our  logic  would  identify  that  c  is  dependent  on  the  mes¬ 
sage,  therefore,  identifying  that  04  =  c  and  a 2  =  (a,  b)  which 
satisfies  the  definition  of  property  1.  The  next  challenge  is 
to  determine  whether  property  2  holds  given  our  identified 
mapping  for  04  and  ap¬ 
prove  Property  2.  Proving  that  a  scheme  satisfies  this 
property  requires  the  ability  to  abstractly  evaluate  the  ver¬ 
ification  equations  on  the  input  variables.  We  require  this 
ability  to  automatically  prove  that  there  exists  at  most  one 
04  which  verifies  under  a  fixed  (72,  m  and  pk  for  all  pos¬ 
sible  inputs.  To  this  end,  the  partition  checker  determines 
whether  a  a[  exists  such  that  04  ^  04  and  is  a  valid  sig¬ 
nature  over  the  fixed  variables.  Finding  such  a  means 
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Figure  6:  Running  time  required  by  the  AutoGroup  and  AutoStrong  routines  to  process  the  schemes  discussed 
in  this  work  (averaged  over  10  test  runs).  The  running  time  for  AutoGroup  includes  the  running  time  for 
executing  the  Z3  SMT  solver.  The  running  time  for  AutoStrong  also  includes  Z3  and  Mathematica  and  the 
application  of  the  BSW  transformation.  In  all  cases,  the  standard  deviation  in  the  results  were  within  ±3% 
of  the  average.  For  AutoGroup,  running  times  are  correlated  with  the  number  of  unique  solutions  found 
and  the  minimization  of  the  weighted  function  using  Z3.  AutoStrong  times  are  highly  correlated  with  the 
complexity  of  the  verification  equations. 


the  signature  is  not  partitioned.  The  checker  determines 
whether  it  can  find  a  solution  or  if  no  such  solution  exists. 
If  no  solutions  exist,  then  the  signature  is  indeed  partitioned. 
Stated  more  precisely,  does  there  exist  a  uj  ^  cri  such  that 
the  following  condition  holds: 

Verify (pk,  m,  (cq,  <t2))  =  1  A  Verify(pfc,  m,  (cq,  <72))  =  1 

At  a  high-level,  our  goal  is  to  evaluate  the  pairing-based 
verification  algorithms  in  a  way  that  allows  us  to  find  a 
contradiction  to  the  aforementioned  condition.  Recall  that 
the  bilinearity  property  of  pairings  states  that  e(ga,gb)  = 
e(g,  g)ab  holds  for  all  a,  6  £  Z9  where  g  £  G.  We  observe 
that  pairings  can  be  modeled  as  an  abstract  function  that 
performs  multiplication  in  the  exponent.  Because  the  rules 
of  multiplication  and  addition  hold  in  the  exponent,  we  can 
abstractly  reduce  pairings  to  basic  integer  arithmetic. 

To  accomplish  this,  we  leverage  Z3  to  model  the  bilinear¬ 
ity  property  of  pairings  so  that  it  is  possible  to  automatically 
evaluate  them.  Our  partition  checker  relies  on  Z3’s  uninter¬ 
preted  functions  and  universal  quantifiers  to  reduce  pairing 
product  equations  to  simpler  equations  over  the  exponents. 
However,  this  reduction  alone  is  not  sufficient  to  completely 
evaluate  the  verification  equations  as  required  for  detecting 
a  partitioned  signature.  To  satisfy  the  property  2  condition, 
we  also  need  a  way  to  evaluate  these  equations  on  all  possi¬ 
ble  inputs.  Z3  was  less  suited  for  this  task  and  instead,  we 
employ  the  Mathematica  scripting  framework  to  evaluate 
such  equations.  Our  solution  consists  of  five  steps: 

Step  1:  Decompose  Verification  Equations.  To  model 
pairings  using  an  SMT  solver,  we  encode  the  verification 
equations  into  a  form  that  the  solver  can  interpret.  The 
first  phase  extracts  the  verification  equations  in  SDL,  then 
decomposes  the  equations  in  terms  of  the  generators  and  ex¬ 
ponents  used.  We  leverage  recent  term  rewriting  extensions 
introduced  in  the  SDL  Parser  by  Akinyele  et  al.  [3].  Their 
improvements  keep  track  of  how  variables  are  computed  in 
terms  of  the  generators  and  exponents.  With  knowledge  of 
how  each  variable  is  computed,  we  are  able  to  fully  decom¬ 
pose  each  equation  in  an  automated  fashion. 

Our  technique  for  modeling  pairings  in  Z3  requires  that 
decomposition  of  verification  equations  be  guided  by  a  few 
rules.  First,  generators  must  be  rewritten  in  terms  of  a 
base  generator,  g ,  if  the  scheme  is  specified  in  the  symmetric 
setting.'  For  example,  the  random  generator  a  £  G  chosen 
in  CL  would  be  rewritten  as  ga  .  Second,  hashing  statements 
of  the  form  v  =  H(m )  where  v  £  G  are  rewritten  as  gv 

7The  same  applies  for  asymmetric  pairings  except  that  we 
specify  Gi  generators  in  terms  of  a  base  generator  gi  and 
G2  in  terms  of  gi- 


where  v  £  7Lq.  Third,  we  do  not  decompose  any  variable 
designated  as  cq  for  the  purposes  of  determining  whether 
a  signature  is  partitioned.  The  intuition  is  that  since  cq 
variables  are  adversarially  controlled  we  also  treat  cq  as  a 
black  box.  Finally,  whenever  we  encounter  dot  products,  we 
require  the  user  to  provide  an  upper  bound  (if  known)  so 
that  we  can  unroll  the  dot  product  then  further  apply  our 
rules.  When  these  reduction  rules  are  automatically  applied 
to  the  CL  signature,  we  obtain  the  following  equation: 
e{a,Y)  =  e(g,b)  becomes  e(ga'  ,gy)  =  e(g,  ( ga')v ) 

e(X,  a)  ■  e(X,  b)m  =  e(g,  c)  becomes 

e(gx,ga')-e(g*,(ga'yr=e(g,gc') 

Note  that  c  denotes  the  cq  for  CL  and  is  a  free  variable.  All 
other  variables  that  comprise  m,  pk,  and  cr2  are  fixed. 

Step  2:  Encode  Rules  for  Evaluating  Pairings.  Once 
we  have  decomposed  the  verification  equation  as  shown  above, 
the  next  step  is  to  encode  the  equations  in  terms  that  Z3  can 
understand.  After  the  pairing  equations  are  rewritten  en¬ 
tirely  using  the  base  generator,  we  can  model  the  behavior 
of  pairings  by  simply  focusing  on  the  exponents.  To  cap¬ 
ture  the  bilinearity  of  pairings,  we  rely  on  two  features  in 
Z3:  uninterpreted  functions  and  universal  quantifiers.  As 
mentioned  earlier,  uninterpreted  functions  enable  one  to  ab¬ 
stractly  model  a  function’s  behavior.  Our  model  of  a  pair¬ 
ing  is  an  uninterpreted  function,  E ,  that  takes  two  integer 
variables  and  has  a  few  mathematical  properties.  First,  we 
define  the  multiplication  rule  as  Vs,  t  :  E(s,  t)  =  s-t.  Second, 
we  define  the  addition  rule  as  Vs,  t,  u  :  E(s+t,  u )  =  s-u+t-u.8 
Third,  we  define  pairing  products  in  terms  of  multiplication 
with  E  and  division  as  subtraction. 

We  note  that  these  rules  are  straightforward  and  sufficient 
for  evaluating  pairings.  Moreover,  by  defining  exponents  in 
terms  of  integers,  Z3  can  apply  all  the  built-in  simplifica¬ 
tion  rules  for  multiplication  and  addition.  As  a  result,  the 
solver  uses  these  rules  to  reduce  any  pairing-based  verifica¬ 
tion  equation  into  a  simpler  integer  equation. 

To  automatically  encode  the  equations,  we  first  simplify 
the  decomposed  pairing  equation  as  much  as  possible  using 
previous  techniques  [3].  Then,  we  convert  each  pairing  to 
the  modeled  pairing  function,  E  and  remove  the  base  gener¬ 
ators.  Upon  simplifying  and  encoding  the  decomposed  CL 
equations,  we  obtain  the  following: 

e(ga'  ,gv)  =  e(g,(ga')v)  becomes  E(a',y)  =  E(l,a'  ■  y) 

e(gx,ga')  ■  e{g\  (ga')y)m  =  <9,9°')  becomes 
E(x,  a')  +  E(x  ■  m,a!  ■  y)  =  E(  1,  c') 

8Note  that  same  rule  applies  if  E(s,  t  +  u) 
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Step  3:  Execute  SMT  Solver.  After  encoding  the  pair¬ 
ing  functions  in  terms  of  E,  the  goal  is  to  employ  the  solver 
to  evaluate  it.  We  first  specify  our  rules  in  the  SMT  solver 
then  evaluate  these  rules  on  each  input  equation.  The  result 
is  a  simplified  equation  representation  of  the  verification  al¬ 
gorithm.  For  the  above  CL  formulas,  the  solver  determines 
that  the  first  equation  is  true  for  all  possible  inputs  because 
a'  and  y  are  fixed  variables.  For  the  second  equation,  the 
solver  produces:  a'  ■  x  +  a'  ■  m  ■  x  ■  y  =  c' . 

Step  4:  Evaluate  equations.  At  this  point,  we  have  ob¬ 
tained  the  equation  representation  of  the  verification  equa¬ 
tion,  we  can  now  concretely  express  the  conditions  for  prop¬ 
erty  2.  That  is,  d  =/=  c"  A 

a’  ■  x  +  a'  ■  x  ■  m  ■  y  =  d  A  a'  ■  x  +  a'  ■  x  ■  m  ■  y  =  c" 

We  use  Mathematica  to  prove  that  no  such  d'  exists  as¬ 
suming  the  verification  condition  is  correct  via  the  Mathe¬ 
matica  Script  API.  In  particular,  we  utilize  the  Findlnstance 
function  to  mathematically  find  proof  over  non-zero  real 
numbers  then  subsequently  finding  a  solution  over  integers. 
If  no  such  solution  exists,  the  Findlnstance  will  return  such 
a  statement  and  the  result  is  interpreted  as  a  fact  that  the 
signature  scheme  is  partitioned.  Otherwise,  the  scheme  may 
not  be  partitionable. 

During  this  step,  we  make  an  explicit  assumption  that  the 
verification  condition  is  mathematically  correct.  Suppose 
that  this  was  not  the  case.  In  this  scenario,  our  technique 
would  also  determine  that  it  is  not  possible  to  find  a  a[  such 
that  a[  ^  ai  and  verifies  over  fixed  variables.  In  reality, 
however,  no  ai  and  a 2  pair  can  ever  produce  a  valid  signa¬ 
ture  because  the  verification  equation  does  not  hold  for  any 
input.  To  limit  the  possibility  of  such  scenarios,  our  parti¬ 
tion  checker  offers  a  sanity  check  on  the  correctness  of  the 
input  verification  equations. 

By  relaxing  the  rule  for  decomposing  the  variables  that  are 
designated  as  01  in  step  1,  we  can  evaluate  the  verification 
equation  over  all  inputs  using  Mathematica.  For  the  CL 
scheme,  a  full  decomposition  would  produce  the  following 
equation  in  the  exponent: 

a'  ■  x  +  a'  ■  x  ■  m  ■  y  =  a'  ■  (x  +  x  ■  m  ■  y) 

It  is  sufficient  to  leverage  the  Simplify  function  within 
Mathematica  to  evaluate  that  this  holds  for  all  possible  in¬ 
puts.  Since  Mathematica  has  built-in  techniques  for  solving 
equations  of  this  sort,  it  becomes  trivial  to  show  that  the 
above  equation  is  correct  in  all  cases  (due  to  the  law  of  dis¬ 
tribution).  We  subsequently  inform  the  user  on  the  output 
of  this  sanity  check.  This  sanity  check  is  useful  for  deter¬ 
mining  the  correctness  of  SDL  signature  descriptions. 

Step  5:  Apply  Transformation.  Once  the  partition 
checker  determines  whether  the  signature  is  partitioned  or 
not,  we  apply  the  efficient  BSW  transform  if  deemed  parti¬ 
tioned  or  the  less-efficient  BS  transform  if  not  as  described 
in  Section  4.1.  We  elaborate  further  in  the  full  version. 

4.3  Security  Analysis  of  AutoStrong 

The  theoretical  security  of  the  unforgeable-to-strongly- 
unforgeable  transformations  that  we  use  in  AutoStrong  were 
previously  established  in  [21,  14,  15],  as  discussed  in  Sec¬ 
tion  4.1.  The  security  of  the  BSW  transform  only  holds, 
however,  if  the  input  scheme  is  partitioned.  Our  partition 
test  allows  false  negatives,  but  not  false  positives.  That  is, 
our  algorithm  may  fail  to  identify  a  scheme  as  partitioned 


even  though  it  is,  which  results  in  a  less  efficient  final  scheme, 
but  it  will  not  falsely  identify  a  scheme  as  partitioned  when 
it  is  not,  which  would  result  in  a  security  failure.  To  see  why 
this  claim  holds,  consider  that  the  partition  tester  guesses  a 
partition,  Z3  to  interprets  the  verification  equation  as  a  sys¬ 
tem  of  equations,  and  then  Mathematica  fixes  the  variables 
on  one  partition  side  and  asks  how  many  solutions  there  are 
for  the  free  variables  on  the  other  side.  If  0  or  1  are  found, 
then  the  scheme  meets  the  partitioned  definition.  If  more 
than  1  is  found,  then  it  is  not  partitioned.  If  there  is  no 
answer  (program  crash  or  times  out),  then  we  consider  it 
not  partitioned.  Thus,  false  negatives  can  occur,  but  not 
false  positives  (in  theory).  Proving  that  there  are  no  soft¬ 
ware  or  hardware  errors  in  AutoStrong,  Z3,  Mathematica 
or  the  underlying  software  and  hardware  on  which  they  run 
is  outside  the  scope  of  this  project.  However,  we  did  verify 
AutoStrong’s  outputs  experimentally  on  a  suite  of  test  cases 
and  no  errors  were  found. 

4.4  Experimental  Evaluation  of  AutoStrong 

In  2008  [15],  Bellare  and  Shoup  remarked  that  “unfortu¬ 
nately,  there  seem  to  be  hardly  any  [partitioned  signature] 
schemes”.  Interestingly,  our  experimental  results  show  that 
there  are  in  fact  many  partitioned  schemes,  including  a  sub¬ 
stantial  number  invented  prior  to  2008.  We  evaluated  Au¬ 
toStrong  by  testing  it  on  a  collection  of  signatures,  includ¬ 
ing  the  bilinear  Camenisch-Lysyanskaya  signature  [23],  the 
Boneh-Boyen  short  signature  [16],  the  Waters  signature  from 
CRYPTO  2005  [56],  the  Waters  Dual-System  (DSE)  signa¬ 
ture  from  CRYPTO  2009  [57],  and  a  structure-preserving 
signature  scheme  due  to  Abe  et  al.  [1]. 

Of  the  above  signatures,  all  but  one  -  the  Waters  DSE  sig¬ 
nature  -  were  successfully  partitioned,  leading  to  strongly 
unforgeable  signatures  via  the  BSW  transform.9  Figure  6 
shows  the  time  that  it  took  our  tool  to  identify  the  parti¬ 
tioning  and  output  the  revised  signature  equations.  Figure  4 
illustrates  the  performance  and  size  of  the  resulting  signa¬ 
tures,  when  evaluated  on  two  different  types  of  curve  (using 
AutoGroup  to  calculate  the  group  assignments). 

5.  CONCLUSION 

We  explored  two  new  tasks  in  cryptographic  automation. 
First,  we  presented  a  tool,  AutoGroup,  for  automatically 
translating  a  symmetric  pairing  scheme  into  an  asymmetric 
pairing  scheme.  The  tool  allows  the  user  to  choose  from  a  va¬ 
riety  of  different  optimization  options.  Second,  we  presented 
a  tool,  AutoStrong,  for  automatically  altering  a  digital  sig¬ 
nature  scheme  to  achieve  strong  un forgeability  [6].  The  tool 
automatically  tests  whether  a  scheme  is  “partitioned”  ac¬ 
cording  to  a  notion  of  Boneli  et  al.  [21]  and  then  applies  a 
highly-efficient  transformation  if  it  is  partitioned  or  a  more 
general  transformation  otherwise.  To  perform  some  of  these 
complex  tasks,  we  integrated  Microsoft’s  SMT  Solver  Z3 
and  Mathematica  into  our  tools.  Our  performance  mea¬ 
surements  indicated  that  these  standard  cryptographic  de¬ 
sign  tasks  can  be  quickly,  accurately  and  cost-effectively  per¬ 
formed  by  computers.  We  leave  open  the  question  of  which 
other  design  tasks  are  well  suited  for  SMT  solvers. 


9  However,  we  note  that  the  partitioning  of  the  Abe  et  al. 
signature  scheme  destroys  the  structure-preserving  property, 
making  this  result  somewhat  less  interesting. 
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ABSTRACT 

Recent  work  demonstrates  the  feasibility  and  practical  use  of  se¬ 
cure  two-party  computation  [5,  9,  15,  23].  In  this  work,  we  present 
the  first  Graphical  Processing  Unit  (GPU)-optimized  implementa¬ 
tion  of  an  optimized  Yao’s  garbled-circuit  protocol  for  two-party 
secure  computation  in  the  honest-but-curious  and  1 -bit-leaked  ma¬ 
licious  models.  We  implement  nearly  all  of  the  modern  protocol 
advancements,  such  as  Free-XOR,  Pipelining,  and  OT  extension. 
Our  implementation  is  the  first  allowing  entire  circuits  to  be  gen¬ 
erated  concurrently,  and  makes  use  of  a  modification  of  the  XOR 
technique  so  that  circuit  generation  is  optimized  for  implementa¬ 
tion  on  SIMD  architectures  of  GPUs.  In  our  best  cases  we  generate 
about  75  million  gates  per  second  and  we  exceed  the  state  of  the  art 
performance  metrics  on  modern  CPU  systems  by  a  factor  of  about 
200,  and  GPU  systems  by  about  a  factor  of  2.3.  While  many  re¬ 
cent  works  on  garbled  circuits  exploit  the  embarrassingly  parallel 
nature  of  many  tasks  that  are  part  of  a  secure  computation  protocol, 
we  show  that  there  are  still  various  forms  and  levels  of  paralleliza¬ 
tion  that  may  yet  improve  the  performance  of  these  protocols.  In 
particular,  we  highlight  that  implementations  on  the  SIMD  archi¬ 
tecture  of  modern  GPUs  require  significantly  different  approaches 
than  the  general  purpose  MIMD  architecture  of  multi-core  CPUs, 
which  again  differ  from  the  needs  of  parallelizing  on  compute  clus¬ 
ters.  Additionally,  modifications  to  the  security  models  for  many 
common  protocols  have  large  effects  on  reasonable  parallel  archi¬ 
tectures  for  implementation. 
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1.  INTRODUCTION 

A  company  may  wish  to  offer  a  generic  screening  service  which 
would  let  patients  know  if  they  are  susceptible  to  disease  based 
on  the  presence  of  different  proprietary  markers  in  their  DNA.  In 
such  a  scenario  the  company  does  not  want  to  divulge  its  propri¬ 
etary  markers,  and  the  consumer  does  not  want  to  divulge  their 
genetic  information  in  fear  that  it  will  be  exploited  by  the  com¬ 
pany.  The  above  problem  represents  a  specific  case  of  secure  two- 
party  computation,  in  which  there  are  two  parties  who  wish  to  com¬ 
pute  a  function  /  :  ({0,l}m)2  — »  {0,  l}m,  on  respective  inputs 
xo,xi  £  {0,  l}m,  with  the  guarantee  that  no  party  learns  anything 
beyond  what  can  be  efficiently  inferred  from  the  output. 

Cryptographers  have  studied  this  problem,  and  have  suggested 
solutions  in  various  security  models.  However,  while  theoretically 
interesting,  it  was  historically  believed  that  these  protocols  are  too 
inefficient  for  practical  implementation.  Work  by  Malkhi  et  al.  [18] 
gave  the  first  implementation  of  Yao’s  garbled-circuit  protocol  and, 
while  it  could  perform  very  modest  computations  in  a  reasonable 
amount  of  time,  the  result  seemed  to  validate  the  belief  that  these 
protocols  would  not  be  practical.  This  has  resulted  in  cryptogra¬ 
phers  pursuing  specific  protocols  to  solve  specific  instances  of  se¬ 
cure  two-party  computation.  For  example,  specific  algorithms  for 
looking  at  the  edit  distance  between  two  strings  (e.g.,  for  the  ge¬ 
netic  problem  discussed  above),  with  the  goal  of  making  practi¬ 
cal  algorithms  that  could  be  deployed.  However,  recent  advances 
and  improvements  to  Yao-based  protocols  and  implementations  (cf. 
[13,  21,  8])  have  shattered  the  belief  that  general  purpose  solutions 
are  too  inefficient  to  be  deployed  in  practice.  These  works  have 
lead  to  renewed  interest  in  practical  implementations  of  Yao’s  pro¬ 
tocol.  Research  now  focuses  on  determining  which  problems  might 
be  solved  by  efficiently  engineered  versions  of  Yao’s  garbled  cir¬ 
cuits.  Any  such  engineering  will  make  use  of  parallel  processing, 
as  Yao’s  circuit  protocol  (and  its  improvements),  have  a  high  level 
of  inherent  parallelism  for  both  the  honest-but-curious  and  mali¬ 
cious  security  models.  Importantly,  there  are  key  differences  in  the 
available  parallelism  available  in  the  two  security  models. 

In  this  paper,  we  provide  a  high-performance  parallel  imple¬ 
mentation  of  Yao’s  circuits  in  the  honest-but-curious  (HbC)  and 
1 -bit-leaked  malicious  model  (IBM).  The  implementation  is  op¬ 
timized  for  parallel  processing  architectures  with  both  multi-core 
CPUs  and  GPUs.  We  have  implemented  both  circuit  generation 
and  evaluation  on  GPUs.  Additionally,  on  multi-core  CPUs  we 
have  implemented  evaluation.  GPUs  have  shown  to  provide  more 
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GFLOPS  per  dollar  and  more  GFLOPS  per  watt  than  leading  x86 
CPUs,  and  the  gap  in  performance  is  expected  to  widen.  There¬ 
fore,  any  compute  intensive  task  that  can  naturally  be  parallelized, 
such  as  Yao’s  garbled  circuit  technique,  needs  to  be  investigated 
in  this  model.  Further,  it  has  previously  been  noted  that  GPUs 
can  potentially  be  used  as  cheap,  “off-the-shelf”  cryptographic  co¬ 
processors,  and  work  has  been  done  showing  their  use  for  imple¬ 
menting  both  symmetric  and  asymmetric  cryptographic  primitives, 
as  well  as  for  cryptanalysis. 

Frederiksen  and  Nielsen[5]  have  recently  produced  a  somewhat 
optimized  version  of  Yao’s  protocol  in  the  malicious  security  model 
for  GPUs.  Fiowever,  differences  in  Yao’s  protocol  for  the  malicious 
model,  as  compared  to  the  ones  we  consider,  necessitate  different 
architectural  approaches  for  implementation.  This  is  particularly 
poignant  due  to  the  the  Single  Instruction  Multiple  Data  (SIMD)  ar¬ 
chitecture  of  the  GPU:  small  changes  in  protocols  can  lead  to  large 
changes  in  the  appropriate  processing  units  for  a  GPU.  Thus,  our 
work  is  important  as  it  provides  a  new  GPU  work  scheduling  ar¬ 
chitecture  optimized  for  the  HbC  and  IBM  security  models,  which 
have  many  practical  deployment  scenarios. 

1.1  Our  Contributions 

We  present  the  first  modern  implementation  of  Yao’s  for  the 
Honest-but-Curious  (HbC)  and  One-bit  Leak  Malicious  (IBM)  se¬ 
curity  models.  There  are  many  settings  in  practice,  where  these 
security  models  are  more  than  sufficient  for  use  in  secure  compu¬ 
tation.  Due  to  the  fact  that  protocols  that  satisfy  these  weaker  se¬ 
curity  models  are  substantially  less  resource  demanding,  it  permits 
for  either  a  larger  array  of  circuits  to  be  evaluated,  or  for  systems 
to  potentially  be  much  faster. 

In  this  paper,  we  first  present  a  new  method  to  generate  garbled 
circuits  with  Free-XORs  so  that  generation  can  be  entirely  paral¬ 
lelized  on  the  GPU.  Prior  works  have  parallelized  the  generation  of 
“layers"  of  the  circuit,  but  suffered  from  inherent  data  dependen¬ 
cies  that  prevented  parallelizing  the  generation  of  the  entire  circuit 
due  to  the  Free-XOR  optimization  technique.  By  default,  garbled 
circuits  are  not  designed  to  be  optimal  for  GPUs  and  SIMD  compu¬ 
tation  when  using  the  Free-XOR  technique  because  this  technique 
creates  dependencies  in  XOR  gate  chains.  A  principle  contribution 
of  this  work  is  to  fix  this  issue  at  the  protocol  level;  we  are  the  first 
implementation  to  do  so  and  our  experimental  results  validate  the 
benefits  of  the  approach.  Our  resulting  GPU-based  implementa¬ 
tion  provides  significant  improvements  in  circuit  generation  speed, 
compared  to  all  previous  constructions,  both  those  using  GPUs  and 
those  that  do  not.  We  provide  a  more  detailed  explanation  of  our 
system  in  Sec.  7  and  additionally  discuss  implementation  issues 
for  the  GPU  and  some  simple  optimizations  to  implementations  of 
SHA1. 

Next  we  see  that  for  our  security  models  the  evaluation  of  cir¬ 
cuits  on  a  relatively  simple  CPU  implementation  outperforms  our 
GPU  implementation.  Therefore,  any  system  in  which  the  GPU  is 
going  to  be  used  to  maximal  capacity  for  evaluation  is  going  to  need 
to  improve  the  ability  to  fully  parallelize  evaluation.  Specifically, 
evaluation  of  a  garbled  circuit  has  an  inherent  data  dependency  be¬ 
tween  layers;  one  cannot  evaluate  layer  i  of  the  circuit  without  hav¬ 
ing  first  evaluated  all  the  gates  which  it  depends  on  layer  *  —  1.  A 
strong  deployment  will  need  to  have  a  finer  understanding  of  de¬ 
pendency  that  allows  for  gates  in  higher  levels  to  be  evaluated  (if 
possible),  before  all  lower  level  gates  are  evaluated.  Further,  our 
experiments  suggest  a  reasonable  architecture  for  Yao  circuits  in 
the  HbC  and  lbM  models  may  also  involve  a  hybrid  approach:  use 
the  GPU  for  generation  and  verification  and  then  splitting  evalua¬ 
tion  between  the  CPU  and  GPU. 


Overall  our  performance  results  are  better  or  comparable  to  the 
other  state  of  the  art  implementations,  with  results  varying  on  the 
facets  of  circuit  generation  or  evaluation  considered.  We  show  we 
can  generate  gates  using  the  GPU  significantly  faster  than  the  only 
other  GPU  implementation  of  Yao’s  [5],  and  on  a  per  system  basis 
we  can  generate  and  evaluate  gates  on  CPUs  faster  than  Kreuter 
et  al.  [15],  Specifically,  on  similar  top-end  hardware  from  2013, 
our  system  can  generate  roughly  74  million  gates/sec,  whereas  [5] 
achieves  21  million  gates/sec  and  Kreuter  et  al.  achieves  0.35  mil¬ 
lion  gates/sec. 

1.2  Roadmap 

In  Section  2  we  present  related  work.  Section  3  gives  a  brief 
overview  of  the  different  security  models  discussed  in  the  paper, 
and  of  Yao’s  protocol  and  its  variants.  In  Sections  4  and  5  we  briefly 
introduce  and  discuss  some  of  the  architectural  issues  in  GPU  de¬ 
velopment  and  multi-core  CPU  development  respectively.  In  Sec¬ 
tion  6,  we  discuss  how  the  different  security  models  induce  differ¬ 
ent  architectural  approaches  to  accommodate  the  different  types  of 
parallelism  in  the  underlying  protocols  and  the  resources  they  use. 
In  Section  7  we  detail  how  our  system  works,  and  our  modifica¬ 
tion  to  the  Free-XOR  technique  that  allows  for  faster  circuit  gen¬ 
eration.  In  Section  8,  we  provide  experimental  results  validating 
our  claims.  Section  9  gives  conclusions  and  discusses  our  current 
directions  with  this  work. 

2.  RELATED  WORK 

Malkhi  et  al.  [18]  describe  the  first  secure  multi-party  scheme  im¬ 
plementing  garbled  circuits  in  the  Fairplay  system.  Their  system 
uses  a  custom  circuit  definition  language  called  SFDL  compiled 
into  a  machine-readable  representation  language  called  SHDL. 

The  first  paper  to  consider  the  feasibility  in  practice  of  these 
schemes  was  Pinkas  et  al.  [22],  who  implemented  the  first  Free- 
XOR  scheme  [13]  and  OT  Extension,  and  introduced  the  notion 
of  Garbled  Row  Reduction  to  save  communication  costs.  They 
also  considered  all  modern  security  models.  Huang  et  al.  [8]  im¬ 
proved  Pinkas’  et  al.’s  performance  by  utilizing  a  number  of  en¬ 
hanced  construction  techniques  for  garbled  circuits  including  Free- 
XOR,  oblivious-transfer  extension  [11],  the  Naor-Pinkas  OT  pro¬ 
tocol  [20],  and  introducing  the  notion  of  pipelined  gate  generation 
and  evaluation.  The  system  still  used  serial  gate  generation  and 
evaluation,  but  the  authors  showed  the  potential  performance  ben¬ 
efits  of  well-crafted  circuits.  Finally,  the  scheme  was  implemented 
in  Java  which  is  highly  portable,  but  suffers  from  the  need  to  be  run 
through  the  virtual  machine. 

Pu  et  al.  [23]  gave  the  first  implementation  of  Yao’s  circuits  us¬ 
ing  a  GPU.  However,  their  implementation  only  used  the  GPU  as 
a  cryptographic  co-processor  to  calculate  symmetric  encryptions 
(i.e.  3DES)  and  elliptic  curve  operations.  They  do  not  attempt 
to  use  the  GPU  to  actually  build  or  evaluate  any  of  the  garbled 
circuits.  The  system  does  not  implement  any  of  the  modern  algo¬ 
rithmic  advances  in  garbled  circuits  such  as  Free-XORs,  Pipelin¬ 
ing,  OT-extension,  etc.  The  implementation  is  in  the  HbC  security 
model. 

Kreuter  et  al.  [15]  presented  the  first  garbled  circuit  protocol 
that  is  secure  against  malicious  adversaries  and  can  scale  to  handle 
circuits  with  several  billion  gates.  They  implement  all  of  the  mod¬ 
ern  efficiency  improvements  to  Yao’s  protocol,  such  as  Free-XOR, 
Pipelining,  OT-extension,  etc.  They  also  introduced  a  circuit  com¬ 
piler  that  translated  C-like  code  into  circuits  and  both  the  compiler 
and  Yao’s  system  could  scale  to  handle  several  billion  gates. 

Huang  et  al.[9]present  the  first  efficient  protocol  and  implemen¬ 
tation  of  Yao’s  in  the  IBM  model  suggested  by  Franklin  and  Mo- 
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hassel  [19],  but  do  not  consider  a  parallelized  implementation.  They 
implement  the  Free-XOR  technique,  garbled  row  reduction  and 
pipelining. 

Frederiksen  and  Nielsen  [5]  have  recently  implemented  Yao’s  on 
the  GPU  in  the  malicious  model.  Unlike  the  work  in  [23],  they  use 
the  GPU  not  only  to  compute  cryptographic  primitives  efficiently, 
but  to  generate  and  evaluate  the  circuit.  They  also  implement  mod¬ 
em  efhciency  improvements  such  as  Free-XOR,  garbled  gate  row 
reduction,  OT  extension.  They  do  not  implement  pipelining. 

Our  approach  is  similar  to  the  latter  two  works  in  that  we  ex¬ 
ploit  the  parallel  nature  of  certain  subproblems  of  garbled  circuits. 
Flowever,  we  target  the  HbC  and  IBM  security  models  and  thus 
the  protocols  we  are  implementing  have  less  inherent  parallelism. 
This  is  because  the  malicious  model  adds  another  layer  of  an  in¬ 
herently  parallelizable  protocol.  Thus  Kreuter  et  al.  accelerate  the 
cut-and-choose  technique  in  the  malicious  model  by  giving  each 
thread  (i.e.,  processor)  a  circuit.  They  use  a  large  compute  clusters 
with  hundreds  of  nodes  to  run  their  system.  In  particular,  their  MPI 
implementation  is  optimized  for  a  specific  type  of  cluster.  Their 
code  assumes  the  cluster’s  scheduler  allocates  work  at  the  granu¬ 
larity  of  processors.  Modern,  high-end  super  computing  clusters 
schedule  at  the  granularity  of  nodes  thus  will  not  work  optimally 
with  their  code.  Similarly,  Frederiksen  and  Nielsen  also  generate 
each  copy  of  a  circuit’s  gate  in  the  cut-and-choose  protocol  on  a 
separate  GPU  core. 

In  contrast,  our  system  parallelizes  the  generation  of  circuits 
themselves,  thus  each  core  generates  distinct  gates  of  the  circuit. 
Indeed,  doing  so  requires  changes  to  the  protocol  itself,  but  nonethe¬ 
less,  our  systems  are  highly  complementary,  and  a  garbled  circuit 
implementation  that  is  a  hybrid  of  our  techniques  could  provide 
high  performance.  Further,  because  of  the  differences  in  the  proto¬ 
col,  communication  overhead  in  the  HBC  or  IBM  security  model 
is  approximately  2  orders  of  magnitude  less  than  these  two  prior 
works.  This  means  that  circuit  generation  and  evaluation  times  are 
of  prime  importance,  as  compared  to  communication  overhead  as 
Frederiksen  and  Nielsen  observe  for  the  malicious  model. 

While  there  are  competing  approaches  for  constructing  two-party 
secure  computation  protocols,  it  appears  that  the  Yao  garbled  cir¬ 
cuits  approach  is  currently  one  of  the  fore-runner’s  in  performance, 
although  the  recent  SPDZ  system  of  Damgard  et  al.[3]  performs 
efficiently  on  some  forms  of  circuit  (such  as,  importantly,  AES). 
Still,  Major  questions  remain  on  how  to  optimize  Yao’s  garbled 
circuits  for  speed  depending  on  different  compute  models,  and  dif¬ 
ferent  security  models.  Solutions  have  currently  focused  on  four 
approaches:  i)  Implementation  Optimizations  (Parallelism,  pipelin¬ 
ing),  ii)  Security  Model  Compromises  (Hybrid  Model),  iii)  Con¬ 
struction  Optimizations  (Free-XOR  technique,  OT  Extension),  and 
iv)  Compiler  Optimizations  (Maximize  XOR  gates,  minimize  gate 
counts).  This  work  focuses  on  implementation  optimizations  us¬ 
ing  the  current  best  security  model  optimizations,  construction  op¬ 
timizations,  and  compiler  optimizations  from  the  state  of  the  art 
work.  Specifically,  we  focus  on  parallelizing  the  generation  and 
evaluation  of  garbled  circuits  so  as  to  perform  well  on  single  ma¬ 
chines  with  GPUs. 


3.  BACKGROUND 

We  (briefly)  review  Yao’s  garbled-circuit  approach  to  secure  com¬ 
putation  [25],  and  the  respective  security  models  of  interest:  honest- 
but-curious  (HbC),  malicious,  and  one-bit  leaked  malicious  (IBM). 

Garbled  circuits  provide  a  way  for  two  parties,  holding  inputs 
x  and  y  respectively,  to  compute  an  arbitrary  function  /  of  their 
inputs  without  revealing  anything  to  either  party  other  than  the  re¬ 
sult  f(x,y).  At  a  high  level,  the  idea  behind  the  base  protocol 


is  that  one  party — the  garbled-circuit  generator — prepares  an  “en¬ 
crypted”  version  of  a  boolean  circuit  for  /  (the  garbled  circuit)  and 
sends  it,  along  with  an  “encryption”  of  its  input  (say,  x),  to  the 
second  party.  This  other  party — the  garbled-circuit  evaluator — 
obtains  some  additional  information  from  the  garbled-circuit  gen¬ 
erator  (this  information  depends  on  the  evaluator’s  input  y),  and 
then  obliviously  computes  the  output  value  f(x,  y)  without  learn¬ 
ing  the  values  on  any  intermediate  wires  of  the  circuit. 

Security  Models. 

In  the  honest-but-curious  model,  both  parties  execute  a  proto¬ 
col  correctly,  but  the  parties  are  willing  to  try  and  extract  any  extra 
information  they  can  from  protocol  execution  in  other  external  pro¬ 
cesses.  Thus,  informally,  a  secure  protocol  must  ensure  that  no 
extra  information  other  than  the  output  can  be  extracted  or  deduced 
in  polynomial  time  from  the  protocol  transcripts.  A  secure  protocol 
in  the  malicious  model  is  one  that  ensures  the  same  even  when  an 
adversary  deviates  arbitrarily  from  the  protocols  specification.  The 
prior  two  models  apply  rather  genetically  to  many  cryptographic 
protocols.  The  final  model  is  the  one-bit-leaked  malicious  model. 
A  secure  computation  protocol  is  secure  in  this  model,  if  it  is  secure 
against  malicious  adversaries  with  the  relaxation  that  an  arbitrary 
predicate  of  the  private  inputs  can  be  leaked  to  the  adversary  during 
any  execution.  Formal  definitions  of  each  of  these  models  can  be 
found  in  [6,9], 

All  three  of  the  models  have  legitimate  practical  scenarios.  For 
example,  hospitals  might,  in  order  to  preserve  privacy  as  dictated  by 
law,  determine  if  they  have  patients  in  common  using  the  honest- 
but-curious  model.  Whereas,  its  use  to  securely  compute  in  the 
presence  of  an  adversary,  such  as  a  nation’s  intelligence  bureau, 
would  require  malicious  security.  Companies  might  use  secure 
computation  in  the  one-bit-leaked  malicious  model,  when  the  com¬ 
putation  is  not  repeated  frequently,  and  when  no  bit  of  the  data  is 
particularly  valuable. 


Yao’s  Protocol  for  the  Honest-but-Curious  Setting. 

Given  a  boolean  circuit  for  /  (pre-agreed  upon  by  the  parties), 
the  circuit  generator  chooses  two  random  cryptographic  keys  Wf ,  W} 
for  each  wire  i  of  the  circuit.  (The  semantics  are  that  W,-1  encodes 
a  0-bit  on  the  fth  wire,  while  W,-  encodes  a  1-bit.)  In  addition,  for 
each  wire  i  he  chooses  a  random  permutation  bit  ni,  and  assigns 
key  Wi  the  label  =  b  ©  7r;.  Next,  for  each  binary  gate  g  of 
the  circuit,  having  input  wires  i,j  and  output  wire  k,  the  circuit 
generator  computes  a  garbled  gate  consisting  of  the  following  four 
ciphertexts  (in  order): 
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where  Enc denotes  symmetric-key  encryption  of  plain¬ 
text  m  using  two  keys  W,  W' .  In  our  implementation,  we  define 
encryption  as 


Encgww,(m)  =  H(g\\W\\W’)(Bm, 

where  H  represents  a  cryptographic  hash  function  (SHA1)  whose 
output  is  truncated  to  the  length  of  the  given  plaintext.  The  set  of 
all  the  garbled  gates  constitutes  the  garbled  circuit  that  is  sent  to  the 
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evaluator.  In  addition,  the  circuit  generator  sends  the  permutation 
bit  7 Ti  for  any  output  wire  i  of  the  circuit. 

To  evaluate  the  garbled  circuit,  the  circuit  evaluator  must  obtain 
keys  for  each  input  wire  of  the  circuit;  specifically,  if  the  input  bit 
on  some  input  wire  i  is  bi,  then  the  evaluator  should  be  given  the 
key  Wf  along  with  the  label  A^1 .  (Furthermore,  for  each  input 
wire  it  should  get  only  that  key.)  For  input  wires  that  correspond  to 
the  input  of  the  circuit  generator,  x,  this  can  easily  be  arranged  by 
simply  having  the  generator  send  the  appropriate  key/label  for  each 
such  wire.  The  parties  can  use  oblivious  transfer  [6]  to  allow  the 
evaluator  to  obliviously  learn  the  appropriate  keys/labels  for  input 
wires  that  correspond  to  its  own  input,  y. 

Given  keys/labels  Wi ,  A;  and  Wj ,  Aj  associated  with  the  input 
wires  i,  j  of  some  gate  g,  the  evaluator  can  compute  a  key/label  for 
the  output  wire  of  that  gate  by  decrypting  the  ciphertext  in  position 
(Ai,  A  j)  of  the  garbled  table  for  g.  Proceeding  in  this  way  through 
the  entire  (garbled)  circuit  in  topological  order,  the  evaluator  can 
compute  keys/labels  for  each  output  wire  of  the  circuit.  Using  the 
permutation  bits  sent  to  him  by  the  circuit  generator,  this  means 
that  the  evaluator  can  determine  the  actual  bit  output  of  the  circuit. 
If  specified  as  part  of  the  protocol,  the  evaluator  can  send  that  result 
back  to  the  other  party. 

The  crucial  point  for  our  purposes  is  that  generation  of  all  the 
garbled  gates  can  be  done  in  parallel  once  the  wire  keys  and  per¬ 
mutation  bits  have  been  chosen.  Further  details,  along  with  a  proof 
of  security,  can  be  found  in  [17]. 

Malicious  Security  Model:  Cut-and- Choose. 

There  are  several  known  ways  to  modify  Yao’s  protocol  to  the 
malicious  model,  but  the  only  one  that  has  been  implemented  and 
deemed  practical  is  the  cut-and-choose  approach.  Here  the  circuit 
generator  creates  not  one  ‘encrypted’  circuit,  but  ss  k  ‘encrypted’ 
copies  of  the  circuit  (where  k  is  a  security  parameter).  The  gen¬ 
erator  sends  the  k  encrypted  circuits  (without  the  encryption  of  its 
input  to  the  generator).  The  evaluator  now  chooses  «  60%  of  the 
circuits  to  be  revealed,  at  which  point  the  generators  gives  all  the 
information  necessary  to  generate  the  circuit  to  the  evaluator  who 
then  verifies  that  all  the  circuits  are  legitimate  implementations  of 
the  correct  circuit  for  /.  If  not,  the  evaluator  quits.  If  so,  the  evalu¬ 
ator  asks  for  the  “encrypted”  inputs  to  the  remaining  ss  40%  of  the 
circuits,  and  computes  the  output.  The  evaluator  takes  as  its  output 
the  majority  output  of  the  many  evaluated  circuits.  The  argument 
for  the  security  of  this  protocols  is  beyond  the  scope  of  this  paper 
but  can  be  found  in  many  places  (cf.  [24]). 

One  Bit  Leaked  Malicious  Model. 

In  this  model,  the  protocol  is  modified  so  that  each  party  plays 
both  the  role  of  generator  and  evaluator.  Each  party  generates  a 
circuit  and  sends  it  to  the  other,  which  in  turn  evaluates  it.  After 
this  is  done,  a  specialized  protocol  that  is  secure  in  the  traditional 
malicious  model  does  a  secure  function  evaluation  to  ensure  that 
the  outputs  of  both  evaluated  circuits  are  the  same.  A  specialized 
and  efficient  protocol  (both  in  computation  and  communication)  for 
verifying  the  equality  of  outputs  in  the  malicious  security  model  is 
given  by  Huang  et  al.  [9]. 


4.  GPU  COMPUTING  AND  CUDA 

Modern  GPUs  are  massively  parallel  computational  devices,  but 
differ  from  modern  multi-core  CPUs  in  significant  aspects.  In  this 
section  we  provide  a  brief  overview  of  their  architecture.  Com¬ 
munication  to  and  from  the  GPU  occurs  over  the  system  PCI  bus, 


which  is  substantially  slower  than  the  regular  communication  path 
between  RAM  and  the  CPU  on  a  modern  machine. 

Anatomy  of  a  CUDA  GPU. 

The  smallest  execution  unit  on  a  CUDA1  GPU  is  called  a  stream¬ 
ing  processor  (SP),  or  CUDA  core,  which  is  capable  of  executing 
an  independent  thread.  These  cores  are  not  equivalent  to  CPU  cores 
but  more  equivalent  to  lanes  on  a  vector  processor.  An  SP  has  ac¬ 
cess  to  local  memory  and  registers.  Multiple  SPs  are  combined  to 
construct  one  Streaming  Multiprocessor  (SM).  The  number  of  SPs 
located  in  an  SM,  and  complexity  of  the  SM  depend  upon  the  GPU 
hardware  generation.  Every  NVIDIA  GPU  has  multiple  SMs. 

SMs  are  in  charge  of  scheduling  work  to  their  SPs.  SM’s  re¬ 
ceive  work  in  the  form  of  thread  blocks.  Thread  blocks  can  contain 
a  number  of  threads  defined  by  the  programmer  at  run  time.  The 
SM  then  splits  these  thread  blocks  into  groups  of  32  threads  called 
warps.  Each  warp  is  run  on  a  set  of  32  SPs.  Each  thread  in  a  warp 
executes  one  common  instruction  at  a  time  thus  warps  are  akin  to 
32-wide  vector  processors.  To  ensure  every  thread  is  executing  the 
exact  same  instruction,  each  thread  in  a  warp  must  execute  the  exact 
same  branch  in  program  flow.  If  different  threads  need  to  run  dif¬ 
ferent  branches,  the  GPU  serializes  them  by  having  the  appropriate 
threads  execute  the  branch,  while  non-branching  threads’  proces¬ 
sors  sit  idle.  When  such  a  divergence  in  execution  occurs  between 
threads  in  a  warp  it  is  termed  warp  divergence.  To  get  full  efficiency 
from  the  GPU  it  is  essential  that  programs  be  written  so  that  they 
can  be  broken  down  into  warps  where  all  threads  execute  the  same 
instruction ,  and  there  is  little  to  no  conditional  branching  that  does 
not  affect  all  the  threads  in  the  same  manner.  This  is  the  Single 
Instruction  Multiple  Data  (SIMD)  paradigm  for  parallel  program¬ 
ming,  where  the  same  instruction  is  applied  to  multiple  pieces  of 
data  at  a  time. 

Also  note  that  a  given  SM  might  be  concurrently  executing  mul¬ 
tiple  warps  via  “hyper-threading”.  If  one  warp  is  waiting  on  mem¬ 
ory  access  or  some  other  condition,  the  SM  may  start  to  execute 
another  warp.  There  is  little  to  no  cost  in  time  for  this  context 
switching,  however  it  does  mean  that  local  resources  such  as  regis¬ 
ters  and  local  memory  need  to  be  shared  between  these  warps. 

Relative  Speeds  of  Memory  and  CPU-GPU  bandwidth. 

GPUs  must  deal  with  latency  issues  caused  by  transferring  data 
from  the  host  machine  to  the  GPU  and  vice-versa.  Transfer  rates 
between  the  host  and  GPU  are  «  8GB/s  over  the  PCI-E  bus  when 
the  GPU  is  on  a  PCIe  card.  The  transfer  rates  are  orders  of  magni¬ 
tude  slower  than  the  GPU’s  theoretical  compute  throughput.  Mem¬ 
ory  transfer  on-board  the  GPU  is  several  orders  of  magnitude  faster 
than  the  bus  (e.g.,  global  memory  on  a  Tesla  card  transfers  at  177.6 
GB/s).  Therefore,  high  performance  requires  minimizing  memory 
transfers  and  the  communication  between  the  GPU  and  CPU,  and 
maximizing  the  local  computation  performed  on  the  GPU.  Differ¬ 
ing  types  of  memory  on  the  GPU,  including  global,  shared,  local 
(LI,  L2  cache),  and  registers,  also  operate  at  varying  speeds  and 
thus  create  a  memory  hierarchy  on  the  GPU  mirroring  that  on  a  typ¬ 
ical  machine.  Kernels  must  optimize  the  use  of  local  registers  and 
shared  memory  while  dealing  with  the  extremely  limited  resources 
of  each.  Register  dependencies,  such  as  when  a  read  directly  fol¬ 
lows  a  write  to  the  same  register,  can  also  increase  latency.  Thus 
we  want  to  maximize  register  usage  to  increase  speed,  however 
any  particular  thread  also  wants  to  minimize  usage  so  that  a  SM 


'By  CUDA  (Compute  Unified  Device  Architecture)  we  mean  an 
NVIDIA  GPU  that  supports  NVIDIA’s  CUDA  programming  envi¬ 
ronment.  The  most  commonly  developed  for  GPU. 
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can  “hyper-thread”  multiple  warps,  if  any  of  them  are  latent  due 
to  memory  fetches  or  other  reasons.  These  conflicting  goals  make 
register  usage  a  complicated  trade-off  in  GPU  programming. 

5.  MULTI-CORE  CPU  VS  CLUSTERS 

For  our  CPU  based  circuit  evaluation  system,  we  use  local  par¬ 
allelism  to  take  advantage  of  the  multi-core  environment  found  on 
modern  day  CPUs.  This  is  in  contrast  to  the  different,  if  not  compli¬ 
mentary,  approach  taken  by  Kreuter  et  al.  [15],  who  take  advantage 
of  the  parallelism  available  on  multi-node  compute  clusters.  We 
discuss  the  different  technological  approaches  next. 

MPI  and  OpenMP. 

OpenMP  and  MPI  (Message  Passing  Interface)  are  both  com¬ 
peting  and  complementary  standards  for  parallelization  in  High 
Performance  Computing  (HPC).  OpenMPI  is  currently  a  dominant 
MPI  implementation  but  is  not  related  to  OpenMP  beyond  being  a 
parallelization  technology. 

MPI  is  a  message  passing  technology  that  enables  “scale-out” 
parallelism  on  multi-device  compute  clusters,  such  as  super  com¬ 
puting  clusters.  The  developer  defines  an  MPI  process  that  is  launched 
many  times  on  many  different  compute  nodes.  These  MPI  pro¬ 
cesses  are  able  to  pass  messages  between  one  another  when  they 
need  to  share  computation.  It  works  best  for  large  jobs  on  large  sys¬ 
tems,  as  each  MPI  process  incurs  large  overhead.  MPI  requires  that 
any  machines  running  MPI  code  have  an  MPI  implementation’s  ex¬ 
ecutables  installed,  for  example,  Open  MPI’s  libraries  and  executa¬ 
bles.* 2  OpenMPI  is  the  technology  used  by  Kreuter  et  al.[15]. 

In  contrast,  OpenMP  is  an  HPC  technology  designed  for  “scale- 
up”  parallelism  on  a  single  machine.  It  is  a  standard  that  is  built 
in  to  compilers  such  as  GCC  and  includes  a  small  driver  library. 
Developers  use  OpenMP  to  easily  create  many  lightweight  threads 
with  minimal  syntax  compared  to  traditional  POSIX  thread  imple¬ 
mentations.  Unlike  POSIX  threads,  OpenMP  is  optimized  for  a 
data  parallel  programming  paradigm  and  not  a  task  parallel  pro¬ 
gramming  paradigm.  Data  parallelization  is  akin  to  the  SIMD  (Sin¬ 
gle  Instruction  Multiple  Data)  paradigm  and  task  parallelization  is 
akin  to  the  MIMD  (Multiple  Instruction  Multiple  Data)  paradigm. 
OpenMP  is  the  technology  we  use  for  our  parallel  multi-core  CPU 
evaluation  scheme. 

6.  SECURITY  MODEL  INDUCED  ARCHI¬ 
TECTURE  TRADE-OFFS 

While  GPUs  gain  with  massive  parallelism,  they  lose  in  terms  of 
algorithmic  flexibility.  Programmers  must  specify  the  logical  allo¬ 
cation  of  their  threads  in  terms  of  thread  blocks,  and  these  thread 
blocks  affect  physical  GPU  allocation.  If  this  logical  allocation  is 
poor  (e.g.,  setting  thread  blocks  to  have  one  thread)  then  poor  per¬ 
formance  follows,  as  many  cores  in  a  SM  sit  idle  while  a  single 
core  computes  the  thread.  We  compare  the  architectural  approach 
of  Frederiksen  and  Nielsen  [5]  and  Kreuter  at  al.  [15]  given  their 
malicious  model  implementations,  and  our  approach  in  the  HbC 
and  IBM  security  models.  Recall  that  in  the  cut-and-choose  ma¬ 
licious  implementation  the  generator  must  generate  «  k  circuits 
while  the  evaluator  will  evaluate  some  40%  of  those  circuits,  and 
verify  the  remaining  60%  to  ensure  they  were  properly  constructed. 

In  the  HbC  case  the  generator  must  generate  only  one  circuit  and 
the  evaluator  must  evaluate  only  one  circuit.  In  the  1 BM  case,  each 
party  must  generate  and  evaluate  one  circuit. 


2http : / / www . open-mpi . org/software/ompi/vl . 6/ 


Similarity  between  HbC  and  IBM. 

Implementation  details  between  HbC  and  IBM  protocols  are 
generally  identical  as  the  resources  they  need  are  very  similar.  The 
IBM  protocol  differs  in  only  requiring  one  more  circuit  genera¬ 
tion  and  one  more  circuit  evaluation  than  that  of  the  HbC  protocol. 
Therefore,  we  address  both  protocols  in  our  discussion  as  if  they 
were  the  same  model. 

Communication  Differences. 

One  immediate  observation  is  that  in  the  malicious  model,  rea¬ 
sonable  values  of  k  might  vary  between  60  and  120,  and  thus  the 
number  of  circuits  that  need  to  be  transferred  between  the  two 
agents  in  the  protocol  40%  of  this,  3  compared  to  the  one  or  two 
circuits  that  need  to  be  transmitted  our  protocols.  Frederiksen  and 
Nielsen  show  that  in  their  protocol  with  varying  security  parame¬ 
ters,  that  communication  costs  dominate,  often  by  a  factor  of  3  to  4 
times  the  generation  or  evaluation  times.  This  is  not  by  enough  that 
one  should  expect  them  to  dominate  in  the  HbC  or  IBM  scenario 
we  implement.  Further,  recent  advances  in  the  cut-and-choose  method¬ 
ology  by  Lindell  [16]  and  optimizations  that  Frederiksen  and  Nielsen 
did  not  implement  [24],  further  reduce  the  communication  burden.4 
Finally,  Frederiksen  and  Nielsen  also  increase  the  circuit-size  to 
include  a  universal  hash  of  the  inputs,  and  there  are  alternate  ap¬ 
proaches  that  will  not  increase  the  circuit  size  which  can  be  con¬ 
sidered.  Therefore,  we  can  consider  optimizations  that  disallow 
the  garbled  row-reduction  methodology,  and  also  slightly  increase 
communication  for  the  sake  of  efficiency. 

Malicious  Cut-and-Choose  and  the  GPU. 

Cut-and-choose  protocols  must  generate  k  circuits  at  a  time.  In¬ 
stead  of  having  each  thread  represent  a  gate,  in  cut-and-choose  each 
thread  represents  one  of  the  k  circuits  and  the  thread  block  is  used 
to  represent  an  individual  gate.  Thus,  each  thread  block  contains  k 
threads  and  each  thread  deals  with  the  generation  of  a  specific  gate 
for  each  of  the  k  circuits.  One  can  then  allocate  the  same  num¬ 
ber  of  thread  blocks  as  there  are  gates  in  the  circuit  to  the  GPU. 

As  each  thread  block  will  always  have  threads  processing  the  same 
gate  type,  there  is  no  fear  of  warp  divergence.  The  only  caveat  is 
the  thread  block  size,  and  thus  the  cut-and-choose  security  param¬ 
eter,  should  be  a  multiple  of  32  for  optimal  GPU  allocation  (again, 
the  SMs  allocate  32  threads  at  a  time).  Levels  are  evaluated  in  turn, 
but  this  is  less  problematic  to  performance,  circuit  widths  are  effec¬ 
tively  multiplied  by  fc,  meaning  the  GPU  spends  little  relative  time 
idle  waiting  for  a  level  to  complete  before  the  next  is  started.  Eval¬ 
uation  occurs  in  a  similar  manner,  but  must  use  the  level-by-level 
process  that  was  used  in  semi-honest  evaluation.  For  each  level 
there  will  be  a  thread  block  for  each  gate  in  that  circuit’s  level  and 
each  thread  block  will  contain  k  threads.  We  note  this  is  exactly 
the  approach  taken  by  Frederiksen  and  Nielsen  [5]. 

Honest-but-Curious  and  One-Bit  Malicious. 

The  previous  description  of  a  successful  approach  to  placing  cut- 
and-choose  on  the  GPU  should  make  it  clear  why  the  same  ap¬ 
proach  is  inefficient  for  the  semi-honest  case  (and  similarly  the 
1  BM  case).  If  only  one  circuit  is  being  generated  or  evaluated,  each 
thread  block  will  contain  only  one  thread,  and  only  one  thread  will 
be  allocated  by  the  SMs  on  the  GPU  for  each  gate  leaving  31/32 


Tt  is  known  that  only  the  circuits  that  are  being  evaluated  need 

to  be  transferred  as  noted  in  [7],  as  it  suffices  to  communicate  a 

collision  resistant  hash  of  the  verified  circuits. 

4In  practice  Frederiksen  and  Nielsen  evaluate  50%  of  the  circuits. 
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SPs  in  a  warp  dormant  (meaning  the  vast  majority  of  GPU  cores 
are  consistently  going  unused). 

We  describe  our  approach  to  implementing  HbC  and  IBM  on 
the  GPU.  For  simplicity  we  will  assume  the  circuit  we  are  generat¬ 
ing  and  evaluating  fits  in  GPU  memory,  although  our  approach  is 
not  limited  in  this  fashion.  As  we  are  only  concerned  with  a  single 
circuit,  we  will  pass  the  whole  circuit  description  to  the  GPU  for 
generation  and  evaluation.  In  the  case  of  generation,  each  thread 
represents  a  single  gate  in  the  circuit  and  the  number  of  threads  al¬ 
located  are  the  number  of  gates  in  the  circuit.  The  size  of  a  thread 
block  does  not  matter  for  the  HbC  or  IBM  case,  although  for  effi¬ 
ciency  it  should  be  a  multiple  of  32  (the  physical  thread  allocation 
count  by  the  SM).  We  can  handle  XOR  gates  with  one  kernel  and 
all  other  truth  table  gates  with  another  kernel.  The  latter  essen¬ 
tially  always  make  a  blank  truth  table,  and  the  converts  it  to  the 
appropriate  type  by  changing  each  line  of  the  table  to  describe  the 
appropriate  operator.  However,  to  construct  a  truth  table  gate  one 
needs  to  have  knowledge  of  its  input  wires’  labels.  This  too  can 
seemingly  be  solved  because  we  can  pseudo-randomly  generate  a 
wire’s  labels  based  on  the  wire’s  identifier,  but  this  conflicts  with 
the  Free-XOR  technique  (as  described  in  the  next  section).  We 
modify  the  Free-XOR  technique  at  the  cost  of  a  small  amount  of 
extra  communication,  and  allow  all  gates  in  the  circuit  to  be  gener¬ 
ated  in  parallel,  independent  of  the  level  on  which  they  reside. 

Evaluation  needs  to  occur  on  a  level-by-level  basis  to  honor  data 
dependencies  between  gates.  Again, we  would  have  two  kernels  for 
evaluating  the  two  types  of  gates,  truth  table  and  XOR.  Consider 
what  happens  when  evaluating  the  end  of  a  level:  it  is  likely  that 
many  symmetric  processors  will  sit  idle  waiting  for  the  level  to 
be  completed,  as  there  are  no  more  gates  on  the  current  level,  say 
i  —  1,  to  evaluate,  but  they  cannot  commence  processing  the  level 
i  gates  until  the  last  few  gates  on  level  i  —  1  are  evaluated  due  to 
potential  dependency  issues.  The  narrower  a  level  is,  the  larger 
the  inefficiency  if  many  of  the  GPU’s  cores  need  to  lay  latent  why 
completing  the  level.  Logic  to  check  for  dependencies  is  likely 
to  cause  divergence,  and  latency  problems.  Therefore,  for  circuits 
which  are  not  wide,  the  relative  amount  of  time  that  is  spent  by  the 
cores  being  idle  at  the  end  of  a  level  can  be  quite  large.  In  the  cut- 
and-choose  approach,  the  fact  that  there  are  k  copies  of  each  circuit 
has  the  effect  of  essentially  multiplying  the  width  of  each  circuit  by 
k,  making  the  issue  far  less  problematic.  Of  course,  for  particularly 
large  and  wide  circuits,  this  should  not  cause  much  of  an  issue  for 
the  HbC  or  IBM  implementations. 

7.  ARCHITECTURE  &  METHODOLOGY 

Several  optimizations  of  Yao’s  garbled-circuit  protocol  have  been 
proposed,  but  it  is  not  clear  how  all  of  them  can  be  efficiently  imple¬ 
mented  in  a  massively  parallel  system.  Here  we  discuss  the  major 
techniques  and  our  approach  to  implementing  them.  As  a  start¬ 
ing  point,  we  implement  the  folklore  “single  row  evaluation"  tech¬ 
nique  already  described  in  the  description  of  the  Yao  protocol  in 
Section  3.  This  optimization,  created  by  [18],  decreases  evaluation 
time  on  encrypted  gates  by  roughly  a  factor  of  4. 

On  the  other  hand,  one  popular  technique  for  reducing  the  size 
of  garbled  tables  by  1/4,  called  Garbled-row  reduction  [21],  is  not 
implemented  as  any  such  implementation  would  seem  to  slow  exe¬ 
cution  on  a  SIMD  parallelization.5  The  benefit  of  this  approach  is 

5There  are  two  issues:  i)  wires  in  level  i  +  1  of  the  circuit  will  now 

depend  on  the  gates  in  level  i,  making  parallel  generation  of  the 
circuit  difficult;  and  ii)  during  evaluation,  about  a  1/4  of  the  cores 
evaluating  encrypted  gates  would  evaluate  to  the  missing  row,  and 
require  different  code  than  is  required  for  the  remaining  3/4  of  the 
cores  (causing  warp  divergence). 


that  it  reduces  communication  by  25%,  but  as  discussed  our  secu¬ 
rity  models  prompts  us  to  be  less  concerned  about  communication 
costs  and  more  about  gate  generation  and  evaluation  timings. 

7. 1  Selection  of  the  Random-Oracle/Permutation 
Function 

The  Yao-garbled  circuit  technique  relies  on  symmetric  encryp¬ 
tion.  In  most  modern  implementations  the  symmetric  encryption  is 
provided  via  a  random  oracle  instantiated  by  a  cryptographic  hash 
(SHA1).  Recent  work  by  Bellare  et  al.  [1]  has  also  considered  the 
use  of  a  Random  Permutation  that  can  be  instated  with  fixed  key  in 
a  block-cipher  such  as  AES.  In  our  implementation,  we  choose  the 
SHA1  function  for  this  purpose.  Jang  et  al.  [12]  showed  that  AES 
had  substantially  slower  throughput  than  SHA1  on  GPU  architec¬ 
tures.  We  have  not  had  the  chance  to  consider  an  optimized  version 
of  AES  with  a  fixed  key,  as  suggested  in  [1],  and  this  should  be 
investigated.  We  experimentally  tested  BLAKE256,  a  SHA3  final¬ 
ist,  which  also  had  a  slower  throughput  on  the  GPU  than  SHA1, 
when  both  are  given  inputs  that  require  the  same  number  of  rounds 
of  Merkle-Damgard.Our  implementation  of  SHA1  is  a  hand  opti¬ 
mized  version  of  the  John  the  Ripper  implementation  of  SHAl.6  In 
particular,  we  are  able  to  reduce  the  number  of  rounds  we  typically 
need  to  calculate  in  SHAl  by  judiciously  choosing  the  values  we 
hash.  As  others  have  done,  we  ensure  that  we  never  need  to  hash 
more  than  one  block  of  data.  However,  by  ensuring  that  the  prefix 
of  the  values  we  hash  for  a  given  circuit  remain  relatively  constant, 
we  can  pre-compute  the  first  few  rounds  of  SHAl  for  each  query 
in  generating  or  evaluating  a  circuit.  This  allows  us  to  knock  off 
either  6  or  14  rounds  (out  of  the  80  rounds)  of  each  SHAl  call.  We 
also  note  that  to  allow  an  SM  to  be  able  to  “hyper-thread”,  we  need 
to  be  miserly  with  our  use  of  registers  in  this  code.  Profiling  clearly 
shows  that  hand  optimization  of  the  SHAl  code  is  a  worthwhile  en¬ 
deavor. 

7.2  GPUs  and  Free-XOR 

One  main  challenge  in  this  work  is  to  develop  a  version  of  the 
Free-XOR  technique  that  is  compatible  with  parallelization.  We 
begin  by  describing  the  technique. 

The  Free-XOR  technique  [13]  allows  XOR  gates  in  the  circuit 
to  be  evaluated  using  only  a  bit-wise  XOR  operation  instead  of 
the  standard  garbled-gate  evaluation.  In  this  approach,  the  circuit 
generator  chooses  a  global  random  offset  R,  and  then  ensures  that 
the  keys  for  every  wire  i  in  the  circuit  satisfy  W°  ©  Wl  =  R. 

This  is  usually  done  by  choosing  keys  for  each  wire  i  in  the  circuit 
that  is  not  the  output  of  an  XOR  gate  by  sampling  Wf  at  random 
(as  before)  but  then  setting  W}  =  W°  ©  R.  For  k  an  output  wire 
of  an  XOR  gate  with  input  wires  i,j,  the  evaluator  sets  W°  = 

Wi  ©  Wj  and  W/  =  W°  ©  R.  Note  that  if  the  circuit  evaluator 
holds  input- wire  keys  Wi,  Wj  associated  with  the  input  wires  to  an 
XOR  gate,  he  can  compute  the  corresponding  key  for  the  output 
wire  k  of  that  gate  as  Wk  =  Wi  ©  Wj.  Thus,  no  garbled  tables 
need  to  be  prepared  or  sent  for  such  gates. 

We  modify  this  technique  to  permit  efficient  parallel  gate  gener¬ 
ation.  In  particular,  note  that  when  the  circuit  alternates  between 
non-XOR  gates  and  XOR  gates  in  the  ‘encrypted’  circuit,  this  cre¬ 
ates  a  dependency  amongst  wire-labels  that  would  require  gates  to 
be  generated  in  leveled  order.  This  is  because  the  output  wire  labels 
from  the  first  XOR  gates  on  level  i  —  1  need  to  be  computed  for  use 
as  the  input  wires  on  level  i.  This  creates  a  dependency  regardless 
of  whether  or  not  the  gates  on  level  i  are  XOR  or  truth  tables. 

Our  modification  operates  by  first  virtually  generating  the  labels 
(Sec.  7.3)  for  all  wires  in  the  circuit,  even  if  the  wire  is  the  output 

‘’John  the  Ripper  is  a  brute  force  password  hashing  software  suite. 
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wire  from  a  XOR  gate.  This  differs  from  the  original  Free-XOR 
technique  which  does  not  randomly  generate  labels  for  XOR  gate 
output  wires.  Then,  after  wire  label  generation,  during  the  gener¬ 
ation  of  XOR  gate  i,  we  calculate  a  label  offset  (Vf)  and  a  p-bit 
offset  (Pf)  that  is  unique  for  XOR  gate  i  in  the  circuit.  In  the  orig¬ 
inal  Free-XOR  technique  it  is  at  this  point  where  an  XOR  gate’s 
output  wire  labels  would  be  generated.  Instead,  we  make  use  of  Vi 
and  Pi  to  modify  our  XOR  gate  to  our  previously  generated  wire 
label  and  p-bit.  The  V  and  P  values  for  every  XOR  gate  can  be 
calculated  in  parallel  on  the  GPU.  Our  scheme  adds  two  bitwise 
XOR  operations  to  XOR  gate  generation,  but  this  increased  over¬ 
head  is  minuscule  compared  to  locating  every  XOR  gate  chain  and 
then  serially  computing  each  gate  in  the  chain.  The  calculation  of 
our  V  and  P  values  during  generation  are  as  follows: 

1.  For  each  XOR-Gate  Gi  with  wires  Wc  =  XOR(Wa,  W4) 
where  Wa  =  K&£,P°),  (kl,pl)],  Wb  =  [(fcg ,p°),  (H 
Wc  =  {(k°,p°),  (kl,pl)},  and  tuple  [14,  PJ: 

(a)  Set  value  14  =  0  0  k°c  for  wire  Wc 

(b)  Set  value  Pc  =  p°a  0  p°  0  p°  for  wire  Wc 

The  use  of  V  and  P  during  evaluation  are  as  follows: 

1.  For  each  XOR-Gate  Gi  with  wires  Wc  =  XOR(W4, 114) 
where  Wa  =  (ka,pa),Wb  =  { kb,pb ),  and  tuple  [14,  Pc]: 

(a)  Compute  garbled  output  value  Wc  =  { kc,pc )  which 
is  equal  to  ( ka  0  h  0  14,  pa  0  Pi,  0  -Pc) 

Communication  Costs:  As  discussed,  this  modification  increases 
the  communication  costs  by  adding  an  extra  ‘key’  for  each  XOR 
gate  in  exchange  for  significant  parallelized  speed  improvements. 
This  modification  is  also  incompatible  with  the  Garbled  Row  Re¬ 
duction  (GRR)  optimization  [10],  which  performs  more  computa¬ 
tion  in  exchange  for  less  communication  because  GRR  also  induces 
a  dependence  on  a  circuit’s  wire  labels. 

7.3  GPU  Wire  Creation  and  Gate  Generation 

Our  system  implements  garbled  circuit  generation  on  the  GPU 
in  parallel.  We  first  note  a  method  of  virtually  generating  all  label 
pairs  and  permutation  bits  (ka,Pa),  { k\,p\ )  for  every  wire  in  the 
circuit.  Because  of  the  memory  hierarchy,  one  does  not  wish  to 
generate  all  of  the  keys  associated  with  labels  initially,  as  the  costs 
of  moving  and  storing  these  keys  in  memory  is  substantial.  Instead, 
we  use  wire  indexes  from  the  circuit  description  (which  are  much 
smaller  than  cryptographic  keys),  as  inputs  to  a  pseudo-random 
function  generator  (PRFG),  which  outputs  the  labels  for  a  given 
wire.  Specifically,  we  output  =  Ps(a)  and  k\  =  Ps(a)  ®  R 
for  a  PRFG  P  with  a  circuit  specihc  seed  s  and  the  global  Free- 
XOR  offset  R.  The  permutation  bits  are  handled  similarly.  Note 
that  wire-labels  are  not  actually  precomputed,  but  rather  only  vir¬ 
tually  assigned,  and  computed  when  constructing  the  gates  that  are 
attached  to  a  given  label,  for  implementation  optimization  reasons. 

7.4  GPU  Evaluation 

The  entire  circuit  cannot  be  evaluated  in  parallel  on  the  GPU. 
The  gates  in  the  circuit  must  be  topologically  sorted,  and  then  eval¬ 
uated.  That  is,  the  circuit  must  be  broken  into  smaller  sub  circuits 
such  that  each  subcircuit  S  has  a  start  gate  level  Ga  and  end  gate 
level  Ge  ■ 

Our  API  starts  GPU  evaluation  by  iteratively  transferring  sev¬ 
eral  consecutive  levels  of  truth  tables  and  XOR  gates  to  the  GPU’s 
memory,  and  then  evaluating  them.  The  next  grouping  of  levels 
can  be  asynchronously  transferred  to  the  GPU  while  the  previous 


grouping  of  levels  is  being  evaluated.  At  each  level  a  separate  ker¬ 
nel  must  be  used  to  evaluate  XOR  and  truth  table  gates. 

CPU  Evaluation. 

Besides  GPU  Evaluation  of  garbled  circuits  we  also  implemented 
system  to  evaluate  garbled  circuits  on  the  host  both  serially  and  in 
parallel.  Our  parallel  CPU  implementation  makes  use  of  OpenMP 
threads  (cf.  Sec.  5).  The  CPU  parallel  and  serial  evaluation  work 
using  the  similar  process  as  GPU  evaluation,  but  importantly  CPU 
evaluation  does  not  need  to  perform  any  data  transfers.  The  CPU 
evaluation  algorithm  iterates  over  each  circuit  level  in  the  same 
manner  as  GPU  evaluation.  Serial  CPU  evaluation  will  iterate  seri¬ 
ally  over  each  gate  in  a  level  and  evaluate  it.  The  parallel  CPU  eval¬ 
uation  algorithm  iterates  over  gates  in  a  level  in  parallel,  where  they 
are  divided  up  equally  among  all  available  threads  on  the  machine. 
Thus  if  a  level  contains  N  gates  and  the  machine  has  t  threads,  each 
thread  will  process  ‘J  gates.  No  balancing  is  done  to  try  and  ensure 
a  consistent  mix  of  XOR  and  truth  table  gates,  as  the  overheard  was 
deemed  higher  than  the  benefit.  Given  CPUs  are  MIMD  processors 
there  is  no  need  to  worry  about  divergent  branches,  thus  parallel 
evaluation  on  the  CPU  is  a  more  straightforward  process. 

8.  RESULTS 

In  this  section,  we  present  several  experiments  that  support  the 
main  claims  of  this  paper  and  give  data  on  GPU  circuit  genera¬ 
tion,  GPU  evaluation,  and  multi-core  CPU  evaluation.  Given  that 
there  are  now  several  implementations  in  different  security  mod¬ 
els,  such  as  HbC,  IBM,  and  malicious  security,  it  is  clear  a  critical 
metric  to  the  performance  of  these  systems  is  the  number  of  gates 
one  can  generate  and  evaluate  per  core  per  second.  In  the  HBC 
and  IBM  security  model,  gate  generation  and  evaluation  are  key, 
as  Huang  et  al.[9]  also  note.  Frederiksen  and  Nielsen  suggest  that 
communication  is  the  fundamental  limiting  factor  in  the  malicious 
model,  but  we  recall  that  there  are  are  now  several  communications 
improvements  that  will  help  to  alleviate  communication  overhead, 
as  discussed  in  Section  6,  which  suggest  that  these  metrics  should 
still  be  of  some  concern  in  the  malicious  model.  We  do  not  ad¬ 
dress  communication  or  its  latency  here,  as  it  is  not  in  scope  of  our 
investigation  on  the  use  of  different  parallelizing  technologies  to 
implement  efficient  and  practical  circuit  generation  and  evaluation. 
We  discuss  this  in  the  Future  Work  section. 

We  show  through  experiment  that  circuit  generation  in  the  HbC 
and  IBM  security  models  can  dramatically  benefit  from  a  combina¬ 
tion  of  the  fine-grained  parallelization  that  has  not  been  exploited  in 
prior  works  and  our  modification  of  the  Free-XOR  technique.  Fur¬ 
ther,  it  can  easily  be  accommodated  on  SIMD-style  architectures 
such  as  GPUs.  This  applies  to  creating  individual  circuits,  and  can 
be  carried  forward  to  many  duplicates  for  cut-and-choose  scenar¬ 
ios,  although  the  extra  communications  costs,  and  the  availability 
of  other  parallelization  techniques  in  that  model  may  make  our  ap¬ 
proach  for  that  security  model  less  feasible:  more  experiments  need 
to  be  performed. 

Finally,  we  show  that  circuit  evaluation  is  more  difficult  to  paral¬ 
lelize  for  individual  circuits,  but  can  perform  better  in  the  cut-and- 
choose  scenario  of  malicious  security. 

8.1  Explanation  of  our  Experiments  and  Data 

Producing  fair  comparisons  between  different  garbled  circuit  sys¬ 
tems  is  currently  challenging.  In  a  perfect  world  we  would  execute 
all  systems  on  the  same  machine  using  the  same  circuit  descriptor 
files,  and  provide  results.  Unfortunately,  we  do  not  have  access  to 
all  of  the  systems  and  circuit  description  files  necessary  to  do  this. 
We  were  able  to  get  the  Frederiksen  and  Nielsen  [5]  system  work- 
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ing  on  two  of  our  GPU  systems  for  a  direct  comparison  of  our  per¬ 
formance  to  theirs.  We  do  not  have  interchangeable  circuit  formats, 
but  we  can  provide  comparisons  on  a  per  gate  basis.  Interestingly, 
their  system  performs  better  on  an  older  architectural  generation  of 
GPU  card  then  it  was  designed  to  function,  so  we  compare  their 
best  performance  and  ours  on  both  generations  of  cards.  Further, 
since  their  implementation  is  in  the  malicious  model,  we  cannot 
simply  compare  execution  times  of  their  many  cut-and-choose  gen¬ 
erations  and  evaluations  with  a  single  generation  or  evaluation  on 
our  system.  We  took  different  AES  circuits  and  “copy  and  pasted” 
multiple  independent  copies  into  one  file  to  simulate  the  workload 
needed  to  generate  or  evaluate  many  copies  of  the  circuit  in  the 
cut-and-choose  protocol,  and  then  compare  on  a  per  gate  basis. 

In  the  case  of  Kreuter  at  al.  [15],  we  have  recently  been  able  to 
support  generating  and  evaluating  circuits  form  their  most  recent 
compiler  [14],  allowing  for  comparison  of  generation  between  the 
two  systems  on  identical  circuits,  but  we  have  not  yet  been  able 
to  fully  integrate  their  system  with  our  pipelining  code,  so  we  can 
only  compile  those  circuits  for  which  the  entire  final  circuit  fits  on 
the  GPU  at  one  time.  Larger  circuits  that  need  to  be  broken  up  and 
pipelined  onto  the  GPU  cannot  yet  be  directly  compared.  For  this 
reason,  the  comparisons  of  our  system  halt  in  the  experiments  when 
circuit  sizes  reach  the  maximal  that  will  fit  on  the  graphics  cards. 
We  note  that  of  our  two  systems,  one  system’s  card  has  a  newer 
architecture  than  the  other,  and  so  can  support  slightly  larger  cir¬ 
cuits.  Unfortunately,  we  did  not  have  access  to  a  version  of  Kreuter 
et  al.’s  system  that  would  work  on  a  non-clustered  machine,  so  we 
could  not  provide  bare-metal  side  by  side  comparisons.  Therefore, 
in  the  case  of  Kreuter  et  al.  [14],  we  take  the  results  from  their  pa¬ 
per  and  compare  them  with  the  same  circuits  on  our  machines.  All 
reported  results  from  our  experiments  are  the  average  of  100  runs. 
Experiments  from  Kreuter  at  al.  [14]  report  average  results  from 
50  runs. 

Most  prior  work  in  the  area  benchmarks  the  time  it  takes  to  gen¬ 
erate  and  evaluate  various  circuits.  This  process  indirectly  bench¬ 
marks  the  number  of  gates  generated  or  evaluated  per  second.  How¬ 
ever,  this  is  often  run  on  systems  with  varying  numbers  of  cores, 
and  to  a  lesser  extent  varying  speeds.  We  report  results  on  the  av¬ 
erage  number  of  gates  generated  or  evaluated  per  second  per  core. 
We  note  this  metric  seems  relatively  stable,  and  thus  we  use  it  for  a 
near  apples-to-apples  comparison.  Table  1  has  details  for  the  com¬ 
parison  systems.  We  note  that  even  though  EC2  has  multiple  GPUs, 
only  one  is  used  in  the  results  presented.7  EC2  is  run  on  Amazon’s 
elastic  compute  infrastructure,  and  is  running  under  a  Xen  hypervi¬ 
sor.  Since  we  do  not  have  direct  access  to  the  bare  metal,  we  cannot 
determine  how  much  overhead  the  Xen  hypervisor  entails,  but  Xen 
project  benchmarks  suggest,  assuming  appropriate  kernel  patches 
have  been  applied,  a  0-30%  performance  decrease  [2], 


System 

CPU 

Core/ 

Thrd. 

GHz 

Ram 

(GB) 

GPU 

Kreuter  et  al. 
[15] 

Xenon 

E5506 

4 

2.13 

8 

N/A 

EC2 

Xenon 

X5570 

8/16 

2.93 

24 

Tesla 

S2050 

Tie 

Xenon 

E5-2620 

12/12 

2 

64 

Tesla 

K20 

GPU 

Cores 

SMs 

GHz 

Memory 

(GB) 

Compute 

Capability 

S2050  (EC2) 

448 

14 

1.15 

2.7 

2.0 

K20  (Tie) 

2496 

13 

0.71 

4.8 

3.5 

Table  1:  Benchmark  system  descriptions.  EC2  runs  a  Xen  virtual 
machine. 


second.  Observe  that  we  generate  gates  at  about  2.3  times  the  rate 
on  the  Tie  system  compared  to  Frederiksen  and  Nielsen  on  the  EC2 
system.  Observe  that  we  generate  gates  at  about  3  times  the  rate  on 
the  Tie  system  compared  to  Frederiksen  and  Nielsen.  This  is  the 
benchmark  system,  as  Frederiksen'  and  Nielsen’s  code  is  targeted 
at  compute  capability  3.X  CUDA  cards. 

As  the  number  of  cores  on  systems  can  be  highly  variable,  in 
Fig.  lb  we  calculate  the  average  rate  of  gate  generation  per  core 
for  the  two  systems,  to  help  with  understanding  performance  on 
other  GPU  cards  with  varying  numbers  of  cores.  Note  that  in  the 
benchmarks  reported  in  Figs,  la  and  lb  we  have  commented  out 
any  code  in  our  system  necessary  to  split  large  circuits  into  smaller 
sub-circuits  so  that  they  can  fit  onto  the  GPU,  as  Frederiksen  and 
Nielsen  have  no  such  corresponding  code  as  they  simply  assume 
the  circuit  will  fit.  Thus  we  are  not  penalized  for  computing  over¬ 
head  that  the  other  system  also  does  not  compute. 


8.2  GPU  Circuit  Generation 

We  ran  circuit  generation  on  the  EC2  and  Tie  systems  (cf.  Ta¬ 
ble  1).  We  first  compare  our  results  to  those  of  Frederiksen  and 
Nielsen  [5]  in  Fig.  la.  We  remind  the  reader  that  we  compare  their 
circuit  generation  times  from  experiments  where  they  have  similar, 
but  not  identical  circuits,  due  to  the  need  to  simulate  the  cut-and- 
choose  malicious  protocol,  and  further,  while  we  did  have  access  to 
their  circuit  file,  we  could  not  execute  it  directly  as  we  do  not  sup¬ 
port  their  file  description  language  in  our  system,  and  their  binary 
file  format  was  not  conducive  to  easy  translation.  Thus,  we  show 
in  Fig.  la  that  under  similar  workloads  our  scheme  outperforms 
theirs  on  the  same  hardware  using  the  metric  of  gates  generated  per 


7We  discuss  multiple  GPUs  in  Sec.  9  with  respect  to  future  work 


(a)  (b) 

Figure  1:  la)  Circuit  gate  generation  rates  of  [5]  vs.  our  technique 
using  fully  parallelizable  circuit  generation,  lb)  Gates  generation 
rate  per  multi-processor  on  differing  circuit  sizes. 

Next,  we  considered  a  number  of  different  circuit  sizes  from  both 
Kreuter  et  al.[14],  and  circuits  that  we  have  constructed.  Given  our 
support  of  PCF  we  can  compare  the  same  circuits  as  are  tested  by 
Kreuter  et  al.  [14],  We  see  in  Fig.  2,  the  absolute  performance  of  our 
system  versus  that  of  Kreuter  et  al.  in  terms  of  Gates  per  sec,  and 
then  in  Figs.  4a  and  4b  the  relative  performance  per  core.  Note  that 
performance  per  core  is  relatively  stable  across  medium-to-large 
circuit  sizes.  Recall  that  our  cores  are  substantially  more  abundant, 
and  have  lower  cost  and  energy  usage  that  those  of  Kreuter  et  al. 
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Using  the  metric  of  gates  per  second  we  find  our  system,  in  the 
case  of  generation,  provides  significantly  higher  generation  rates: 
approximately  three  orders  of  magnitude.  Our  system  tops  out  at 
around  75  million  gates  per  second,  while  Kreuter  et  al  tops  out  at 
0.35  million  gates  per  second.  We  note  that  their  system  is  built 
for  cluster  computing,  and  so  they  pay  a  significant  overhead  to 
support  it. 


Figure  2:  Gate  Generation  Times  comparing  to  Kreuter  et  al.  [  14] . 


8.3  GPU  Evaluation 

While  on  generation  we  significantly  outperform  other  systems, 
we  only  comparable  performance  to  the  CPU  evaluation  techniques 
of  Kreuter  et  al.  [15],  and  are  slightly  less  efficient  on  a  than  the 
current  implementation  by  Frederiksen  and  Nielsen  [5],  Results  are 
given  in  Fig.  3. 

The  advantage  that  the  cut-and-choose  protocol  entails  to  parallel 
evaluation,  especially  on  the  SIMD  architecture,  makes  it  difficult 
for  an  FlbC  or  IBM  model  protocol  to  remain  competitive.  Our 
evaluation  problems  seem  to  stem  from  two  factors:  i)  It  is  difficult 
to  keep  the  GPU  fully  engaged  in  processing,  due  to  the  limited 
width  of  any  level  of  a  circuit  (recall  level  i  of  a  circuit  must  be 
evaluated  before  level  i  +  1);  and,  ii)  The  lack  of  memory  coa¬ 
lescence  in  our  circuit  evaluation  data  structure  seems  to  impose 
harsh  time  penalties  on  our  circuit  evaluation  times,  due  to  poor 
poor  memory  read/write  performance.  Memory  coalescence  occurs 
on  a  GPU  when  all  the  threads  in  a  warp  access  adjacent  memory 
locations.  Problem  ii)  is  one  we  believe  we  can  partially  improve 
upon  in  future  work,  although  we  doubt  it  is  possible  to  achieve 
the  same  levels  as  the  cut-and-choose  protocol  permits  (discussed 
below).  Problem  i)  is  inherently  more  problematic  for  the  HbC  and 
IBM  security  model  protocols,  as  one  can  never  have  guarantees 
that  there  are  k  identical  copies  of  each  gate  to  evaluate,  nor  do 
we  have  the  ability  to  naturally  multiply  the  width  of  circuits  by 
a  factor  of  O(k).  For  naturally  large  circuits,  there  may  be  some 
hope. 

Recall  core  utilization  rates  and  memory  coalescence  are  less  of 
an  issue  for  Frederiksen  and  Nielsen:  not  only  are  they  in  fact  com¬ 
puting  many  copies  of  the  AES  circuit  in  the  malicious  model  as 
we  are,  but  their  evaluation  algorithm  is  guaranteed  of  this  fact. 
This  allows  them  several  advantages  when  constructing  kernels  to 
evaluate  their  circuits.  In  particular,  they  can  solve  the  two  prob¬ 
lems  above.  First,  they  can  construct  a  kernel  for  evaluating  each 
gate  in  a  circuit,  and  they  can  evaluate  gates  from  lowest  level  to 
the  highest.  As  long  as  these  kernels  are  scheduled  in  a  leveled 
order — something  easily  done —  the  GPU  need  never  sit  with  low 
usage  while  waiting  on  kernels  to  complete  a  level.  Second,  since 


GPU  Evaluation  Comparison  GPU  Evaluation  Comparison 


(a)  Comparing  our  GPU  Eva]  Per  Sec  Per  Core  (b)  Comparing  our  GPU  Eval  Overall 

Figure  3:  GPU  Evaluation  Times  with  comparison  to  Kreuter  et  al. 
[14],  Frederiksen  and  Nielsen  [5]  and  our  GPU  implementation. 


the  evaluation  is  guaranteed  that  it  is  executing  multiple  copies  of 
an  identical  circuit,  it  is  easier  to  setup  kernels  that  i)  avoid  warp 
divergence,  as  warps  will  never  process  different  gate  types,  and 
ii)coalesce  circuit  data  in  the  GPU’s  global  memory,  by  simply 
storing  each  circuits  data  adjacent  in  memory.  Note  that  both  of 
these  solutions  depend  on  the  GPU  taking  advantage  of  multiple 
identical  copies  of  the  same  circuit  executing. 

We  see  that  our  GPU  marginally  outperforms  Kreuter  et  al.,  sug¬ 
gesting  that  they  are  paying  a  heavy  price  for  using  MPI  on  a  single 
machine  (but  of  course,  they  are  designed  to  run  on  large  com¬ 
pute  clusters,  and  huge  circuits  where  such  performance  penalties 
should  be  amortized). 

8.4  CPU  Evaluation 

Due  in  part  to  the  seemingly  structural  problems  of  evaluation 
on  a  SIMD  GPU,  we  implemented  a  multi-threaded  CPU  evalua¬ 
tion  scheme  in  OpenMP.  Results  can  be  seen  in  Fig.  4.  It  is  clear 
that  a  MIMD  architecture,  such  as  a  multi-core  CPU  will  not  suffer 
from  warp  divergence  or  memory  coalescing  problems  given  their 
advanced  memory  controllers  and  internal  logic.  A  lack  of  warp 
divergence  removes  the  fear  that  large  numbers  of  cores  sit  idle 
while  a  level  is  completed  is  less  of  a  problem.  Also,  we  do  not 
need  to  create  multiple  distinct  ‘kernels’  for  different  gate  types, 
nor  worry  that  different  cores  are  evaluating  different  gates.  Simi¬ 
larly,  the  fraction  of  cores  that  go  unused  while  waiting  for  a  level 
to  complete,  as  a  total  fraction  of  compute  power  will  be  smaller. 

While  we  continue  to  under  perform  Frederiksen  and  Nielsen, 
we  improve  over  Kreuter  et  al,  and  show  that  their  system  is  likely 
to  benefit  from  the  inclusion  of  threading  within  their  nodes  on  the 
compute-cluster,  as  opposed  to  having  all  of  the  parallelism  at  the 
node  level. 


9.  CONCLUSION,  UESSONS  LEARNED,  AND 
FUTURE  WORK 

Given  the  ability  of  the  GPU  to  generate  large  circuits  (or  large 
numbers  of  circuits)  efficiently,  and  the  CPUs  better  performance 
in  evaluation,  it  seems  that  an  implementation  that  aims  to  imple¬ 
ment  a  cut-and-choose  protocol,  should  do  verification  and  gener¬ 
ation  on  the  GPU,  and  evaluation  on  the  CPU  in  parallel.  Sim¬ 
ilarly,  IBM  implementations  should  implement  generation  on  the 
GPU,  and  evaluation  on  the  CPU.  With  appropriate  pipelining  these 
would  be  done  in  parallel.  The  technique  introduced  which  allows 
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Figure  4:  Our  Evaluation  Times  as  implemented  on  the  CPU  with 
comparison  to  Kreuter  et  al.  [14]  and  Frederiksen  and  Nielsen  [5]  . 


XOR  gates  to  be  generated  in  parallel  greatly  helps  in  the  circuit 
gate  generation  rate. 

While  we  do  not  report  the  results  here,  we  have  initial  work 
showing  there  is  potential  for  multiple  GPUs  to  be  used  in  a  sin¬ 
gle  system  to  further  speed  generation  and  evaluation  results,  but 
a  more  careful  implementation  must  be  done  that  carefully  splits 
work  amongst  the  GPUs,  and  takes  into  consideration  the  single¬ 
bus  bottleneck,  or  card-to-card  memory  transfer.  We  plan  to  pursue 
these  directions  as  future  work. 

It  is  clear  that  in  order  for  better  performance  comparisons  to 
be  made  in  the  future,  there  needs  to  be  a  test-bank  of  standard 
circuits  designed.  They  must  be  delineated  in  a  standard  file  for¬ 
mat  that  all  future  implementations  can  parse  (although,  they  may 
further  process  in  this  format).  Currently,  each  implementation  in 
the  field  is  rolling  its  own  file  format.  The  recent  development  of 
MPCLounge  aims  to  keep  track  of  such  circuits.  Similarly,  the 
SCAPI  project  by  Ejgenberg  et  al.  will  help  in  providing  a  long 
term  supported  test  environment  [4], 
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Abstract 

We  construct  a  Non-Malleable  Chosen  Ciphertext  Attack  (N  M-CCA1) 
encryption  scheme  from  any  encryption  scheme  that  is  also  plain¬ 
text  aware  and  weakly  simulatable.  We  believe  this  is  the  first  con¬ 
struction  of  a  NM-CCA1  scheme  that  follows  strictly  from  encryption 
schemes  with  seemingly  weaker  or  incomparable  security  definitions 
to  NM-CCA1. 

Previously,  the  statistical  Plaintext  Awareness  #1  (PAi)  notion  was 
only  known  to  imply  CCA1.  Our  result  is  therefore  novel  because  un¬ 
like  the  case  of  Chosen  Plaintext  Attack  (CPA)  and  Chosen  Chipher- 
text  Attack  (CCA2),  it  is  unknown  whether  a  CCA1  scheme  can  be 
transformed  into  an  NM-CCAi  scheme.  Additionally,  we  show  both 
the  Damgard  Elgamal  Scheme  (DEG)  [6]  and  the  Cramer-Shoup  Lite 
Scheme  (CS-Lite)  [5]  are  weakly  simulatable  under  the  DDH  assump¬ 
tion.  Since  both  are  known  to  be  statistical  Plaintext  Aware  1  (PAi) 
under  the  Diffie-Hellman  Knowledge  (DHK)  assumption,  they  in¬ 
stantiate  our  scheme  securely 

Furthermore,  in  response  to  a  question  posed  by  Matsuda  and 
Matsuura  [12],  we  define  cNM-CCAl-security  in  which  an  NM-CCA1- 
adversary  is  permitted  to  ask  a  c  >  1  number  of  parallel  queries  after 

*This  work  is  Sponsored  by  the  NSF  under  grant  0939718,  and  under  DARPA  and 
AFRL.The  views  and  conclusions  contained  in  this  document  are  those  of  the  authors  and 
should  not  be  interpreted  as  representing  the  official  policies,  either  expressed  or  implied, 
of  the  Defense  Advanced  Research  Projects  Agency  or  the  US  government.  This  research 
is  sponsored  by  the  Defense  Advanced  Research  Projects  Agency  (DARPA)  and  the  Air 
Force  Research  Laboratory  (AFRL)  under  contract  FA8750-11-C0080. 
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receiving  the  challenge  ciphertext.  We  extend  our  construction  to 
yield  a  cN  M-CCA1  scheme  for  any  constant  c.  All  of  our  constructions 
are  black-box. 

Keywords:  Public-Key  Encryption,  Plaintext- Awareness,  Non-Malleability. 


i  Introduction 

Public-key  encryption  is  one  of  the  most  commonly  used  cryptographic 
primitives  in  practice  and  theory.  However,  our  community's  understand¬ 
ing  of  its  different  security  definitions  and  their  relationships  is  still  poor. 
Goldwasser  and  Micali  [11]  formalized  the  notion  of  computational  secu¬ 
rity  against  passive  eavesdroppers  through  the  concept  of  semantic  secu¬ 
rity  or  chosen  plaintext  (CPA)  security.  However,  security  against  passive 
eavesdroppers  is  too  weak  to  be  used  in  modern  applications,  and  thus 
stronger  notions  of  security  have  been  proposed  and  studied. 

Naor  and  Yung  [15]  introduced  the  first  strengthening  of  security  by 
considering  adversaries  who  have  the  ability  to  decrypt  messages  of  their 
choice.  In  their  notion,  called  Chosen  Ciphertext  Attacks  #1  (CCAi),  the 
adversary  is  not  allowed  to  decrypt  ciphertexts  related  to  the  ciphertext 
of  interest.  Later,  a  more  comprehensive  notion  of  adversarial  decryption 
introduced  by  Simon  and  Rackoff  [17]  and  termed  CCA2  security  became 
the  gold  standard  requirement  for  decryption  on  the  Internet.  While  it  is 
clear  that  stronger  security  notions  imply  weaker  ones,  and  thus  CCA2- 
secure  schemes  imply  CCAi  secure  ones  which  in  turn  imply  CPA  secure 
ones,  the  converse  directions  are  not  known  to  be  true.  While  it  is  the  case 
that  a  CPA  (resp.  CCAi)  secure  encryption  scheme  need  not  be  CCAi 
(resp.  CCA2)  secure,  it  is  not  known  if  the  existence  of  a  CPA  (resp.  CCAi) 
secure  scheme  implies  the  existence  of  a  CCAi  (resp.  CCA2)  scheme.  These 
are  considered  some  of  the  major  open  questions  in  cryptography. 

The  CPA  and  CCAi  security  notions  for  encryption  suffer  another 
weakness  which  must  also  be  addressed  for  public  key  encryption  to 
function  in  modern  settings.  In  particular,  the  CPA  and  CCAi  security 
definitions  do  not  prevent  an  adversary  who  observes  an  encryption  of 
the  message  m  from  producing  an  encryption  of  the  message  f(m)  for 
some  function  /  (even  though  the  value  m  remains  private).  The  semi¬ 
nal  work  of  Dolev,  Dwork,  and  Naor  [10]  addressed  this  security  issue  by 
introducing  the  notion  of  non-malleable  cryptographic  primitives  such  as 
encryption  schemes,  commitment  schemes,  and  zero-knowledge.  Later, 
Pass,  shelat  and  Vaikuntanathan  [16]  strengthened  the  DDN  definition 
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and  presented  a  construction  from  CPA  to  non-malleable  CPA  encryp¬ 
tion  using  non-blackbox  use  of  the  CPA  encryption  scheme.  There  have 
been  many  follow-up  works  that  propose  more  efficient  constructions  of 
non-malleable  primitives.  A  notable  achievement  in  this  line  of  research 
has  been  the  construction  of  non-malleable  CPA  encryption  from  standard 
versions  of  encryption  in  a  black-box  manner  [3]. 

In  general,  any  progress  on  constructing  public-key  encryption  schemes 
with  stronger  security  properties  from  weaker  ones  is  of  great  interest  in 
furthering  our  understanding  of  public  key  encryption.  Beyond  theoretical 
importance,  it  is  of  practical  value:  when  new  cryptographic  assumptions 
are  shown  to  be  sufficient  for  public-key  encryption,  it  would  be  valuable 
to  know  that  they  are  simultaneously  sufficient  for  the  strong  forms  we 
need  for  use  in  modern  settings. 

With  this  in  mind,  we  consider  the  open  question  of  whether  an  N  M-CCA1 
encryption  scheme  can  be  constructed  from  a  CCA1  encryption  scheme. 
We  present  a  black-box  construction  of  an  NM-CCA1  encryption  scheme 
from  a  subset  of  CCA1  encryption  schemes  which  are  also  plaintext  aware 
under  multiple  keys  and  weakly  simulatable  (we  will  formally  define 
these  concepts  later).  Intuitively,  an  encryption  scheme  is  plaintext  aware 
(called  sPAi  in  [1])  if  the  only  way  that  a  ppt  adversary  can  produce  a 
valid  ciphertext  is  to  apply  the  (randomized)  encryption  algorithm  to  the 
public-key  and  a  message.  Notice  that  this  definition  does  not  imply  non¬ 
malleability  since  there  is  no  constraint  on  what  an  adversary  can  do  when 
given  a  valid  ciphertext.  In  fact,  both  plaintext-aware  encryption  schemes 
constructed  in  [1]  are  multiplica tively  homomorphic,  and  thus  clearly  mal¬ 
leable.  The  weakly  simulatable  property  in  our  construction  is  required  for 
technical  reasons  and  roughly  corresponds  to  the  ability  to  sample  cipher- 
texts  and  pseudo-ciphertexts  without  knowing  any  underlying  plaintext 
(if  such  a  plaintext  exists). 

Note  that  there  exist  encryption  schemes  that  satisfy  security  notions 
that  "sit  between"  standard  notions.  One  such  example  from  Cramer  et 
al.  [4]  consists  of  a  black-box  construction  of  a  (/-bounded  CCA2  encryption 
scheme  which  is  not  NM-CPA-secure1,  but  which  satisfies  a  stronger  secu¬ 
rity  notion  than  CPA.  In  particular,  as  a  generalization  of  NM-CPA,  Mat- 
suda  and  Matsuura  [12]  put  forth  the  challenge  of  constructing  encryption 
schemes  that  can  handle  more  than  one  parallel  query  after  revealing  the 
challenge  ciphertext.  They  write: 

IThe  [4]  construction  supports  only  q  queries,  whereas  an  NM-CPA  adversary  can  sub¬ 
mit  more  than  q  ciphertexts  in  its  final  parallel  query. 
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"Since  any  (unbounded)  CCA  secure  PKE  construction  from 
IND-CPA  secure  ones  must  first  be  secure  against  adversaries 
who  make  two  or  more  parallel  decryption  queries,  we  believe 
that  overcoming  this  barrier  of  two  parallel  queries  is  worth  tack¬ 
ling." 

In  this  spirit,  we  define  an  extension  over  NM-CCA1,  cNM-CCAl,  in 
which  the  adversary  can  make  c  adaptive  parallel  decryption  queries  after 
seeing  the  challenge  ciphertext,  where  each  parallel  decryption  query  can 
request  that  a  polynomial  number  of  ciphertexts  (excluding  the  challenge 
ciphertext)  be  decrypted.  Thus  that  NM-CCA1  is  cNM-CCAl  where  the  pa¬ 
rameter  c  is  set  to  be  one.  Next,  we  show  how  to  construct  a  cNM-CCAl  se¬ 
cure  encryption  scheme  for  an  arbitrary  constant  c.  Unfortunately,  the  size 
of  the  ciphertext  in  our  cNM-CCAl  encryption  scheme  is  multiplicatively 
polynomially  bigger  than  the  size  of  the  ciphertext  in  a  (c  —  1)NM-CCA1 
encryption  scheme  and  thus  c  must  be  a  constant  to  obtain  an  efficient 
construction. 

While  our  initial  goal  was  to  construct  an  NM-CCA1  scheme  from  a 
subset  of  the  CCAl-secure  schemes,  a  result  by  Bellare  and  Palacio  [1] 
shows  that  any  plain-text  aware  scheme  that  is  CPA  secure  is  also  CCAl- 
secure,  and  thus  formally  all  of  our  results  follow  from  any  CPA -secure 
that  also  has  the  necessary  plaintext  aware  and  simulatability  properties. 
However,  we  show  that  the  weak  simulatability  requirement  implies  CPA 
security,  and  therefore  all  of  our  results  follow  from  any  scheme  which  is 
weakly  simulatable  and  plaintext  aware. 

About  Knowledge  Extraction  Assumptions  Our  constructions  rely  on 
encryption  schemes  that  are  plaintext  aware  (sPAi^)  in  the  multi-key  setup 
and  are  weakly  simulatable.  In  Theorem  5,  we  show  that  such  encryption 
schemes  exist  under  a  suitable  extension  of  the  Diffie-Hellman  Knowledge 
(DHK)  assumption  that  was  originally  proposed  by  Damgard,  and  modi¬ 
fied  to  permit  interactive  extractors  by  Bellare  and  Palacio  [1].  Dent  [9]  has 
since  shown  that  it  is  secure  in  the  generic  group  model.  Some  critics  of 
the  DHK  assumption  have  commented  on  its  strength  and  observed  that 
it  is  not  efficiently  falsifiable  [14].  However,  it  is  not  our  goal  to  argue 
whether  or  not  it  is  an  assumption  which  should  be  used  in  deployable 
systems.  Instead  we  note  it  is  seemingly  a  weaker  assumption  than  the 
Random  Oracle  model,  which  is  known  to  be  incorrect  in  full  generality, 
cf.  [2]  and  is  yet  pervasively  used  in  theory  and  practice.  In  contradis¬ 
tinction,  we  are  not  aware  of  any  general  security  definitions  that  are  non- 
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trivially  weaker  or  incomparable  to  NM-CCA1  yet  imply  schemes  which 
are  NM-CCA1.  Similarly,  the  gap  between  NM-CCA1  and  CCA2  is  poorly 
understood. 

Techniques  Both  our  NM-CCA1  and  cNM-CCAl  constructions  are  based 
on  the  ideas  of  the  nested  encryption  construction  by  Myers  and  shelat 
in  [13].  We  first  encrypt  the  message  under  one  key  (we  refer  to  this  ci¬ 
phertext  as  the  inner  layer),  and  encrypt  the  resulting  inner  layer  ciphertext 
repetitively  under  an  additional  k  keys,  where  k  is  the  security  parameter 
(we  refer  to  these  k  keys  as  the  "outer  keys",  and  the  ciphertexts  they 
produce  as  the  "outer  layer").  During  decryption,  all  the  outer  layer  ci¬ 
phertexts  are  decrypted,  and  it  is  verified  that  they  all  encode  the  same 
inner  layer  value.  This  idea  is  combined  with  the  well-studied  notion  of 
non-duplicatable  set  selection  (in  this  case  of  public-keys  used  to  encrypt 
the  outer-layer  encryptions),  such  that  anyone  attempting  to  maul  a  ci¬ 
phertext  has  to  perform  their  own  independent  outer  layer  encryption. 
Intuitively,  anyone  that  can  encrypt  to  a  consistent  outer  layer  encryption 
under  a  new  key  must  have  knowledge  of  the  underlying  inner-layer. 

On  a  more  technical  level,  there  are  several  challenges  that  need  to  be 
overcome.  The  technical  difficulty  in  proving  weaker  public-key  encryp¬ 
tion  security  notions  imply  stronger  security  notions  lies  in  the  simulation 
of  a  decryption  oracle.  When  beginning  with  a  sPAi/-secure  encryption 
primitive,  we  can  easily  simulate  the  first  phase  decryption  oracle  in  the 
NM-CCA1  security  definition  by  using  the  plaintext  extractor  guaranteed 
by  the  sPAi,  security  definition.  However,  we  cannot  simply  use  the  ex¬ 
tractor  to  simulate  the  decryption  oracle  after  the  adversary  receives  the 
challenge  ciphertext  in  the  NM-CCA1  security  experiment.  This  is  because 
the  plaintext-aware  security  definition  does  not  guarantee  that  an  extrac¬ 
tor  works  if  the  underlying  randomness  used  to  create  the  ciphertext  by 
the  challenger  is  not  known  to  the  challenger.  Generally,  an  adversary 
that  mauls  an  input  ciphertext  may  not  have  access  to  this  underlying  ran¬ 
domness.  To  overcome  this  problem,  we  make  use  of  the  notion  of  weak 
simulatability. 

Contributions  To  summarize,  our  contribution  is  twofold.  Our  work 
shows  the  first  black-box  construction  of  a  non-malleable  CCA1  encryption 
scheme  in  the  standard  model  from  a  weaker  encryption  primitive.  Sec¬ 
ondly,  for  the  first  time,  we  show  how  to  construct  an  encryption  scheme 
that  is  not  CCA2  secure  but  is  secure  against  an  adversary  that  can  ask  a 
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bounded  number  of  polynomial-parallel  queries  after  receiving  the  chal¬ 
lenge  ciphertext,  satisfying  a  natural  extension  to  the  notion  of  NM-CCA1 
security  This  might  be  of  independent  interest  since  the  development  of 
constructions  that  satisfy  stronger  notions  than  non-malleable  CCA1  secu¬ 
rity  but  do  not  satisfy  CCA2  security  can  provide  insight  into  the  technical 
difficulties  with  understanding  the  relationship  between  CCA1  and  CCA2. 
For  example,  prior  to  this  work  the  authors  did  not  believe  it  was  clear  that 
such  schemes  existed.  At  least  one  of  the  authors  felt  it  was  plausible  that 
being  able  to  provide  multiple  parallel  queries  after  access  to  a  challenge 
ciphertext  was  equivalent  to  providing  an  arbitrary  polynomial  number  of 
parallel  queries. 

Finally,  we  note  that  none  of  our  constructions 


2  Notations  and  Definitions 

We  use  [n]  to  denote  the  set  {1,2,  ••  •  ,n\.  We  say  a  function  p  :  N  — t  R 
is  negligible  if  for  all  polynomials  p  and  all  sufficiently  large  n  :  \i  (n)  < 
1  /p(n).  Given  two  families  of  distributions  Do  =  {D0 ;};'6in  and  D i  = 
{Di  ,/}  ig]N,  we  denote  that  they  are  computationally  indistinguishable  by 
writing  Do  ~c  D 

We  use  the  standard  definition  for  CPA/CCA1 /CCA2  security,  and  a 
definition  of  non-malleability  for  CCA1  encryption  schemes  based  on  the 
non-malleability  definition  for  CPA  encryption  schemes  in  [16].  In  the 
NM-CCA1  game,  the  adversary  is  allowed  to  ask  an  unbounded  number 
of  decryption  queries  before  seeing  the  challenge  ciphertext,  and  one  par¬ 
allel  query  afterwards.  A  parallel  decryption  query  is  one  that  consists  of 
unbounded  number  of  ciphertexts,  none  of  which  will  be  decrypted  until 
all  the  ciphertexts  in  the  query  are  submitted. 

To  generalize  NM-CCA1  security,  we  can  define  cNM-CCAl  security 
identically  to  NM-CCA1  except  that  the  adversary  can  make  c  >  1  parallel 
queries  after  seeing  the  challenge  ciphertext.  For  example,  in  the  CCA2  se¬ 
curity  definition,  the  adversary  may  ask  an  unbounded  number  of  queries 
before  and  after  seeing  the  challenge  ciphertext;  thus,  cNM-CCAl  is  an 
intermediate  notion  that  we  study  to  understand  public  key  encryption. 

Definition  1  (cNM-CCAi).  For  an  integer  c  >  0,  we  say  that  a  scheme  IT  = 
(nmg,  nme,  nmd)  is  cNM-CCAl  or  (c)NME  secure  if  for  all  ppt  adversaries  and 
distinguishes  A  =  (Aq,  ...,  Ac )  and  V  respectively  and  for  all  polynomials  p,  we 
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have  that 


{(c)NME 0(rtc\A,'D,k,p(k))}k  «c  {(cjNME^nW  A,V,k,p(k))}k 
where  experiment  (c)NME  is  defined  in  Fig.  1. 


(c)NME6(n  ,A,V,k,p(k)) 

1 

(cnpk, cnsk)  <—  nmg(l'c) 

2 

(nio,nii,Si)  <—  ^md(CNSK'-) (cnpk)  s.t.  \mo\  =  \m\\ 

3 

y*  <—  n  me  (cnpk,  m&) 

4 

d\  i —  _L 

5 

for  i  =  1  to  c 

6 

(y,Sj+i)  <—  Ai(y*,Sj,dj)  where  \y\  =  p(k)  a:  why  do  we 

need  the  p(k)  here? 

7 

V;  e  [|y|],  di+lrj  <-  nmd(cNSK,y;)  if  y]  / 

y*  and  _L  otherwise 

8 

Output  V(y,dc+i,  Sc+i) 

Fig.  1:  The  (c)NME  Experiment  For  c  >  0  .  An  Adversary  A  gets  c 
parallel  queries  to  a  decryption  oracle. 


2.1  Weakly  Simulatable  Encryption  Scheme 

Dent  [8]  introduced  the  notion  of  simulatability  for  an  encryption  scheme. 
Intuitively,  an  encryption  scheme  is  simulatable  if  no  attacker  can  distin¬ 
guish  valid  ciphertexts  from  some  family  of  pseudo-ciphertexts  (which 
will  include  both  valid  encryptions  and  invalid  encryptions).  This  fam¬ 
ily  of  pseudo-ciphertexts  must  be  efficiently  and  publicly  sampleable  and 
somewhat  invertible  (given  any  pseudo-ciphertext,  one  can  find  a  ran¬ 
dom  looking  string  that  generates  it).  In  Dent's  definition,  a  distinguisher 
is  given  a  challenge  "ciphertext"  (i.e.,  either  a  legitimate  ciphertext  or  a 
pseudo-ciphertext)  and  must  classify  it.  The  distinguisher  has  access  to  a 
decryption  oracle  to  help  it  distinguish  between  pseudo-ciphertexts  and 
legitimate  ones,  but  it  cannot  query  the  oracle  on  the  challenges  that  it  is 
trying  to  distinguish.  We  introduce  a  weak  notion  of  simulatability  where 
the  attacker  is  not  given  access  to  the  decryption  oracle. 

Definition  2.  (Weakly  Simulatable  Encryption  Scheme)  An  asymmetric  en¬ 
cryption  scheme  IT  =  (gen,  enc,  dec)  is  weakly  simulatable  if  there  exist  two 
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poly-tune  algorithms  (/,/_1),  where  f  is  deterministic  and  f -1  is  probabilistic, 
such  that  for  all  k  E  N  there  exists  the  polynomial  function  p  where  l  =  p(k), 
and  the  following  correctness  properties  hold  for  every  pk  in  the  range  of  gen: 

1.  For  each  r  E  {0,  l}1,  assign  c  E-  f(pk,r)  where  c  E  C.  The  set  C  is  the  set 
of  all  " possible-ciphertext "  strings  that  can  be  submitted  to  the  decryption 
oracle  (notice  that  members  of  C  are  both  valid  and  invalid  ciphertexts). 

2.  For  each  c  E  C,  f  l  (pk,c)  E  {0,1  }l. 

3.  For  each  c  E  C,  f  (pk,  f~x  (pk,  c))  =  c. 

4.  For  every  efficient  distinguisher  A  and  all  k,  |  Pr[DISTn((/,/-1),^,  A)  = 

1]  —  1/2|  <  y(k),  where  p  is  some  negligible  function  and  the  DIST  ex¬ 
periment  is  defined  asfollozvs: 

DISTn  (k,(f,f-l),A) 

1:  (pk,sk)  E-  gen(lfc) 

2:  (m,a)  E-  A(pk),  where  a  is  state. 

3:  b  E-  {0,1},  r  E-  {0, 1  }z,  c  E-  encpjt(m) 

4:  ifb  =  0,  then  p  =  (r,  f(pk,r)) 

5:  else  p  =  (/_1(pfc,c),c). 

6:  b'  E-  A(cr,  p). 

7:  Output  1  if  b  =  b' . 

When  valid  ciphertexts  cannot  be  distinguished  from  pseudo-ciphertexts 
that  need  not  encode  messages,  CPA  security  is  immediate.  The  converse 
need  not  hold  because  ciphertexts  might  be  hard  to  generate  and  invalid 
ciphertexts  might  be  easily  distinguishable  from  illegitimate  ones  (for  ex¬ 
ample,  they  might  contain  a  zero-knowledge  proof  of  validity).  Notice  that 
the  weak  simulatability  notion  is  not  equivalent  to  the  Invertible  Sampling 
notion  introduced  in  [7]  since  in  this  definition  the  plaintext  is  not  needed 
to  compute  the  pseudo-random  string  that  generates  the  ciphertext. 

Theorem  1 .  If  E  is  a  weakly  simulatable  encryption  scheme,  then  E  is  CPA 
secure. 

Proof.  Let  E  be  weakly  simulatable  using  the  efficiently  computable  func¬ 
tions  (/, /  1 ) .  Let  A  =  (AifAz)  be  a  CPA  adversary,  that  breaks  the  CPA 
security  of  E  with  advantage  e.  We  will  show  that  if  E  is  a  weakly  simu¬ 
latable  encryption  scheme,  then  e  should  be  negligible. 

In  Fig.  2  we  present  a  distinguisher  2)  that  employs  A 

internally  and  tries  to  break  E's  weak  simulatability  property.  We  analyze 
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Ba,M) 

i:  (m0, m\, a)  <s-  A\{pk) 

2 -.d^~  {0,1} 

3:  Output (mdfCr'  =  ( a,d )) 

BazW  =  ( <r,d),(r,c )) 

1:  (f  c) 

2:  If  d  =  if  output  0,  otherwise  output  1 


Fig.  2:  The  distinguisher  Ba  used  in  the  DIST  experiment  to  break 

THE  WEAK  SIMULATABLE  SECURITY  OF  E. 

the  advantage  of  Ba  assuming  A  has  advantage  e  in  breaking  the  CPA 
security  of  E. 

Assuming  that  A  has  advance  e  in  breaking  the  CPA  security  of  E  implies 
that: 

pr  [d'  =  d\b  =  0\  >l/2  +  e(k)  (1) 

DISTE(fc,(/,/-i),B^) 

Notice  that  Pr  [cf  =  d\b  =  0]  is  the  probability  that  A  guesses  the  encrypted 
message  correctly  when  it  is  given  a  valid  ciphertext.  Also  E  is  weakly 
simulatable  if  and  only  if  for  some  negligible  function  e' 

|  Pr[b'  =  0\b  =  0]  —  Pr[b'  =  0\b  =  1]|  <  e'(k)  (2) 

Note  that  by  definition  in  DIST n(k,  (f,  f  ]),Ba),  b'  =  0  if  and  only  if 
d'  =  d.  Hence  Pr [b'  =  0| b  =  0]  =  Pr [d  =  d'\b  =  0]  and  Pr [b'  =  0| b  =  1]  = 
Pr [d  =  d'\b  =  1].  We  have  that 


Pr  [d  =  d'  |  b  =  1]  =  1/2  (3) 

because  whenever  b  =  1,  the  ciphertext  c  to  the  distinguisher  Ba,i  is  in¬ 
dependent  of  the  bit  d,  and  the  distinguisher 's  probability  guessing  the 
random  bit  d  is  exactly  1/2.  We  have  that: 

|  pr [b'  =  0| b  =  0]  -  Pr [b'  =  0\b  =  1]|  =  |  Pr [d  =  d'\b  =  0}-  Pr [d  =  d'\b  =  1] 

>  1/2  +  e  —  1/2  =  e 

(4) 

where  the  inequality  follows  from  substituting  the  (in)equalities  1  &  3 
respectively.  We  combine  the  inequalities  2  and  4: 

e<  |  Pr[f/  =  0\b  =  0]  —  Pr[b'  =  0\b  =  1]  |  <  e'(k) 
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— »  e  <  e'(/c) 

Since  e  is  at  most  a  negligible  value  in  the  security  parameter,  we  con¬ 
clude  that  A  has  at  most  negligible  advantage  in  breaking  the  CPA  security 
of  E.  Hence  E  is  CPA  secure. 

□ 

Instantiating  weak-simulatability  Following  the  ideas  of  Dent  [8],  we 
show  in  Appendix  A  how  the  Damgard  ElGamal  (DEG)  and  CS-lite  en¬ 
cryption  schemes — summarized  in  Fig.  8  for  convenience — can  both  be 
weakly  simulatable  when  instantiated  in  the  proper  groups. 

2.2  Plaintext  Awareness  For  Multiple  Key  Setup 

In  Fig.  3  we  present  a  slight  generalization  to  the  definition  of  sPAi  by  [l] 
in  which  multiple  keys  are  given  to  the  ciphertext  creator  and  the  extractor 
must  be  able  to  decrypt  relative  to  any  one  of  them. 


sPAi^(n  =  (gen,enc,  dec),  Crt,  Ext,k) 

i:  Let  R[Crt],  R[Ext]  be  randomly  chosen  bit  strings  for  Crt 
and  Ext 

2:  ((pkirski))iem]  <—  gen{lk) 

3=  st  ((Pki)iem)]'R^) 

4:  CnExt^  ((pfc;)f6[/(*)]) 

5:  Let  Q  =  {(qi  =  ( pky.,C;),m,- )}  be  the  set  of  queries  and 
responses  made  to  Ext. 

6:  Return  A- Si(mi  =  d ec^.  (c,-))  (Note  a  =  b  is  a  boolean) 
Fig.  3:  The  sPAi/  Definition 


Definition  3  (sPAi^-Security).  A  public-key  encryption  scheme  Yl  =  (gen,enc,  dec) 
is  said  to  be  sPAif  secure,  for  a  polynomial  i,  if  for  each  ppt  ciphertext  creator 
Crt,  there  exists  a  ppt  extractor  Ext  and  negligible  function  p  s.t.  for  all  k  E  N: 
Pr[sPAi^(n, Crt,  Ext,k)  =  0]  <  in  which  case  the  Ext  is  deemed  success¬ 
ful/or  Crt.  INe  define  AdvsFAll(E,  Crt,  Ext,k)  to  be  Pr [sPAii(E,  Crt,  Ext, k)  = 

0], 
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Notice  that  the  sPAi  definition  is  a  special  case  of  sPAi^  where  £(k)  = 

1.  In  Fig.  3,  Crt  is  a  ciphertext  creator.  Ext  is  a  stateful  ppt  algorithm  called 
the  extractor  that  takes  as  input  its  state  information  st  and  a  ciphertext 
given  by  the  ciphertext  creator  Crt.  Ext  will  return  the  decryption  of  that 
ciphertext  and  an  updated  state  st.  Ext's  initial  state  is  set  to  the  public- 
keys  pkj  and  Crt's  random  coins  R  [Crt],  The  state  gets  updated  by  Ext  as  it 
answers  each  decryption  query  that  Crt  submits. 

In  Appendix  B,  we  argue  that  Cramer-Shoup  Lite  (CS-Lite)  and  Damgard's 
ElGammal  (DEG),  described  in  Fig.  8,  are  sPAi/  secure  based  on  a  suitable 
modification  of  the  Diffie-Hellman  Knowledge  definition  that  was  origi¬ 
nally  proposed  by  Damgard,  and  then  later  modified  to  permit  interactive 
extractors  by  Bellare  and  Palacio  [i]. 

2.3  Why  sPAi^  does  not  follow  from  sPAi  security 

It  may  seem  that  the  sPAi/  definition  should  follow  naturally  from  sPAi 
by  composing  extractors.  The  following  toy  example  highlights  the  tech¬ 
nical  difficulty  with  natural  composition.  Let  ( g,e,d )  be  an  sPAi-secure 
primitive,  and  define  a  new  encryption  scheme  (g',e',d')  which  creates 
two  pairs  of  keys  from  the  original  encryption  scheme,  and  chooses  one 
(at  random)  to  use  to  encrypt  during  the  encryption  process.  Formally, 
g'(k)  =  (PK  =  (pko,  pki),  SK  =  ( sko,ski )),  where  (pAq,s/q,)  are  an  out¬ 
put  of  the  bth  invocation  of  g(k).  For  encryption,  e' (PK,m)  chooses  a 
random  coin  z  E  {0,1}  and  outputs  C  =  (z,e(pk„m));  decryption  is 
d'(SK,C  =  (z, c))  outputs  d(skz,c).  One  would  expect  that  the  resulting 
scheme  is  sPAi  secure,  but  it  is  not  clear  that  it  is.  In  particular,  one  would 
think  that  for  any  ciphertext  creator  for  the  modified  scheme,  one  could 
just  use  two  extractors  for  the  original  scheme  (one  for  each  public-key) 
to  simulate  an  extractor  for  the  creator.  However,  this  argument  does  not 
work,  and  we  are  not  aware  of  any  other  methods  for  proving  the  equiva¬ 
lence.  One  issue  is  that  if  a  creator  switches  between  making  encryptions 
under  pkb  and  pkx_b,  then  at  each  switch  we  must  incorporate  the  extractor 
in  to  the  original  ciphertext  creator  in  order  to  construct  a  new  extractor. 
The  extractors  must  be  continuously  incorporated,  because  definitionally 
they  have  no  ability  to  extract  encryptions  when  the  ciphertext  creator  has 
access  to  a  decryption  oracle  other  than  the  one  simulated  by  the  extractor. 

More  specifically,  consider  a  ciphertext  creator  Crt  =  (Crto,  Crt], ..,  Crt,;) 
for  the  scheme  (g',e',d')  where  Crt,  denotes  the  execution  after  the  zth 
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query.2  Let  Crt  switch  between  the  public-key  used  to  encrypt  messages 
for  each  query,  i.e.  it  encrypts  its  even  queries  with  pkQ  and  its  odd  queries 
with  pkv  To  make  an  extractor  for  Crt  (without  including  the  oracles  in  the 
definition,  as  we  have  done),  we  would  first  create  Crtg  using  the  standard 
sPAi  definition  and  the  extractor  for  pkQ  that  is  guaranteed  to  exist  for  Crto, 
call  it  Exto,  by  embedding  the  extractor  as  a  subroutine  into  Crto-  The  run¬ 
ning  time  of  Crtg  is  clearly  the  additive  combination  of  the  running  time  of 
Extg  and  Crtg.  One  would  then  compose  Crtg  with  Crt]  and  use  the  sPAi 
definition  to  construct  an  extractor  for  Crti  o  Crtg,  called  Exti,  which  only 
queries  decryptions  for  pkv  We  could  continue  this  inductively,  but  after 
a  super-constant  number  of  iterations,  the  running  time  of  the  resulting 
extractor  would  be  super-polynomial. 

Finally,  we  note  that  common  additional  definitional  traits,  like  the  no¬ 
tion  of  a  history  of  computation,  do  not  port  readily  to  these  extractability 
definitions.  In  essence,  one  needs  to  consider  the  possibility  that  a  history 
string  encodes  a  Turing  Machine,  which  is  then  run  by  an  extractor  acting 
as  a  Universal  Turing  machine.  The  semantic  effect  of  such  a  notion  in 
the  definition  is  to  swap  the  order  of  quantifiers  relating  to  the  extractor, 
further  strengthening  the  definition. 

2.4  A  Note  On  PAi+ 

Dent  [8]  also  investigated  an  augmented  notion  of  plaintext  awareness 
called  PAi+  in  which  he  provides  the  ciphertext  creator  access  to  an  oracle 
that  produces  random  bits.  The  extractor  receives  the  answers  to  any 
queries  generated  by  the  creator,  but  only  at  the  time  these  queries  are 
issued.  The  point  of  this  oracle  in  the  context  of  a  plaintext  awareness 
definition  is  to  model  the  fact  that  the  extractor  might  not  receive  all  of  the 
random  coins  used  by  the  creator  at  the  beginning  of  the  experiment.  Much 
in  the  spirit  of  "adaptive  soundness"  and  "adaptive  zero-knowledge",  this 
oracle  requires  the  extractor  to  work  even  when  it  receives  the  random 
coins  at  the  same  time  as  the  ciphertext  creator.  Therefore,  the  extractor 
potentially  needs  to  be  able  to  extract  some  ciphertexts  independent  of 
future  randomness.  This  modification  has  implications  when  the  notion 
of  plaintext  awareness  is  computational — as  in  the  case  of  Dent's  work. 
However,  in  the  case  of  statistical  plaintext  awareness,  we  argue  that  sPAif 
security  also  implies  sPAi/  security. 

2 We  can  assume  the  Crt,  outputs  its  state,  which  is  then  used  as  auxiliary  information 
and  passed  as  input  to  Crt;+1. 
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Definition  4.  Define  the  sPAif  experiment  in  a  similar  way  to  the  sPAi,  ex¬ 
periment.  The  only  difference  between  the  tzvo  is  that  during  the  sPAi ^  experi¬ 
ment,  the  ciphertext  creator  has  access  to  a  random  oracle  O  that  takes  no  input, 
but  returns  independent  uniform  random  strings  upon  each  access.  Any  time  the 
creator  access  the  oracle,  the  oracle's  response  is  forwarded  to  both  the  creator  and 
extractor. 

If  an  encryption  scheme  would  be  deemed  sPAi(  secure,  when  we  replace  the 
sPAif  experiment  in  the  definition  with  the  modified  sPAif  experiment,  then  the 
encryption  scheme  is  said  to  be  sPAif  secure. 

Lemma  1.  If  an  encryption  scheme  IT  is  sPAig  secure,  then  it  is  sPAit  secure. 

Proof.  Notice  that  the  only  difference  between  sPAi  and  sPAi+  security 
definitions  is  that  the  latter  makes  use  of  an  oracle  O  that  returns  random 
bits  upon  access  that  is  not  known  in  advance  to  either  the  adversary  or 
the  extractor.  If  the  adversary  Crt+  does  not  access  O  during  its  execu¬ 
tion  then  sPAi+  security  holds  since  i)  with  no  access  to  O,  sPAi+  and 
sPAi  security  are  equivalent,  ii)  sPAi  security  holds  (i.e.  for  any  given 
adversary,  there  exists  an  extractor  that  can  decrypt  the  queries  correctly). 
Hence  in  what  follows  we  only  argue  that  sPAi+  security  holds  if  the 
adversary  accesses  the  oracle  O  at  least  once. 

Let  Crt+  be  an  sPAi+  adversary.  The  intuition  for  this  argument  is 
that  the  answers  that  the  Crt+  receives  from  O  can  be  interpreted  as  "the 
end  of  the  random  tape"  for  some  sPAi  adversary  Crt.  In  other  words, 
Crt  runs  Crt+  internally  and  answers  the  queries  to  O  by  reading  the  end 
portion  of  its  random  tape.  By  properly  formalizing  this  to  handle  poly- 
nomially  many  queries  to  O,  it  is  easy  to  see  that  Crt  will  make  the  same 
distribution  of  queries  to  its  extractor  that  Crt+  makes  to  its  own  extractor 
Ext  .  By  sPAi-security,  there  exists  an  Ext  that  works  for  the  queries  that 
Crt  produces. 

This  observation  provides  a  plausible  model  for  how  Ext+  could  work: 
it  begins  by  sampling  a  random  tape  R+  ( R  |  r)  |  •  •  •  \r’n)  for  Crt  (i.e.,  with 
randomly  sampled  answers  r,  to  O  queries  at  the  end  of  the  tape).  When  it 
is  asked  queries  to  decrypt,  it  simply  runs  Ext  (which  must  work  properly) 
using  this  random  tape.  At  some  point,  the  first  oracle  query  to  O  will  be 
made  and  thus  Ext+  will  receive  a  random  string  r\  as  the  first  oracle  O 
query  answer.  At  this  point,  Ext+  updates  the  tape  R+  (Rjrilr^l  •  •  •  | r'n) 
with  the  correct  answer,  restarts  its  execution  of  Ext  on  this  new  tape  by 
feeding  it  all  of  the  same  decryption  queries  that  have  been  received  up 
until  this  point.  This  results  in  a  new  state  for  the  extractor  that  will 
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be  used  to  answer  future  decryption  queries.  The  remaining  decryption 
queries  and  queries  to  O  will  be  handled  similarly 

One  can  observe  that  if  £  queries  to  O  are  made,  then  Ext+  must  restart 
the  execution  of  Ext  £  times,  and  thus  its  running  time  will  be  a  summation 
of  £  running  times  of  Ext.  This  summation  will  still  be  polynomial  in  the 
security  parameter.  Moreover,  if  Ext+  fails  to  answer  a  decryption  query 
properly,  then  it  serves  as  a  polynomial-time  procedure  that — by  running 
Ext  at  most  £  times — is  able  to  produce  a  set  of  queries  that  breaks  sPAi- 
security.  In  what  follows,  we  present  a  more  formal  argument  that  shows 
how  an  sPAi+-adversary  Crt+  that  succeeds  in  causing  every  Ext+  to  fail 
can  be  used,  using  the  ideas  above,  to  produce  an  sPAi-adversary  Crt  that 
violates  sPAi-security. 

Assume  that  the  Crt 1  makes  polynomially  many  queries  using  its  ran¬ 
dom  tape  R,  then  accesses  O  once  (and  gets  in  return  some  random  coins 
r\)  and  asks  one  more  query  q  that  Ext+  fails  to  decrypt  correctly.  Assume 
that  (R|ri)  is  £  bits.  We  build  an  adversary  Crt  that  simulates  Crt+  using 
the  first  £  bits  of  its  random  tape.  Crt  reads  the  first  £  bits  of  its  random 
tape,  parses  it  as  (R|ri)  (call  the  rest  of  its  random  tape  r'2\r'3  \ . . .  \r'n)  and 
simulates  Crt+  on  random  coins  R.  Crt  submits  Crt+'s  queries  to  its  ex¬ 
tractor  and  forwards  back  the  answer  to  Crt+.  When  Crt+  calls  O,  Crt 
returns  the  r\  portion  of  its  tape.  Then  it  continues  running  Crt+  until  it 
gets  its  next  decryption  query  q,  submits  this  query  to  its  extractor,  and 
halts.  Notice  the  distribution  of  queries  that  Crt  asks  to  its  extractor  is  the 
same  as  Crt+.  Also,  Crt  does  a  perfect  simulation  of  the  sPAi+  game  for 
Crt+,  so  the  query  q  is  also  distributed  identically.  Since  IT  is  sPAi  secure, 
there  must  be  some  extractor  Ext  such  that  Pr[sPAi(lT,  Crt,  Ext,  k)  =  0]  is 
negligible  when  Ext  is  run  on  input  tape  (i^ | ri  | | r3 1  •  •  •  \r'n)  as  the  random 
coins  for  Crt.  Thus,  the  probability  that  Ext  answers  the  query  q  correctly 
must  be  1  —  e(k)  for  some  negligible  function  e.  However,  notice  that  Ext+ 
also  answers  q  by  running  Ext  on  (1^ |rj  |^2 lr3 1  •  •  •  Vn)  ant^  hence  returns  the 
same  correct  decryption  of  q  to  Crt+.  This  contradicts  our  assumption  that 
Ext 1  decrypt  q  incorrectly.  Similar  argument  can  be  made  about  any  other 
query  that  Crt+  makes  to  show  that  Ext+  returns  the  right  decryption  for 
that  query.  Hence  we  conclude  that  Ext+  always  returns  the  right  answer 
to  all  of  the  Crt+,s  queries.  □ 
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3  More  Than  Non-Malleable  CCA1  Encryption  Scheme 

We  show  how  to  construct  an  encryption  scheme  that  is  cNM-CCAl  secure 
where  c  is  a  constant.  The  high  level  idea  for  constructing  a  cNM-CCAl 
scheme  is  to  add  c  —  1  layers  of  encryption  atop  the  basic  encryption  of  a 
message  m,  effectively  redundantly  re-encrypting  the  previous  layer's  ci¬ 
phertext  and  forming  a  new  layer  of  encryptions.  Intuitively,  each  parallel 
query  that  the  adversary  asks  can  help  it  peel  back  the  security  of  one  of 
the  layers  of  encryption  in  the  challenge  ciphertext,  and  therefore  if  a  chal¬ 
lenge  ciphertext  is  composed  of  c  layers,  then  the  scheme  can  withstand  c 
parallel  queries. 

3.1  The  Construction 

For  the  base  case,  we  define  NMGetv  01  =  gen;  NMFnc+(0)  (pk,m,  SigVK)  = 
en c(pk,  m );  and  NMDec1"^  (sk,  c,  SigVK)  =  d ec(sk,  c)  where  the  weakly  sim- 
ulatable  and  sPAi/  secure  encryption  primitive  E  =  (gen,  enc,  dec)  is  the 
starting  point  for  our  work.  Next,  we  recursively  perform  multiple  re¬ 
dundant  parallel  encryptions  of  the  last  recursive  steps  output.  In  each 
of  these  steps,  we  use  the  standard  practice  of  interpreting  the  bits  of 
a  freshly  generated  verification  key  for  a  one-time  signature  scheme  to 
choose  appropriate  public  keys  with  which  to  encrypt.  The  resulting  set 
of  ciphertexts  is  finally  signed  with  the  one-time  signature's  signing  key  to 
form  the  final  encryption.  Decryption  proceeds  as  one  might  expect:  first 
the  signature  is  checked  for  validity,  and  next  the  encryption  is  recursively 
decrypted,  where  at  each  level  it  is  ensured  that  the  redundant  parallel 
decryptions  all  encode  the  same  underlying  "message".  The  encryption 
scheme  lTe)  parameterized  by  an  integer  c  >  0  appears  in  Fig.  4. 

3.2  Preliminary  Notion 

Before  we  present  our  security  proof,  we  introduce  an  intermediate  "tagged 
encryption"  security  game  to  simplify  our  proof.  We  call  this  notion 
(c)NME*  security  and  it  allows  each  ciphertext  to  have  an  associated  tag 
used  during  both  encryption  and  decryption.  The  challenge  ciphertext  is 
tagged  with  the  vector  0,  and  the  adversary  can  submit  any  query  with  a 
non-zero  tag. 

Along  with  this  new  definition,  we  present  a  natural  analog  of  our  original 
encryption  scheme  I  h!c)  in  Fig.  6.  The  difference  is  that  the  signature 
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NMGen(c)(lfc) 

1:  (npk(c-1),nsk(c_1))  <—  NMGen^-1-  (lk) 

2:  Mi  G  [k]  and  b  G  {0,1},  (pkl},skbj)  G-  gen(l,c)  s.t.  pkb  encrypts 
the  range  of  NMEnc+fc~  1 : 

3:  Output  npk(c)  =  {npk^1),  {pkb}  ieg  }  and  nsk^  = 

foe{o,i} 

{nsk(c_1), {sk1-}  j€|t]  } 

fce{o,i} 

NMEnc^  (npk}c),  m) 

1:  (SigSK, SigVK)  4r-  GenKey(lfc) 

2:  c  4—  NMEnc+^^(NPK^,m,  SigVK) 

3:  <r  SignSigSK(c) 

4:  Output  C  =  (c,  SigVK,  cr) 

NMEnc+<-^  (npk^,  m,  SigVK) 

1:  Parse  npk^  into  (npk^~  0,  pp  =  {pk\, . . .  ,p^)be{o,i}) 

2:  Let  SigVK,  be  the  /th  bit  of  SigVK. 

3:  Cq  g-  NMEnc+(c~1)(NPK(c^1),m,  SigVK) 

4:  c\  G-  enc^sigVK,  (cq);  Vi  G  [fc] 

5:  Output  c  =  d 
NMDec^  (nsk}c),  C) 

1:  Parse  C  as  (c,  SigVK,  cr)  and  let  SigVK,-  be  the  zth  bit  of  SigVK. 
2:  if  VerifySigVK(cr,  c)  =  0  then  Output  _!_ 

3:  Output  NMDec+^(NSK(c),c,  SigVK) 

NMDec+(c)  (nskW,  c,  SigVK) 

1:  Parse  nsk}c)  into  (nsk(c-1),s&  =  {skl{,. .  ■  ,sk\}h& {0/i}) 

2:  Mi  G  [k],  compute  c'  G-  dec .^sigVK,  (Ci) 

3:  if  3 i  G  [k]  s.t.  c\  7^  c •  then  Output  _L 
4:  Output  NMDec+(c_1)  (nsk(c_1),  c},  SigVK) 


Fig.  4:  The  cNM-CCAi  Encryption  Scheme  TP17' 


scheme  used  for  unduplicatable  set  selection  is  replaced  by  the  Gbit  tag  a. 
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(c)NMEt*(n  *,A,V,k,p(k)) 

1:  (npk,cnsk)  NMGen*(lfc) 

2:  (mo, mi, Si)  A-  A0  y  '(cnpk)  s.t.  |mo|  =  \mi\ 
The  oracle  NMDec*(NSK,  Y  =  (y,tx))  returns  _L  if  <x  =  0k 
3:  Y*  NMEnc*  (npk,  mj,,  a  =  0k) 

4:  di  (_L) 

5:  for  i  =  1  to  c 

6:  (Y,S/+i)  <-  Ai(Y*,Si,di)  where  |Y|  =  p(k) 

7:  If  a.  f  0k,  di+irj  NMDec*  (nsk,  Yj  =  (yj,  &)) 

8:  Else  di+irj  <—  _L;  V;  G  [|Y|] 

9:  Output  V(Y*,dc+i,Sc+ 1) 


Fig.  5:  The  (c)NME*  Experiment  For  c  >  0 


NMGen*(c)  (lk) 

1:  Defined  as  NMGen^(l,'L)  in  Fig.  4 
NMEnc*^(NPK^c)/wz/a  S  {0, 1  }fc) 

2:  Return  (NMEnc+(c)(NPK(c),m,a),a)  where  NMEnc+(c)  is  de¬ 
fined  in  Fig.  4, 

NMDec* (nsk^, Y  =  (y,cc  G  {0,1}*)) 

3:  Defined  as  NMDec+^c^(NSK^,j//a)  in  Fig.  4 


Fig.  6:  The  Encryption  Scheme  n*(c)  =  (NMGen*^, NMEnc* (c\ 
NMDec* 

As  the  next  lemma  shows,  there  is  no  difference  between  these  security 
games;  for  every  adversary  in  the  tagged  security  game,  there  exists  an 
equivalently  succesful  adversary  for  the  (c)NME  game. 

Lemma  2.  For  any  ppt  adversary  A,  integer  c  >  0,  polynomial  p  and  security 
parameter  k,  there  exists  an  adversary  B  s.t. 

{ (c) N M Efc (n(c),A  V, k,  pW)}fc  =  |(c)NM Eb* (n*(c),  B,  V, k,  p (k) ) } ^ 

Proof.  We  build  a  (c)NME  adversary  B  that  interacts  with  the  (c)NME' 
experiment  by  simulating  the  (c)NME  experiment  for  A.  B  receives  pk 
as  in  Line  2  of  the  experiment  (Fig.  5)  and  proceeds  to  generate  a  pair 
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of  signature  keys  (skSig*,  vkSig*)  <—  GenKeyf© ).  B  then  sets  pk'  t— 
ReArrange  (pk,  vkSig* )  where  the  function  ReArrange  is  presented  in  Fig.  7. 
Intuitively  this  function  rearranges  the  keys  in  pk  and  pk'  so  that  B  can  sign 
a  challenge  ciphertext  that  it  will  eventually  receive  using  skSig*  and  then 
produce  an  encryption  according  to  the  FFC)  scheme  using  only  the  keys 
in  pk.  B  runs  Aq  on  pk' . 


ReArrange  (pk,  vkSig* ) 

1:  Parse  pk  as  (pk0,  {ptf}ie[c-k]J>e{o,i}) 

2:  for  i  E  [0..C  —  1] 

3:  for  j  G  [k] 

4:  if  vkSig*  =  1  then  swap  the  values  pkkk+j  and  pk].k+j 

5:  endFor 

6:  endFor 

7:  Return  pk  =  (pfc0,{pfc?}f6[ o...cfc],be{o/L}) 


Fig.  7:  The  Definition  for  the  ReArrange  Function 

Whenever  Ao  asks  a  query  Y  =  (y,  J,  vkSig),  B  does  the  followings: 
B  returns  _L  to  Ao  as  the  answer  to  the  query  if  either  vkSig  =  vkSig*  or 
VerifyvkSig(c7/y)  =  0.  Otherwise  B  sets  a  <—  ©(vkSig*, vkSig)  where  ©  is 
the  bitwise  XOR  function  on  two  vectors  of  the  same  length.  Intuitively, 
this  finds  the  right  a.  that  shows  under  which  subset  of  pk  keys  the  vector 
y  is  encrypted. 

B  then  asks  (y,  oc )  to  its  oracle  and  forwards  the  answer  to  its  simulation 
of  Ao ■  Eventually  Aq  returns  {trio,  m\A\ )  and  halts.  B  outputs  (nio,  ni\ )  to 
the  environment  (i.e.,  its  experiment)  and  receives  a  challenge  ciphertext 
(y*,0k).  B  computes  a*  SignskSig(y*),  sets  Y*  (y*,<J*, vkSig*),  sets 
do  X  and  does  the  following  for  all  q  =  1  to  c: 

B  simulates  Aq  on  the  input  ( Y*,Sq,dq )  and  receives  in  return  a  vec¬ 
tor  of  ciphertexts  Y  and  the  state  information  S(;f  1 .  B  computes  the 
decryption  to  each  of  Y/s  in  the  same  way  that  it  computed  the  de¬ 
cryption  to  the  CCA1  queries  with  the  difference  that  it  asks  all  of 
the  queries  in  the  same  parallel  query  at  once  from  the  environment 
(instead  of  asking  sequentially).  Call  the  vector  of  decryption  of  the 
queries  dq+ 

Eventually  B  outputs  dc+ 1  and  Sc+i  and  halts.  □ 
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3.3  Main  Theorem 

The  heart  of  our  main  theorem  relies  on  Lemma  3  (introduced  shortly) 
which,  informally,  shows  that  for  any  ppt  adversary  A,  there  exists  a  ppt 
adversary  B  such  that 

{(c)NMEb*(n <c\A,V,k,v(k))}ik~c  {(c-l)NMEfc*(n <c~l\B,V,k,p{k))] 

Assuming  Lemma  3,  we  state  and  give  the  proof  our  main  theorem  below. 

We  then  formally  state  and  prove  Lemma  3. 

Theorem  2.  If  the  encryption  scheme  E  =  (gen,  enc,  dec)  is  weakly  simulatable 

and  sPAif  secure,  then  for  any  integer  c  >  0,  construction  nW  =  (. NMGen^c\NMEnc^c\NMDec ^) 

in  Fig.  4  is  (c)NME  secure. 

Proof.  By  applying  Lemma  3  c  times,  we  have  that 

{(c)NME0*(TI<c\A,V,k,p(k))}k  ~cem-a4  {(o)NME0*(n «°\B,V,k,p(k))}k 

In  Claim  1  (below),  we  show  that  construction  I  Lf0)  is  (o)NME'  -secure, 
and  thus  it  follows  that 

{ (c) N  M E0*  (rrM,  A,  v,  k,  p (k) ) } k  «c  { (o) N M Ei*  (n*^,  B,  V,  k,  p (k) )  }k 

Applying  Lemma  3  again  on  the  right  hand  side, ,  it  follows  that 

{(c)NME0\n<c\A,VXp(k))}k^c{(c)UME1\n*(c\A,V,k,p(k))}k 

Finally  applying  Lemma  2  to  show  equivalence  between  (c)NME  and  (c)NME* 
completes  the  theorem.  □ 

Claim  1.  If  the  encryption  scheme  E  =  (gen,  enc,  dec)  is  weakly  simulatable  and 
sPAif  secure,  then  for  all  ppt  adversaries  and  distinguishes  A  and  V  respectively 
and  for  all  polynomials  p: 

{(0)NME0*(n *(°>,AZ>,fc,p(*))}Jt«c  {(0)NMEi*(n *W,A,V,k,p(k))}k 

where  the  experiment  (O)NME*  is  defined  in  Fig.  5  and  the  encryption  scheme 
n*(°)  =  (NMGen*w,NMEnc*^\  NMDec *(°))  is  defined  in  Fig.  6. 
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Proof.  By  definition,  notice  that  NMEnc*^0^  =  NMEnc+(^(pk,  7?z,  a)  =  en c(pk,m); 
in  fact,  n*(0)  is  equivalent  to  E.  Second,  the  (O)NME*  experiment  has  no 
parallel  queries  after  the  challenge  has  been  submitted,  and  is  therefore 
(roughly)  equivalent  to  the  CCAi-security  game.  By  assumption,  E  is 
sPAi  ^-secure  and  therefore  CCAi-secure,  which  completes  the  claim.  □ 

It  remains  to  prove  the  key  technical  lemma;  we  first  present  a  high- 
level  overview  of  the  proof.  Our  goal  is  to  show  how  to  simulate  an  Ad¬ 
versary  A  that  makes  c  parallel  decryption  queries  when  given  a  c-layered 
challenge  ciphertext,  with  an  adversary  B  that  only  has  access  to  c  —  1  par¬ 
allel  decryption  queries,  and  a  c  —  1  layered  challenge  ciphertext.  It  is  easy 
to  see  how  we  can  simulate  the  extra  layer  of  the  challenge  ciphertext,  B 
can  simply  generate  its  own  keys  and  add  an  extra  layer  to  its  challenge 
ciphertext  to  simulate  A.  The  question  remains  how  to  simulate  the  extra 
parallel  decryption  that  A  has  access  to.  It  may  seem,  on  first  glance,  to 
follow  immediately  for  the  sPAif  security  of  the  underlying  encryption 
scheme,  because  the  whole  purpose  of  an  extractor  is  to  simulate  a  de¬ 
cryption  oracle.  However,  A  is  fed  a  challenge  ciphertext  which  it  did  not 
produce  (and  thus  there  is  no  extraction  guarantee),  and  A  might  create 
its  parallel  decryption  queries  based  on  the  challenge  ciphertext,  in  which 
case  there  is  no  a  priori  reason  to  believe  that  Ext^  will  be  able  to  "de¬ 
crypt"  properly  when  used  to  decrypt  the  "extra"  cth  parallel  decryption 
query. 

To  solve  this  issue,  we  use  the  non-duplicatable  set  selection  to  ensure 
that  there  is  a  new  public-key  with  respect  to  which  the  adversary  must 
have  generated  part  of  the  ciphertext  (and  not  just  mauled  part  of  the 
challenge  ciphertext);  we  can  then  be  assured  that  the  extractor  will  work 
on  this  portion  of  the  challenge  ciphertext.  However,  this  by  itself  does 
not  allow  us  to  simulate  the  consistency  check  in  the  decryption  algorithm 
that  ensures  that  all  of  the  encryptions  at  a  given  level  are  of  the  same 
message.  For  the  outer  layer  of  ciphertexts  that  need  to  be  decrypted,  we 
have  the  corresponding  secret-keys  since  B  generated  the  corresponding 
public-keys.  The  inner-layers  are  another  matter  entirely.  In  order  to  argue 
this,  we  use  the  sPAi^+  security  of  the  underlying  encryption  scheme  in 
conjunction  with  the  fact  that  it  is  weakly  simulatable.  In  essence  this 
means  that  the  extractor  cannot  tell  the  difference  between  when  the  outer 
layer  of  the  challenge  ciphertext  is  legitimate  encryptions  and  when  they 
were  instead  created  on  demand  using  the  simulator  with  randomness 
provided  via  an  oracle.  However,  in  the  latter  case,  by  the  definition  of 
sPAi/+  security,  the  extractor  must  function. 
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There  is  one  last  subtlety,  which  is  that  due  to  technical  requirements  of 
the  proof,  we  actually  do  not  necessarily  have  access  to  the  secret-keys  for 
the  outer  layer  of  the  encryptions  of  A  when  we  need  it,  and  therefore  can¬ 
not  perform  the  outer  layer  consistency  check  via  the  extractor.  It  suffices 
for  this  check  to  be  done  in  a  hybrid  experiment  using  the  actual  secret- 
key  (independent  of  where  it  comes  from).  However,  we  need  to  ensure 
that  the  responses  from  these  consistency  checks  do  not  affect  the  viability 
of  finding  a  suitable  extractor.  Here,  the  fact  that  we  have  p(k)  parallel  de¬ 
cryption  queries  to  simulate,  as  opposed  to  p(k)  adaptive  queries,  is  used. 
Essentially,  we  consider  a  system  which  decrypts  all  of  the  parallel  queries 
via  the  extractor,  ignoring  the  initial  consistency  checks. 

Lemma  3.  For  any  integer  c  >  0,  any  ppt  adversary  A,  polynomial  p  and 
security  parameter  k,  there  exists  a  ppt  adversary  B  such  that 

{(c)NME h*{Yl<c\A,VXp(k))}bk^c  {(c-l)NMEb*(n<c-1\B,V,k,p(k))}bk 

Proof.  Consider  the  following  hybrid  experiment: 

Experiment  Hf,* (Tl*(c\  A,V,k/  p(k))  proceeds  similarly  to  (c)NMEb*  with 
the  difference  that  the  former  experiment  handles  the  decryption  of  all 
ciphertexts  up  to  the  second  parallel  query  differently.  After  all  of  the 

public  keys  have  been  generated,  initialize  st  <—  (^{pkj} ie[2ck+i}'  where 
are  the  random  coins  that  will  be  used  to  run  A.  For  all  CCA1  queries 
that  A  makes  (i.e.,  queries  that  are  made  before  the  challenge  ciphertext 
is  produced),  everytime  that  NMDec*  calls  the  decryption  function  dec  on 
i/i,  the  experiment  calls  Ext_4  (sf,y,-,  •)  with  the  appropriate  pk  as  the  third 
argument.  After  A  receives  the  challenge  ciphertext,  the  first  parallel 
query  {dj}  is  decrypted  using  NMDecAlt  defined  below  (without  loss  of 
generality,  assume  that  d,  =  (C,<7,vkSig)).  The  remaining  (c  —  1)  parallel 
queries  are  decrypted  as  per  (c)NME*. 

NMDecAlt(df  =  (£,«)): 

1:  If  oc  =  0k  output  _L,  else  let  i'  be  the  first  index  at  which  a,/  f  0. 
2:  For  i  G  [k],  do  C-  <—  decsfc«,  (Q) 

3:  Call  Y^"1)  <_  Ext A(st,Ci',pkp') 

(notice  that  Y^-1)  =  (y  f  X\ ■  ■  ■  ,y[L  ^)  is  a  vector). 

4:  m  ExtractAll(pk,  Y(c-1),  (c  —  1  ),a) 

5:  If  3j  s.t.  C[  f  C',  return  T.  Else  return  m 

ExtractAll(pA:,  Y  =  ( y\, . . .  ,yck),c,a)  : 
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i:  for  i  =  c  —  1  to  0 
2:  for  j  =  1  to  k 

3:  yj  <-  Ext^(sf,y{,+1)/p^+1).Jt+;.) 

4:  if  3d  E  [k]  s.t.  y\  7^  return  _L 

5:  m  <—  Ext  .4  (sf,  y®,pk0) 

6:  Return  77Z 

Intuitively  ExtractAll  submits  the  inner  layer  of  the  query  yh_1)  to 
the  extractor  to  be  decrypted  under  the  appropriate  keys  until  it 
reaches  the  innermost  layer  containing  message  m. 

To  define  the  function  extractor  Ext^  used  in  NMDecAlt  above,  we  first 
define  an  sPAi^,fc+1  ciphertext  creator  Crt^  (which  makes  calls  to  an  ex¬ 
tractor  oracle)  that  roughly  mimics  the  queries  made  by  adversary  A  in 
the  H;,  experiment.  We  define  Crt^  as  follows: 

1.  Crt_4  receives 2 ck  + 1  public-keys pk  =  (j>k0,  {pkbj}i€[i___ck\,be{o,  1})  from 
the  sPAijcfc+1  experiment.  Crt^  reads  its  random  tape  as  R4  and 
runs  Ao(pk)  using  tape  R_ 4. 

2.  Whenever  Crt^  receives  a  query  ^ {  i/,  }K. [/,],« j  from  Aq,  it  returns  _L 

if  Oi  =  0k.  Otherwise,  Crt^  submits  each  (y,,  pkf )  to  its  extractor.  If 
all  of  the  queries  do  not  decrypt  to  the  same  value,  Crt^  returns  _L 
to  Ao  as  the  answer  to  that  query.  Call  the  decrypted  value  Yic  1] 
and  notice  that  it  should  be  a  vector  of  ciphertexts  encrypted  under  k 
public  keys  in  pk.  Next  Crt^  calls  m  <—  Extract  All  (pk,  a,  Y^c~1'l,c  —  1). 

Crp4  returns  m  to  Ao  as  the  answer  to  the  query.  Eventually  Aq 
returns  (mo,  mi,  St)  and  halts. 

3.  Crt_4  accesses  its  oracle  O  to  generate  k  blocks  of  £  random  bits 
(xi,...,xk)  and  then  computes  the  vector  y  =  (j(pkl[c_1)+1,xi), . . . ,  f(pk?k(c_1)+k,xk 

Crt_4  then  runs  A\(y*,St)  where  y*  =  (y, 0k)  and  St  is  the  state  in¬ 
formation  returned  by  Ao- 

4.  Ai  returns  a  vector  of  ciphertexts  Y  and  the  state  information  S  and 
halts.  For  each  query  Yj  =  ({y i} ie[k], ot) ,  Crt^  executes  steps  1,3, 
and  4  of  procedure  NMDecAlt  to  decrypt  the  message.  After  each 
ciphertext  in  the  first  parallel  query  has  been  decrypted  in  this  way, 

Crt_4  halts. 
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The  sPAi^1  security  of  E  implies  there  exists  an  extractor  Ext^  whose 
answers  to  the  decryption  queries  submitted  by  Crt^  are  indistinguishable 
from  their  true  decryptions.  We  have  now  defined  Ext^  used  in  NMDecAlt. 

Notice  that  Crt^  does  not  exactly  simulate  A's  view  in  H we  will  argue 
below  why  Ext^  continues  to  work  properly  when  it  is  used  in  H^. 

Claim  2.  ForbE  {0, 1},  {(c)NME&*  (n(cU,D,t,p(J:))}teN»c{Ht  (n  (cU,D,ipW)}teN 

Proof.  Experiments  (c)NMEb*  and  El;,  differ  only  if  Ext^  answers  with  an 
incorrect  decryption  in  the  latter  experiment.  The  assumption  on  the 
sPAi/-security  of  E  implies: 

Pr[sPAi+(n*(c),  Crt_4,  ExtA/k)  =  0]  <  ^  (k)  (5) 

for  some  negligible  ji\  and  therefore  Ext^  correctly  answers  all  of  the 
queries  issued  by  Crt^  with  very  high  probability  (recall  that  the  sPAi 
random  variable  being  o  corresponds  to  an  incorrect  decryption  event). 

As  mentioned,  Crt^  does  not  exactly  mimic  A's  view  in  EH /,  and  so  it  is  not 
obvious  that  Ext^  answers  correctly  in  EH /, .  The  two  notable  differences  are 
that  (i)  Crt_4  uses  the  weak  Simula tability  of  the  base  encryption  scheme 
to  create  the  challenge  ciphertext  instead  of  using  enc  to  produce  the  chal¬ 
lenge,  and  (ii)  Crt^  does  not  perform  a  consistency  check  that  all  C\  =  C' 
before  decrypting  the  inner  ciphertext  but  instead  uses  the  extractor  on 
the  outer  layer  at  a  position  in  which  ex.  differs  from  O'"  and  then  uses  the 
ExtractAll  method  on  the  resulting  inner  ciphertext. 

In  order  to  handle  the  first  difference,  we  analyze  Pr  [sPAi^+  (IT*(C),  Crt^,  Ext^,  k)  = 

0]  where  sPAi,,1  1  is  an  experiment  identical  to  sPAi^  with  two  differences: 

1.  First,  a  random  bit  d  is  selected  and  fixed  for  the  remainder  of  the 
game. 

2.  The  oracle  O  returns  random  bits  as  follows:  when  Crt^  accesses  the 

oracle  O  for  the  ith  time,  instead  of  r  S  { 0, 1 } ? ,  O  returns  {v^k(c-\)+i’ &ncpk°  Xmd))- 

We  argue  that  Ext^  answers  all  queries  correctly  in  these  two  games  must 
be  negligibly  close  by  the  weak-simulatability  property: 

Claim  3.  |  Pr [sPAif  (IT*(C),  Crt_4,  Ext A,k)  =  0]  —  Pr[sPAi^+(n*^c),  Crt_4,  Ext A,k)  = 

0]|  <  n(k). 
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Proof.  Consider  the  weak-simulatability  adversary  B  defined  as  follows: 

(Recall  that  in  the  first  step,  the  weak-simulatability  challenger  samples 
k  pairs  of  keys  (pk^skf)  <—  gen (1 k)  for  i  G  [k\  and  a  random  bit  b.)  The 
attacker  B  receives  k  public  keys  which  we  call  {pkk,c_ i)+t-}je[jt]  from  the 
environment.  B  then  samples  another  k  +  2(c  —  l)k  +  l  random  keys  using 
the  gen  algorithm  and  fresh  random  coins  to  build  the  public  key  pk  = 

{PkO'(Pkbi'ski)ie[ck],be{o,i}}  (notice  that  {pk°k(c_1)+i}ie[k]  in  pk  are  received 
from  the  environment  and  the  rest  are  generated  randomly).  B  samples 
random  coins  K  g  for  A  and  runs  step  (2)  of  the  description  of  Crt  g  using 
Expg.  Eventually  A  writes  (mo, mi)  to  its  write-only  tape.  B  randomly 
chooses  d  G  {0,1}  and  stores  c'd  =  NMEncf(‘c~1\pk' ,mli,0k)  where  pk'  = 
{pk0,  (pkbi,skbi)ie^c_1}k}j,e{o,i}}  (notice  that  pk'  is  the  public  key  for  the  inner 
layer  of  ciphertexts  encrypted  under  pk  for  the  I  I*(c)  encryption  scheme 
and  c'd  is  the  inner  layer  for  an  encryption  of  nij  under  pk).  For  ease  of 

notation,  we  refer  to  {pkk/c^i)+i}ie[k]  as  Pk"  (these  are  the  public  keys  for 
the  outer  layer  of  the  challenge  ciphertext).  Next  the  challenger  samples 
r,  G  {0,1}'  for  1  <  i  <  k  and  returns  [y,  =  {ri,f(pk'',ri))}ie^  if  b  =  0, 


and  | \j[  =  (^f(pk'',Ci  =  enc pp/(c'd)),Ci^  j  tfb  =  l.B  then  simulates  step 

(3)  of  Crt_g  by  running  A\(y*,St)  where  y*  =  (y, 0k)  and  St  is  the  state 
information  returned  by  Ao-  A\  returns  a  vector  of  ciphertexts  Y  and 
the  state  information  S  and  halts.  B  runs  step  (4)  of  Crtgi  on  Y.  Finally 
attacker  B  outputs  b'  =  0  if  all  the  queries  made  to  Ext  g  so  far  were 
answered  correctly  and  b'  =  1  otherwise.  This  check  can  be  done  by  using 
the  secret  keys  for  the  spots  in  pk  that  are  generated  by  B  (all  of  them 
except  {pkk(c-i)+i}ie[k]  which  is  received  from  the  environment)  because 
after  A  returns  (mo, mi),  the  only  queries  that  it  asks  to  its  extractor  are 
with  respect  to  ciphertexts  encrypted  under  the  mentioned  keys  in  pk. 

The  case  b  =  0  corresponds  to  experiment  sPAi^~(IT*(c),  Crt_g,  Ext^,k) 
and  the  case  b  =  1  corresponds  to  sPAi}  +  (I  Crtg,  Ext  g,  k).  For  con¬ 
venience,  in  the  following  equations,  we  abbreviate  the  two  experiments 


as  sPAi  and  sPAi  respectively.  It  follows  that: 


Pr[DIST m((f,f-l),k,B)  =  1]  =  Pr [b  =  0]  -Pr[sPAi+  =  0]  +  Pr [b  =  1]  -Pr[sPAi++  =  1] 

=  (l/2)Pr[sPAi+  =0]  +  (1/2)(1 -Pr[sPAi++  =0]) 

=  1/2  +  l/2(Pr[sPAi+  -  0]  -  Pr[sPAi++  =  0]) 


Since  the  weak-simulatability  property  of  E7  implies  that  |  Pr[DISTE/((/,/  1),k,B)  = 
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1]  —  1/2 1  <  }t(k)  for  some  negligible  function  ft,  it  must  then  follow  that 
|  Pr[sPAi^  =  0]  -  Pr[sPAi/+  =  0]|  <  2p{k) 
which  completes  the  proof  of  the  claim. 

□ 

Combining  (5)  with  Claim  2  implies  that  Pr[sPAi^+  =  0]  <  }ii(k)  for 
another  negligible  function  }i2-  Moreover,  by  Bayes  rule,  we  can  conclude 
that  there  exists  another  negligible  function  /Y3  such  that  both  Pr  [sPAi^+  = 
0  |  d  =  0]  <  ^3  (ft:)  and  Pr[sPAi^"+  =  0  |  d  =  1]  <  ^3  (ft:);  i.e.,  the  possibility 
for  incorrect  extraction  results  remains  negligible  no  matter  which  of  iuq 
or  mi  is  used  in  the  sPAit+  experiment. 

In  order  to  handle  (ii),  we  observe  that  Extg  only  receives  queries  gen¬ 
erated  by  the  first  parallel  query  in  both  sPAi^  1  and  experiment  H;,.  From 
the  beginning  of  both  experiments  and  up  to  the  point  of  the  challenge  ci¬ 
phertext  generation,  the  initial  state  st  and  the  distribution  of  queries  fed 
to  Exp4  in  H/,  is  identical  to  those  in  experiment  sPAi/  f .  (This  explains 
why  it  is  necessary  for  experiment  to  make  "dummy"  calls  to  Ext 41  for 
every  call  to  dec  during  the  decryption  of  the  CCAi  queries.) 

When  the  ciphertext  is  generated,  since  /(/  ](c))  =  c,  that  challenge 
ciphertext  in  experiments  H;,  and  sPAi^+  conditioned  on  d  =  b  will  also  be 
identically  distributed,  and  this  implies  that  the  parallel  query  that  A\  is¬ 
sues  will  also  be  identically  distributed.  Once  this  parallel  query  has  been 
fixed,  the  queries  that  are  sent  to  Extg  are  also  fixed  in  both  experiments. 
By  inspection,  again  because  NMDec*(c)*  issues  dummy  queries  to  Ext^ 
during  the  decryption  of  the  outer  layer,  it  follows  that  the  query  distri¬ 
bution  will  be  identical,  and  the  claim  follows.  Thus,  the  fact  that  Crt^ 
does  not  perform  the  same  consistency  check  is  irrelevant  since  the  same 
distribution  of  queries  is  fed  to  the  extractor  in  both  experiments. 

It  then  follows  that  with  high  probability,  all  of  the  responses  from 
Extyi  in  H/(  coincide  with  the  true  decryption,  and  therefore  (c)NME/'  and 
El;,  also  output  the  same  value  which  concludes  the  Claim.  □ 

Claim  4.  For  any  ppt  adversary  A,  polynomial  p  and  security  parameter  k,  there 
exists  an  adversary  B  such  that 

Hb{U<c\A,V,k,p{k))  =  (c  —  l)NME;,*(n*(c-1),  B,  V,k,  p(k)) 

Proof.  We  build  the  (c-l)NME'  adversary  B  as  follows:  B  receives  the 
public-key  npk*^1)  =  (pk'^pk1  =  {pk'ft}!e[(e_1) k],be{o,i})  from  the  envi¬ 
ronment  and  generates  another  2k  keys  as  (pkll’,sklb)  gen(h)  for  i  e[k] 
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and  b  E  {0,1}.  Let  pk  =  <^pk'0, pk', pk '  j .  B  generates  random  coins  /I  4  and 

initializes  st  <—  ({pkjl/epdc+lL^x) •  &  runs  Ao(pk;Ry{). 

For  any  CCA1  query  Y  =  (y,  a)  that  Aq  submits,  B  runs  NMDecAlt  us¬ 
ing  sk"  to  decrypt  the  outer  layer.  Eventually  Ao  returns  (mo,  mi)  and  the 
state  information  Si  and  halts.  B  then  forwards  (mo,m\)  to  the  environ¬ 
ment  and  receives  a  challenge  ciphertext  Y'  =  (y',0k)  from  the  environ¬ 
ment.  B  computes  {y*  4—  ertc(pk'i',  i/)}ie[fc]  and  sets  Y*  =  (y*,0fc).  B  also 
computes  {r,  4—  f^1(pk'i'  ,y*)}ie^j  and  forwards  {rz }ze to  Ext_4  and  runs 
A\  on  the  challenge  ciphertext  Y*  and  the  state  information  Si.  Eventu¬ 
ally  Ai  returns  a  vector  of  queries  (the  first  parallel  query)  Y  and  the  state 
information  S 2  and  halts.  B  submits  each  Y,  to  the  extractor  and  receives 
a  value  which  we  call  m '  from  it.  B  then  uses  sk  to  check  that  all  the 
ciphertexts  in  the  outer  layer  of  Y,  decrypts  to  the  same  value.  If  so,  it  sets 
m'  as  the  decryption  of  that  query  otherwise  it  sets  _L  as  the  decryption  of 
that  query.  We  refer  to  the  resulting  vector  of  decryptions  to  Y  as  d\. 

For  all  q  =  2  to  c,  B  runs  Aq  on  Y* ,  S2  and  dq  and  gets  in  return  a  vector 
of  ciphertexts  Y  and  the  state  information  S(?  t  i .  B  decrypts  Y,  =  (y,  a)  as 

follows:  the  decryption  is  X  if  a  =  0k.  Otherwise  B  uses  sk  to  check  all 
the  ciphertexts  in  the  outer  layer  of  Yz  decrypts  to  the  same  value  yo-  If 
not,  the  decryption  to  this  query  will  be  X.  Otherwise  B  sets  Y\  =  (1/0,  tx) 
and  moves  to  the  next  query.  After  processing  all  queries,  B  submits  Y' 
to  the  environment  and  gets  in  return  a  vector  of  decryptions  to  the  Y' . 
Using  these  answers  and  the  results  from  the  checks,  B  sets  dj  (which  is 
the  vector  of  the  decryption  to  Y,).  Eventually  B  outputs  dc+ 1  and  the  state 
information  Sc+i  and  halts. 

B  performs  a  perfect  simulation  of  the  Hj,(n*^c^,  A,V,k,  p(k))  experi¬ 
ment,  and  thus  the  claim  follows. 

□ 

Combining  Claim  2  and  Claim  4  completes  the  proof  of  Lemma  3.  □ 

3.4  Remarks  about  the  proof 

In  our  construction,  we  use  the  k-bit  outer-most  signature  SigVK  to  pick 
the  unduplicatable  set  for  each  of  the  c  layers  of  encryption.  Not  only  is 
this  choice  an  efficiency  improvement  in  that  only  one  signature  key  is 
needed  (instead  of  c),  it  is  also  a  critical  feature  of  our  proof.  This  point 
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is  used  in  Claim  4.  Adversary  B  must  not  submit  a  0-tag  query  to  its 
(c-l)NME  challenger;  but  if  each  layer  could  use  a  different  a  tag,  then  A 
might  select  0  as  the  tag  for  the  (c  —  1)  layer  and  therefore  prevent  B  from 
submitting  it  to  its  oracle. 


4  Conclusions 

We  have  shown  both  the  first  construction  of  a  non-malleable  CCAi  en¬ 
cryption  scheme  from  a  seemingly  weaker  primitive,  and  that  it  is  possi¬ 
ble  to  realize  cNM-CCAi  schemes  without  achieving  full  CCA2  security 
All  of  our  constructions  are  black-box,  although  based  on  hardness  as¬ 
sumptions  that  are  not  efficiently  falsifiable.  Major  open  questions  in  the 
area  are  clearly  if  CPA  security  implies  CCAi  security,  CCAi  security  im¬ 
plies  CCA2,  or  the  transitive  closure.  Progress  on  any  of  these  questions, 
with  either  black-box  or  white-box  constructions  (or  impossibility  results), 
would  be  of  foundational  importance  to  the  field. 
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A  Instantiating  weak-simulatability 


Algorithm  1:  DEG 

Algorithm  2:  CS-Lite 

Q(lk) 

GAk) 

1:  (PN’g)  <-  G(lfc) 

1:  (p,q,gi)  G{lk);g2  1-  Gq\{  1} 

2:  X\  Z^;  Xj  <—  gXl  mod  p 

2:  x1  <r-  Z.q;x2  <T-  Zq;z  <r-  Zq 

3:  x2  <-  Z,;  X2  V-  gx 2  mod  p 

3-  X  <-  gf  .gxf  mod  p;  Z  <-  g[  mod  p 

4:  Return  ( pk  =  [p,q,g,X i,X2), 

4:  Return  [pk  =  ( p,q,gi,g2,X,Z ), 

sk=  (PN’g'Xl'X2)) 

(p,^,^i,^2/Yi,x2,z)) 

£(pk,M) 

£{pk,M ) 

gV  mod  p 

1:  r  e-  Z? 

2:  W  e-  X\-,  V  e-  Xf  mod  p 

2:  Rj  e-  mod  p;  R2  «—  mod  p 

3:  U  <—  V  ■  M  mod  p 

3:  E  «—  Zr  ■  M  mod  p;  V  Xr  mod  p 

4:  Return  C  =  (Y,  W,  U) 

4:  Return  C  =  (Rj,  R2,  E,  V) 

V(sk,C) 

V(sk,C) 

1:  if  W  Y-  YXl  mod  p  then  Return  _L 

1:  if  V  A  '  R{2  mod  p  then  Return 

2:  Return  M  <—  U  ■  Y~Xl  mod  p 

2:  Return  M  E  ■  R^z  mod  p 

Fig.  8:  The  Encryption  Schemes  DEG  and  CS-Lite 


Definition  5.  (Simulatable  Group)  [8]  A  family  of  groups  { G/J^r  in  is  simu- 
latable  if  there  exist  two  poly-time  functions  and  a  polynomial  i,  such 

that  the  following  correctness  requirements  are  met. 

1.  Yk,Yr  G  {0,1  y(k\h(r)  G  G \. 

2.  h -1  is  probabilistic.  V/c,Va  G  Gp,/i_1(a)  G  {0, 1}^. 

29 


Approved  for  Public  Release;  Distribution  Unlimited. 
498 


3.  Vk,  h(h  1(«))  =  oi  for  all  x  S  Gk. 

Similarly,  the  following  two  security  requirements  are  met,  for  all  probabilistic 
distinguisher  A  and  all  k  E  IN,  there  exists  a  negligible  function  e  such  that: 
Pr[l NV4 (*:,(>, ft”1))  =  1]  <  1/2  +  e(k)  and  Fr[\mA{G}(k,h)  =  1]  <  1/2  + 
e(k),  inhere  the  experiments  are  defined  in  Fig.  9. 


IN VA(k, 

l:b<r-  {0,1} 

O  lc 

2:  b'  A  h’h  ^■i(fk),  where  oracle  Ohh- 1  b  responds  to  a  query 
by 

sampling  r  E  {0, l}w',  and  returning  r  if  b  =  0  or  1  (/j (r) )  if 

b  =  1 

3:  Output  1  iff  b  =  b' 

\mA[G}(k,h) 

1:  be  {0,1} 

2:  f>'  <—  A°b’h(lk),  where  ObA  responds  to  a  query  by 
sampling  r  £  {0,  l},^-)  and  sampling  h  £  Gk  and  returning  h{r)  if 
b  —  Oorhiib  —  1 

3:  Output  1  iff  b  —  b' 


Fig.  9:  The  Experiments  IND^  and  INV^|G|  used  to  define  security  for 

WEAKLY  SIMULATABLE  SECURITY  OF  A  GROUP  FAMILY  {G}. 

Dent  showed  that  groups  in  which  the  DDH  assumptions  are  believed 
to  hold  are  simulatable. 

Lemma  4.  [8]  For  an  infinite  sequence  of  pairs  of  primes  q  and  p,  where  p  = 
2 q  +  1,  let  G(p/<;)  be  the  subgroup  of  Z*  of  order  q,  then  { G +,+  }  is  simulatable 
group  family. 

Theorem  3.  The  DEG  encryption  scheme  is  weakly  simulatable  if  it  is  instanti¬ 
ated  with  a  simulatable  group  family  {Gjt}  on  which  the  DDH  problem  is  hard. 

Proof.  Let  (h,  h  1 )  be  the  efficiently  computable  functions  that  exist  by  the 
fact  that  the  { Gk }  is  a  simulatable  group  family  Lor  ease  of  notation  in 
this  proof,  we  assume  all  functions  get  the  required  public  parameters  (e.g. 
the  public-key)  as  part  of  their  input.  We  need  to  give  the  two  functions 
(f,  f  1 )  for  DEG  required  by  the  definition  of  weakly  simulatable.  De¬ 
fine  f(x  =  (x1,x2,x3))  =  (h(x1),h(x2)/h(x3)),  and  /^(c  =  (ci,c2,c3))  = 
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(h^(c\),h^{c2),h^  (c3)).  From  the  properties  in  the  definition  of  a  Sim¬ 
ula  table  group  (family),  (/,  /  1 )  satisfies  the  corresponding  requirements 
given  in  the  definition  of  a  weakly  simulatable  encryption  scheme. 

We  now  need  to  argue  the  final  property  of  a  weakly  simulatable  en¬ 
cryption  scheme:  no  ppt  adversary  can  distinguish  between  a  valid  cipher- 
text  and  one  sampled  via  /  (which  may  not  be  a  valid  ciphertext).  Namely, 
we  need  to  show  Pr[DISTDEG(X  (/ f1)^)  =  1]  ~  1/2 

To  meet  this  goal,  we  design  a  series  of  games  (or  experiments)  to 
show  the  advantage  of  an  adversary  being  able  to  distinguish  between 
legitimate  ciphertexts,  and  sampled  outputs  of  /  is  negligible.  Let  Wgt 
be  the  random  variable  output  of  the  security  experiment  in  Game  i  with 
security  parameter  k. 

Let  Game  1  be  exactly  the  experiment  DISTdeg(^/  (/,/_1),v4). 

Let  Game  2  be  a  modification  of  Game  1,  in  which  the  ciphertext  c 
produced  on  Line  3  of  DIST  returns  an  encryption  of  1,  independent  of 
the  value  of  m. 

Claim  5.  {W1/k}k  fac  {W2/k}k. 

Proof.  Follows  from  CPA  security  of  the  DEG  encryption  scheme.  □ 

Let  Game  3  be  a  modification  of  Game  2  in  which  again  in  Line  3  of 
DIST,  the  value  W  computed  in  Line  2  of  the  DEG  encryption  algorithm 
is  computed  as  follows:  W  <—  gr ,  where  r'  G  Z^  (instead  of  W  <—  Xj/). 

Claim  6.  {W2rk}  ~c  {W3/Jt} 

Proof,  (sketch)  If  there  is  any  distinguisher  D  that  can  distinguish  {W2//c} 
from  { W3  }  with  reasonable  probability,  then  one  can  use  D  be  used  to 
build  a  DDH  distinguisher  D'.  In  particular,  D'  when  given  either  a  tuple 
(g ’  gXl  ’  gy ’  gXiy)  or  {%'  gXl  *  gy *  gr )/  can  choose  a  random  x2,  simulate  a  pk 
for  the  DEG  scheme,  and  use  x2  and  the  provided  information  to  compute 
an  appropriate  encryption  for  a  perfect  simulation  of  the  either  Game  2  or 
Game  3.  We  can  then  simulate  D,  and  use  the  result  to  break  DDH.  □ 

Let  Game  4  be  a  modification  of  Game  3  where  the  value  U  in  Line 
2  of  the  DEG  encryption  algorithm  is  computed  as  U  =  gr  for  randomly 
selected  r"  G  Z?. 

Claim  7.  {W3Jc}  {W4/,} 
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Proof,  (sketch)  The  proof  of  this  claim  parallels  that  of  the  previous.  If 
there  is  a  distinguisher  D  of  {  Wjyt}  and  { Wy( }  then  to  can  be  used  to  build 
a  DDH  distinguisher  D'.  In  particular,  D'  given  a  tuple  ( g,gX2rgy  ,gX2y )  or 
(y,  gXl'Sy ’gr )'  it  choose  a  random  X|,  simulates  a  pk  for  the  DEG  scheme, 
and  use  X\  and  the  provided  information  to  provide  an  appropriate  en¬ 
cryption,  for  a  perfect  simulation  of  the  either  Game  3  or  Game  4.  □ 

In  Game  4  each  of  the  components  of  the  ciphertext  in  Line  3  of  DIST 
is  now  random  group  element.  In  Game  5  we  replace  these  random  group 
elements  with  random  output  from  the  group  element  sampling  algorithm 
h,  which  due  to  the  simulatable  group  properties  are  indistinguishable 
from  random  group  elements.  Specifically,  in  Game  5  in  Line  5  of  DIST  we 
return  the  "ciphertext"  (Y  =  h(r\ ),  W  =  hfr?),  U  =  h(rf)),  for  randomly 
chosen  n,r2,r 3  G  {0,1}^. 

Claim  8.  Pr{W4/fc}  ~c  {W5/k} 

Proof.  Lollows  immediately  from  simulatable  group  properties  of  G  and 
h.  □ 

We  note  that  by  the  definition  of  /,  the  output  of  the  encryption  al¬ 
gorithm  in  Game  5  Line  5  of  DIST  is  an  identically,  but  independently 
distributed  random  variable  as  the  one  output  on  Line  4  of  DIST  (i.e., 
/(D/L2/T3)  for  randomly  chosen  r\,r2,rf).  It  is  clear  that  PrfW^s  =  1]  = 
1/2. 

Therefore,  since  we  can  combine  all  the  claims  to  show  that  Pr  [  Wjt,i  = 
1]  ~c  Pr  [lA//,p  =  1]  =  1/2  we  conclude  that  DEG  is  weakly  simulatable.  □ 

Theorem  4.  The  Cramer-Shoup  lite  encryption  scheme  is  weakly  simulatable  if 
it  is  instantiated  on  a  simulatable  group  G  on  which  the  DDH  problem  is  hard. 

Proof.  Similar  to  the  proof  of  Theorem  3.  □ 

B  Instantiating  SPA  secure  schemes 

Definition  6  (DHK,  Assumption  (modification  of  [1])).  Let  G  be  a  prime- 
order-group  generator.  Let  Crtc  be  an  algorithm  that  has  access  to  an  oracle, 
takes  an  i  sequence  of  two  primes  and  two  group  elements,  and  returns  nothing. 
Let  Extc  be  an  algorithm  that  takes  a  pair  of  group  elements  and  some  state 
information,  and  returns  an  exponent  and  a  new  state.  We  call  Crtc  a  DHK#- 
adversary  and  Extc  a  DHK?-extractor. 
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DHIQ(G,  CrtG,  ExtG,fc) 

i:  {Pi,qi,gi  G(lfc);  «i  <-  z9i;  A,  <-  gf  mod  pOis^fc) 

2:  Let  R[CrtG]  and  R  [ExtG]  be  randomly  selected  strings  for  CrtG  and 
ExtG 

3:  st  <-  ((pir^gi/^iOfe^/^lCrtG]) 

4:  while  Simulate  CrtG((p!/^1/^/Ai)/6^(fc)];R[CrtG])  do 
5:  if  CrtG  queries  (i,  B,  W)  then 

6:  (b,st)  <—  ExtG((i,  B,  W),sf;R[ExtG]) 

7:  if  W  =  B"!  mod  pi  and  B  f  g^  mod  p;  then  Return  1 

8:  else  Return  b  to  CrtG 

9:  Return  o 


Fig.  10:  DHIQ:  An  Extension  to  the  DHK  Definition 


We  say  that  G  satisfies  the  DHK g  assumption  if  for  every  polynomial-time 
CrtG  there  exists  a  polynomial-time  ExtG  and  negligible  function  p,  s.t.  for  all 
k  E  N:  Pr[DHfQ(G,  CrtG/  ExtG/jfc)  =  1]  <  fi(k). 

Our  modification  to  DHK/  versus  the  definition  in  [1]  requires  that  the 
ciphertext  creator  be  able  to  generate  ciphertexts  relative  to  a  polynomial 
number  of  randomly  chosen  public-keys.  It  seems  reasonable  to  conjecture 
that  any  extractor  that  could  extract  exponents  with  respect  to  single  value 
A  =  gn,  could  do  so  efficiently  for  many  Aj.  We  now  argue  that  DEG  is 
sPAi/  secure  under  the  DHK,  assumption. 

Theorem  5.  For  any  polynomial  i,  if  the  DHK ^  assumption  holds  and  the  DEG 
scheme  is  instantiated  with  a  simulatable  group  family  { G k},  then  the  DEG 
scheme  is  sPAig  secure. 

Proof.  We  need  to  show  that  for  any  adversary  Crt  there  exists  an  ex¬ 
tractor  Ext  that  can  decrypt  its  queries  flawlessly.  Ext  receives  (pkt  = 

(pi,  qi, gi,  At,  Aj))iem)  and  R  [Crt]  as  state  information.  Then  Ext  builds 
the  DHIQ  adversary  CrtG  that  runs  the  sPAi,  adversary  Crt  internally  and 
simulates  the  sPAi,  experiment  for  it.  CrtG  receives  (pi,  qi,gi,  Ai)iem\  and 
its  random  coins  from  Ext  and  parses  its  random  coins  as  (/G 1  (Ai)) I  R[Crt] 
(prepared  by  Ext  where  Aj  is  a  random  group  element  in  G).  Notice  that 
since  G,  the  group  from  which  Aj  is  sampled  from,  is  simulatable,  it  fol¬ 
lows  that  /G 1  (Aj)  is  indistinguishable  from  random  bits  and  should  have 
indistinguishable  effect  on  the  output  of  the  extraction.  Because  CrtG  is 
a  DHIQ  adversary,  therefore  there  exists  an  extractor  for  it  ExtG.  For 
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each  i  S  [£(k)]f  Crt^  sets  pkj  (p„  Cjlrgi,  A,,  At).  Crt^  then  runs  Crt  on 
(P^i)ie[£{k)]  and  the  random  coins  R [Crt]  until  Crt  halts,  answering  Crt's 
queries  as  follows:  upon  receiving  the  query  C  =  ( i,Y,W,U )  from  Crt, 
Crtc  submits  (/, Y,  W)  to  the  DHK,  extractor  Ext(-.  The  DHK,  extrac¬ 
tor  Extc  returns  the  value  b.  If  Y  ^  g1-  mod  p,  or  W  ^  A-7  mod  p, 
then  Crtc  returns  _L  as  the  answer  to  this  query,  otherwise  Crtc  com- 
putes  M  <—  U  ■  ( Aj  mod  p,  and  return  the  result  to  Crt.  Notice  that 

since  Crtc  is  a  DHIQ  adversary,  the  extractor  ExtC;  should  return  the  right 
answer  to  the  queries  Crtc  submits.  Since  Ext  makes  a  mistake  in  an¬ 
swering  Crt's  queries  only  when  there  is  a  mistake  in  Ext^'s  answers  to 
Crtc's  queries,  we  conclude  that  Ext  also  returns  the  right  decryption  to 
the  queries  submitted  by  Crt  and  is  an  extractor  for  it. 

□ 


Theorem  6.  For  any  polynomial  i,  The  CS-Lite  scheme  is  sPAip  secure  if  the 
followings  hold:  i)  the  DHKf  assumption ,  and  ii)  CS-Lite  is  instantiated  with  a 
simulatable  group  family  {G*,}. 


Proof.  Similar  to  the  proof  of  Theorem  5. 


□ 


34 


Approved  for  Public  Release;  Distribution  Unlimited. 

503 


Constant-Round  Concurrent  Zero  Knowledge 
From  P-Certificates 

Kai-Min  Chung*  Huijia  Lin'  Rafael  Pass* 


Abstract 

We  present  a  constant-round  concurrent  zero-knowledge  protocol  for  NP.  Our  protocol  relies 
on  the  existence  of  families  of  collision-resistant  hash  functions,  and  a  new,  but  in  our  eyes, 
natural  complexity-theoretic  assumption:  the  existence  of  P-certificates — that  is,  “succinct” 
non-interactive  proofs/arguments  for  P.  As  far  as  we  know,  our  results  yield  the  first  constant- 
round  concurrent  zero-knowledge  protocol  for  NP  with  an  explicit  zero-knowledge  simulator 
based  on  any  assumption. 
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1  Introduction 


Zero-knowledge  (ZfC)  interactive  proofs  [GMR89]  are  paradoxical  constructs  that  allow  one  player 
(called  the  Prover)  to  convince  another  player  (called  the  Verifier)  of  the  validity  of  a  mathematical 
statement  x  G  L,  while  providing  zero  additional  knowledge  to  the  Verifier.  Beyond  being  fasci¬ 
nating  in  their  own  right,  ZfC  proofs  have  numerous  cryptographic  applications  and  are  one  of  the 
most  fundamental  cryptographic  building  blocks. 

The  notion  of  concurrent  zero  knowledge,  first  introduced  and  achieved  in  the  paper  by  Dwork, 
Naor  and  Sahai  [DNS04],  considers  the  execution  of  zero-knowledge  proofs  in  an  asynchronous  and 
concurrent  setting.  More  precisely,  we  consider  a  single  adversary  mounting  a  coordinated  attack 
by  acting  as  a  verifier  in  many  concurrent  executions  (called  sessions).  Concurrent  ZfC  proofs  are 
significantly  harder  to  construct  and  analyze.  Since  the  original  protocol  by  Dwork,  Naor  and  Sahai 
(which  relied  on  so  called  “timing  assumptions”),  various  other  concurrent  ZfC  protocols  have  been 
obtained  based  on  different  set-up  assumptions  (e.g.,  [DS98,  DamOO,  CGGMOO,  Gol02,  PTV12, 
GJO+12]),  or  in  alternative  models  (e.g.,  super-polynomial-time  simulation  [Pas03b,  PV10]). 

In  the  standard  model,  without  set-up  assumptions  (the  focus  of  our  work,)  Canetti,  Kilian, 
Petrank  and  Rosen  [CKPR01]  (building  on  earlier  works  by  [KPR98,  RosOO])  show  that  concurrent 
ZfC  proofs  for  non-trivial  languages,  with  “black-box”  simulators,  require  at  least  D(logn)  number 
of  communication  rounds.  Richardson  and  Kilian  [RK99]  constructed  the  first  concurrent  ZfC 
argument  in  the  standard  model  without  any  extra  set-up  assumptions.  Their  protocol,  which  uses 
a  black-box  simulator,  requires  0(ne)  number  of  rounds.  The  round-complexity  was  later  improved 
in  the  work  of  Kilian  and  Petrank  (KP)  [KP01]  to  0(log2n)  round.  Somewhat  surprisingly,  the 
simulator  strategy  of  KP  is  “oblivious” — the  “rewinding  schedule”  of  the  simulator  ignores  how 
the  malicious  verifier  schedules  its  messages.  The  key  insight  behind  this  oblivious  simulation 
technique  is  that  a  single  “rewinding”  may  be  helpful  for  simulating  multiple  sessions;  in  essence, 
KP  performs  an  amortized  analysis,  which  improves  the  round-complexity.  (As  we  shall  see  shortly, 
such  an  amortized  analysis  will  play  an  important  role  also  in  this  work.)  More  recent  work  by 
Prabhakaran,  Rosen  and  Sahai  [PRS02]  improves  the  analysis  of  the  KP  simulator,  achieving  an 
essentially  optimal,  w.r.t.  black-box  simulation,  round-complexity  of  0(log?r);  see  also  [PTV12]  for 
an  (arguably)  simplified  and  generalized  analysis. 

The  central  open  problem  in  the  area  is  whether  a  constant-round  concurrent  ZfC  protocol  (for 
a  non-trivial  language)  can  be  obtained.  A  major  breakthrough  towards  resolving  this  question 
came  with  the  work  of  Barak  [BarOl],  demonstrating  a  new  non-black-box  simulation  technique  that 
seemed  amenable  for  constructing  constant-round  protocols  that  are  resilient  to  concurrent  attacks. 
Indeed,  Barak  demonstrated  a  constant-round  bounded- concurrent  argument  for  NP  based  on  the 
existence  of  collision-resistant  hash-functions;  bounded-concurrency  here  means  that  for  every  a- 
priori  polynomial  bound  m  on  the  number  of  concurrent  executions,  there  exists  a  protocol  (which 
depends  on  m)  that  remains  zero-knowledge  as  long  as  the  number  of  concurrent  execution  does 
not  exceed  m.  (In  particular,  in  the  protocol  of  Barak,  the  message  length  of  the  protocol  grows 
linearly  with  the  a-priori  bound  m  on  the  number  of  concurrent  executions.) 

But  a  decade  later,  the  question  of  whether  “full”  (i.e.,  unbounded)  concurrent  zero- knowledge 
is  achievable  in  a  constant  number  of  rounds  is  still  wide  open.  Note  that  it  could  very  well  be 
the  case  that  all  “classic”  zero-knowledge  protocol  already  are  concurrent  zero-knowledge;  thus, 
simply  assuming  that  those  protocols  are  concurrent  zero-knowledge  yields  an  assumption  under 
which  constant-round  concurrent  zero- knowledge  (trivially)  exists — in  essence,  we  are  assuming  that 
for  every  attacker  a  simulator  exists.  Furthermore,  as  we  discuss  in  Section  1.4,  if  we  make  strong 
“concurrent  extractability”  assumptions  of  the  knowledge-of-exponent  type  [Dam91,  HT98,  BP04b], 
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concurrent  zero-knowledge  is  easy  to  construct.1  But  such  extractability  assumptions  also  simply 
assume  that  for  every  attacker,  a  simulator  (“the  extractor”)  exists.  In  essence,  rather  than  basing 
constant-round  concurrent  zero-knowledge  on  a  hardness  assumption,  it  is  based  on  a  “knowledge” 
assumption;  that  is,  an  assumption  that  is  very  similar  in  flavour  to  simply  assuming  that  a  protocol 
is  zero-knowledge.  The  central  question  that  we  address  in  this  paper  is  thus  the  following: 

Can  constant-round  concurrent  zero-knowledge  be  based  on  any  (reasonable)  complexity- 
theoretic  hardness  assumption? 

As  an  additional  point,  even  under  the  above-mentioned  strong  “knowledge”  assumptions,  an 
explicit  construction  of  the  concurrent  zero-knowledge  simulator  is  not  known — it  is  simply  as¬ 
sumed  that  one  exists.  For  some  applications  of  zero-knowledge  such  as  deniability  (see  e.g., 
[DNS04,  Pas03b]),  having  an  explicit  simulator  is  crucial.  As  far  as  we  know,  there  are  currently  no 
assumptions  (no  matter  how  crazy)  under  which  constant-round  concurrent  zero-knowledge  with 
an  explicit  simulator  is  known. 

In  fact,  even  in  the  common  reference  string  (CRS)  model,  there  are  no  known  constructions 
of  constant-round  concurrent  zero- knowledge  where  the  simulator  does  not  “program”  the  CRS; 
such  zero-knowledge  protocols  were  referred  to  as  deniable  zero-knowledge  in  the  CRS  model  in 
[Pas03b].2  Indeed,  as  shown  in  [Pas03b],  the  black-box  lower-bounds  for  concurrent  zero- knowledge 
in  the  plain  model  extend  also  to  such  a  “non-programmable”  CRS  model. 

1.1  Our  Results 

In  this  work,  we  present  new  complexity-theoretic  assumptions,  which  in  our  eyes  are  both  natu¬ 
ral  and  reasonable  (and  can  be  efficiently  falsified),  under  which  constant-round  concurrent  zero- 
knowledge  is  achievable.  Furthermore,  we  provide  an  explicit  zero-knowledge  simulator. 

P-certificates  We  consider  an  analogue  of  Micali’s  non-interactive  CS-proofs  [MicOO]  for  lan¬ 
guages  in  P.  Roughly  speaking,  we  say  that  {P,V)  is  a  P -certificate  system  if  (P,V)  is  a  non¬ 
interactive  proof  system  (i.e.,  the  prover  send  a  single  message  to  the  verifier,  who  either  accepts 
or  rejects)  allowing  an  efficient  prover  to  convince  the  verifier  of  the  validity  of  any  deterministic 
polynomial-time  computation  M(x)  =  y  using  a  “certificate”  of  some  fixed  polynomial  length  (in¬ 
dependent  of  the  size  and  the  running-time  of  M )  whose  validity  the  verifier  can  check  in  some 
fixed  polynomial  time  (independent  of  the  running-time  of  M).  That  is,  a  P-certificate  allows 
every  deterministic  polynomial-time  computation  to  be  “succintly”  certified  using  a  “short”  certifi¬ 
cate  (of  a-priori  bounded  polynomial  length)  that  can  be  “quickly”  verified  (in  a-priori  bounded 
polynomial-time) . 

We  may  consider  the  existence  of  P-certificates  either  in  the  “plain”  model  (without  any  set¬ 
up),  or  with  some  set-up,  such  as  the  CRS  model.  We  may  also  consider  various  different  notions 
of  soundness:  uniform  computational  soundness — which  states  that  no  uniform  polynomial-time 
algorithm  can  output  an  accepting  certificate  for  any  false  statement,  non-uniform  computational 
soundess — where  the  same  condition  holds  also  w.r.t.  non-uniform  polynomial-time  attackers,  and 
statistical  soundness — where  soundness  condition  holds  also  with  respect  to  unbounded  attackers 
restricted  to  selecting  statements  of  polynomial  length. 

furthermore,  as  shown  in  the  recent  independent  work  of  [GS12],  even  a  “non-concurrent”  (but  quite  strong  in 
a  different  way)  extractability-type  assumption  can  be  used. 

2Again,  if  the  simulator  gets  to  program  the  CRS,  such  a  simulator  cannot  be  used  to  get  deniability. 
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Note  that  in  the  plain  model,  non-uniform  soundness  and  statistical  soundnes  are  equivalent, 
since  if  an  accepting  proof  of  a  false  statement  exists,  a  non-uniform  efficient  attacker  can  simply 
get  it  as  non-uniform  advice.  In  the  CRS  model,  however,  the  notions  are  (seemingly)  distinct. 

For  our  application  we  will  require  a  slightly  stronger  soundness  condition:  soundness  needs  to 
hold  even  against  T(-)-time  attackers  attempting  to  prove  the  validity  also  of  T(-)-time  computa¬ 
tions,  where  T(-)  is  some  “nice”  (slightly)  super-polynomial  function  (e.g.,  T(n)  =  nlogloglogn).  We 
refer  to  such  proof  systems  as  strong  P -certificates. 

On  the  Existence  of  P-certificates  In  the  plain  model,  a  candidate  construction  of  uniformly 
computationally-sound  P-certihcate  systems  come  from  Micali’s  CS-proofs  [MicOO].  These  con¬ 
structs  provide  short  certificates  even  for  all  of  NEXP.  However,  since  we  here  restrict  to  cer¬ 
tificates  only  for  P,  the  assumption  that  these  constructions  are  sound  (resp.  strongly  sound) 
P-certificates  is  falsifiable  [Pop63,  Nao03]:  Roughly  speaking,  we  can  efficiently  test  if  an  attacker 
outputs  a  valid  proof  of  an  incorrect  statement,  since  whether  a  statement  is  correct  or  not  can  be 
checked  in  deterministic  polynomial  time.3 

In  our  eyes,  on  a  qualitatively  level,  the  assumption  that  Micali’s  CS-proofs  yield  strong  P- 
certihcates  is  not  very  different  from  the  assumption  that  e.g.,  the  Full  Domain  Hash  [BR93]  or 
Schnorr  [Sch91]  signature  schemes  are  existentially  unforgeable:  1)  whether  an  attacker  succeeds  can 
be  efficiently  checked,  2)  no  attacks  are  currently  known,  and  3)  the  “design-principles”  underlying 
the  construction  rely  on  similar  intuitions. 

As  a  final  point,  recall  that  Micali’s  CS-proofs  rely  on  the  Fiat-Shamir  heuristic,  which  in  general 
may  result  in  unsecure  schemes  [BarOl,  GK03];  however,  note  that  whereas  Micali’s  construction 
is  unconditionally  secure  in  the  random  oracle  model,  the  counterexamples  of  [BarOl,  GK03]  ex¬ 
tensively  rely  on  the  underlying  protocol  only  being  computationally  secure;  as  such,  at  this  time, 
we  have  no  reason  to  believe  that  the  Fiat-Shamir  heuristic  does  not  work  for  Micali’s  protocol  (or 
any  other  protocol  that  is  unconditionally  secure  in  the  random  oracle  model). 

In  the  CRS  model,  we  may  additionally  assume  that  Micali’s  CS-proofs  satisfy  non-uniform 
computational  soundness.  Additionally,  several  recent  works  provide  constructions  of  “SNARGs” 
(succinct  non-interactive  arguments)  for  NP  in  the  CRS  model  [GrolO,  Lipl2,  BCCT13,  GGPR13]; 
such  constructions  are  trivially  P-certificates  with  non-uniform  comptuational  soundness  in  the 
CRS  model.  However,  since  we  restrict  to  languages  in  P,  checking  whether  soundness  of  any  of 
these  constructions  is  broken  now  becomes  efficiently  checkable  (and  thus  assuming  that  they  are 
secure  becomes  falsifiable). 

Finally,  let  us  remark  that  even  statistically-sound  P-certificates  may  exist:  Note  that  the  exis¬ 
tence  of  statistically-sound  strong  P-certificates  is  implied  by  the  assumption  that  1)  DTIME(ntJ  (B)  C 
NP  and  2)  NP  proofs  for  statements  in  DTIME(f)  can  be  found  in  time  polynomial  in  t  [BLV06]. 

In  essence,  these  assumptions  says  that  non-determinism  can  slightly  speed-up  computation,  and 
that  the  non-deterministic  choices  can  be  found  efficiently,  where  efficiency  is  measured  in  terms 
of  the  original  deterministic  computation.  Although  we  have  no  real  intuition  for  whether  this 
assumption  is  true  or  false,4  it  seems  beyond  current  techniques  to  contradict  it.  (As  far  as  we 
know,  at  this  point,  there  is  no  substantial  evidence  that  even  SUBEXP  (Z  NP.) 

From  P-certificates  to  O(l)-round  Concurrent  ZKL  Our  main  theorem  is  the  following. 

3In  contrast,  as  shown  by  Gentry  and  Wichs  [GW11],  (under  reasonable  complexity  theoretic  assumptions)  non¬ 
interactive  CS-proofs  for  NP  cannot  be  based  on  any  falsifiable  assumption  using  a  black-box  proof  of  security. 

4As  far  as  we  know,  the  only  evidence  against  it  is  that  it  contradicts  very  strong  forms  of  derandomization 
assumptions  [BLV06,  BOV07]. 


Approved  for  Public  Release;  Distribution  Unlimited. 

3 


507 


Theorem.  Assume  the  existence  of  families  of  collision-resistant  hash-functions  secure  against 
polynomial-size  circuits,  and  the  existence  of  a  strong  P -certificate  system  with  uniform  (resp.  non- 
uniform)  soundness.  Then  there  exists  a  constant-round  concurrent  zero-knowledge  argument  for 
NP  with  uniform  (resp.  non-uniform)  soundness.  Furthermore,  the  protocol  is  public-coin  and  its 
communication  complexity  depends  only  on  the  security  parameter  (but  not  on  the  length  of  the 
statement  proved). 

Let  us  briefly  remark  that  from  a  theoretical  point  of  view,  we  find  the  notion  of  uniform 
soundness  of  interactive  arguments  as  well- motivated  as  the  one  of  non-uniform  soundness;  see  e.g., 
[Gol93]  for  further  discussion.  From  a  practical  point  of  view  (and  following  Rogaway  [Rog06])5,  an 
asymptotic  treatment  of  soundness  is  not  needed  for  our  results,  even  in  the  uniform  setting:  our 
soundness  proof  is  a  constructive  black-box  reduction  that  (assuming  the  existence  of  families  of 
collision- resistant  hash- functions) ,  transforms  any  attacker  that  breaks  soundness  of  our  concurrent 
ZfC  protocol  on  a  single  security  parameter  1"  into  an  attacker  that  breaks  the  the  soundness  of  the 
P-certificate  systems  with  comparable  probability  on  the  same  security  parameter  ln,  with  only  a 
“small”  polynomial  overhead.  In  particular,  if  some  attacker  manages  to  break  the  soundness  of  a 
particular  instantiation  of  our  protocol  using  e.g.,  Micali’s  CS-proof  for  languages  in  P  implemented 
using  some  specific  hash  function  (e.g.,  SHA-256),  then  this  attacker  can  be  used  to  break  this 
particidar  implementation  of  CS-proofs. 

Furthermore,  by  the  above  argument,  we  may  also  instantiate  our  protocol  with  P-certificates  in 
the  CRS  model,  leading  to  a  constant-round  concurrent  zero-knowledge  protocol  (with  non-uniform 
soundness)  in  the  non-programmable  CRS  model. 

Beyond  Concurrent  ZfC  Since  the  work  of  Barak  [BarOl],  non-black-box  simulation  techniques 
have  been  used  in  several  other  contexts  (e.g.,  [BGGL01,  DGS09,  BP12,  Lin03,  PR03a,  Pas04a, 
BS05,  GJ10].  We  believe  that  our  techniques  will  be  applicable  also  in  those  scenarios.  In  particular, 
in  Section  1.3,  we  show  that  our  protocols  directly  yield  a  constant-round  simultanously- resettable 
ZfC  [BGGL01,  DGS09]  for  NP,  and  discuss  applications  to  concurrent  secure  computation. 

1.2  Outline  of  Our  Techniques 

We  here  provide  a  detailed  outline  of  our  techniques.  The  starting  point  of  our  construction  is 
Barak’s  [BarOl]  non-black-box  zero-knowledge  argument  for  NP.  Let  us  start  by  very  briefly 
recalling  the  ideas  behind  his  protocol  (following  a  slight  variant  of  this  protocol  due  to  [PR03b]). 
Roughly  speaking,  on  common  input  ln  and  x  G  {0,  ljP01^™),  the  Prover  P  and  Verifier  V,  proceed 
in  two  stages.  In  Stage  1,  P  starts  by  sending  a  computationally-binding  commitment  c  G  {0,  l}n  to 
0n;  V  next  sends  a  “challenge”  r  G  {0,  l}2n.  In  Stage  2,  P  shows  (using  a  witness  indistinguishable 
argument  of  knowledge)  that  either  x  is  true,  or  there  exists  a  “short”  string  a  G  {0,  l}n  such  that 
c  is  a  commitment  to  a  program  M  such  that  M(a)  =  r.6 

Soundness  follows  from  the  fact  that  even  if  a  malicious  prover  P*  tries  to  commit  to  some 
program  M  (instead  of  committing  to  0re),  with  high  probability,  the  string  r  sent  by  V  will 
be  different  from  M(a)  for  every  string  a  G  {0,  l}n.  To  prove  ZK,  consider  the  non-black-box 

5Rogaway  used  this  argument  to  formalize  what  it  means  for  a  concrete  hash  function  (as  opposed  to  a  family  of 
hash  functions)  to  be  collision  resistant. 

6We  require  that  C  is  a  commitment  scheme  allowing  the  committer  to  commit  to  an  arbitrarily  long  string 
m  £  {0, 1}*.  Any  commitment  scheme  for  fixed-length  messages  can  easily  be  modified  to  handle  arbitrarily  long 
messages  by  asking  the  committer  to  first  hash  down  m  using  a  collision-resistant  hash  function  h  chosen  by  the 
receiver,  and  next  commit  to  h(m). 
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simulator  S  that  commits  to  the  code  of  the  malicious  verifier  V*;  note  that  by  definition  it  thus 
holds  that  M(c )  =  r,  and  the  simulator  can  use  a  =  c  as  a  “fake”  witness  in  the  final  proof. 
To  formalize  this  approach,  the  witness  indistinguishable  argument  in  Stage  2  must  actually  be 
a  witness  indistinguishable  universal  argument  (WIUA)  [MicOO,  BG08]  since  the  statement  that  c 
is  a  commitment  to  a  program  M  of  arbitrary  polynomial-size,  and  that  M(c)  =  r  within  some 
arbitrary  polynomial  time,  is  not  in  NP. 

Now,  let  us  consider  concurrent  composition.  That  is,  we  need  to  simulate  the  view  of  a  verifier 
that  starts  m  =  poly(n )  concurrent  executions  of  the  protocol.  The  above  simulator  no  longer 
works  in  this  setting:  the  problem  is  that  the  verifier’s  code  is  now  a  function  of  all  the  prover 
messages  sent  in  different  executions.  (Note  that  if  we  increase  the  length  of  r  we  can  handle  a 
bounded  number  of  concurrent  executions,  by  simply  letting  a  include  all  these  messages). 

So,  if  the  simulator  could  commit  not  only  to  the  code  of  V*,  but  also  to  a  program  M  that 
generates  all  other  prover  messages,  then  we  would  seemingly  be  done.  And  at  first  sight,  this 
doesn’t  seem  impossible:  since  the  simulator  S  is  actually  the  one  generating  all  the  prover  messages, 
why  don’t  we  just  let  M  be  an  appropriate  combination  of  S  and  V*1  This  idea  can  indeed  be 
implemented  [PR03b,  PRT11],  but  there  is  a  serious  issue:  if  the  verifier  “nests”  its  concurrent 
executions,  the  running-time  of  the  simulation  quickly  blows  up  exponentially — for  instance,  if  we 
have  three  nested  sessions,  to  simulate  session  3  the  simulator  needs  to  generate  a  WIUA  regarding 
the  computation  needed  to  generate  a  WIUA  for  session  2  which  in  turn  is  regarding  the  generation 
of  the  WIUA  of  session  1  (so  even  if  there  is  just  a  constant  overhead  in  generating  a  WIUA,  we  can 
handle  at  most  logro  nested  sessions). 

P-certificates  to  The  Rescue  Our  principal  idea  is  to  use  P-certificates  to  overcome  the  above- 
mentioned  blow-up  in  the  running  time.  On  a  very  high-level,  the  idea  is  that  once  the  simulator  S 
has  generated  a  P-certificate  7 r  to  certify  some  partial  computation  performed  by  S'  in  a  particular 
session  i,  then  the  same  certificate  may  be  reused  (without  any  additional  “cost”)  to  certify  the 
same  computation  also  in  other  sessions  i!  i.  In  essence,  by  reusing  the  same  P-certificates, 
we  can  amortize  the  cost  of  generating  them  and  may  then  generate  WlUA’s  about  WlUA’s  etc., 
without  blowing-up  the  running  time  of  the  simulator.  Let  us  briefly  mention  how  the  two  salient 
features  of  P-certificates,  namely  “non-interactivity”  and  “succinctness” ,  are  used:  Without  non¬ 
interactivity,  the  same  certificate  cannot  be  reused  in  multiple  sessions,  and  without  succinctness, 
we  do  not  gain  anything  by  reusing  a  proof,  since  just  reading  the  proof  may  be  more  expensive 
than  verifying  the  statement  from  “scratch” . 

Implementing  the  above  high-level  idea,  however,  is  quite  non-trivial.  Below,  we  outline  our 
actual  implementation.  We  proceed  in  three  steps: 

1.  We  first  present  a  protocol  that  only  achieves  bounded-concurrent  ZIC,  using  P-certificates, 

2.  We  next  show  how  this  bounded-concurrent  protocol  can  be  slightly  modified  to  become  a 
(fully)  concurrent  ZK,  protocol  assuming  the  existence  of  so-called  unique  P-certificates —  P- 
certificates  having  the  property  that  for  every  true  statement,  there  exists  a  single  accepting 
certificate. 

3.  In  the  final  step,  we  show  how  to  eliminate  the  need  for  uniqueness,  by  generating  P- 
certificates  about  the  generation  of  P-certificates  etc.,  in  a  tree-like  fashion. 

Step  1:  Bounded  Concurrency  Using  P-certificates  In  this  first  step,  we  present  a  (some¬ 
what  convoluted)  protocol  using  strong  P-certificates  that  achieves  m(-)-bounded  concurrency  (us¬ 
ing  an  even  more  convoluted  simulation).  As  mentioned,  Barak’s  original  protocol  could  already 
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be  modified  to  handle  bounded  concurrency,  without  the  use  of  P-certificates;  but  as  we  shall  see 
shortly,  our  protocol  can  later  be  modified  to  handle  full  concurrency. 

The  protocol  proceeds  just  as  Barak’s  protocol  in  Stage  1  except  that  the  verifier  now  sends  a 
string  r  £  {0,  i}2m(n)n“  (instead  of  length  2 n).  Stage  2  is  modified  as  follows:  instead  of  having  P 
prove  (using  a  WIUA)  that  either  x  is  true,  or  there  exists  a  “short”  string  a  £  {0, 1  }m(n)n  such 
that  c  is  a  commitment  to  a  program  M  such  that  M(a)  =  r,  we  now  ask  P  to  use  a  WIUA  to 
prove  that  either  x  is  true,  or 

•  commitment  consistency:  c  is  a  commitment  to  a  program  Mi,  and 

•  input  certification:  there  exists  a  “short”  string  a  £  {0,  l}m(n)n,  and 

•  prediction  correctness:  there  exists  a  P-certificate  ir  of  length  n  demonstrating  that 
Mi  (<t  )  =  r. 

(Note  that  the  only  reason  we  still  need  to  use  a  universal  argument  is  that  there  is  no  a-priori 
upper-bound  on  the  length  of  the  program  M\\  the  use  of  the  P-certificate  takes  care  of  the  fact 
that  there  is  no  a-priori  upper-bound  on  the  running-time  of  Mi,  though.)  Soundness  follows  using 
essentially  the  same  approach  as  above,  except  that  we  now  also  rely  on  the  strong  soundness  of 
the  P-certificate;  since  there  is  no  a-priori  upper-bound  on  neither  the  length  nor  the  running-time 
of  Mi,  we  need  to  put  a  cap  on  both  using  a  (slightly)  super-polynomial  function,  and  thus  to 
guarantee  soundness  of  the  concurrent  zero-knowledge  protocol,  we  need  the  P-certificate  to  satisfy 
strong  soundness. 

Let  us  turn  to  (bounded-concurrent)  zero-knowledge.  Roughly  speaking,  our  simulator  will 
attempt  to  commit  to  its  own  code  in  a  way  that  prevents  a  blow-up  in  the  running-time.  Recall 
that  the  main  reason  that  we  had  a  blow-up  in  the  running-time  of  the  simulator  was  that  the 
generation  of  the  WIUA  is  expensive.  Observe  that  in  the  new  protocol,  the  only  expensive  part  of 
the  generation  of  the  WIUA  is  the  generation  of  the  P-certificates  ir;  the  rest  of  the  computation 
has  a-priori  bounded  complexity  (depending  only  on  the  size  and  running-time  of  V*).  To  take 
advantage  of  this  observation,  we  thus  have  the  simulator  only  commit  to  a  program  that  generates 
prover  messages  (in  identically  the  same  way  as  the  actual  simulator),  but  getting  certificates  7?  as 
input. 

In  more  detail,  to  describe  the  actual  simulator  S,  let  us  first  describe  two  “helper”  simulators 
,Si,  S‘2-  S i  is  an  interactive  machine  that  simulates  prover  messages  in  a  “right”  interaction  with 
V* .  Additionally,  Si  is  expecting  some  “external”  messages  on  the  “left” — looking  forward,  these 
“left”  messages  will  later  be  certificates  provided  by  S2.  See  Figure  1  for  an  illustration  of  the 
communication  patterns  between  Si ,  S2  and  V* . 

S 1  proceeds  as  follows  in  the  right  interaction.  In  Stage  1  of  every  session  i,  S 1  first  commits  to 
a  machine  Si  (j1 ,  r)  that  emulates  an  interaction  between  Si  and  V* ,  feeding  Si  input  r  as  messages 
on  the  left,  and  finally  Si  outputs  the  verifier  message  in  the  jhth.  communication  round  in  the 
right  interaction  with  V*.  (Formalizing  what  it  means  for  Si  to  commit  to  Si  is  not  entirely  trivial 
since  the  definition  of  Si  depends  on  Si;  we  refer  the  reader  to  the  formal  proof  for  a  description  of 
how  this  circularity  is  broken.7  Si  next  simulates  Stage  2  by  checking  if  it  has  received  a  message 
(j.  tv  j )  in  the  left  interaction,  where  j  is  the  communication  round  (in  the  right  interaction  with 
V*)  where  the  verifier  sends  its  random  challenge  and  expects  to  receive  the  first  message  of  Stage 
2;  if  so,  it  uses  Mi  =  Si  (and  the  randomness  it  used  to  commit  to  it),  j  and  a  being  the  list  of 
messages  received  by  Si  in  the  left  interaction,  as  a  ’’fake”  witness  to  complete  Stage  2. 

7Roughly  speaking,  we  let  Si  take  the  description  of  a  machine  M  as  input,  and  we  then  run  Si  on  input  M  =  Si. 
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Figure  1:  Simulation  using  P-certificates. 


The  job  of  S2  is  to  provide  P-certificates  ttj  for  Si  allowing  Si  to  complete  its  simulation.  S2 
emulates  the  interaction  between  Si  and  V* ,  and  additionally,  at  each  communication  round  j,  S2 
feeds  Si  a  message  (j,  Hj)  where  ttj  is  a  P-certificate  showing  that  5j  (j,  a<j)  =  rj,  where  cr<j  is  the 
list  of  message  already  generated  by  S2,  and  r}  is  the  verifier  message  in  the  j’th  communication 
round.  Finally,  S2  outputs  its  view  of  the  full  interaction. 

The  actual  simulator  S  just  runs  S2  and  recovers  from  the  view  of  S2  the  view  of  V*  and  outputs 
it.  Note  that  since  Si  has  polynomial  running-time,  generating  each  certificate  about  Si  (which  is 
just  about  an  interaction  between  Si  and  V*)  also  takes  polynomial  time.  As  such  S2  can  also  be 
implemented  in  polynomial  time  and  thus  also  S.  Additionally,  note  that  if  there  are  m(n)  sessions, 
the  length  of  a  is  at  most  0(m(n)n)  <C  m(n)n 2 — for  each  of  the  m(n)  sessions,  and  for  each  round 
of  the  constant  number  of  rounds  in  each  session,  we  need  to  store  a  pair  (j,  7 r)  where  7r  is  of  length 
n;  therefore,  the  simulation  always  succeeds  without  getting  “stuck”. 

Finally,  indistinguishability  of  this  simulation,  roughly  speaking,  should  follow  from  the  hiding 
property  of  the  commitment  in  Stage  1,  and  the  WI  property  of  the  WIUA  in  Stage  2.  Or  does  it? 
Note  that  since  S±  is  committing  to  its  own  code  (including  its  randomness),  it  is  committing  to  a 
message  that  depends  on  the  randomness  used  for  the  commitment.  (In  the  language  of  [BCPT12], 
this  constitutes  a  randomness-dependent  message  (RDM)  attack  on  the  commitment  scheme.)  This 
circularity  can  be  easily  overcome  (as  in  [PRT11])  by  simply  not  committing  to  the  randomness  of 
Si,  and  instead  providing  it  as  an  additional  input  to  Sj  that  may  be  incorporated  in  <7;  without 
loss  of  generality,  we  may  assume  that  the  randomness  is  “short”  since  Si  can  always  use  a  PRG 
to  expand  it.  But  the  same  circularity  arises  also  in  the  WIUA,  and  here  a,  which  contains  the  seed 
used  to  generate  the  randomness  of  Si,  needs  to  be  an  input.  To  overcome  it,  we  here  require  Si 
to  use  a  forward- secure  PRG  [BY03]  to  expand  its  randomness;  roughly  speaking,  a  forward-secure 
PRG  ensures  that  ’’earlier”  chunks  of  the  output  of  the  PRG  are  indistinguishable  from  random, 
even  if  a  seed  generating  the  ’’later”  ones  is  revealed.  We  next  have  Si  use  a  new  chunk  of  the 
output  of  the  PRG  to  generate  each  new  message  in  the  interaction,  but  uses  these  chunk  in  reverse 
order  (i.e. ,  in  step  1,  the  last  chunk  of  the  output  of  the  PRG  is  used,  etc.);  this  means  that  we 
can  give  proofs  about  ’’earlier”  computations  of  Si  (which  requires  knowing  a  seeds  expanding 
the  randomness  used  in  the  computation)  while  still  guaranteeing  indistinguishability  of  ’’later” 
messages.8 

8Although  the  language  of  forward-security  was  not  used,  it  was  noticed  in  [PR03b]  that  GGM’s  pseudo-random 
function  [GGM86]  could  be  used  to  remove  circularity  in  situations  as  above.  A  related  trick  is  used  in  the  contem¬ 
porary  work  of  [CLP  12]. 
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Step  2:  Full  Concurrency  using  Unique  P-certificates  The  reason  that  the  above  approach 
only  yields  a  bounded  concurrent  zero- knowledge  protocol  is  that  for  each  new  session  i,  we  require 
S2  to  provide  Si  with  new  certificates,  which  thus  grows  the  length  of  a.  If  we  could  somehow  guar¬ 
antee  that  these  certificates  are  determined  by  the  statement  proved  in  the  WIUA,  then  soundness 
would  hold  even  if  a  is  long.  Let’s  first  sketch  how  to  do  this  when  assuming  the  existence  of  unique 
strong  P-certificates — that  is,  P-certificates  having  the  property  that  for  each  true  statement  x, 
there  exists  a  single  proof  7 r  that  is  accepted.  (We  are  not  aware  of  any  candidates  for  unique 
P-certificates,  but  using  them  serves  as  a  simpler  warm-up  for  our  actual  protocol.)  We  simply 
modify  the  input  certification  and  prediction  correction  conditions  in  the  WIUA  to  be  the  following: 

•  input  certification:  there  exists  a  vector  A  =  ((1, 7Ti),  (2, 7^), . . .)  and  a  vector  of  messages 
m  such  that  7 q  certifies  that  M\  (A<j)  output  mj  in  its  j’tli  communication  round,  where 
A <j  =  ((1,  tti),  •  •  • ,  (j  ~  1,  TTj- 1)),  and 

•  prediction  correctness:  there  exists  a  P-certificate  7r  of  length  n  demonstrating  that 
Mi  (A)  =  r. 

Soundness  of  the  modified  protocol,  roughly  speaking,  follows  since  by  the  unique  certificate  prop¬ 
erty,  for  every  program  Mi  it  inductively  follows  that  for  every  j,  mj  is  uniquely  defined,  and  thus 
also  the  unique  (accepting)  certificate  ttj  certifying  M\  (A<j)  =  rrij ;  it  follows  that  Mi  determines  a 
unique  vector  A  that  passes  the  input  certification  conditions,  and  thus  there  exists  a  single  r  that 
make  M \  also  pass  the  prediction  correctness  conditions.  Zero-knowledge,  on  the  other  hand,  can 
be  shown  in  exactly  the  same  way  as  above  (using  S\,  S2),  but  we  can  now  handle  also  unbounded 
concurrency  (since  there  is  no  longer  a  restriction  on  the  length  of  the  input  A). 

Step  3:  Full  Concurrency  Using  (Plain)  P-certificates  Let  us  finally  see  how  to  implement 
the  above  idea  while  using  “plain”  (i.e.,  non-unique)  P-certificates.  The  above  protocol  is  no  longer 
sounds  since  we  cannot  guarantee  that  the  proofs  7 Tj  are  unique,  and  thus  the  messages  mj  may  not 
be  unique  either,  which  may  make  it  possible  for  an  attacker  to  pass  the  “prediction  correctness” 
condition  (without  knowing  the  code  of  V*)  and  thus  break  soundness.  A  natural  idea  would 
thus  be  to  ask  the  prover  to  commit  to  a  machine  M2  (which  in  the  simulation  will  be  a  variant 
of  S2)  that  produces  the  certificates  7 Tj,  and  then  require  the  prover  to  provide  a  ”  second- level” 
certificate  that  the  "first-level”  certificates  were  generated  (deterministically)  by  running  M2.  But 
have  we  really  gained  anything?  Now,  to  perform  the  simulation,  we  need  to  provide  the  second- 
level  certificates  as  input  to  both  Mi  and  M2;  however,  for  these  second-level  certificates,  we  have 
no  guarantees  that  they  were  deterministically  generates  and  again  there  is  no  a-prior  upper  bound 
on  the  number  of  such  certificates,  so  it  seems  we  haven’t  really  gained  anything. 

Our  main  observation  is  that  a  single  ”  second- level”  certificate  can  be  used  to  to  certify  the 
(deterministic  generation)  of  n  ’’first-level” certificates.  And  a  sequence  of  n  “second-level”  cer¬ 
tificates  can  be  certified  by  a  single  “third-level”  certificate,  etc.  At  each  level,  there  will  be  less 
than  n  certificates  that  are  not  certified  by  a  higher-level  certificate;  we  refer  to  these  as  “dan¬ 
gling”  certificates.  See  Figure  2  for  an  illustration  of  the  tree  structure,  and  certified  and  dangling 
certificates. 

Note  that  since  the  number  of  messages  in  the  interaction  with  V*  is  polynomially  bounded,  we 
only  have  a  polynomial- number  of  level- 1  certificates,  and  thus,  the  above  higher- level  certification 
process  does  not  go  beyond  a  constant  number  of  levels  (at  each  level  we  need  a  factor  of  n  less 
certificates).  Finally,  note  that  the  total  number  of  “dangling”  (uncertified)  certificates  is  bounded 
by  the  number  of  levels  times  n  (and  is  thus  bounded  by,  say,  n2.)  This  means  that  all  the  dangling 
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Figure  2:  An  illustration  of  the  tree  structure  for  generating  P-certificates.  Nodes  that  are  not 
circled  are  “certified”  certificates;  nodes  that  are  circled  are  “dangling”  certificates. 


certificates  may  be  provided  as  a  “short”  input  o  to  the  committed  program,  and  all  the  certified 
certificates  can  be  provided  as  a  “long”  (but  certified  deterministically  generated)  input  A. 

Let  us  explain  this  idea  more  closely  using  only  second- level  certificates;  this  still  only  gives  us 
bounded-concurrency,  but  we  may  now  handle  0(m(ri)n)  sessions  (instead  of  just  m{n)).  (More 
generally,  if  we  use  ^-levels  of  certification,  we  can  handle  m.{n)nk  sessions.)  We  now  change  Stage 
2  of  the  protocol  to  require  P  to  use  a  WIUA  to  prove  that  either  x  is  true,  or 

•  commitment  consistency:  c  is  a  commitment  to  programs  Mi,  M2,  and 

•  input  certification:  there  exists 

—  a  vector  of  ’’certified  level-1  certificates”  A1  =  ((1, 7Ti),  (2, 7^), . . . ,  (an,  it  an)), 

—  a  ’’small”  number  of  ’’dangling  level- 1  certificates”  a1  =  (a\ ,  o\, . . . ,  a1-, ) ,  where  j'  <  n 
and  for  each  j  <  j' ,  crj  £  {0,  l}n, 

—  a  <  m(n )  level-2  certificates  a2  =  (a2  ,  a2n,  ■  ■  ■ ,  cr2n)  where  for  each  j  <  a,  a2n  £  {0,  l}n, 
such  that, 

—  a2n  certifies  that  M2(cr\an)  generates  the  certificates  A1, 
and 

•  prediction  correctness:  there  exists  a  P-certificate  7r  of  length  n  demonstrating  that 
Mi(A1,cr1,  a2)  =  r. 

Soundness  of  this  protocol  follows  since  the  total  length  of  “arbitrary”  (not  deterministic)  input  is 
bounded  by  (m(n)+n)n  <C  m(n)n2.  m(n)n-bounded  concurrent  zero-knowledge  on  the  other  hand, 
roughly  speaking,  follows  by  letting  M\  be  as  above  (i.e.,  Si)  and  M2  be  a  variant  of  the  simulator 
S2  that  outputs  all  the  certificates  generated  by  S2.  We  then  define  a  simulator  S3  responsible 
for  generating  second-level  certificates  for  S2,  and  finally  outputs  its  full  view  of  the  interaction. 
The  final  simulator  S  runs  S3  and  outputs  the  view  of  V*  in  the  interaction.  See  Figure  3  for  an 
illustration  of  the  communication  patterns  of  Si,  S2,  S3  and  V* . 

Note  that  as  long  as  there  are  less  than  m(ri)n  message  in  the  interaction  with  V* ,  the  number 
of  first-level  certificates  is  bounded  by  m(n)n,  and  thus  we  have  enough  “spots”  for  second-level 
certificates  (in  a2)  to  perform  the  simulation. 
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Figure  3:  Simulation  using  second-level  P-certificates. 


In  the  final  protocol,  we  instead  have  the  simulator  commit  to  a  sequence  Mi,  M2, ...  of  machine; 
roughly  speaking,  M\  will  be  as  above,  M2  is  responsible  for  generating  first-level  certificates  (while 
receiving  level  A;  >  1  certificates  externally),  M3  will  be  responsible  for  generating  second- level 
certificates  (while  receiving  level  k  >  2  certificates  externally),  etc.  Note  that  although  there  is  a 
(potentially)  exponential  blow-up  in  the  time  needed  to  generate  higher-level  certificates,  since  we 
only  have  a  constant-number  of  levels,  simulation  can  be  performed  in  polynomial-time. 

1.3  Applications 

Our  techniques  are  useful  also  beyond  concurrent  ZK.  For  instance,  by  applying  the  transformation 
of  [BGGL01]  to  our  protocol,  we  directly  get  a  constant-round  resettably-sound  concurrent  ZK.  By 
additionally  applying  the  transformation  of  [DGS09]  to  the  resulting  resettably-sound  concurrent 
ZK  protocol,  we  get  a  constant-round  simultanously-resettable  ZK  protocol. 

For  another  application,  a  recent  result  by  Goyal  on  concurrent  secure  computation  [Goyl2], 
demonstrates  classes  of  two-party  functionalities  that  can  be  securely  computed  in  a  concur¬ 
rent  “single- input”  setting — that  is,  we  consider  a  “client-server”  setting,  where  the  (honest) 
server  is  using  the  same  input  in  all  concurrent  sessions.  By  using  our  simulation  techniques, 
we  can  get  a  crisp  condition  on  the  class  of  functions  that  can  be  securely  computed  in  this 
setting  (that  significantly  expands  beyond  the  class  considered  in  [Goyl2])  :  any  function  / 
for  which  there  exists  an  efficient  procedure  M  that  on  input  an  arbitrary  polynomial  sequence 
[x\,  f(x\,  y)),  (x2,  f(x2,  y))-,  ■  ■  ■  {xm,  f(xm,  y))  can  output  a  circuit  of  a-priori  bounded  (indepen¬ 
dent  of  m)  size  C  and  an  input  y'  of  a-priori  bounded  length  such  that  for  every  i  E  [m], 
f(xi,y )  =  C(xi,y').  Note  that  if  there  exists  an  efficient  procedure  for  finding  the  input  y  (i.e. , 
inverting  the  function  f'{x\,  X2,  ■  ■  ■  xm,  y)  =  f{x\,y)  . . .  f(xm,y))}  then  this  condition  is  trivially 
satisfied  by  simply  setting  C  =  f,y  =  y' .  (We  remark  that  this  condition  is  very  related  to 
the  “bounded-entropy”  conjecture  of  [Goyl2].)  This  result  is  obtained  by  simply  plugging- in  our 
concurrent  ZK,  protocol  into  the  bounded-concurrent  secure  two-party  computation  protocol  of 
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[Pas04b]  and  noticing  that  once  “straight-line”  concurrent  ZKL  simulation  is  achieved  (as  it  is  in 
our  protocol),  the  only  obstacle  for  fully  concurrent  simulation  is  the  need  to  “compress”  outputs 
from  trusted  party  computing  /;  the  above  condition  stipulates  that  such  a  compression  is  always 
possible.  (We  expand  on  these  result  in  the  final  version  of  the  paper.) 

1.4  Related  Work 

We  provide  a  detailed  discussion  of  some  other  related  works: 

•  As  mentioned  in  the  introduction,  constant-round  concurrent  zero-knowledge  protocols  with 
super-polynomial-time  simulators  have  been  constructed  in  the  plain  model  [Pas03a,  PV08]. 
For  the  protocol  of  [Pas03a],  the  only  super-polynomial-time  “advantages”  needed  by  the 
simulator  is  to  find  a  pre-image  x'  =  f~1(y)  to  any  point  y  output  by  the  malicious  verifier 
V*,  as  long  as  y  actually  is  in  the  range  of  some  one-way  function  /.  If  we  assume  that  the 
only  way  for  V*  to  output  some  y  in  the  range  of  /  is  by  applying  /  to  an  input  x  that  it 
explicitly  knows ,  then  the  protocol  of  [Pas03a]  is  concurrent  zero-knowledge.  A  problem  with 
formalizing  this  is  that  V*  may  already  get  some  string  y  =  f(x)  as  its  auxiliary  input  and 
thus  may  not  know  x.  As  in  the  literature  on  “knowledge-of-exponent”-type  extractability 
assumptions  (see  e.g.,  [Dam91,  HT98,  BP04b,  CD09,  BCCT12,  DFH12,  GLR11]),  this  issue 
can  be  resolved  by  having  the  prover  select  the  one-way  function  /  from  a  family  T  of  one-way 
functions.  Now  the  extractability  assumption  we  need  is  that  for  every  polynomial-time  oracle 
machine  M,  there  exists  some  polynomial-time  machine  M'  such  that  given  any  z  6  {0, 1}*, 
and  uniformly  selected  functions  f  =  /i ,  •  •  •  /poiy(n)  £  J 7,  M°^(ln,z,  f)  and  M'  (ln ,  z,  f) 
generate  the  same  output,  where  0(f)  is  an  oracle  that  inverts  the  functions  in  /.  In  other 
words,  we  are  assuming  that  in  the  simulation,  the  simulator  together  with  the  verifier  can 
— in  polynomial-time — emulate  the  one-way  function  inverter  used  in  [Pas03a].  Note  that  the 
above  extractability  assumption  is  stronger  than  the  typical  “knowledge-of-exponent”-type 
extractability  assumptions  since  we  require  simultaneous  “concurrent”  extractability  of  many 
images  y  that  are  chosen  adaptively  by  the  adversary.9  However,  as  shown  in  [Pas03b],  any 
sufficiently  length-expanding  random  oracle  satisfies  exactly  such  an  concurrent  extractability 
assumption — this  was  used  in  [Pas03a]  to  construct  a  concurrent  ZKL  protocol  in  the  “non¬ 
programmable”  random  oracle  model. 

A  very  recent  work  by  Gupta  and  Sahai  [GS12]  independent  of  the  current  work  present  an  al¬ 
ternative  “non-concurrent”  extractability  assumption  under  which  constant-round  concurrent 
zero-knowledge  can  be  achieved. 

One  important  difference  between  the  above  approaches  and  our  work  is  that  we  here  provide 
an  explicit  concurrent  ZKL  simulator.  The  above-mentioned  approaches  simply  assume  that 
such  a  simulator  exists;  and,  even  if  the  assumption  is  true,  it  is  not  clear,  how  to  find  it.  In 
particular,  for  the  purpose  of  deniability  (see  e.g.,  [DNS04,  Pas03b])  it  is  not  clear  whether 
the  approach  based  on  “extractability”  assumptions  provides  sufficient  guarantees  (unless  an 
explicit  simulator  strategy  is  found). 

•  Barak,  Lindell  and  Vadhan  [BLV06]  show  that  under  the  assumptions  that  1)  DTIME(n"  (!))  C 
NP  and  2)  NP  proofs  for  statements  in  DTIME(f)  can  be  found  in  time  polynomial  in  t. 
2-round  proof  exists  that  are  zero-knowledge  for  uniform  verifiers  that  do  not  receive  any 

9  On  the  other  hand,  it  is  weaker  that  most  other  usages  of  extractability  in  it  requires  less  structure  from  the 
function  (i.e. ,  only  one-wayness). 
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auxiliary  input.  Their  zero-knowledge  simulator  is  non-black-box.  As  mentioned  in  the 
introduction,  the  above-mentioned  assumptions  imply  the  existence  of  statistical  strong  P- 
certificates.  We  note  that  the  protocol  of  [BLV06]  is  not  known  to  be  concurrent  (or  even 
sequential)  zero-knowledge,  even  with  respect  to  uniform  malicious  verifiers. 

•  Contemporary  work  by  Canetti,  Lin  and  Paneth  [CLP12]  constructs  a  public-coin  concur¬ 
rent  zero- knowledge  protocol  using  non-black-box  simulation  techniques10.  As  shown  by 
Pass,  Tseng  and  Wikstrom  [PTW11],  public-coin  concurrent  (and  in  fact  even  parallel)  zero- 
knowledge  protocols  require  non-black-box  simulation,  no  matter  what  the  round-complexity 
is.  The  protocol  of  [CLP12]  is  in  the  “non-programmable”  CRS  model  of  [Pas03a]  but  as 
showed  in  [Pas03a]  black-box  separation  of  the  Goldreich-Krawczyk  [GK96]  type  (and,  in 
particular,  the  [PTW11]  one,  falls  into  this  category)  extend  also  to  zero-knowledge  in  the 
non-programmable  CRS  model;  thus  non-black-box  simulation  is  necessary  also  for  their  re¬ 
sult.  In  contrast  to  our  protocol,  theirs,  however,  requires  0(log1+£n)  number  of  rounds  for 
arbitrarily  small  constant  e,  but  instead  only  relies  on  the  existence  of  families  of  collision- 
resistant  hash  functions.  (Additionally,  [CLP12]  note  that  if  assuming  the  existence  of  a 
single  hash  function  that  is  collision-resistant  against  uniform  adversaries,  their  protocol  can 
be  instantiated  also  in  the  plain  model  with  uniform  soundness.) 

On  a  technical  level,  both  our  work  and  theirs  provide  methods  for  overcoming  the  exponential 
blow-up  in  the  simulation  time  when  dealing  with  non-black-box  simulations,  but  the  actual 
details  of  the  methods  are  very  different:  [CLP  12]  increases  the  round-complexity  to  tackle 
this  blow-up,  and  relies  on  ideas  from  the  literature  on  concurrent  zero-knowledge  with  black¬ 
box  simulation  [RK99,  KP01,  PRS02];  as  a  result,  their  techniques  only  apply  in  the  context 
of  super- logarithmic  round  protocols.  In  contrast,  we  rely  on  P-certificates  to  overcome  the 
blow-up  and  obtain  a  constant-round  protocol. 

•  A  recent  work  by  Bitansky,  Canetti,  Chiessa,  Tronrer  [BCCT13]  present  techniques  for  com¬ 
posing  SNARKs  (succinct  non-interactive  arguments  of  knowledge)  for  NP;  roughly  speaking, 
[BCCT13]  shows  that  if  for  some  sufficiently  large  c,  any  non- deterministic  nc  computation 
can  be  proved  using  an  “argument  of  knowledge”  of  length  n  that  can  be  verified  in  time  n2, 
then  for  any  d.  every  non-deterministic  nd-tinre  computation  can  be  also  be  proved  (using  a 
SNARK  of  length  n  that  can  be  verified  in  time  n2).  This  is  achieved  by  having  the  prover 
first  generate  a  SNARK  for  each  subcomputation  of  nc  steps,  and  then  for  each  “chunk”  of  n 
SNARKs,  having  the  prover  prove  that  it  knows  SNARKs  that  are  accepted  for  all  these  sub¬ 
computations,  and  so  on  in  a  tree-like  fashion.  Finally,  the  prover  only  provides  the  verifier 
with  a  “top-level”  SNARK  that  it  knows  lower-level  SNARKs  that  proves  that  it  knows  even 
lower-level  SNARKs  etc.  This  type  of  proof  composition  was  previously  also  used  by  Valiant 
[Val08].  To  prove  that  this  type  of  composition  works  it  is  crucial  to  work  with  languages 
in  NP  (since  we  are  proving  statements  about  the  existence  of  some  SNARKs);  additionally, 
it  is  crucial  that  we  are  dealing  with  arguments  of  knowledge — SNARKs  of  false  statements 
may  exists,  so  to  guarantee  soundness,  the  prover  needs  to  show  that  not  only  appropriate 
SNARKs  exists,  but  also  that  it  “knows”  them. 

At  a  superficial  level,  our  simulator  strategy  also  uses  a  tree  of  “proofs” .  However,  rather  than 
proving  knowledge  of  lower-level  “proofs”  etc,  in  our  approach,  higher-level  P-certificates  are 
only  used  to  demonstrate  that  lower-level  P-certificates  have  been  deterministically  generated. 
As  a  consequence,  we  do  not  need  to  certify  non-deterministic  computations;  additionally,  we 

10  Our  results  and  theirs  were  developed  in  parallel 
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do  not  need  the  certificates  to  satisfy  an  argument  of  knowledge  property.  Indeed,  this  is 
what  allows  us  to  base  P-certificates  on  a  falsifiable  assumption. 
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2  Preliminaries 

Let  M  denote  the  set  of  positive  integers,  and  [n]  denote  the  set  {1,  2, . . . ,  n}.  We  denote  by  PPT 
probabilistic  polynomial  time  Turing  machines.  We  assume  familiarity  with  interactive  Turing 
machines,  denoted  ITM,  interactive  protocols.  Given  a  pair  of  ITMs,  A  and  R,  we  denote  by 
(A(x),  B(y))(z)  the  random  variable  representing  the  (local)  output  of  B,  on  common  input  z  and 
private  input  y,  when  interacting  with  A  with  private  input  x,  when  the  random  tape  of  each 
machine  is  uniformly  and  independently  chosen,  and  Views  ( A(x),B(y ))  (z)  the  random  variable 
representing  R’s  view  in  such  an  interaction.  The  term  negligible  is  used  for  denoting  functions 
that  are  (asymptotically)  smaller  than  one  over  any  polynomial.  More  precisely,  a  function  u(-) 
from  non- negative  integers  to  reals  is  called  negligible  if  for  every  constant  c  >  0  and  all  sufficiently 
large  n,  it  holds  that  v(n)  <  n~c. 

2.1  Witness  Relations 

We  recall  the  definition  of  a  witness  relation  for  a  NP  language  [GolOl]. 

Definition  1  (Witness  relation).  A  witness  relation  for  a  language  L  £  NP  is  a  binary  relation 
Rl  that  is  polynomially  bounded,  polynomial  time  recognizable  and  characterizes  L  by  L  =  {x  : 
3 ys.t .  (x,y)  £  Rl} 

We  say  that  y  is  a  witness  for  the  membership  x  £  L  if  (x,y)  £  Rl-  We  will  also  let  Rl(x) 
denote  the  set  of  witnesses  for  the  membership  x  £  L,  i.e.,  Rl(x)  =  {y  :  (x,y)  £  L}.  In  the 
following,  we  assume  a  fixed  witness  relation  Rl  for  each  language  L  £  NP. 

2.2  Computational  Indistinguishability 

The  following  definition  of  computational  indistinguishability  originates  in  the  seminal  paper  of 
Goldwasser  and  Micali  [GM84],  Let  A  be  a  countable  set  of  strings.  A  probability  ensemble  indexed 
by  A  is  a  sequence  of  random  variables  indexed  by  A.  Namely,  any  element  of  A  =  {Ax}xex  is  a 
random  variable  indexed  by  A. 

Definition  2  (Indistinguishability).  Let  A  be  a  countable  set.  Two  ensembles  {AU:X}n£x,x£ A"  and 
{Bn,x}n£N,x£X  are  said  to  be  computationally  indistinguishable  over  N  if  for  every  probabilistic 
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machine  D  (the  distinguisher)  whose  running  time  is  polynomial  in  its  first  input,  there  exists  a 
negligible  function  v{-)  so  that  for  every  n  E  N  and  x  £  X: 

|Pr  [a  £-  AniX  :  D(ln,  x,  a)  =  1]  -  Pr  [b  £-  B,,hX  :  D(ln,  x,  b)  =  1]|  <  v{n) 

2.3  Interactive  Proofs  and  Arguments 

We  recall  the  standard  definitions  of  interactive  proofs  [GMR89]  and  arguments  (a.k.a  computa¬ 
tionally  sound  proofs)  [BCC88].  In  our  definition  of  arguments,  we  distinguish  between  uniform 
soundness,  where  soundness  only  needs  to  hold  against  a  uniform  probabilistic  polynomial-time 
algorithms,  and  non-uniform  soundness,  where  it  holds  against  non-uniform  polynomial-time  algo¬ 
rithms.  Typically,  in  the  literature  on  zero- knowledge  argument,  non-uniform  soundness  is  more 
commonly  used  (but  there  are  exceptions,  see  e.g.,  [BP04a]).  We  find  the  uniform  model  of  com¬ 
putation  as  well-motivated  as  the  non-uniform  one;  see  e.g.,  [Gol93]. 

Definition  3  (Interactive  Proof  System).  A  pair  of  interactive  machines  ( P ,  V)  is  called  an  inter¬ 
active  proof  system  for  a  language  L  if  there  is  a  negligible  function  //(•)  such  that  the  following 
two  conditions  hold: 

•  Completeness:  For  every  n  £  A,  x  £  L,  and  every  w  £  Rl{x ), 

Pr[(P(w),P)(ln,x)  =  1]  =  1 

•  Soundness:  For  every  pair  of  machines  B i,  B2  and  every  n  £  N, 

Pr[(x,  z )  £-  B\(ln)  :  x  ^  L  A  (^(z),  V)(ln ,  x)  =  1]  <  v(n) 

If  the  soundness  condition  only  holds  against  all  polynomial-time  (resp.  non-uniform  polynomial¬ 
time)  machines  the  pair  (P.  V)  is  called  a  uniformly- sound  (resp.  non-uniformly  sound) 

interactive  argument  system. 

2.4  Witness  Indistinguishability 

An  interactive  protocol  is  witness  indistinguishable  (WI)  [FS90]  if  the  verifier’s  view  is  “indepen¬ 
dent”  of  the  witness  used  by  the  prover  for  proving  the  statement. 

Definition  4  (Witness-indistinguishability).  An  interactive  protocol  (P,  V)  for  L  £  NP  is  witness 
indistinguishable  for  Ri  if  for  every  PPT  adversarial  verifier  V*,  and  for  every  two  sequences 
{wn,x} n£N,x£Lr{o,i}poly(-ri'>  and  {wn,x} neN ,xeL such  that  wk,z>wl,x  G  Rl(x)  for  every 
n  £  N  and  x  £  Lfl{0,  i}Poly(n);  ^jie  following  ensembles  are  computationally  indistinguishable  over 
N: 

•  {View,,*  (P(iu^x),V*(z))  (ln,x)}n£Nt 

xeLn{o,i}p°ly(n)  ,26(0,1}* 

•  {View,,.  (P{wljX),  V*(z))  (1  n,*)}„ejv,xeLn{o,i}p‘>I»("),*e{o,i}* 
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2.5  Commitment  Schemes 

Commitment  protocols  allow  a  sender  to  commit  itself  to  a  value  while  keeping  it  secret  from 
the  receiver ;  this  property  is  called  hiding.  At  a  later  time,  the  commitment  can  only  be  opened 
to  a  single  value  as  determined  during  the  commitment  protocol;  this  property  is  called  binding. 
Commitment  schemes  come  in  two  different  flavors,  statistically  binding  and  statistically  hiding;  we 
only  make  use  of  statistically  binding  commitments  in  this  paper.  Below  we  sketch  the  properties 
of  a  statistically  binding  commitment;  full  definitions  can  be  found  in  [GolOl]. 

In  statistically  binding  commitments,  the  binding  property  holds  against  unbounded  adver¬ 
saries,  while  the  hiding  property  only  holds  against  computationally  bounded  (non-uniform)  ad¬ 
versaries.  The  statistical-binding  property  asserts  that,  with  overwhelming  probability  over  the 
randomness  of  the  receiver,  the  transcript  of  the  interaction  fully  determines  the  value  committed 
to  by  the  sender.  The  computational-hiding  property  guarantees  that  the  commitments  to  any  two 
different  values  are  computationally  indistinguishable. 

Non-interactive  statistically-binding  commitment  schemes  can  be  constructed  using  any  one-to- 
one  one-way  function  (see  Section  4.4.1  of  [GolOl]).  Allowing  some  minimal  interaction  (in  which 
the  receiver  first  sends  a  single  random  initialization  message),  statistically-binding  commitment 
schemes  can  be  obtained  from  any  one-way  function  [Nao91,  HILL99]. 

2.6  Universal  Arguments 

Universal  arguments  (introduced  in  [BG08]  and  closely  related  to  the  notion  of  CS-proofs  [MicOO]) 
are  used  in  order  to  provide  “efficient”  proofs  to  statements  of  the  universal  language  Ly  with 
witness  relation  defined  in  [BG08,  MicOO].  A  triplet  y  =  ( M,x,t )  €  Lu  if  the  non-deterministic 
machine  M  accepts  input  X  within  t  <  T(|x|)  steps,  for  a  slightly  super-polynomial  function 
T(n)  =  nloglogn.  We  denote  by  Tm(x,w)  the  running  time  of  M  on  input  x  using  the  witness  w. 
Notice  that  every  language  in  NP  is  linear  time  reducible  to  Ly.  Thus,  a  proof  system  for  Ly 
allows  us  to  handle  all  NP-statements.  Below  we  recall  the  definition  in  [BG08]. 

Definition  5  (Universal  argument).  A  pair  of  interactive  Turing  machines  (P.V)  is  called  a  uni¬ 
versal  argument  system  if  it  satisfies  the  following  properties: 

•  Efficient  verification:  There  exists  a  polynomial  p  such  that  for  any  y  =  ( M,x,t ),  the  total 
time  spent  by  the  (probabilistic)  verifier  strategy  V,  on  common  input  ln,  y.  is  at  most 
p(n  +  |y|).  In  particular,  all  messages  exchanged  in  the  protocol  have  length  smaller  than 
p{n+\y\). 

•  Completeness  by  a  relatively  efficient  proven:  For  every  n  G  N ,  y  =  (Af,  x,  t )  6  Ly  and  w  in 

Rw(y), 

Pr[(P(w),V)(ln,  (M,x,t))  =  1]  =  1 

Furthermore,  there  exists  a  polynomial  q  such  that  the  total  time  spent  by  P(w),  on  common 
inputs  ln  and  (Af,  x,  t),  is  at  most  q(n  +  |y|  +  Tm(x,  w ))  <  q(n  +  |y|  +  t). 

•  Computational  Soundness:  For  every  polynomial  size  circuit  family  {P*}nejv,  there  is  a  neg¬ 
ligible  function  v,  such  that,  for  every  n  6  N  and  every  triplet  (. M,x,t )  G  {0,  l}P°U(n)  \  f,w, 

Pr[(P*,U)(ln,(M,s,t))  =  l]  <i/(n) 
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•  Weak  proof  of  knowledge:  For  every  positive  polynomial  p  there  exists  a  positive  polynomial 
p'  and  a  probabilistic  polynomial-time  oracle  machine  E  such  that  the  following  holds:  for 
every  polynomial-size  circuit  family  {P*}neN,  every  sufficiently  large  n  £  N  and  every  y  = 
(M,  x,  t)  £  {0,l}poly(n)  if  Pr[(P*,  V)(ln,  y)  =  1]  >  1  /p(n)  then 

Pr[3u;  =  wi,. .  .wt  €.Ru{y)  s.t.  Vi  £  [t],  E^  (ln,  y,  i)  =  wf\  >  —j— 
r  p  (n  j 

def 

where  R^(y)  =  {w  :  (y,w)  £  R^}  and  Ern(-7  •,  •)  denotes  the  function  defined  by  fixing  the 
random-tape  of  E  to  equal  r,  and  providing  the  resulting  Er  with  oracle  access  to  P*. 

The  weak  proof-of-knowledge  property  of  universal  arguments  only  guarantees  that  each  indi¬ 
vidual  bit  Wi  of  some  witness  w  can  be  extracted  in  probabilistic  polynomial  time.  Given  an  input 
ln  and  y  =  (. M,x,t )  in  Ly  n  {0,  l}poly(n);  since  the  witness  w  £  R u(y)  is  of  length  at  most  t,  it 
follows  that  there  exists  a  extractor  running  in  time  polynomial  in  poly(n)  •  t  that  extracts  the 
whole  witness;  we  refer  to  this  as  the  global  proof-of-knowledge  property  of  a  universal  argument. 

The  notion  of  witness  indistinguishability  of  universal  argument  for  R^  is  defined  similarly 
as  that  for  interactive  proofs/arguments  for  NP  relations;  we  refer  the  reader  to  [BG08]  for  a 
formal  definition.  [BG08]  (based  on  [MicOO,  Kil95] )  presents  a  witness  indistinguishable  universal 
argument  based  on  the  existence  of  families  of  collision-resistant  hash  functions. 

2.7  Concurrent  Zero-Knowledge 

An  interactive  proof  is  said  to  be  zero-knowledge  if  it  yields  nothing  beyond  the  validity  of  the 
statement  being  proved  [GMR89]. 

Definition  6  (Zero- knowledge).  An  interactive  protocol  (P,  V)  for  language  L  is  zero-knowledge 
if  for  every  PPT  adversarial  verifier  V* ,  there  exists  a  PPT  simulator  S  such  that  the  following 
ensembles  are  computationally  indistinguishable  over  n  £  N: 

•  {Viewv*  ( P(w),V*(z ))  (ln ,  x)} n£NtX£Ln{01poiy(n) ,w(zRL(x)tZe{o,i}poly{n) 

•  {S(in,x,A>}neJV)  xeLn{o,i}p°ly(n\weRL(x),ze{o,i}polyW 

In  this  work  we  consider  the  setting  of  concurrent  composition.  Given  an  interactive  protocol 
(P,  V)  and  a  polynomial  rn.  an  m-session  concurrent  adversarial  verifier  V*  is  a  PPT  machine  that, 
on  common  input  x  and  auxiliary  input  z,  interacts  with  up  to  m{\x\)  independent  copies  of  P 
concurrently.  The  different  interactions  are  called  sessions.  There  are  no  restrictions  on  how  V* 
schedules  the  messages  among  the  different  sessions,  and  V*  may  choose  to  abort  some  sessions 
but  not  others.  For  convenience  of  notation,  we  overload  the  notation  Viewv*  ( P ,  V*(z))  ( ln,x )  to 
represent  the  view  of  the  cheating  verifier  V*  in  the  above  mentioned  concurrent  execution,  where 
F*’s  auxiliary  input  is  z,  both  parties  are  given  common  input  ln,  x  £  L,  and  the  honest  prover 
has  a  valid  w  witness  of  x. 

Definition  7  (Concurrent  Zero-Knowledge  [DNS04]).  An  interactive  protocol  (P,V)  for  language 
L  is  concurrent  zero- knowledge  if  for  every  concurrent  adversarial  verifier  V*  (i.e.,  any  m-session 
concurrent  adversarial  verifier  for  any  polynomial  m),  there  exists  a  PPT  simulator  S  such  that 
following  two  ensembles  are  computationally  indistinguishable  over  n  £  N. 

•  {Viewy*  ( P(w),V*(z ))  (ln,  a;)}nejv,a;ein{0,i}poiy(TO),we7?.i(x),ze{0,i}poly(n) 

•  {S(in,x,z)}n6JV)  a;eLn{0,l}Poly(™),«)e7eL(a;)ye{0,l}poly(n) 
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2.8  Forward  Secure  PRG 


Roughly  speaking,  a  forward-secure  pseudorandom  generator  (PRG)  (first  formalized  by  [BY03], 
but  early  usages  go  back  to  [BH92])  is  a  pseudorandom  generator  where  the  seed  is  periodi¬ 
cally  updated — thus  we  have  a  sequence  of  seeds  si,  S2,  ■  ■  ■  generating  a  pseudorandom  sequence 
qi,  <72,  •  •  • — such  that  if  the  seed  s*  is  exposed  (and  thus  the  “later”  sequence  qt+i,  qt+ 2,  •  •  •  is  also 
exposed),  the  “earlier”  sequence  qi,...,qt  still  remains  pseudorandom. 

We  provide  a  simple  definition  of  a  forward  secure  pseudorandom  generator,  where  the  “expo¬ 
sure”  time  t  is  statically  selected.11 

Definition  8  (Forward-secure  Pseudorandom  Generator).  We  say  that  a  polynomial-time  com¬ 
putable  function  G  is  a  forward  secure  Pseudo-Random  Generator  (fsPRG)  if  on  input  a  string 
s ,  and  £  6  N,  it  outputs  two  sequences  (si,  S2,  ■  ■  ■  S()  and  (<?i,  (72,  ■  •  • ,  qe)  such  that  the  following 
properties  hold: 

•  Consistency:  For  every  n,£  6  N,  s  G  {0,  l}n,  the  following  holds 

-  if  G(s,i)  =  ((si,s),(qi,q)),  then  G(s u£-  1)  =  (s,q). 

•  Forward  Security:  For  every  polynomial  p,  the  following  ensembles  are  computationally  in¬ 
distinguishable 

~  Is  Un,(s,q)  -f-  G(s,£)  :  st,q<t}neN,£e\p(n)],te[e\ 

-  {st  Un,q  <(—  (UnY  :  st,q<t}neN,ee\p(n)],te[ei 

where  XJn  is  the  uniform  distribution  over  {0, 1}"  and  q<t  =  (qi,  ■ . . ,  qt)- 

Any  (traditional)  PRG  implies  the  existence  of  a  forward  secure  PRG;  thus  by  the  result  of 
[HILL99]  the  existence  of  forward  secure  PRGs  are  implied  by  the  existence  of  one-way  functions. 

In  our  application  of  forward  secure  PRGs,  we  will  use  the  outputs  of  the  PRG  in  reverse 
order ,  and  thus  write  G(s,  £)  =  (s£,  S£- 1, . . .  si),  (q£,  qe~i, . . . ,  qi).  As  a  consequence,  we  may  reveal 
a  seed  St  “explaining”  the  “earlier”  sequence  ((st~  1, . . .  si),  (qt- 1, . . . ,  q\ ))  while  guaranteeing  that 
the  “later”  sequence  (qt,  ■  ■  -  qt)  still  is  indistinguishable  from  random. 

3  P-certificates 

In  this  section  we  define  the  notion  of  P-certificates.  On  a  high-level,  P-certificates  can  be  viewed 
as  an  analogue  of  Micali’s  CS-proofs  [MicOO],  but  where  we  restrict  to  languages  in  P.  As  we  shall 
see,  by  restricting  to  languages  in  P,  we  can  make  the  soundness  condition  of  (a  restricted  class 
of)  P-certificates  falsifiable. 

Roughly  speaking,  we  say  that  (P,  V)  is  a  P -certificate  system  if  ( P ,  V)  is  a  non-interactive  proof 
system  (i.e.,  the  prover  send  a  single  message  to  the  verifier,  who  either  accepts  or  rejects)  allowing 
an  efficient  prover  to  convince  the  verifier  of  the  validity  of  any  deterministic  polynomial-time 
computation  M(x)  =  y  using  a  “certificate”  of  some  fixed  polynomial  length  (independent  of  the 
size  and  the  running-time  of  M)  whose  validity  the  verifier  can  check  in  some  fixed  polynomial  time 
(independent  of  the  running-time  of  M );  that  is,  any  deterministic  polynomial-time  computation 
can  be  certified  using  a  “short”  certificate  that  can  be  “quickly”  verified. 

nThe  definition  of  [BY03]  allows  an  attacker  to  adaptively  select  the  exposure  time  t.  For  our  purposes  the  simpler 
non-adaptive  notion  suffices. 
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To  formalize  this,  we  consider  the  following  canonical  languages  for  P:  for  every  constant  c  E  N, 
let  Lc  =  {( M,x,y )  :  M (x)  =  y  within  \x\c  steps}.  Let  Tm(x )  denotes  the  running  time  of  M  on 
input  x. 

Definition  9.  A  pair  of  probabilistic  interactive  Turing  machines,  (-PCert,  Fcert),  is  a  P -certificate 
system  if  there  exist  polynomials  gp,gvA  such  that  the  following  holds: 

•  Efficient  Verification:  On  input  c  >  1,  lk  and  a  statement  q  =  (. M ,  x,y)  E  Lc,  and  7r  €  {0, 1}*, 
i4ert  runs  in  time  at  most  gv(k  +  |(/|); 

•  Completeness  by  a  Relatively  Efficient  Proven.  For  every  c,d  E  N,  there  exists  a  negligible 
function  y  such  that  for  every  k  E  N  and  every  q  =  ( M,x,y )  E  Lc  such  that  |c/|  <  kd, 

Pr[7T  <—  PCert(c,  lk ,  q)  :  Kert(c,  lfc,<?,7r)  =  1]  >  1  -  //(fc) 

Furthermore,  Pcert  on  input  (c,  lfc,(?)  outputs  a  certificate  of  length  t{k)  in  time  bounded  by 
gp{k  +  \M  |  +  Tm{x)). 

•  Soundness :  For  every  c  E  IV,  and  every  PPT  P* ,  there  exists  a  negligible  function  y  such 
that  for  every  k  E  IV, 

Pr[(g,  7r)  E-  P*(c,  lfc)  :  Pcert(c,  1A',  q,  7r)  =  1  A  g  ^  Lc]  <  /r(fc) 

We  also  consider  a  stronger  soundness  condition  stipulating  that  soundness  holds  even  if  the  at¬ 
tacker  selects  a  slightly  super-polynomial-size  statement  and  specifies  some  slightly  super-polynomial 
runtime. 

•  Strong  Soundness:  There  exists  some  “nice”  super-polynomial  function12  T{k )  E  and 

some  “nice”  super-constant  function13  C(-)  E  w(l)  such  that  for  every  probabilistic  algorithm 
P*  with  running-time  bounded  by  T(-),  there  exists  a  negligible  function  y,  such  that,  for 
every  k  E  N,  c<  C(k ) 

Pr[(c,  q,  7r)  E-  P*(lk)  :  Pcert(c,  1A',  q,  vr)  =  \  l\qfL  Lc]  <  y(k) 

We  say  that  (-PCert5  Pcert)  is  a  statistically -sound  P -certificate  system  (resp.  statistically  sound  strong 
P- certificate  system  if  the  soundness  condition  holds  also  against  (unbounded)  P*  with  polynomially- 
bounded  (resp.  T(-)-bounded)  output. 

Remark  1.  The  reason  that  we  do  not  consider  a  notion  of  computational  soundness  with  respect  to 
non-uniform  polynomial-time  attackers  is  that  such  a  notion  is  equivalent  to  statistical  soundness: 
if  an  accepting  proof  of  a  false  statement  exists,  a  non-uniform  efficient  attacker  can  simply  get 
it  as  non-uniform  advice.  Nevertheless,  it  still  makes  sense  to  consider  a  notion  of  a{-)- bounded- 
non-uniform  soundness,  where  soundness  holds  for  attacker  that  on  input  the  security  parameter 
1A’  additionally  receive  a(k )  bits  of  non-uniform  advice.  Our  results  regarding  uniform  soundness 
directly  extend  also  to  the  regime  of  bounded  non-uniform  soundness. 

As  we  shall  see  shortly,  a  candidate  construction  of  a  (computationally-sound)  P-certificate 
systems  comes  from  Micali’s  CS-proofs  [MicOO].  We  also  note  that  the  assumption  that  statistically- 
sound  strong  P-certificates  exists  is  implied  by  the  assumption  that  1)  DTIME(nw Pi)  C  N P  and 
2)  NP  proofs  for  statements  in  DTIMEft )  can  be  found  in  time  polynomial  in  t  [BLV06].  (In 
essence,  the  assumption  says  that  non-determinism  can  slightly  speed-up  computation,  and  that 
the  non-deterministic  choices  can  be  found  efficiently,  where  efficiency  is  measured  in  terms  of  the 
original  deterministic  computation.) 

12 For  instance,  T{n )  =  nlogloglos". 

13For  instance,  C(k)  =  log  log  log  n. 
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3.1  Time-Representation  Invariant  P-certificates 

At  first  sight  it  may  seem  that  since  we  consider  only  languages  in  P,  the  sound  (resp.,  strongly 
soundness)  condition  of  P-certificates  is  falsifiable  [Pop63,  Nao03]:  we  should  be  able  to  efficiently 
test  if  an  attacker  outputs  a  valid  proof  of  an  incorrect  statement,  since  whether  a  statement  is 
correct  or  not  can  be  checked  in  deterministic  polynomial  time. 

This  intuition  is  somewhat  misleading:  recall  that  soundness  needs  to  hold  for  all  polynomial¬ 
time  computations,  where  the  time-bound  nc  may  be  selected  by  the  attacker  trying  to  break 
soundness.  Since  there  is  no  a-priori  constant  bound  on  c,  the  attacker  may  make  the  test  (checking 
whether  soundness  was  broken)  run  in  super-polynomial-time  (by  selecting  a  large  c.)  The  situation 
is  even  worse  for  the  case  of  strongly  sound  P-certificates. 

At  first  one  may  think  that  this  issue  can  be  easily  resolved  by  restricting  to  certificate  systems 
where  the  prover  is  asked  to  provide  an  upper-bound  on  the  running-time  of  M  in  unary;  this 
certainly  makes  the  soundness  condition  falsifiable,  but  such  certificates  are  no  longer  “short”.  We 
overcome  this  issue  by  allowing  for  a  more  flexible  representation  of  (upper-bound  on)  the  running¬ 
time  of  M,  and  restrict  to  time-representation  invariant  P-certificates — namely  proof  systems  where 
whether  the  verifier  accepts  a  proof  of  a  statement  x  does  not  depend  on  how  the  time-bound  is 
represented.  For  a  time-invariant  P-certificate,  it  suffices  to  define  soundness  in  the  case  that  the 
attacker  specifies  the  running-time  bound  in  unary;  by  the  time-representation  invariance  condition, 
this  implies  soundness  also  for  other  (more  efficient)  representations. 

Towards  this,  we  consider  an  alternative  variant  of  canonical  languages  in  P:  for  every  constant 
c  £  N,  let  L'c  =  {( M ,  x ,  y,  ln)  :  M (x)  =  y  within  nc  steps}. 

Definition  10.  A  pair  of  probabilistic  interactive  Turing  machines,  ( Pcert ,  Wert),  is  a  time-representation 
invariant  P-certificate  system  if  there  exist  polynomials  gp,gv,£  such  that  the  following  holds: 

•  Efficient  Verification:  On  input  c  >  1,  lk  and  a  statement  q  =  (M,x,y,  ln)  £  Z/c,  and 
7r  £  {0, 1}*,  Kert  runs  in  at  most  gvifi  +  \q\)  time. 

•  Time- Representation  Invariant  Verification:  There  exists  a  negligible  function  y  such  that 
every  c,c,n,h,  such  that  nc  =  hc ,  every  k  £  N  and  every  ( M,x,y )  £  {0,1}*  and  every 
certificate  it  £  {0, 1}*, 

I  Pr[Vrcert(c,  lfc,  (. M,x,y ,  ln),7r)  =  1]  -  Pr[Pcert(c,  lk,  (. M,x,y ,  ln),vr)  =  1]|  <  y(k) 

•  Completeness  by  a  Relatively  Efficient  Prover.  For  every  c,d  £  N,  there  exists  a  negligible 
function  y  such  that  for  every  k  £  N  and  every  q  =  (M,  x,  y,  ln)  £  L'c  such  that  |c/|  <  kd, 

Pr[7T  £-  PCert(c,  lk ,  q)  :  Kert (c,  lk ,  q,  7r)  =  1]  >  1  -  y(k) 

Furthermore,  Pcert  on  input  (c,lk,q)  outputs  a  certificate  of  length  at  most  £(k)  in  time 
bounded  by  gp(k  +  \M\  +  nc ). 

•  Soundness  for  L{:  For  every  PPT  P* ,  there  exists  a  negligible  function  y  such  that  for  every 
k  £  N, 

pr[(g,7r)  £-  P*( lk)  :  Vcert(lfik ,q,Ti)  =  1  A  q  <£  L[\  <  y{k) 

We  say  that  (PCert,  Pcert)  is  a  strong  time-representation  invariant  P-certificate  system  if  there 
exists  some  “nice”  T(k )  £  kP^  such  that  the  soundness  for  condition  holds  with  respect 
to  all  probabilistic  algorithms  with  running-time  bounded  by  T(-).  We  say  that  (Pcert-  Kert)  is 
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a  statistically- sound  time-representation  invariant  P -certificate  system  (resp.  statistically  sound 
strong  time-representation  invariant  P -certificate  system)  if  the  soundness  for  L'x  condition  holds 
also  against  (unbounded)  P*  with  polynomially-bounded  (resp.  T(-)-bounded)  output. 

Note  that  the  soundness  condition  of  time-representation  invariant  P-certificates  is  clearly  fal- 
sihable  since  checking  whether  the  attacker  actually  outputs  a  statement  q  c[  L ^  can  be  done  in 
linear-time  in  the  length  of  the  statement,  and  verification  of  a  certificate  n  for  a  statement  q  can 
be  done  in  polynomial-time  by  definition. 

Let  us  briefly  outline  a  candidate  construction  of  time-representation  invariant  P-certificates 
(where  both  Pcert  and  Vcert  are  deterministic). 

A  Candidate  Construction  Based  on  CS-proofs.  Micali’s  CS  proofs  [MicOO]  are  obtained  by 
first  constructing  a  public-coin  4-round  interactive  argument  for  NEXP  (similar  to  the  “succinct” 
4-round  interactive  argument  for  NP  of  [Kil95] )  and  then  eliminating  interaction  through  the  Fiat- 
Shamir  paradigm  [FS90]:  that  is,  the  verifier’s  random  message  are  generated  by  applying  a  random 
oracle  to  the  prover’s  messages,  and  next  the  random  oracle  may  be  instantiated  with  a  concrete 
family  of  hash  function  {hk}k&N-  More  precisely,  CS  proofs  are  used  to  prove  membership  of  the 
CS  language  Lqs  with  witness  relation  Rqs  as  defined  in  [MicOO].  A  quadruple  ( M,x,y,t )  G  Lqs 
iff  the  lengths  of  x  and  y  are  smaller  than  t  and  M(x)  =  y  in  t  steps.  Roughly  speaking,  to  prove 
a  statement  q  =  (M,x,y,t),  the  prover,  on  input  a  security  parameter  lfc,  proceeds  in  two  steps. 
In  the  first  step,  it  constructs  a  PCP  (Probabilistically  Checkable  Proof)  [BFLS91,  FGL+91]  proof 
7 t1  for  q  and  computes  a  Merkle’s  hash  tree  [Mer89]  with  it'  as  the  leaves  using  a  hash  function 
hk,  producing  a  root  r.  Then,  in  the  second  step,  it  computes  a  polylogarithmic  number  l  of  PCP 
queries,  determined  by  the  hash  value  hk{r );  for  each  PCP  query  i,  it  finds  the  authentication 
path  a,  that  reveals  the  corresponding  PCP  answer  6j.  Finally,  the  prover  sends  a  CS  proof 
7T  =  1 1| r || || ai||  •  •  ■  1 1 1 1 a;.  The  verifier,  on  input  a  statement  x  and  such  a  proof  7r,  checks  whether 
all  the  authentication  paths  are  accepting  w.r.t.  r,  recomputes  the  PCP  queries  using  hk(r)  and 
checks  whether  all  the  PCP  answers  are  accepting. 

In  our  language  L'c,  recall  that  a  statement  is  of  form  q  =  ( M,x,y ,  1").  The  prover  and  the 
verifier  on  input  c,  and  q  can  thus  recover  a  time  bound  t  by  computing  nc  and  then  recover 
the  corresponding  CS  language  instance  ( M,x,y,t ),  and  next  simply  runs  the  prover  and  verifier 
algorithms  of  CS-proofs.  By  construction  it  follows  that  the  above  construction  satisfies  prover’s 
relative  efficiency  and  completeness.  Additionally,  since  the  verification  procedure  only  depends  on 
the  time  bound  t  =  nc,  and  not  on  the  values  of  n  and  c,  the  verification  procedure  also  has  the 
time-representation  invariance  property. 

Finally,  in  our  eyes,  assuming  that  the  above  construction  satisfies  the  soundness  condition  of 
time-representation  invariant  P-certificates  is  a  reasonable  and  “well-behaved”  complexity  theoretic 
assumption:  on  a  qualitatively  level,  the  assumption  is  not  very  different  from  the  assumption 
that  e.g.,  the  Full  Domain  Hash  [BR93]  or  Schnorr  [Sch91]  signature  schemes  are  existentially 
unforgeable:  1)  whether  an  attacker  succeeds  can  be  efficiently  checked,  2)  no  attacks  are  currently 
known,  and  3)  the  “design-principles”  underlying  the  constructions  rely  on  similar  intuitions  (e.g., 
that  instantiating  random-oracles  with  hash  functions  in  “natural”  schemes  lead  to  secure  protocol). 

Finally,  recall  that  Micali’s  CS-proofs  rely  on  the  Fiat-Shamir  heuristic,  which  in  general  may 
result  in  unsecure  schemes  [BarOl,  GK03];  however,  note  that  whereas  Micali’s  construction  is  un¬ 
conditionally  secure  in  the  random  oracle  model,  the  counterexamples  of  [BarOl,  GK03]  extensively 
rely  on  the  underlying  protocol  only  being  computationally  secure;  as  such,  at  this  time,  we  have  no 
reason  to  believe  that  the  Fiat-Shamir  heuristic  does  not  work  for  Micali’s  protocol  (or  any  other 
protocol  that  is  unconditionally  secure  in  the  random  oracle  model). 
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Time  Representation  Invariant  P-certificates  in  the  CRS  model  In  the  CRS  model,  we 
may  additionally  assume  that  Micali’s  CS-proofs  satisfy  non-uniform  computational  soundness. 
Additionally,  several  recent  works  provide  constructions  of  “SNARGs”  (succinct  non-interactive 
arguments)  for  NP  in  the  CRS  model  [GrolO,  Lipl2,  BCCT13,  GGPR13];  such  constructions 
are  trivially  P-certificates  with  non-uniform  comptuational  soundness  in  the  CRS  model.  It  follows 
using  exactly  the  same  argument  as  above  that  these  new  constructions  also  are  time-representation 
invariant. 

From  Time-Representation  Invariant  P-certificates  to  P-certificates  As  we  now  show, 
time-representation  invariant  P-certificates  imply  P-certificates. 

Theorem  1.  Assume  the  existence  of  a  time-representation  invariant  P -certificate  system  ( resp . 
a  strong  time-representation  invariant  P -certificate  system)  (P(.en,Vfert)-  Then,  there  exists  a  P- 
certificate  system  (resp.  a  strong  P -certificate  system)  (Pcen,  Rcert)-  Furthermore  if  (P(ert,  Cert) 
statistically  sound  (resp.  statistically  strong  sound),  then  (PCerti  kcert)  is  so  as  well. 

Proof.  Let  (P(ert,Vfert)  be  a  time-representation  invariant  P-certificate  system.  Consider  a  P- 
certificate  system  (Pcert,  Cert)  where  PCert  and  Vcert  simply  runs  P(en  and  Vfert  respectively  with  n 
fixed  to  the  length  of  the  input  x.  More  precisely,  -PCert  on  input  c,  1A:  and  a  statement  q  =  (M,  x,  y)  £ 
Lc,  lets  q'  =  (M,x,y,  1^1)  £  L'c,  runs  P(.en(c,lk,q')  and  outputs  whatever  P(ert  outputs.;  Vcert  on 
input  (c,  lfc,  q,  7 r)  computes  q'  in  exactly  the  same  way,  runs  Vc !ert(c,  lk,  q',  n)  and  outputs  the  verdict 
of  Vfert.  It  follows  from  the  relative  prover  efficiency  and  completeness  properties  of  (P(ert,Vfert) 
that  (Pcert,  Rcert)  also  satisfies  relative  prover  efficiency  and  completeness.  Let  us  turn  to  soundness. 
We  only  prove  the  case  of  strong  soundness  (assuming  that  (Pce rt,  Vcert)  is  strongly  sound),  all  the 
other  cases  follow  analogously. 

Assume  for  contradiction  that  for  every  T(k )  £  kP^  and  C(k)  £  tu(l),  there  exists  a  T(k)~ time 
cheating  prover  A ,  and  a  polynomial  p  such  that  for  infinitely  many  k  £  N  and  <  C(k ),  it 
holds  that  the  probability  that  A(\k)  outputs  c &,  a  false  statement  q  =  (M,x,y)  0  LCk  and  a 
certificate  7r  for  q  £  LCk  that  is  accepted  by  Ucert  (that  is,  Vcert(ck,  lk,q,ir)  =  1)  is  at  least  l/p(k). 
Fix  some  arbitrary  function  T'{k )  £  fcC1).  Let  T(k)  £  kP^  and  C(k)  £  w(l)  be  two  functions 
such  that  T(k)c (fc)  <  T'{k).  By  our  assumption,  there  exists  a  cheating  prover  A  that  violates  the 
strong  soundness  property  of  (Pcert,  Kert)  w.r.t.  the  functions  T(k)  and  C(k)  with  some  polynomial 
probability  l/p(k).  Using  A,  we  construct  another  cheating  prover  A1  that  violates  the  strong 
soundness  for  L\  of  (P(en-  lPert)  w.r.t.  function  T'{k )  with  the  same  probability  l/p(k).  Machine  A' 
on  input  lk  simply  runs  A(lk)  to  obtain  c^,  q  =  ( M,x,y )  and  7r;  it  then  sets  n  =  \x\Ck  and  outputs 
q'  =  ( M,x,y ,  ln)  and  7 r.  Clearly,  A'  runs  in  time  T{k)c W  <  T'(k).  By  construction  of  UCert,  the 
probability  that  Ucert(cfc,  lk ,  q,  7r)  =  1  is  the  same  as  the  probability  that  Uc/ert(cfc,  lfc,  q,  i r)  =  1,  where 
q  =  (M,  x,  y,  1^1).  Furthermore,  by  the  time- representation-invariance  of  VferV  the  probability  that 
V(en(ck,  lfc,  q,  7r)  =  1  is  negligibly  close  to  the  probability  that  Vrc/ert(l,  lfc,  q' ,  7r)  =  1.  It  follows 
that  A '  (whose  running-time  is  bounded  by  T'{k ))  outputs  accepting  proofs  of  false  statements 
with  probability  negligibly  close  to  for  infinitely  many  k  £  N.  Since  the  above  holds  for  any 
function  T'(k),  we  have  that  (P(en,  Vfert)  is  not  strongly  sound  for  L\ ,  which  is  a  contradiction.  □ 

4  Constant-round  Concurrent  ZK) 

In  this  section,  we  present  our  construction  of  a  constant-round  concurrent  ZKL  protocol.  To 
simplify  the  exposition  (and  following  the  description  in  the  introduction),  as  a  warm-up,  we  first 
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present  a  protocol  that  only  uses  one  level  of  P-certificates  and  thus  only  handles  a  bounded 
number,  0(m(n)),  of  concurrent  executions;  we  refer  to  this  protocol  as  “Protocol  1”.  We  then 
generalize  Protocol  1  and  describe  a  protocol  that  uses  k  levels  of  certificates  and  can  handle  0(nk) 
concurrent  executions;  we  refer  to  this  protocol  as  “Protocol  fc”.  By  setting  k  to  be  super-constant, 
say,  k  =  log  n,  we  obtain  a  (fully)  concurrent  ZIC  protocol. 

4.1  Protocol  1 

We  proceed  to  describe  Protocol  1,  (Pi,  V\ ),  which  we  prove  is  m-bounded  concurrent  zero- knowledge. 
The  protocol  relies  on  the  following  primitives: 

•  A  commitment  scheme  com:  for  simplicity  of  presentation,  we  assume  that  com  is  a  non¬ 
interactive  commitment  scheme,  but  the  protocol  can  be  modified  in  a  straight-forward  way 
to  work  for  any  two-message  commitment  scheme  (as  in  [Nao91]). 

•  A  strong  P-certificate  system  (Pce rtilcert)  with  parameter  T(-)  and  C'(-),  where  T(-)  is  a 
“nice”  super-polynomial  function  and  C{- )  is  a  “nice”  super-constant  function:  for,  simplicity 
of  exposition,  we  assume  that  both  Pcert  and  Pcert  are  deterministic.  We  discuss  in  Section 
4.3  how  to  modify  the  protocol  to  also  handle  randomized  P-certificate  systems. 

•  A  family  of  hash  functions  {'Hn}n-  to  simplify  the  exposition,  we  here  assume  that  both 
com  and  {Pn}n  are  collision  resistant  against  circuits  of  size  T'(-),  where  T'(-)  is  “nice” 
super-polynomial  function.  As  in  [BG02],  this  assumption  can  be  weakened  to  just  collision 
resistance  against  polynomial-size  circuits  by  modifying  the  protocol  to  use  a  “good”  error- 
correcting  code  ECC  (i.e.,  with  constant  distance  and  with  polynomial-time  encoding  and 
decoding),  and  replace  commitments  com(/i(-))  with  com(/i(ECC(-))). 

Let  us  now  turn  to  specifying  the  protocol  (Pi,  Vj ).  The  protocol  makes  use  of  three  parameters: 
m(-)  is  a  polynomial  that  upper  bounds  the  number  of  concurrent  sessions;  T(-)  is  a  “nice”  super¬ 
polynomial  function  such  that  T(n),T' (n)  £  T(n)“’^1\  and  D(-)  is  a  “nice”  super-constant  function 
such  that  D(n)  <  C(n).  Let  m  =  m{n ),  T  =  T(n)  and  D  =  D(n).  In  the  description  below,  when 
discussing  P-certificates,  we  always  consider  the  language  Lp. 

The  prover  Pi  and  the  verifier  V±,  on  common  input  ln  and  x  and  private  input  a  witness  w  to 
Pi,  proceed  as  follow: 

Phase  1:  Pi  and  V\  exchanges  the  following  three  messages. 

1.  Vi  chooses  a  randomly  sampled  hash  function  h  <—  T-Ln. 

2.  Pi  sends  a  commitment  to  0n  using  com. 

3.  V\  replies  with  a  random  “challenge”  r  of  length  3 mn. 

Phase  2:  Pi  gives  a  WIUA  argument  of  the  statement  that  either  x  £  L  OR  there  exists  Si  £ 
{0,  l}r*-n\  j  £  [m],  s  £  {0,  l}n,  7 r  £  {0,  l}n,  a  £  {0,  l}r(n\  p,  such  that 

1.  Commitment  Consistency:  c  =  com(/i(5i);  p), 

2.  Input  Certification:  |oj  <  2 mn, 

3.  Prediction  Correctness:  7r  certifies  that  S\(ln,j,s,a)  =  r. 

A  formal  description  of  the  protocol  can  be  found  in  Figure  4  and  5. 
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Protocol  1 


Common  Input:  A  security  parameter  ln  in  unary  and  an  instance  a:  of  a  language  L  £  NP  with 
witness  relation  R^. 

Parameters:  m  =  m(n)  is  an  upper  bound  on  the  number  of  concurrent  sessions.  T  =  T(n)  and 
D  =  D{n )  are  respectively  upper  bounds  on  the  size  of  the  committed  program  and  the  time 
bound. 

Phase  1: 

V\  —►Pi:  Send  h  ■£-  'Hn. 

P[  — ►  V\ :  Send  c  =  com(0";  p). 

Pi  -►  Pi:  Send  r  {0,  l}3mn. 

Phase  2: 

Pi  «=>  p  :  A  WIUA  (Pua,  Pja)  proving  the  OR  of  the  following  statements: 

1.  3  w  £  {0,  i}poly(M)  s  ^  Rl(x,  w)  =  1. 

2.  3  (Suj,s,Tr,<T,p)  s.t.  R s({h,c,r) ,  (Sltj,s, n,a,p))  =  1. 


Figure  4:  A  public-coin  non-black-box  bounded  concurrent  zero- knowledge  protocol. 


Our  Simulator.  As  explained  in  the  introduction,  the  goal  of  our  simulator  is  to  try  to  “commit 
to  its  own  code”  in  a  way  that  prevents  a  blow-up  in  the  running-time.  Note  that  in  our  protocol, 
the  only  expensive  part  of  the  generation  of  the  WIUA  is  the  generation  of  the  P-certificates  7 r;  the 
rest  of  the  computation  has  a-priori  bounded  complexity  (depending  only  on  the  size  and  running¬ 
time  of  V*).  To  take  advantage  of  this  observation,  we  thus  have  the  simulator  only  commit  to  a 
program  that  generates  prover  messages  (in  identically  the  same  way  as  the  actual  simulator),  but 
getting  certificates  7r  as  input. 

In  more  detail,  to  describe  the  actual  simulator  S,  let  us  first  describe  two  “helper”  simula¬ 
tors  S'i ,  S‘2-  Roughly  speaking,  Si  is  an  interactive  machine  that  simulates  prover  messages  in  a 
“right”  interaction  with  V* .  Additionally,  S\  is  expecting  some  “external”  messages  on  the  “left”; 
these  “left”  messages  will  be  certificates  provided  by  S-2-  See  Figure  1  in  the  introduction  for  an 
illustration  of  the  communication  patterns  between  Si ,  S2  and  V* . 

Let  us  turn  to  a  formal  description  of  the  Si  and  S2.  To  simplifiy  the  exposition,  we  assume 
w.l.o.g  that  V*  has  its  non-uniform  advice  z  hard-coded,  and  is  deterministic  (as  it  can  always  get 
its  random  tape  as  non-uniform  advice). 

On  a  high-level,  Si(ln,  x,  M,  s,  £)  acts  as  a  prover  in  a  “right”  interaction,  communicating  with 
a  concurrent  verifier  V*,  while  receiving  some  additional  “external”  messages  on  the  “left”.  (The 
input  x  is  the  statement  to  be  proved,  the  input  M  will  later  be  instantiated  with  the  code  of  Si, 
and  the  input  (s,£)  is  used  to  generate  the  randomness  for  Si;  s  is  the  seed  for  the  forward  secure 
pseudorandom  generator  g,  and  £  is  the  number  of  n-bit  long  blocks  to  be  generated  using  g .)  A 
communication  round  in  the  “right”  interaction  with  V*  refers  to  a  verifier  message  (sent  by  V*) 
followed  by  a  prover  message  (sent  by  Si). 

Let  us  now  specify  how  Si  generates  prover  messages  in  its  “right”  interaction  with  V* . 
Si(ln,  x,  M,  s,  £)  acts  as  follows: 

•  Upon  invocation,  Si  generates  its  “random-tape”  by  expanding  the  seed  s;  more  specifically, 
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Instance:  A  triplet  (. h,c,r }  £  l~Ln  x  {0,  l}poly(n)  x  {0,  l}3mT\ 

Witness:  (Si,  j,  s,  n,  a,  p):  A  program  S  £  {0,  l}r,  an  integer  j  £  [m],  a  seed  s  £  {0,  l}ra,  a  P-certificate 
7r  €  {0, 1} ” ,  a  string  a  £  {0,  l}r,  a  randomness  p  £  {0,  l}n. 

Relation:  Rs((/i ,  c,  r) ,  (Si,  j,  s,  TT,a,p})  =  1  if  and  only  if: 

1.  Commitment  Consistency:  c  =  com(/i(Si);  p), 

2.  Input  Certification:  |<r|  <  2 mn, 

3.  Prediction  Correctness:  Vjert(-D,  ln,  (Si,  (1™,  j,  s,  cr),  r),  7r)  =  1  (i.e.,  7r  certifies  that 
Si(ln,  j,  s,oj  =  r). 


Figure  5:  Ry,  a  relation  that  Protocol  1  uses  in  WIUA  of  Phase  2. 

let  (sg,  S£-i, . . .  si),  (qe,  ■ ■ ■ ,  qi)  be  the  output  of  g(s,£).  We  assume  without  loss  of 
generality  that  S\  only  needs  n  bits  of  randomness  of  generate  any  prover  message  (it  can 
always  expand  these  n  bits  into  a  longer  sequence  using  a  PRG);  in  order  to  generate  its  j’th 
prover  message,  it  uses  q3  as  randomness. 

•  Upon  receiving  a  hash  function  hi  in  session  i  during  the  j-th  communication  round,  S\  pro¬ 
vides  a  commitment  ct  to  (the  hash  of)  the  program  Sj(ln,  j,  s',  r)  =  wrap(M (ln ,  x,  M,  s',j), 
V*,  r,  j),  where  wrap(A ,  B,r,j)  is  the  program  that  lets  A  communicate  with  B  for  j  rounds, 
while  allowing  A  to  receive  r  as  external  messages,  and  finally  outputting  B' s  message  in  the 
j’th  communication  round.  (That  is,  <Sj(ln,  j,  s',  r)  emulates  j  rounds  of  an  execution  between 
Si  and  V*  where  Si  expands  out  the  seed  s'  into  j  blocks  of  randomness  and  additionally 
receives  t  as  external  messages.) 

•  Upon  receiving  a  challenge  rq  in  session  i  during  the  j’th  communication  round,  Si  needs 
to  provide  a  WIUA.  To  do  so,  it  checks  whether  it  was  received  an  external  message  (j, ttj), 
and  if  so,  it  uses  the  certificate  ttj  to  complete  the  WIUA  (and  otherwise  halts).  More  pre¬ 
cisely,  Si  provides  an  honest  WIUA  that  C{  is  a  commitment  to  Si  and  that  ttj  certifies  that 
Sj(ln,  j,  Sj,  r)  =  rt  where  r  is  list  of  external  messages  received  by  Si  so  far.  (Note  that 
since  we  only  require  Sj  to  generate  the  j’th  verifier  message,  giving  him  the  seed  ( Sj,j )  as 
input  suffices  to  generate  all  prover  messages  in  rounds  j'  <  j.  It  follows  from  the  consistency 
requirement  of  the  forward  secure  PRG  that  Sj  using  (. Sj,j )  as  seed  will  generate  the  exact 
same  random  sequence  for  the  j  —  1  first  blocks  as  if  running  Sj  using  (s,£)  as  seed.) 

S2(ln,  x,  M,  s,  £)  internally  emulates  £  messages  of  an  execution  between  Sj(ln,  x,  Af,  s,  £)  and 
V* .  In  each  communication  round  j,  after  V*  generates  a  verifier  message  rrij,  S-2  generates  a 
certificate  irj  (using  PCert)  that  Sj(ln,  j,  Sj,  a)  =  rrij ,  where  a  is  the  list  of  external  messages 
received  by  Sj  so  far,  and  feeds  ( j,TTj )  to  Sj .  Finally,  Sj  outputs  its  view  (which  in  particular, 
contains  the  view  of  V*)  at  the  end  of  the  execution. 

The  final  simulator  S'(ln,x)  simply  runs  S<2(ln,  x,  Si,  s,  T(n  +  |a:|)),  where  s  is  a  uniformly 
random  string  of  length  n  and  T(n  +  \x\)  is  a  polynomial  upper-bound  on  the  number  of  messages 
sent  by  V*  given  the  common  input  ln,  x.  and  extracts  out,  and  outputs,  the  view  of  V*  from  the 
output  of  Sj. 
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Running-time  of  S.  Let  us  first  argue  that  S±  runs  in  polynomial  time.  Clearly  it  only  takes 
Si  polynomial-time  to  generate  the  commitments  in  Phase  1  (since  V*  has  a  polynomial-length 
description,  and  thus  also  the  code  of  Si).  During  the  WIUA  in  Phase  2,  the  length  of  the  witness 
used  by  the  simulator  is  polynomial  in  length  of  the  description  of  Si  and  the  length  of  the  certificate 
7 r  used  by  Si;  both  are  of  polynomial  length.  Since  the  P-certificates  verification  time  is  polynomial 
in  the  length  of  the  statement  proved,  it  follows  that  the  relation  being  proved  in  the  WIUA  has  a 
time  complexity  that  is  upper  bounded  by  a  fixed  polynomial  in  the  length  of  V* .  By  the  relative 
prover  efficiency  condition  of  the  WIUA,  each  such  proof  only  requires  some  fixed  polynomial-time, 
and  thus  the  whole  execution  of  Si  takes  some  fixed  polynomial  time  (in  the  length  of  V*  and  thus 
also  in  the  length  of  x.)  It  directly  follows  that  also  Si’s  running-time  is  polynomially  bounded. 

Finally,  since  S2  is  simply  providing  certificates  about  the  execution  of  Si,  it  follows  by  the 
relative  prover  efficiency  condition  of  P-certificates,  that  S2  runs  in  polynomial  time,  and  thus  also 
S. 

Indistinguishability  of  the  simulation  Assume  that  there  exists  a  cheating  verifier  V*,  a 
distinguisher  D  and  a  polynomial  p  such  that  the  real  view  and  the  simulated  view  of  V*  can  be 
distinguished  by  D  with  probability  for  infinitely  many  n.  More  formally,  for  infinitely  many 

n  G  N,  x  £  L  n  {0,  l}P°ly(n),  w  £  Rl(.t)  and  2  E  {0,  l}poly(n),  it  holds  that 

|Pr[D(Viewv*  (P(w),  V*(z))  (ln,  x))  =  1]  -  Pr[D(S(ln,  x,  z))  =  1] |  > 

p[n) 

Consider  a  hybrid  experiment  Realy*  (n,  x,  z)  that  proceeds  just  as  the  real  experiment  except 
that  all  phase  1  commitments  are  generated  by  committing  to  the  code  of  Si  (as  done  by  S).  We 
also  denote  by  Realy*  (n,  x,  z )  the  view  of  the  verifier  V*  in  the  hybrid.  It  follows  by  a  simple  hybrid 
argument  that  there  exists  a  polynomial  p'  such  that  the  view  of  V*  in  the  hybrid  Real7  and  in 
simulation  by  S  can  be  distinguished  by  D  with  probability  ,  I  .  for  infinitely  many  n.  That  is, 

p  yn) 

for  infinitely  many  {0,  l}Poly(n),  w  g  RL(x)  and  2:  £  {0,  l}Poly(n)5  it  holds  that 

| Pr [I? (Realy*  (n,  x,  w,  z)))  =  1]  -  Pr[D(S(ln,  x,  z))  =  1]|  >  — (1) 

p  [n ) 

Consider  such  n,  x,  z  (and  assume  that  2  is  hard-coded  into  the  description  of  V*),  and  consider 
T  =  T(n+\x\)  hybrid  experiments  (recall  that  T(n+\x\)  is  the  maximum  number  of  communication 
rounds  given  common  input  ln,x).  In  hybrid  Hj,  the  first  j  communication  rounds  are  simulated 
exactly  as  by  S  (using  pseudo-randomness),  but  all  later  communication  round  f  >  j  are  simulated 
by  S  (and  more  specifically  by  Si)  using  true  randomness  being  uniformly  distributed  in  {0,  l}n; 
additionally,  to  complete  all  WIUA  that  begin  at  or  after  communication  round  j,  Si  uses  the  true 
witness  w  instead  of  the  “fake”  witness  used  by  Si.  (Note  that  once  we  start  using  real  randomness 
is  some  session  i,  it  is  no  longer  clear  whether  simulation  of  “later”  sessions  can  be  completed. 
To  deal  with  this  issue,  we  thus  also  switch  all  WIUA  that  begin  at  or  after  round  j  to  use  a  real 
witness;  if  some  WIUA  already  began  at  some  communication  round  j'  <  j,  then  the  simulation  of 
this  WIUA  can  still  be  completed.) 

It  follows  by  Equation  1  and  a  hybrid  argument  that  there  exist  some  j  and  a  polynomial 
p"  such  that  D  distinguishes  Hj  and  Hj+ 1  with  probability  pii\n)  ■  Now,  consider  another  hybrid 

experiment  Hj  that  proceeds  just  at  Hj ,  but  where  true  randomness  is  used  in  communication 
round  j  +  1  (but  still  using  the  fake  witness).  It  follows  by  the  forward  security  of  the  PRG  g 
that  the  outputs  of  Hj+ 1  and  Hj  are  indistinguishable — the  reason  we  need  forward  security  is 
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that  to  emulate  communication  rounds  j'  <  j,  the  seeds  sy  may  need  to  be  known  (as  they  are 
used  by  S\  to  provide  WlUA’s).  Indistinguishability  of  Hj  and  Hj  follows  directly  by  the  witness 
indistinguishability  property  of  the  Will  A.  It  thus  leads  to  a  contradiction  and  completes  the  proof 
of  the  indistinguishability  of  the  simulation. 


4.2  Protocol  k 

We  move  on  to  describe  our  actual  concurrent  ZJC  protocol:  Protocol  k,  ( Pk,Vk ).  We  refer  the 
reader  to  the  introduction  for  the  ideas  underlying  this  protocol. 

As  with  Protocol  1,  Protocol  k  proceeds  in  two  phases.  In  Phase  1,  the  prover  Pj.  and  the 
verifier  Vf:  proceeds  exactly  as  in  Protocol  1  but  the  length  of  the  “challenge”  r  is  modified  to  be 
3 kn2.  Next,  Phase  2  is  modified  as  follows: 

Phase  2:  P \  gives  a  WIUA  argument  of  the  statement  that  either  x  €  L  OR  there  exists  S\, . . . ,  Sk  G 
{0,l}r(n),  0  <  j  <  nk,  s\...,sk  G  {0,1}",  7r\...,7Tfc  G  {0, l}n,  a\...,ak  G  {0,l}r("), 
A1, . . . ,  \k  G  {0,  l}r(-n\  p ,  such  that 

1.  Commitment  Consistency:  c  =  com(h(Si, . . . ,  Sk)',  p), 

2.  Input  Certification: 

(a)  \a\  <  2 kn2]  and 

(b)  Let  l*  be  the  largest  l  such  that  j  >  n l~l.  Then  X-1*  =  null  and  for  2  <  l  <  P,  irl 

certifies  that  5/(1",  [j\ni-%,sl,  ([A^]  ,  °~1))  =  Ai_1. 

3.  Prediction  Correctness:  7T1  certifies  that  Si(l",  j,  s1,  ( [A— 1]_7- ,  o--1)))  =r 

where  [j\x  =  j  —  ( j  mod  x),  and  the  bracket  operator  [•]_,-  is  defined  as  follows:  The  input 
is  expected  to  be  a  set  of  triples  of  the  form  (/,/',  7rj,),  and  the  output  is  a  subset  of  these 
obtained  by  removing  elements  with  j'  >  j;  that  is,  we  are  “filtering  out”  all  messages  that 
were  generated  in  communication  round  j  or  later.  Roughly  speaking,  the  bracket  operator 
is  used  to  eliminate  “unnecessary”  inputs  to  the  program.  We  require  this  to  be  able  to  reuse 
P-certificates;  we  provide  a  more  detailed  explanation  of  why  this  is  needed  in  Remark  2, 
after  having  formalized  the  simulator. 

Using  the  notation  from  the  introduction,  the  messages  A  are  “certified”  certificates  (each  compo¬ 
nent  of  A  may  of  an  unbounded  polynomial  length),  and  the  messages  a  are  “dangling”  certificates 
(each  component  of  a,  however,  is  “short”  by  the  input  certification  condition). 

A  formal  description  of  Protocol  k  can  be  found  in  Figure  6  and  7. 

We  will  be  analyzing  (iA,  Vk)  when  k  =  logn  (but  the  analysis  works  as  long  as  k  is  a  “nice” 
super-constant,  but  polynomially-bounded,  function).  It  is  easy  to  check  that  the  protocol  is 
complete.  Furthermore,  since  the  honest  prover  P};,  on  private  input  a  valid  witness  w  of  the 
statement  x,  always  succeeds  in  the  Phase  2  by  proving  that  x  G  L ,  by  the  prover  and  verifier 
efficiency  conditions  of  WIUA,  both  the  honest  prover  P ^  and  verifier  V).  run  in  some  fixed  polynomial 
time.  Furthermore  note  that  the  communication  complexity  of  the  protocol  depends  only  on  the 
security  parameter  1"  but  not  the  length  of  the  statement  x;  thus  the  protocol  is  “succinct” . 

We  turn  to  showing  that  (Pk,  14 )  is  sound  and  concurrent  ZIC  when  k  =  logn. 
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Protocol  k 


Common  Input:  A  security  parameter  ln  and  an  instance  a:  of  a  language  L  £  NP  with  witness 
relation  R^. 

Parameters:  m  =  m(n)  is  an  upper  bound  on  the  number  of  concurrent  sessions.  T  =  T(n)  and 
D  =  D{n )  are  respectively  upper  bounds  on  the  size  of  the  committed  program  and  the  time 
bound. 

Phase  1: 

Vk  — t*  Pk'.  Send  h  ( —  hLn. 

Pk  — >  Vk'-  Send  c  =  com(0”;  p). 

Vk^Pk:  Send  r  ■£-  {0,  f}3fe™2 . 

Phase  2: 

Pk  Vk'.  A  WIUA  (Pua,  Vua)  proving  the  OR  of  the  following  statements: 

1.  3  w  e  {o,  i}poly(ixi)  s  p  rl(x,  w)  =  l. 

2.  3  (S,j,s,n,d,X,p)  s.t.  R s({h,c,r) ,  ( S,j,s,n,d,X,p })  =  1. 


Figure  6:  A  public-coin  non-black-box  concurrent  zero-knowledge  protocol. 

4.2.1  Soundness  of  Protocol  k 

Lemma  1.  Under  the  above-mentioned  cryptographic  assumptions,  (Pk,Vk)  is  uniformly  sound. 
Additionally,  if  (Pcen,  Wert)  is  a  statistically  strong  P-certificate  system,  then  (Pk,\ 4)  is  non- 
uniformly  sound. 

Proof.  We  prove  this  lemma  w.r.t.  uniform  soundness  assuming  (Pce rt,  Wert)  is  a  strong  P-certificate; 
the  non-uniform  part  of  the  lemma  follows  in  identically  the  same  way. 

Assume  for  contradiction  that  there  is  a  probabilistic  polynomial  time  cheating  prover  P*  and 
a  polynomial  p,  such  that  for  infinitely  many  n  £  N,  with  probability  l/p(n),  P*  selects  a  false 
statement  x  £  {0,  l}poly(n)  \  p  anc[  convinces  V\.  of  the  membership  of  x  in  L. 

Fix  one  such  n.  Let  P*  .  be  the  “residual”  deterministic  WIUA  prover  resulting  from  fixing  P*’ s 
randomness  to  u  and  feeding  it  the  messages  h  and  r.  Let  E  be  the  “global”  proof-of-knowledge 
extractor  of  the  WIUA.  Note  that  E  runs  in  time  poly(r(n)).  Let  Es  denote  E  with  randomness 
fixed  to  s.  Now,  consider  the  following  experiment  Exp: 

•  Sample  a  tuple  ( u ,  h,  r ,  s )  uniformly  at  random. 

p * 

•  Let  (x,c)  <—  P*  hr  and  w'  Esu,h’r,  where  x  is  the  statement  selcted  by  P*hr,  c  is  the 

p* 

commitment  generated  by  Pfhr,  and  w'  is  the  witness  extracted  by  Esu,h’r. 

P*  7}  -> 

Let  BAD  denote  the  event  that  Esu,h'r  extracts  a  valid  “fake”  witness  w'  =  (S,  j' ,  s',  n' ,  a',  A',  p')  £ 
R s(h,c,r)  in  the  above  experiment. 

Let  us  first  argue  that  by  our  assumption  (that  P*  breaks  soundness),  BAD  happens  with  non- 
negligible  probability:  By  an  averaging  argument,  with  probability  at  least  1/2 p(n)  over  ( u ,  h,  r),  the 
statement  x  selected  by  P*  .  is  not  a  member  of  L  and  yet  P*  ^  convinces  the  WIUA  verifier  with 
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Instance:  A  triplet  (. h,c,r )  £  Hn  x  {0,  i}pijly(«)  x  {0,  l}3fen  . 

Witness:  (S,j,  s,  n,  a,  A,  p):  A  sequence  of  programs  S  =  (Si, . . . ,  Sk)  £  {0, 1}A  r,  an  integer  j  £  [nfe], 
a  sequence  of  seeds  s  =  (s1,. sk)  £  {0,  1}A”,  a  sequence  of  P-certificates  i r  =  (7T1, . . . ,  irk)  £ 
{0,  l}kn,  a  sequence  a  =  (cr1 , . . . ,  crfc)  £  {0, 1}^  r,  a  sequence  A  =  (Ai,...,Ajt)  £  {0,  l}A  r,  a 
randomness  p  £  {0,1}”. 

Relation:  R s((h,  c,  r) ,  (S,  j,  s,  if,  a,X,p))  =  1  if  and  only  if: 

1.  Commitment  Consistency:  c  =  com(h(S);  p), 

2.  Input  Certification: 

(a)  \a\  <  2 kn2,  and 

(b)  Let  1*  be  the  largest  l  such  that  j  >  n i_1.  X-1  =  null  and  for  2  <  l  <  l*, 

Vcen(D,ln,(Si,(ln,[j\ni-i,sl,([X-l]ijj  l_1,a-l)),Xl~1),TTl)  =  1  (i.e.,  nl  certifies  that 
Si(ln,  [j \ni-i ,  sl ,  ([X-l}ijjnl_1 ,  a-1))  =  A'-1). 

3.  Prediction  Correctness:  Vcert(D,  1",  (Si,  (1”,  j,  s1,  ([A— 1]y ,  cr-1)),  r),  7T1)  =  1  (i.e.,  tt  cer¬ 
tifies  that  5i(l",  j,  s1,  ([A-1]^,  cr-1))  =  r). 

where  \J\X  —  j  —  ( j  mod  x),  and  the  operator  [-] j  is  defined  as  follows:  The  input  is  expected  to 
be  a  set  of  triples  of  the  form  (j' ,  l',  7rj,),  and  the  output  is  a  subset  of  these  obtained  by  removing 
elements  with  j1  >  j. 


Figure  7:  R5,  a  relation  that  Protocol  k  uses  in  WIUA  of  Phase  2. 


probability  1/2 p(n).  For  each  such  a  tuple  ( u,h,r ),  by  the  “global”  proof-of-knowledge  property  of 

P* 

WIUA,  Esu’  ,r  extracts  a  valid  “fake”  witness  w'  £  R s(h,c,r)  with  some  non-negligible  probability 
l/q(n)  (over  the  randomness  s ).  It  follows  that  BAD  happens  with  non-negligible  probability. 

We  now  show  that  under  our  cryptographic  assumptions,  BAD  can  only  happen  with  negligible 
probability,  which  is  a  contradiction. 

First,  note  that  by  the  soundness  of  (PCert,  Fcert)  with  parameters  T(-)  and  C(- ),  and  the  fact 

that  T(n)  =  r(n)“’^1^  and  D(n)  <  C(n ),  we  have  that  except  with  negligible  probability  over  the 

-./  p* , 

choice  of  ( u,h,r,s ),  whenever  the  P-certificates  pi  that  Esu'  ,r  extracts  out  are  convincing,  their 
corresponding  statements  are  true;  otherwise,  we  can  construct  a  uniform  poly(r(n))-time  adversary 

p* 

that  samples  u,h,r,s  uniformly  at  random,  runs  Esu’  'r,  and  outputs  a  random  certificate  from 
w' .  Additionally,  by  the  binding  property  of  com  and  the  collision-resistant  property  of  T~Ln  it 
follows  that  with  overwhelming  probability  over  ( u,h ),  there  exists  a  vector  of  machines  S*  such 

p * 

that  except  with  negligible  probability  over  the  choice  of  r,s,  it  holds  that  if  Es  u’  ’ r  outputs  a 
valid  w'  £  R s(h,c,r),  then  the  machines  S  in  w'  equals  S’*.14  By  a  union  bound  it  follows  that 
with  overwhelming  probability  over  (u,h),  there  exists  a  vector  of  machines  S*  such  that  except 

p* 

with  negligible  probability  over  the  choice  of  r,  s,  the  following  holds:  a)  if  Es  u"  ’r  outputs  a  valid 
w'  £  R s(h,c,r),  then  the  machines  S  in  w'  equals  S* ,  and  b)  all  accepting  certificates  7 ?  prove 

14Note  that  for  this  to  hold,  we  here  rely  on  the  fact  that  binding  of  com  and  collision-resistancy  of  T-Ln  hold  also  for 
circuits  of  size  poly(r(n));  however,  as  mentioned,  by  slightly  modifying  the  protocol  as  in  [BG02],  this  assumption 
can  be  weakened  to  just  collision  resistance  against  polynomial-size  circuits. 
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true  statements.  Let  us  refer  to  such  pairs  (u,h)  as  good. 

For  any  valid  “fake”  witness  w'  =  (S,  j'  ,3  ,Tr'  ,X! ,  p')  £  R s(h,c,r)  define  a  machine  Mw> 

(using  S  in  w ')  that  given  the  input  (f,  s' ,  o')  of  length  smaller  than  2 kn2,  outputs  r: 

Machine  Mwr.  Mw>(ln.  j.  s,  a)  lets  l*  be  the  largest  l  such  that  j  >  n1^1 .  Mw/  next  runs  the 
machines  Si*,  S)*_i, . . . ,  S'i  in  sequence  as  follows:  Si*  is  run  on  input  1  n,jl  ,  sl *  and  a1  ;  let 
A^*-1  denote  its  output.  Next  for  each  l  <  l*,  Si  is  given  1”,  jl ,  sl,o-1  and  [A -l]j,i  where  X-1 
are  the  outputs  of  the  executions  of  Si+ 1, . . .  ,£>i*.  Finally,  M  outputs  the  string  r  returned 
by  S'i. 

Note  that  by  definition,  if  all  the  P-certificates  in  w'  prove  true  statements,  then  Mwi  given  the 
input  (/,  s*,  cr')  indeed  outputs  r.  However,  for  any  machine  M ,  since  the  input  to  the  machine 
M  is  of  length  2 kn2,  it  follows  by  a  counting  argument  that  only  for  a  negligible  fraction  of  length 
3 kn2  strings  r,  there  exists  some  input  that  makes  M  output  r.  Thus,  whenever  (u,  h )  is  good 
(which  happens  with  overwhelming  probability),  except  with  negligible  probability  (over  the  choice 
of  r,  s )  BAD  cannot  happen;  it  follows  that  BAD  can  only  happen  with  negligible  probability, 
which  is  a  contradiction. 

□ 

4.2.2  Concurrent  ZKL  of  Protocol  k 

The  simulator  S  for  Protocol  k  will  define  k  +  1  “helper”  simulators  Si, ,  Sj^+i-  Before  providing 
the  formal  definition  of  S'i, ... ,  S'^+i,  let  us  first  describe  the  interaction  among  them. 


Figure  8:  Simulation  of  protocol  ( P 14)  for  k  =  3. 


Recall  that  in  the  simulation  of  Protocol  1,  Si  is  an  interactive  machine  that  communicates 
with  a  concurrent  verifier  V* ,  on  the  “right”,  while  expecting  to  receive  a  P-certificates  (j,TTj) 
from  S*2 ,  on  the  “left” ,  for  every  communication  round  j  in  the  right  interaction  with  V* ;  S’i  then 
makes  use  of  these  certificates  to  complete  the  right  interaction  with  V*  (and  more  specifically, 
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to  complete  the  WlUAs  it  is  supposed  to  provide  V*).  In  the  simulation  of  Protocol  k,  S±  still 
communicates  with  V*  on  the  “right”,  but  now  additionally  expects  to  receive  P-certificates  from 
all  of  52, ,  Sk+i  on  the  “left”.  In  more  detail,  recall  that  a  communication  round  in  the  “right” 
interaction  refers  to  a  verifier  message  (sent  by  V*)  followed  by  a  prover  message  (sent  by  5i). 
Now,  in  each  communication  round  j  in  the  right  interaction,  upon  receiving  a  message  from  the 
verifier  V*,  S\  also  expects  to  receive  (j,  l,7rj)  from  S2,  and  furthermore,  for  every  2  <  l  <  k,  if 
j  mod  n1-1  =  0,  then  5i  additionally  expects  to  receive  (j,  Z,7rj)  from  5/+ 1.  In  other  words,  5i 
expects  to  receive  a  “level-/”  certificate  (of  the  form  (j  =  a  ■  nl~l ,  Z,  tt^)  for  some  a)  from  5;+ 1  every 
n1^1  communication  rounds.  Roughly  speaking,  each  such  “level-/”  certihcatate,  certifies  that  all 
“level-(Z  —  1)”  certificates  up  to  round  j  were  actually  generated  by  Si ;  and  those  “level-(Z  —  1)” 
certificates  certify  that  5;_  1  actually  generated  the  “level-(Z  —  2)”  certificates  up  until  round  j,  etc. 
See  Figure  8  for  an  illustration  of  the  communication  pattern  between  U*,  5 1, . . . ,  5^+ 1. 

For  every  2  <  l  <  k,  for  Si  to  be  able  to  generate  its  level  (/  —  1  (-certificates,  Si  internally 
emulates  the  interaction  among  5;_  1, . .  .  ,  5i,U*,  but  additionally  needs  to  receive  all  level-/'  cer¬ 
tificates,  where  /'  >  /;  thus  each  machine  5/  produces  level-/  —  1  certificates  on  the  “right”,  while 
receiving  level-/,  level-(Z  +  1),  ...  level-/?  certificates  from  respectively  5;+ 1,  Si+ 2;  •  •  •  5^+ 1,  on  the 
“left”.  See  Figure  9  for  an  illustration  of  5/. 
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Figure  9:  Simulator  5/. 

We  now  define  Si.  As  before,  on  a  high-level,  5i(ln,  x,  M ,  s,  £),  acts  as  a  prover  in  a  “right” 
interaction,  communicating  with  a  concurrent  verifier  V*,  while  receiving  some  additional  “exter¬ 
nal”  messages  on  the  “left”.  (The  input  x  is  the  statement  to  be  proved,  the  input  M  will  later  be 
instantiated  with  the  codes  of  Si,.. .  5’/c ,  and  the  input  (s,£)  is  used  to  generate  the  randomness 
for  5i;  s  is  the  seed  for  the  forward  secure  pseudorandom  generator  g,  and  £  is  the  number  of  ?r-bit 
long  blocks  to  be  generated  using  g.) 

Let  us  now  specify  how  5i  generates  prover  messages  in  its  “right”  interaction  with  V*. 
5i(ln,  x,  M ,  s,  £)  acts  as  follows: 

•  Upon  invocation,  5i  generates  its  “random-tape”  by  expanding  the  seed  s;  more  specifically, 
let  ( S£ ,  S£- 1, . . .  si),  ( qi ,  qt-i, . . . ,  q\)  be  the  output  of  g(s,  £).  Again,  we  assume  without  loss 
of  generality  that  5i  only  needs  n  bits  of  randomness  of  generate  any  prover  message;  in  order 
to  generate  its  j’th  prover  message,  it  uses  qj  as  randomness. 

•  Upon  receiving  a  hash  function  hi  for  session  i  in  communication  round  j,  S±  provides  a 
commitment  Cj  to  the  hash  of  the  programs  Si,...,Sk  defined  as  follows. 

-  5i(ln,  j,  s',  a)  =wrap(Mi(ln,x,M,s',j),V*,a,j). 
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—  For  2  <  l  <  k,  Si(ln ,  j ,  s' ,  a)  =  wrap'(Mi(ln,x,M,s',j),a,j)  where  wrap' (A,  a,  j)  is  the 
program  that  executes  A  for  j  “communication  rounds,”  while  allowing  A  to  receive  a  as 
external  messages  “on  the  left” ,  and  finally  outputs  the  set  of  messages  generated  by  A 
“on  the  right” — recall  that  Mi  will  be  instantiated  by  Si,  who  emulates  the  interaction 
among  S/_i, . . . ,  Si,  V*,  receives  level-/'  certificates  for  l'  >  l  externally  “on  the  left”, 
and  generates  level- (l  —  1)  certificates  on  the  “right”;  “communication  rounds”  here  still 
refer  to  the  communication  rounds  of  Si  and  V*.  (wrap'  simply  returns  _L  whenever  A 
does  not  have  the  specified  structure.) 

•  Upon  receiving  a  challenge  rt  in  session  i  during  the  jth  communication  round,  Si  needs  to 
provide  a  WIUA.  To  do  so,  Si  collects  the  witness  as  follows. 

—  Let  l*  be  the  largest  l  such  that  j  >  n l~l . 

—  For  1  </</*,  set  sl  =  (_1  (i.e. ,  the  seed  corresponding  to  communication  rounds 

recall  that  [j \x  =  j  -  ( j  mod  re)). 

—  For  1  <  l  <  l*,  recall  that  Si  expects  to  have  received  a;  =  [j  ]  ni-i messages  from 
Si+ 1  of  the  form  (a  •  ra/_1,  l,  irla  for  a  G  [a/]. 

*  Let  tt1  be  the  P-certificate  in  the  last  message  received  from  Si+ 1;  by  construction, 

this  message  was  received  in  round  [j\ni-i  and  thus  we  have  it1  =  ;  ^ 

*  Let  A;  be  the  messages  received  from  S/+i  up  until  and  including  round  [j\nr,  by 
construction,  since  S/_ |_i  generates  a  message  every  n1^1  communication  rounds,  X1 
contains  a  total  of  \_j\ni/,n11  messages. 

*  Let  a1  be  the  messages  generated  by  S)+i  after  round  [j\ni  but  before  round  [j\ni-i 
(thus,  we  exclude  the  last  message  nl  and  the  messages  included  in  X1);  since  there 
are  at  most  nl  communication  rounds  after  round  [j\ni  and  before  round  UJn*-1! 
and  (again)  Si+\  generates  a  message  every  rounds,  a1  contains  at  most  n 
messages;  each  such  message  is  of  length  n  +  O(logn)  <  2 n. 

—  For  l*  <  l  <  k,  let  A /  =  null.  (Note  that  also  A i*  =  null  since  =  0-) 

—  Finally,  let  p  and  S  be  the  randomness  and  machines,  respectively,  used  to  generate  the 
commitment  c*  in  the  ith  session. 

If  S\  fails  to  find  a  valid  witness,  Si  simply  halts.  Otherwise,  Si  uses  the  above  witness  to 
provide  an  honest  WIUA  to  V*  that 

1.  (Commitment  consistency:)  Cj  =  com(/ij(Si, . . . ,  Sfc);  p), 

2.  (Input  certification:)  \a\  <  2 kn2,  X-1  =  null  and  for  2  <  l  <  l*,  nl  certifies  that 

=  A^_1’ 

3.  (Prediction  correctness:)  ^ r1  certifies  that  Si(ln,j,  s1,  ([A-1]^,  cr-1))  =  r* 

Remark  2.  Above,  for  every  1  <  l  <  l* ,  S\  uses  the  P -certificates  tt1  to  certify  that  the  execution  of 
Si  up  until  communication  round  LiJn*-1  when  providing  Si  with  the  “certified”  inputs  [A-^jj  l_1 
and  “dangling”  inputs  a-1.  The  bracket  operator  is  used  to  ensure  that  the  inputs  given  to  Si 
are  identically  the  same  as  were  given  to  it  when  generating  the  I* -certificate  -k1  at  round  [ j\ni 
(or  else  the  statement  proved  by  n1  would  be  different  from  the  one  that  Si  needs  to  provide  a 
certificate  about).  The  bracket  operator  simply  “ filters ”  out  all  messages  that  are  generated  at  or 
after  communication  round  UJn*-1- 
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As  noted  above,  by  construction,  a  always  satisfies  the  appropriate  length  restrictions.  Thus, 
the  only  thing  we  need  to  ensure  is  that  the  certificates  received  by  S i  indeed  prove  the  “right” 
statements  for  S i  to  be  able  to  complete  its  WlUAs;  we  shall  see  why  this  is  the  case  shortly. 

We  now  turn  to  defining  S;  for  2  <  l  <  k  +  1,  inductively.  Suppose  Si,... ,  S/_]  are  defined. 
Si(  ln,  x,  M,  s,  t)  emulates  the  interaction  among  S/_i(ln,  x.  M ,  s,  (l7^,  x ,  M,  s ,  £),  F*  for  £ 

communication  rounds,  while  expecting  to  receive  external  messages  “on  the  left”. 

•  In  each  communication  round  j  with  j  mod  nl~l  =  0,  after  V*  sends  a  verifier  message  rrij, 
we  distinguish  two  cases. 

—  If  l  =  2,  S2  generates  a  certificate  7rj  (using  PCert)  that  wrap(Si(ln,x,M,Sj,j),V*,T,j) 
=  rrij,  where  r  is  the  set  of  messages  Si  has  received  so  far,  and  outputs  (j,  l,7rj). 

—  If  l  >  2,  Si  continues  to  emulate  the  round  to  the  point  that  (the  internally  emulated) 
Si— 1  outputs  its  message  (jj  —  2,7rj~2),  and  then  Si  generates  a  certificate  ir j-1  that 
wrap' (Si- i(ln,  x ,  M,  Sj,j),  r,  j )  =  77,  where  r  is  the  set  of  messages  that  S/_i  has  received 
so  far  and  p  is  the  set  of  messages  S;_i  has  generated  so  far  (in  the  internal  emulation). 
Then  Si  outputs  the  message  ( j,l  —  l,7rj_1). 

•  In  each  communication  round  j  s.t.,  j  mod  nl  =  0,  after  generating  its  message  (j,l  —  1,  n j-1), 
5;  expects  to  receive  external  messages  (j,  l!  —  1, 7rj  _1)  “on  the  left”  for  every  l'  >  l  such  that 
j  mod  nl’~l  =  0.  Si  simply  relays  these  messages  to  its  internally  emulated  Si- 1, . . .  Si. 

Finally,  Si  outputs  its  own  view  at  the  end  of  the  execution  (which  in  particular,  contains  the  view 
of  V* ,  and  all  the  messages  generate  by  Si). 

Note  that  the  construction  of  S2,  ■  ■  ■ ,  <Sfc+i  ensures  that  Si  will  always  have  the  appropriate 
certificates  to  complete  every  WIUA  it  reaches;  as  a  consequence,  Si  never  gets  “stuck”. 

Let  S  =  (Si, . . . ,  Sfc).  The  final  simulator  S(lra,  x)  simply  runs  Sfc'(ln,  x,  S,  s,T(n  +  |x|)),  where 
s  is  a  uniformly  random  string  of  length  n,  T(n+  |x|)  is  a  polynomial  upper-bound  on  the  number  of 
messages  sent  by  V*  on  input  ln  and  statement  x  E  {0,  l}poly(n),  and  k '  =  |"logn T(n+  \ x |)~|  +1,  and 
then  extracts  and  outputs  the  view  of  V*  from  the  output  of  S/y.  Note  that  since  T  is  polynomial 
in  n,  k’  is  a  constant. 

Running-time  of  S  We  first  note  that  essentially  the  same  argument  as  for  Protocol  1  shows  that 
Si  runs  in  polynomial  time:  It  only  takes  Si  polynomial-time  to  generate  the  commitments  in  Phase 
1  (since  V*  has  a  polynomial- length  description,  and  the  programs  S/’s  have  length  polynomial  in 
the  size  of  V*).  During  the  WIUA  in  Phase  2,  the  length  of  the  witness  used  by  the  simulator  is 
polynomial  in  length  of  the  programs  S/’s,  and  their  inputs  and  outputs,  all  of  which  are  polynomial 
in  the  circuit-size  of  V*.  Since  the  P-certificates  verification  time  is  polynomial  in  the  length  of 
the  statement  proved,  it  follows  that  the  relation  being  proved  in  the  WIUA  has  a  time  complexity 
that  is  upper  bounded  by  a  fixed  polynomial  in  the  length  of  V*.  By  the  relative  prover  efficiency 
condition  of  the  WIUA,  each  such  proof  only  requires  some  fixed  polynomial-time,  and  thus  the 
whole  execution  of  Si  takes  some  fixed  polynomial  time  (in  the  size  of  V*  and  thus  also  in  the 
length  of  x.)  It  directly  follows  that  also  Si’s  running-time  is  polynomially  bounded. 

It  now  follows  by  an  induction  that  S/  and  thus  S/  run  in  polynomial  time  for  every  constant 
l.  Suppose  S/_i  and  S/_i  run  in  polynomial  time.  Since  S/  is  simply  providing  certificates  about 
the  execution  of  S/_i,  it  follows  by  the  relative  prover-efficiency  condition  of  P-certificates,  that  S/ 
runs  in  polynomial  time,  and  thus  also  S/.  Finally,  as  S  simply  runs  S/y  with  a  constant  k1 ,  the 
running-time  of  S  is  polynomially  bounded  as  well. 

Approved  for  Public  Release;  Distribution  Unlimited. 

32 


536 


Indistinguishability  of  the  simulation  Note  that  by  construction  of  S,  it  follows  that  the 
simulation  never  gets  “stuck”  in  the  sense  that  whenever  V*  expects  a  Will  A  in  some  session,  S 
has  an  appropriate  “fake”  witness  and  can  complete  the  Will  A  using  this  “fake”  witness.  Indistin- 
guishability  of  the  simulation  follows  in  identically  the  same  way  as  for  Protocol  1. 

4.3  Dealing  with  Randomized  P-certificates 

As  mentioned  above,  to  simplify  the  exposition,  our  protocol  uses  strong  P-certificate  system 
(-fcert,  Wert)  with  deterministic  prover  and  verifier  strategies.  We  here  sketch  how  to  deal  with  the 
case  when  Pcert  and  Wert  are  randomized. 

•  Handling  randomized  Wert*  If  Wert  is  randomized,  we  simply  need  to  the  verifier  V  generate 
the  randomness  for  Wert)  but  to  guarantee  soundness  of  the  P-certificate,  V  needs  to  do  so 
after  the  P-certificates  are  determined.  We  do  this  by  adding  a  new  communication  round 
before  Phase  2  where  the  prover  first  is  asked  to  commit  to  the  k  P-certificates  irl, ...  ,irk 
that  it  wants  to  use  in  Phase  2  (the  honest  prover  should  simply  commit  to  0fc'n)  and  next  the 
verifier  selects  randomness  p1, . . . ,  pk  for  Wert  for  each  of  these  certificates.  In  Phase  2,  the 
prover  is  then  asked  to  demonstrate  that  for  each  certificate  l  £  [k\,  Wert  using  randomness 
pl  accepts  7 t1. 

•  Handling  randomized  PCert*  If  Pcert  is  randomized,  the  helper  simulators  S‘>.  ■  ■  ■  ■  Sk+i  also 
become  randomized.  As  with  Si,  there  is  now  a  potential  “randomness-dependent”  issue 
since  the  simulators  generate  certificates  about  their  own  behaviour  in  earlier  communication 
rounds  (in  particular,  Si  needs  to  know  the  randomness  of  all  “helper”  simulators).  We  can 
break  the  circularity  by  using  forward  secure  PRGs  in  exactly  the  same  way  as  was  done  for 
Si;  each  the  simulator  Si  use  independent  seeds  s®  for  a  forward  secure  PRG  to  expand  the 
randomness  for  generating  level- (Z  —  1)  certificates  in  each  communication  round,  and  then 
uses  the  seed  s®  as  an  input  to  Si’ s  when  generating  certificates  at  communication  round  j. 

4.4  A  Note  on  Uniform  Assumptions 

We  remark  that  even  in  the  case  of  uniform  soundness,  our  protocol  currently  relies  on  families  of 
hash-functions  collision-resistant  also  for  non-uniform  polynomial-time.  Note,  however,  that  for  our 
soundness  proof,  it  suffices  to  use  commitment  schemes  that  are  binding  for  uniform  polynomial¬ 
time  algorithms  and  a  Will  A  where  the  proof  of  knowledge  property  is  proven  secure  using  a 
uniform  security  reduction.  (We  still  need  the  hiding  and  the  witness  indistinguishability  properties 
to  hold  for  non-uniform  polynomial-time  to  establish  ZKL  with  arbitrary  auxiliary  inputs).  We 
see  no  obstacles  in  getting  these  properties  by  instantiating  our  protocol  with  statistically-hiding 
commitments  and  a  “special-purpose”  WIUA  from  [PR05],  which  also  relies  on  statistically-hiding 
commitments,  but  we  haven’t  verified  the  details.  In  particular,  if  we  only  rely  on  statistically- 
hiding  commitments  where  the  (computational)  binding  hold  against  uniform  polynomial-time 
algorithms,  such  commitment  can  be  based  on  families  of  hash  functions  collision-resistant  against 
uniform  polynomial-time. 
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Abstract 

We  present  barriers  to  provable  security  of  two  fundamental  (and  well-studied)  cryptographic 
primitives  perfect  non-interactive  zero  knowledge  (NIZK),  and  non-malleable  commitments: 

•  Black-box  reductions  cannot  be  used  to  demonstrate  adaptive  soundness  (i.e. ,  that  sound¬ 
ness  holds  even  if  the  statement  to  be  proven  is  chosen  as  a  function  of  the  common 
reference  string)  of  any  statistical  (and  thus  also  perfect)  NIZK  for  MV  based  on  any 
“standard”  intractability  assumptions. 

•  Black-box  reductions  cannot  be  used  to  demonstrate  non-malleability  of  non-interactive,  or 
even  2-nressage,  commitment  schemes  based  on  any  “standard”  intractability  assumptions. 

We  emphasize  that  the  above  separations  apply  even  if  the  construction  of  the  considered  prim¬ 
itives  makes  a  non-black-box  use  of  the  underlying  assumption. 

As  an  independent  contribution,  we  suggest  a  taxonomy  of  game-based  intractability  as¬ 
sumptions. 
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1  Introduction 


Modern  Cryptography  relies  on  the  principle  that  cryptographic  schemes  are  proven  secure  based 
on  mathematically  precise  assumptions;  these  can  be  general — such  as  the  existence  of  one-way 
functions — or  specific — such  as  the  hardness  of  factoring  products  of  large  primes.  The  security 
proof  is  a  reduction  that  transforms  any  attacker  A  of  the  scheme  into  a  machine  that  breaks  the 
underlying  assumption  (e.g.,  inverts  an  alleged  one-way  function).  This  study  has  been  extremely 
successful,  and  during  the  past  three  decades  many  cryptographic  tasks  have  been  put  under 
rigorous  treatment  and  numerous  constructions  realizing  these  tasks  have  been  proposed  under  a 
number  of  well-studied  complexity-theoretic  hardness  assumptions. 

In  this  paper,  we  study  two  fundamental  cryptographic  primitives — perfect  non-interactive  zero- 
knowledge  with  adaptive  statements  and  non-interactive  non-malleable  commitments — for  which 
security  proofs  based  on  well-studied  intractability  assumptions  have  remained  elusive. 

Perfect  NIZK  with  Adaptive  Inputs  A  non-interactive  zero-knowledge  (NIZK)  protocol  [?] 
is  protocol  between  two  parties,  a  Prover,  and  a  Verifier,  through  which  the  Prover  can  non- 
interactively  (i.e. ,  by  sending  a  single  message  ir)  convince  the  Verifier  of  the  validity  of  a  statement 
x,  only  if  x  is  true  (this  is  called  the  soundness  property),  while  at  the  same  time  revealing  nothing 
beyond  the  fact  that  x  is  true  (this  is  called  the  zero-knowledge  property).  To  make  such  constructs 
possible  both  parties  are  additionally  assumed  to  have  access  to  a  “Common  Reference  String” 
(CRS)  that  has  been  ideally  sampled  according  to  some  distribution.  The  original  definition  of 
[?]  only  considered  non-adaptive  notions  of  soundness  and  zero-knowledge:  Roughly  speaking, 
the  (non-adaptive)  soundness  condition  requires  that  for  every  false  statement  x  ^  L,  with  high 
probability  over  the  choice  of  the  CRS,  any  proof  it  output  by  a  malicious  prover  will  be  rejected 
by  the  verifier.  The  (non-adaptive)  zero-knowledge  property,  on  the  other  hand,  requires  that  for 
every  true  statement  x  £  L,  the  joint  distribution  consisting  of  the  reference  string,  and  an  honestly 
generated  proof,  can  be  reconstructed  by  a  simulator.  In  both  of  these  properties,  the  statement  x  is 
required  to  be  fixed  before  the  reference  string  is  known.  Feige,  Lapidot  and  Shamir  [?]  introduced 
stronger  adaptive  notions  of  both  soundness  and  zero-knowledge;  roughly  speaking,  here  soundness 
and  zero-knowledge  should  hold  even  if  the  statement  x  is  adversarially  chosen  as  a  function  of  the 
reference  string. 

As  with  traditional  zero-knowledge  protocols,  NIZKs  come  in  several  flavors:  computational 
NIZK ,  statistical  NIZK,  and  perfect  NIZK.  In  the  computational  notion,  the  simulator’s  output  is 
only  required  to  be  computationally  indistinguishable  from  an  honestly  generated  view,  whereas 
in  the  statistical  (resp.  perfect)  variants,  it  is  required  to  be  statistically  close  (resp.  identical)  to 
an  honestly  generated  view.  Computational  NIZK  with  adaptive  zero-knowledge  and  soundness 
were  constructed  early  on  based  on  standard  cryptographic  intractability  assumptions  [?,  ?],  but 
constructions  of  statistical  and  perfect  NIZK  were  elusive. 

Only  recently,  a  breakthrough  result  by  Groth,  Ostrovsky  and  Sahai  (GOS)  [?]  provided  a 
construction  of  a  perfect  NIZK  for  MV  based  on  the  hardness  of  a  number  theoretic  assumption 
over  bilinear  groups.  Their  protocol  satisfies  the  adaptive  notion  of  zero-knowledge;  however,  it  only 
satisfies  the  non-adaptive  notion  of  soundness  (that  is,  soundness  is  no  longer  guaranteed  to  hold 
if  the  attacker  chooses  a  statement  x  L  as  a  function  of  the  common  reference  string).  We  focus 
on  whether  there  exists  a  perfect  NIZK  for  MV  with  both  adaptive  soundness  and  zero-knowledge. 

A  step  towards  answering  this  question  appears  in  the  work  of  Abe  and  Fehr  [?],  which  presented 
a  perfect  NIZK  for  MV  with  both  adaptive  soundness  and  zero-knowledge,  using  an  “knowledge- 
extractaction”  assumption  (simular  to  the  “knowledge-of-exponent”  assumption  of  [?]),  as  opposed 
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to  a  computational-intractability  assumption.  Abe  and  Fehr  also  demonstrate  that  certain  (ar¬ 
guably  natural)  types  of  proof  techniques — which  they  refer  to  as  “direct”  black-box  reductions — 
cannot  be  used  to  prove  adaptive  soundness  of  perfect  NIZKs  for  MV .  Their  notion  of  a  “direct” 
proof,  however,  is  quite  restrictive  (very  roughly  speaking,  it  requires  the  security  reduction  to 
“directly  embed”  some  hard  instance  into  the  CRS  in  a  “structure  preserving  way”).1 

Non-interactive  Non-malleable  Commitments  Often  described  as  the  “digital”  analogue  of 
sealed  envelopes,  commitment  schemes  enable  a  sender  to  commit  itself  to  a  value  while  keeping  it 
secret  from  the  receiver.  This  property  is  called  hiding.  Furthermore,  the  commitment  is  binding , 
and  thus  in  a  later  stage  when  the  commitment  is  opened,  it  is  guaranteed  that  the  “opening”  can 
yield  only  a  single  value  determined  in  the  committing  stage.  For  many  applications,  however,  the 
most  basic  security  guarantees  of  commitments  are  not  sufficient.  For  instance,  the  basic  definition 
of  commitments  does  not  rule  out  an  attack  where  an  adversary,  upon  seeing  a  commitment  to  a 
specific  value  v,  is  able  to  commit  to  a  related  value  (say,  v  —  1),  even  though  it  does  not  know 
the  actual  value  of  v.  This  kind  of  attack  might  have  devastating  consequences  if  the  underlying 
application  relies  on  the  independence  of  committed  values  (e.g.,  consider  a  case  in  which  the 
commitment  scheme  is  used  for  securely  implementing  a  contract  bidding  mechanism).  In  order 
to  address  the  above  concerns,  Dolev,  Dwork  and  Naor  introduced  the  concept  of  non-malleable 
commitments  [?].  Loosely  speaking,  a  commitment  scheme  is  said  to  be  non-malleable  if  it  is 
infeasible  for  an  adversary  to  “maul”  a  commitment  to  a  value  v  into  a  commitment  to  a  related 
value  v. 

More  precisely,  we  consider  a  man-in-the-middle  (MIM)  attacker  that  participates  in  two  con¬ 
current  executions  of  a  commitment  scheme  II;  in  the  “left”  execution  it  interacts  with  an  honest 
committer;  in  the  “right”  execution  it  interacts  with  an  honest  receiver.  Additionally,  we  assume 
that  the  players  have  n-bit  identities  (where  n  is  polynomially  related  to  the  security  parameter), 
and  that  the  commitment  protocol  depends  only  on  the  identity  of  the  committer;  we  sometimes 
refer  to  this  as  the  identity  of  the  interaction.2  Intuitively,  II  being  non-malleable  means  that  if 
the  identity  of  the  right  interaction  is  different  than  the  identity  of  the  left  interaction  (i.e.,  A  does 
not  use  the  same  identity  as  the  left  committer),  the  value  A  commits  to  on  the  right  does  not 
depend  on  the  value  it  receives  a  commitment  to  on  the  left;  this  is  formalized  by  requiring  that 
for  any  two  values  V\,V2,  the  value  A  commits  to  after  receiving  left  commitments  to  v\  or  V2  are 
indistinguishable . 3 

The  first  non-malleable  commitment  protocol  was  constructed  by  Dolev,  Dwork  and  Naor  [?] 
in  1991.  The  security  of  their  protocol  relies  on  the  minimal  assumption  of  one-way  functions  and 
requires  D(logfc)  rounds  of  interaction,  where  k  6  N  is  the  length  of  party  identities.  The  round- 
complexity  of  non-malleable  commitments  has  since  been  extensively  studied  (see  e.g.,  [?,  ?,  ?,  ?, 
?,  ?,  ?]),  leading  up  to  constant  round  protocols  based  on  one-way  functions  [?,  ?]. 

1  Among  other  things,  the  structure  preserving  property  requires  that  if  the  “hard  instance”  being  directly  embed¬ 
ded  in  the  CRS  is  true,  the  CRS  is  valid,  and  if  the  hard  instance  is  false,  then  the  CRS  is  “invalid” .  This  property 
can  never  hold  when  considering  NIZK  in  the  Uniform  Reference  String  model  (as  every  CRS  is  valid),  and  as  such 
their  result  holds  vacuously  when  considering  NIZK  in  the  Uniform  Reference  String  model. 

2Non-malleable  commitments  are  sometimes  also  considered  in  settings  where  players  do  not  have  identities. 
However,  as  shown  in  [?],  any  non-malleable  commitment  that  handles  sufficiently  long  identities  can  be  turned  into 
a  non-malleable  commitment  without  identities  (and  any  non-malleable  commitment  without  identities  can  trivially 
be  turned  into  one  with  identities).  Since  our  goal  is  to  prove  lower  bounds,  we  focus  on  the  more  general  (relaxed) 
notion  of  non-malleability  with  respect  to  identities. 

3Note  that  the  value  A  commits  to  is  not  efficiently  computable  from  the  transcript  of  the  right  interaction; 
nevertheless,  if  the  commitment  is  statistically  binding,  the  value  is  determined  with  overwhelming  probability.  Our 
focus  here  is  on  non-malleability  for  statistically-binding  commitments  (as  is  typically  the  case  in  the  literature. 

Approved  for  Public  Release;  Distribution  Unlimited. 

2 


545 


The  question  of  whether  non-interactive ,  or  even  2-round,  non- malleable  commitments  exist, 
however,  is  wide  open.  (We  note  that  in  the  Common  Reference  String  model,  constructions  of 
non-interactive  non-malleable  commitments  are  known  [?];  we  here  focus  on  constructions  in  the 
plain  model,  without  any  set-up.)  Some  initial  progress  towards  this  question  can  be  found  in 
[?]  where  a  construction  of  non-interactive  non-malleable  commitments  based  on  a  new  hardness 
assumption  is  given.  This  assumption,  however,  has  a  strong  non-malleability  flavor;  as  such,  it 
provides  little  insight  into  the  question  of  whether  non-malleability  can  be  obtained  from  a  “pure” 
hardness  assumptions  (such  as  e.g.,  the  hardness  of  factoring). 

1.1  Our  results 

The  main  result  of  this  paper  is  showing  that  Turing  (i.e.,  black-box)  reductions  cannot  be  used  to 
base  the  security  of  the  above-mentioned  primitives,  on  a  general  class  of  intractability  assumption. 

More  precisely,  following  Naor  [?]  (see  also  [?,  ?,  ?,  ?,  ?]),  we  model  an  intractability  assump¬ 
tion  as  an  arbitrary  game  between  a  (potentially)  unbounded  challenger  C,  and  an  attacker  A. 
The  attacker  A  is  said  to  break  the  challenger  C  with  respect  to  the  threshold  t  if  it  can  make  C 
output  1  with  probability  non-negligibly  higher  than  the  threshold  t.  An  intractability  assumption 
is  defined  as  a  pair  (C,  t )  where  C  is  a  challenger  and  t  is  a  threshold.  All  traditional  cryptographic 
hardness  assumptions  (e.g.,  the  hardness  of  factoring,  the  hardness  of  the  discrete  logarithm  prob¬ 
lem,  the  decisional  DifRe- Heilman  problem  etc.)  can  be  modeled  as  2-round  challengers  C  with  the 
threshold  t  being  either  0  (in  case  of  the  factoring  or  discrete  logarithm  problems)  or  1/2  (in  case 
of  the  decisional  Diffie-Hellman  problem).4  In  all  these  examples,  C  is  polynomial-time;  Naor  [?] 
and  Gentry  and  Wichs  [?]  refer  to  such  assumptions  as  “falsifiable” .  For  generality,  we  (following 
[?])  refer  to  these  as  “efficient-challenger”  assumptions.  More  generally,  we  refer  to  an  assumption 
where  the  challenger  can  be  implemented  in  time  (resp.  circuit  size)  T(-)  as  a  “T(-)-time  (resp. 
size)  challenger  assumption”  Note  that  some  “esoteric”  assumptions  such  as  the  “one-more  dis¬ 
crete  logarithm  assumption”  [?,  ?],  or  “adaptive  one-way  functions”  [?],  are  not  efficient-challenger 
assumptions,  but  they  are  exponential-time  challenger  assumptions. 

Our  first  result  rules  out  basing  statistical  (and  thus  also  perfect)  NIZK  with  adaptive  soundness 
on  efficient-challenger  (a.k.a  falsifiable)  assumptions. 

Theorem  1  (Informally  stated).  Assume  the  existence  of  (non-uniformly  hard)  one-way  func¬ 
tions.  Then  there  exists  an  AfV -language  L  such  that  the  following  holds.  Let  H  be  a  statistical 
non-interactive  adaptively  zero-knowledge  argument  for  L,  and  let  ( C ,  t )  be  an  efficient  challenger 
assumption.  Assume  there  exists  a  polynomial-time  (resp.  polynomial-size)  Turing  reduction  R 
such  that  Ra  breaks  the  C  w.r.t.  the  threshold  t  for  every  A  that  breaks  adaptive  soundness  of  n. 
Then  C  can  be  broken  in  polynomial-time  (resp.  by  a  polynomial- size  circuit)  with  respect  to  the 
threshold  t. 

We  also  show  that  if  we  additionally  assume  the  existence  of  sub-exponential  one-way  functions, 
and  consider  constructions  of  NIZK  for  proving  any  polynomial-length  (in  the  security  parameter) 
statement  in  MV  based  on  a  particular  exponential-time  challenger  assumption  (C,t),  then  the 
assumption  can  already  be  broken  in  polynomial  time. 

Moving  on  to  non-interactive  non-malleable  commitments,  we  show  that  if  non-malleability  of 
a  non-interactive,  or  two  message,  commitment  scheme  n  can  be  based  on  a  efficient-challenger 
(resp.  T(-)-size)  challenger  assumption  (C,t)  using  a  polynomial-time  (resp.  T(-)-sized)  security 
reduction,  then  C  can  be  broken  in  polynomial-time  (resp.  by  a  poly(T(-))-sized  circuit). 

4For  instance,  for  the  case  of  factoring,  the  challenger  C  picks  two  random  fc-bit  primes  p,  q,  and  outputs  N  =  pq; 
the  attacker  A  sends  back  a  number  p'  and  C  finally  outputs  1  iff  p'  £  {p,  q}. 
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Theorem  2  (Informally  stated).  Let  U  be  a  two-message  commitment  scheme,  and  let  ( C,t )  be 
an  efficient- challenger  ( resp .  T(-)-size)  assumption.  Assume  there  exists  a  polynomial-time  (resp. 
T(-)-size)  Turing  reduction  R  such  that  RA  breaks  C  w.r.t.  the  threshold  t  for  every  A  that  breaks 
non-malleability  of  II.  Then  C  can  be  broken  in  polynomial-time  (resp.  by  a  poly (T(-))-sized  circuit) 
with  respect  to  the  threshold  t. 

We  emphasize  that  for  all  the  above-mentioned  results,  the  construction  of  the  protocols  II  need 
not  make  use  of  the  underlying  assumption  in  a  black-box  way;  the  only  restriction  we  impose  is 
that  the  security  reduction  (establishing  the  security  of  II)  is  a  Turing  (i.e.,  black-box)  reduction. 

Why  these  primitives?  On  a  very  high-level,  non-interactive  statistical  NIZK  and  non-interactive 
non-malleable  commitments  share  three  properties  that  enable  our  unprovability  results:  1)  they 
are  both  “non-interactive”  primitives,  and  2)  whether  the  primitives  get  broken  cannot  be  veri¬ 
fied  efficiently,  and  3)  they  both  have  a  zero-knowledge  flavor  (explicitly  in  the  case  of  NIZK,  and 
implicitly  for  the  case  of  commitments).  These  are  exactly  the  properties  that  we  need  for  our  un¬ 
provability  results5,  and  consequently  both  unprovability  results  have  significant  overlaps  in  terms 
of  the  techniques  employed. 

Dealing  with  “Slightly”  Non-black-box  Security  Reductions  In  this  work  we  focus  on 
ruling  out  security  reductions  that  only  use  the  attacker  in  a  black-box  way.  In  particular,  the 
security  reduction,  although  it  may  be  a  non-uniform  algorithm,  may  not  get  any  non-uniform 
advice  about  the  attacker  (more  precisely,  if  it  is  a  non-uniform  algorithm,  the  same  non-uniform 
advice  should  work  for  every  attacker).  In  contrast,  some  quite  commonly  used  proof  techniques 
in  cryptography  rely  on  the  reduction  receiving  a  non-unform  advice  string  that  depends  on  the 
attacker — this  may  be  viewed  as  a  slightly  non-black-box  use  of  the  attacker.  We  mention  that  a 
recent  work  by  Chung,  Lin,  Mahmoody  and  Pass  [?]  provides  techniques  for  extending  certain  types 
of  separation  results  for  the  black-box  setting  to  deal  also  with  reductions  receiving  non-uniform 
advice  about  the  attacker.  These  techniques  readily  apply  to  our  results,  which  thus  also  extend 
to  rule  out  such  “slightly  non-black-box”  security  reductions. 

A  Taxonomy  of  Intractability  Assumption  As  an  independent  contribution,  we  slightly 
generalize  the  notion  of  an  intractability  assumption  from  [?]  (see  also  [?,  ?,  ?,  ?,  ?])  and  provide  a 
natural  taxonomy  of  intractability  assumptions  based  on  1)  the  security  threshold ,  2)  the  number  of 
communication  rounds  in  the  security  game,  3)  the  computational  complexity  of  the  game  challenger, 
4)  the  communication  complexity  of  the  challenger,  and  5)  the  computational  complexity  of  the 
security  reduction.  Our  results,  combined  with  [?,  ?],  demonstrate  several  natural  primitives  that 
may  be  (trivially)  based  on  an  assumption  of  a  certain  type  (e.g.,  the  soundness  condition  of  a 
perfect  NIZK  can  trivially  be  viewed  as  a  bounded-round  assumption),  but  cannot  be  based  on 
a  different  type  of  assumption  (e.g.,  an  assumption  where  the  challenger  is  efficient).  Our  results 
focus  on  understanding  limitations  in  terms  of  items  1,  2,  3  and  5;  we  leave  open  an  exploration  of 
item  4,  i.e.,  the  communication  complexity  of  the  challenger.  More  generally,  we  are  optimistic  that 
cryptographic  tasks  may  be  classified  in  this  taxonomy,  based  on  whether  they  can  be  achieved — 
even  using  a  non-black-box  construction — based  on  a  class  of  assumptions  in  this  taxonomy,  but 
not  on  another. 

5But  our  results  do  not  apply  to  all  primitives  satisfying  these  properties;  for  instance,  computational  NIZK  also 
satisfies  them. 
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A  Note  on  Random  Oracles  Let  us  point  out  that  in  the  Random  Oracle  model  [?],  both 
of  the  above-mentioned  primitives  are  easy  to  construct.  Perfect  NIZK  were  constructed  in  [?] 
(by  relying  on  the  “Fiat-Shamir  heuristic”  [?]  which  is  sound  in  this  model)  and  non-interactive 
non-malleable  commitments  in  [?].  Indeed,  many  practical  protocols  rely  on  the  assumption  that 
a  “good”  hash  function  behaves  like  a  non-interactive  non-malleable  commitment,  and  on  non¬ 
interactive  zero- knowledge  arguments  constructed  by  applying  the  “Fiat-Shamir  heuristic”  [?]  to 
a  three-message  perfect  zero-knowledge  protocol.  Our  results  show  that  such  commonly  used  sub¬ 
protocols  cannot  be  proven  secure  based  on  standard  hardness  assumptions.  Note  that  these  results 
are  incomparable  to  those  of  e.g.,  [?,  ?]  on  the  “uninstantiability  of  random  oracles”:  the  results 
of  [?,  ?]  are  stronger  in  the  sense  that  any  instantiation  of  their  scheme  with  a  concrete  function 
can  actually  be  broken ,  whereas  we  just  show  that  the  instantiated  scheme  cannot  be  proven  secure 
using  a  Turing  reduction  based  on  standard  assumptions.  On  the  other  hand,  the  separations  of 
[?,  ?]  consider  “artificial  protocols”,  whereas  the  protocols  we  consider  are  natural  (and  commonly 
used  in  practice). 

1.2  Related  Separation  Results 

There  is  a  large  literature  on  separation  results  between  cryptographic  primitives  and/or  assump¬ 
tions.  We  distinguish  between  two  types  of  results. 

Separations  for  fully  black-box  constructions  The  seminal  work  of  Impagliazzo  and  Rudich 
[?]  provides  a  framework  for  proving  black-box  separations  between  cryptographic  primitives.  We 
stress  that  this  framework  considers  so-called  “fully-black-box  constructions”  (see  [?]  for  a  taxonomy 
of  various  black-box  separations);  that  is,  the  framework  considers  both  black-box  constructions 
(i.e.,  the  higher- level  primitive  only  uses  the  underlying  primitive  as  a  black-box),  and  black-box 
reductions. 

Separations  for  black-box  reductions  In  recent  years,  new  types  of  black-box  separations 
have  emerged.  These  types  of  separation  apply  even  to  non-black-box  constructions,  but  still  only 
rule  out  black-box  proofs  of  security:  Pass  [?]  and  Pass,  Tseng  and  Venkitasubramaniam  [?]  (re¬ 
lying  on  the  works  of  Brassard  [?]  and  Akavia  et  al  [?],  demonstrating  limitations  of  “NP-hard 
Cryptography”6)  demonstrate  that  under  certain  (new)  complexity  theoretic  assumptions,  various 
cryptographic  task  cannot  be  based  on  one-way  functions  using  a  black-box  security  reduction,  even 
if  the  protocol  uses  the  one-way  function  in  a  non-black-box  way.  Very  recently,  two  independent 
works  demonstrate  similar  types  of  separation  bounds,  but  this  time  ruling  our  security  reductions 
to  a  general  set  of  intractability  assumptions:  Pass  [?]  demonstrates  impossibility  of  using  black¬ 
box  reductions  to  prove  the  security  of  several  primitives  (e.g.,  Schnorr’s  identification  scheme, 
commitment  scheme  secure  under  weak  notions  of  selective  opening,  Chaurn  Blind  signatures,  etc) 
based  on  any  “bounded-round”  intractability  assumption  (where  the  challenger  uses  an  a-priori 
bounded  number  of  rounds,  but  is  otherwise  unbounded).  Gentry  and  Wichs  [?]  demonstrate  (as¬ 
suming  the  existence  of  strong  pseudorandom  generators)  impossibility  of  using  black-box  security 
reductions  to  prove  soundness  of  “succinct  non-interactive  arguments”  based  on  any  “falsifiable” 
assumption  (where  the  challenger  is  computationally  bounded).  Both  of  the  above-mentioned  work 
fall  into  the  ”  meta-reduction”  paradigm  of  Boneh  and  Venkatesan  [?],  which  was  earlier  used  to 

6See  also  the  results  of  Feigenbaum  and  Fortnow  [?]  and  the  result  of  Bogdanov  and  Trevisan  [?]  that  demonstrate 
limitations  of  NP-hard  cryptography  for  restricted  types  of  reductions. 
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prove  separations  for  restricted  types  of  reductions  (see  e.g.,  [?,  ?,  ?,  ?]).'  Our  separation  results 
are  in  the  vein  of  these  two  works,  and  follows  some  of  their  techniques. 

1.3  Proof  Overview:  Ruling  out  Perfect  NIZK  with  Adaptive  Inputs 

Following  in  an  overview  of  the  proof  of  Theorem  1.  Assume  there  exists  a  perfect  NIZK  (P.  V )  for 
a  hard-on-the  average  language  L;  for  simplicity,  let  us  further  assume  that  there  exists  efficient 
algorithms  SarriL ,  Sami  such  that  a)  with  overwhelming  probability,  SamL  (resp  Sami )  sample 
elements  i£ln  {0,  l}n  (resp  x  6  L  n  { 0,  l}n),  and  b)  elements  sampled  by  SamL  and  Sami  are 
indistinguishable.  Such  an  L  exists  based  on  the  existence  of  one-way  functions,  which  exists  by 
hypothesis. 

For  simplicity,  in  this  proof  overview  we  focus  on  the  case  when  the  reference  string  is  uniformly 
random  (i.e.,  we  consider  only  NIZK  in  the  so-called  Uniform  Reference  String  (URS)  Model). 
Assume,  further,  that  there  exists  a  Turing  reduction  R  such  that  RA  breaks  the  assumption  C 
(with  respect  to  some  thresholds  t)  whenever  A  breaks  adaptive  soundness  of  ( P ,  V).  Following  the 
“meta-reduction”  paradigm  by  Boneh  and  Venkatesan  [?]  (which  is  used  in  both  [?]  and  [?],  and 
also  [?]),  we  want  to  use  R  to  directly  break  C. 

More  precisely  (just  as  in  [?,  ?])  we  exhibit  a  particular  attacker  A  to  the  adaptive  soundness  of 
( P ,  V )  and  next  show  how  to  “emulate”  this  attacker  for  R  without  disturbing  R7 s  interaction  with 
C.  Whereas  in  [?]  the  emulation  was  statistically  close  (and  thus  the  separation  could  be  applied 
also  to  unbounded  challengers),  in  [?]  the  emulation  was  only  computationally  indistinguishable , 
but  this  still  suffices  for  convincing  C  as  long  as  C  is  computationally  efficient.  We  here  follow  the 
approach  of  [?]. 

Let  us  turn  to  describing  our  attacker  A,  and  next  explain  how  to  emulate  it.  Given  a  CRS  p,  A 
first  attempts  to  recover  the  random  coins  r  used  by  the  simulator  S  when  outputting  the  CRS  p; 
since  the  simulation  is  perfect,  such  a  string  r  exists  (but  finding  r  might  require  super-polynomial 
time  and  so  A  is  not  necessarily  polynomial-time).  (Recall  that  since  we  are  dealing  with  adaptive 
zero-knowledge,  the  zero-knowledge  simulator  needs  to  output  a  reference  string  p  before  knowing 
what  statement  it  needs  to  simulate  a  proof  of.)  Next,  A  samples  a  false  instance  x  ^  L  that  is 
indistinguishable  from  a  true  instance  (by  hypothesis,  this  can  be  done  efficiently).8  Finally,  it  runs 
the  simulator  S  on  the  random  coins  r  to  generate  p,  and  next  feeds  it  the  instance  x,  and  lets  it 
denote  the  proof  output  by  S  (again  this  final  step  is  efficient). 

Let  us  argue  that  the  proof  it  of  x  is  accepted  by  V (p).  Towards  this,  consider  a  hybrid  attacker 
A!  that  performs  exactly  the  same  steps  as  A,  but  instead  samples  a  true  instance  x  G  L.  It  follows 
from  the  ZK  property  (combined  with  the  completeness  property)  that  V  accepts  the  proofs  output 
by  A! .  Now,  intuitively,  it  should  follow  from  the  hard-on-the-average  property  of  L  that  V  also 
accepts  the  proofs  output  by  A.  But  there  is  a  problem:  recall  that  A  is  not  (necessarily)  efficient. 
However,  since  it  is  only  the  first  step  of  A  that  is  inefficient,  we  can  fix  the  random  string  r 
non-uniformly  and  still  use  the  remaining  steps  of  A  and  the  efficient  verifier  V  to  contradict  the 
hard-on-average  property  of  L,  as  long  as  we  assume  that  L  is  hard-on-average  for  non-uniform 
polynomial-time.  Note  that  we  here  rely  on  the  fact  that  A  is  allowed  to  choose  the  statement  x 
after  having  seen  the  reference  string  p  (i.e.,  we  rely  on  A  breaking  adaptive  soundness) — this  is 
what  allows  us  to  non-uniformly  choose  r  as  a  function  of  p,  before  sampling  x  €  L. 

7For  instance,  these  separations  results  restrict  to  “algebraic”  reductions,  or  reductions  that  run  the  attacker  in  a 
“straigth-line”  fashion. 

8The  careful  reader  may  notice  that  A  actually  does  not  choose  the  statement  x  adaptively.  The  fact  that  the 
reduction  needs  to  work  for  attackers  A  that  may  choose  the  statement  adaptively,  and  as  a  consequence  must  output 
the  reference  string  p  before  A  gets  to  pick  the  statement,  suffices  for  us. 
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Now  given  this  breaker  A.  let  us  see  an  efficient  attacker  A  that  is  computationally  indistin¬ 
guishable  from  A.  On  inputs  a  URS  p,  A(p)  simply  picks  a  random  true  statement  x  together 
with  a  witness  w,  and  next  runs  the  honest  prover  strategy  P(p,  x,  w)  to  produce  a  proof  n  (this 
strategy  is  similar  to  the  one  used  in  [?]).  It  follows  by  the  ZK  property  that  the  output  of  C  when 
communicating  with  A  and  A!  are  indistinguishable,  and  we  can  then  apply  a  similar  argument  as 
above  (but  more  complicated)  to  argue  that  the  output  of  C  when  communicating  with  A'  and  A 
are  indistinguishable,  and  thus  RA  breaks  C  with  roughly  the  same  probability  as  RA  does. 

Generalizing  Theorem  1  to  Exponential-time  Challenger  Assumptions  In  case  the  running¬ 
time  of  the  challenger  C  is  super-polynomial  in  the  security  parameter  k,  the  above  approach  seem¬ 
ingly  fails:  the  fact  that  A  generates  computationally  indistinguishable  messages  does  not  suffice  to 
argue  that  C  still  accepts  in  the  interaction  with  RA.  However,  if  we  assume  that  the  language  L  is 
hard-on-the-average  for  non-uniform  subexponential  time,  then  the  above  approach  still  works,  as 
long  as  C  is  subexponential  time;  in  fact,  it  rules  out  also  subexponential-time  reductions.  To  deal 
with  also  exponential-time  challenger  assumptions,  we  proceed  as  follows.  If  the  same  assumption 
C  can  be  used  to  prove  any  statement  in  MV  of  length  polynomial  in  the  security  parameter,  then 
if  the  language  L  is  hard-on-the-average  for  non-uniform  sub-exponential  time,  it  suffices  to  pick 
statements  x  that  are  sufficiently  long  (but  still  of  polynomial  length)  to  ensure  that  A  generates 
messages  that  are  indistinguishable  from  those  sent  by  A,  even  by  C. 

1.4  Proof  Overview:  Ruling  out  Non-interactive  Non-malleable  Commitments 

Following  is  an  overview  of  the  proof  of  Theorem  2.  Assume  there  exists  a  non-interactive  commit¬ 
ment  scheme  R  for  simplicity  of  exposition  we  here  focus  only  on  non-interactive,  as  opposed  to 
two-message,  commitments.  Assume,  further,  that  there  exists  a  Turing  reduction  R  such  that  RA 
breaks  the  assumption  C  (with  respect  to  some  thresholds  t)  whenever  A  breaks  non-malleability  of 
n.  Recall  that  an  attacker  A  that  breaks  non-malleability  of  n  participates  in  two  interactions — one 
on  the  “left”  acting  as  a  receiver,  and  one  on  the  “right”  acting  as  a  committer.  To  be  successful 
A  needs  to  choose  a  different  identity  for  the  left  and  right  interactions,  and  must  commit  to  a 
value  v  which  is  related  to  the  value  v  it  receives  a  commitment  to  on  the  left.  Consider  a  strong 
attacker  A  that  chooses  identity  0  on  the  left,  and  identity  1  on  the  right,  and  upon  receiving  a 
commitment  c  recovers  (using  brute  force)  the  unique  value  v  that  c  is  a  commitment  to  (if  the 
value  is  not  unique  v  is  set  to  _L),  and  next  honestly  commits  to  v  on  the  right.  Clearly  A  breaks 
non-malleability  of  R  and  thus  RA  also  breaks  C  w.r.t.  t. 

Let  us  now  see  how  to  efficiently  “emulate”  A.  We  simply  consider  a  “trivial”  adversary  A 
that  picks  identity  0  on  the  left  and  1  on  the  right  (just  as  A),  but  instead  of  trying  to  commit  to 
v  on  the  right,  it  simply  commits  to  0  on  the  right.  Now,  intuitively,  if  the  reduction  R  and  the 
challenger  C  are  polynomial-time,  then  it  should  follow  by  the  hiding  property  of  n  that  RA  still 
breaks  C  (w.r.t.  t).  Note,  however,  that  R  may  be  asking  its  oracle  to  break  non-malleability  of 
multiple  commitments  (rather  than  a  single  one  as  we  implicitly  assumed  above),  and  since  A  is  not 
efficiently  computable,  we  need  to  be  a  bit  careful  when  doing  the  hybrid  argument.  Nevertheless, 
using  a  careful  ordering  of  the  hybrids,  relying  on  the  non-uniform  security  of  n  (more  precisely, 
that  n  is  hiding  w.r.t.  non-uniform  PPT  algorithms)  we  can  show  that  RA  still  breaks  C  (w.r.t. 
t). 

Note  that  the  above  proof  idea  applies  to  a  very  weak  notion  of  “one-sided”  non-malleability, 
where  the  attacker  always  uses  identity  0  on  the  left  and  identity  1  on  the  right;  Liskov  et  al  [?] 
call  commitments  satisfying  this  weak  notion  of  non-malleability,  mutually  independent.  Interest- 
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ingly,  [?]  shows  a  construction  of  a  mutually  independent  commitment  based  on  the  existence  of 
subexponentially-hard  one-way  permutations.  The  idea  (a.k.a.  “complexity-leveraging”  [?])  is  sim¬ 
ple:  Let  Como  be  a  commitment  scheme  that  is  hiding  for  subexponential  time,  and  let  Com\  be  a 
(polynomial-time)  secure  commitment  scheme  whose  hiding  property  can  be  fully  broken  (i.e.,  the 
commited  value  can  be  recovered)  in  subexponential  time.  A  committer  with  identity  b  £  {0, 1} 
shall  use  Comb •  Now,  if  a  MIM  upon  receiving  a  commitment  of  v  using  Como  is  able  to  output 
a  commitment  to  a  related  value  v  using  Com\ ,  then  we  can  violate  the  hiding  of  Como  by  simply 
breaking  Com\  by  brute-force.  This  security  reduction,  however,  is  super-polynomial  (subexponen¬ 
tial)  time.  A  natural  question  is  whether  subexponential  time/size  reductions  may  be  helpful  for 
constructing  “full-fledged”  (as  opposed  to  one-sided)  non-interactive  commitments.9  We  proceed  to 
rule  out  such  reductions  (or  rather  to  show  that  if  there  exists  such  a  reduction,  then  the  reduction 
itself  must  already  break  the  assumption). 

Consider  a  T(k)- sized  reduction  R,  where  T{k )  is  super-polynomial,  for  basing  non-malleability 
on  an  efficient  challenger  assumption  C10,  and  consider  the  algorithms  A  and  A  described  above. 
Note  that  if  R  has  super-polynomial  size,  we  have  no  guarantees  that  RA  breaks  C  even  when  RA 
does;  indeed,  since  hiding  of  II  is  only  required  to  hold  for  polynomial-sized  algorithms,  RA,s  success 
probability  may  be  very  different  from  RA,s  success  probability.  But,  in  this  case,  intuitively,  R 
itself  must  be  able  to  break  the  hiding  of  commitments  using  identity  1  (recall  that  A  and  A  use 
identity  1  on  the  right). 

So,  very  roughly,  if  RA  does  not  already  convince  C,  we  can  use  R  (in  conjunction  with  C )  to 
obtain  a  circuit  D  that  distinguishes,  say,  commitments  to  0k  and  lk  using  identity  l.11  We  may 
then  use  D  to  construct  a  man-in-the-middle  attacker  A1  that  chooses  identity  1  on  the  left  and  0  on 
the  right  (as  opposed  to  0  on  the  left  and  1  on  the  right,  as  A  and  A  did)  to  break  non-malleability 
of  II,  and  finally  use  R  combined  with  A '  to  directly  break  C.  So,  summarizing,  either  RA  works, 
or  else,  we  use  R  in  order  to  construct  an  MIM  A1  that  breaks  non-malleability,  and  then  use  RA 
to  convince  C — in  essence,  we  use  R  “on  itself”  to  convince  C. 

1.5  Overview  of  the  Paper 

We  provide  some  preliminaries  and  standard  definitions  in  Section  2.  We  provide  definitions  of 
intractability  assumptions  and  black-box  reductions  in  Section  3;  this  section  also  contains  our 
taxonomy  of  intractability  assumptions.  We  formally  state  and  prove  our  results  about  NIZK  in 
Section  4.  We  formally  state  and  prove  our  results  about  non- malleable  commitments  in  Section  5. 

2  Preliminaries 

2.1  Notation 

Integer,  Strings  and  Vectors.  We  denote  by  N  the  set  of  natural  numbers.  Unless  otherwise 
specified,  when  given  as  an  input  to  an  algorithm,  a  natural  number  is  presented  in  its  binary 

9Indeed,  [?]  rely  on  intuitions  similar  to  those  from  mutually  independent  commitments  to  construct  a  “full- 
fledged”  non-malleable  commitment,  but  this  construction  requires  multiple  communication  rounds. 

10The  assumption  that  C  is  an  efficient  challenger  is  only  made  here  to  simplify  exposition;  our  actual  proof  also 
works  when  C  is  T(k)- sized. 

nAs  in  the  previous  proof,  to  obtain  a  machine  that  breaks  the  hiding  of  the  commitment,  we  need  to  rely  a 
polynomial-length  non-uniform  advice  to  deal  with  the  above-mentioned  inefficiency  issue  in  the  hybrid  argument; 
this  is  why  we  work  with  circuits  here. 
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expansion  (with  no  leading  Os).  For  n  £  N,  we  denote  by  ln  the  unary  expansion  of  n  (i.e.,  the 
concatenation  of  n  l’s). 

Probabilistic  notation.  We  employ  the  following  probabilistic  notation  from  [?].  We  focus  on 
probability  distributions  X  :  S  — >  R+  over  finite  sets  S. 

Probabilistic  assignments.  If  D  is  a  probability  distribution  then  “x  D”  denotes  the  elementary 
procedure  consisting  of  choosing  an  element  x  at  random  according  to  D  and  returning  x.  If 
I7  is  a  finite  set,  then  the  notation  “x  F ”  denotes  the  act  of  choosing  x  uniformly  from  F. 

Probabilistic  experiments.  Let  p  be  a  predicate  and  D\ .  D2,  ■  ■  ■  probability  distributions,  then  the 
notation  Pr  \x\  D\\  X2  <—  Dy  ■  ■  ■  :  p(x i,X2,  ■  ■  •)]  denotes  the  probability  that  p{x i,X2,  ■  ■  •) 

will  be  true  after  the  ordered  execution  of  the  probabilistic  assignments  x\  Dy  X2  <— 
Dy  ... 

New  probability  distributions.  If  D 1,  D2,  ...  are  probability  distributions,  the  notation  {x  «— 
Dy y  •(—  Dy  •  •  •  :  (x,  y,  ■  ■  ■ )}  denotes  the  new  probability  distribution  over  {(x,  y,-  ■  gen¬ 
erated  by  the  ordered  execution  of  the  probabilistic  assignments  x  <—  D\,  y  D2,  ■  ■  ■  ■ 

Probability  ensembles.  A  probability  ensemble  is  an  infinite  sequence  of  random  variables  X  = 
{Xn}n£]y.  We  will  consider  ensembles  of  the  form  X  =  {Xn}n£N  where  Xn  ranges  over 
strings  of  length  p(k),  for  some  fixed,  positive  polynomial  p. 

In  order  to  simplify  notation,  we  sometimes  abuse  of  notation  and  employ  the  following  “short¬ 
cut”  :  Given  a  probability  distribution  X,  we  let  X  denote  the  random  variable  obtained  by  selecting 
x  i —  X  and  outputting  x. 

Algorithms.  We  employ  the  following  notation  for  algorithms. 

Probabilistic  algorithms.  By  a  probabilistic  algorithm  we  mean  a  Turing  machine  that  receives  an 
auxiliary  random  tape  as  input.  If  M  is  a  probabilistic  algorithm,  then  for  any  input  x,  the 
notation  “Mr(x)”  denotes  the  output  of  the  M  on  input  x  when  receiving  r  as  random  tape. 
We  let  the  notation  “M(x)”  denote  the  probability  distribution  over  the  outputs  of  M  on 
input  x  where  each  bit  of  the  random  tape  r  is  selected  at  random  and  independently,  and 
then  outputting  Mr(x). 

Oracle  algorithms.  An  oracle  algorithm  is  a  machine  that  gets  oracle  access  to  another  machine. 
Given  a  probabilistic  oracle  algorithm  M  and  a  probabilistic  algorithm  A,  we  let  MA(x) 
denote  the  probability  distribution  over  the  outputs  of  the  oracle  algorithm  M  on  input  x, 
when  given  oracle  access  to  A.  We  emphasize  that  if  the  algorithm  A  is  probabilistic,  M  does 
not  get  to  control  the  randomness  of  A,  and  each  time  A  is  invoked  fresh  randomness  is  used 
by  A.  The  fact  that  we  do  not  allow  black-box  reductions  to  control  the  randomness  of  the 
oracle  they  communicate  with  may  seem  restrictive.  As  we  shall  see  later  on,  however,  our 
result  apply  even  if  we  consider  reductions  that  work  only  for  deterministic  attackers  using  a 
technique  from  Goldreich  and  Krawczyk  [?];  see  Remark  2  for  more  details. 

Negligible  functions.  The  term  “negligible”  is  used  for  denoting  functions  that  are  asymp¬ 
totically  smaller  than  the  inverse  of  any  fixed  polynomial.  More  precisely,  a  function  v{-)  from 
non-negative  integers  to  reals  is  called  negligible  if  for  every  constant  c  >  0  and  all  sufficiently  large 
k,  it  holds  that  v(k)  <  k~c. 
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Subexponential  Function.  We  say  that  a  function  /(•)  is  subexponential  if  there  exists  some 
constant  c  <  1  such  that  for  all  sufficiently  large  k,  it  holds  that  f(k)  <  2k° . 

2.2  Indistinguishability 

The  following  definition  of  (computational)  indistinguishability  originates  in  the  seminal  paper  of 
Goldwasser  and  Micali  [?]. 

Let  X  be  a  countable  set  of  strings.  A  probability  ensemble  indexed  by  X  is  a  sequence  of  random 
variables  indexed  by  X.  Namely,  any  element  of  A  =  {Ax}x^x  is  a  random  variable  indexed  by  X. 

Definition  1  (Indistinguishability).  Let  X  C  {0,1}*.  Two  ensembles  {An:X}n&x,xex  and  {Bn:X}ne n,x£X 
are  said  to  be  computationally  indistinguishable,  if  for  every  probabilistic  machine  D  (the  “distin- 
guisher”)  whose  running  time  is  polynomial  in  its  first  input,  there  exists  a  negligible  function  n(-) 
so  that  for  every  n  £  N,x  £  X : 


|Pr  [D(n,  x ,  An,x)  =  1]  -  Pr  [D(n,  x,  BUtX)  =  1]  |  <  u{k) 

In  the  above  expression,  D  is  simply  given  a  sample  from  Ax<y  and  Bx>y,  respectively.  {An^x}n£x, x&x 
and  {BntX}n£x,x£X  are  said  to  be  statistically  indistinguishable  over  X  if  the  above  condition  holds 
for  all  (possibly  computationally  unbounded)  machines  D. 

2.3  Witness  Relations 

We  recall  the  standard  definition  of  a  witness  relation  for  an  MV  language. 

Definition  2  (Witness  relation).  A  witness  relation  for  a  language  L  £  MV  is  a  binary  relation 
Rl  that  is  polynomially  bounded,  polynomial  time  recognizable  and  characterizes  L  by  L  =  {x  : 
3w  s.t.  (x,  w)  £  Rl}- 

We  say  that  w  is  a  witness  for  the  membership  x  £  L  if  (x,w)  £  Rl-  We  will  also  let  Rl(x) 
denote  the  set  of  witnesses  for  the  membership  x  £  L,  i.e.,  Rl(x)  =  {w  :  (x,w)  £  L}. 

3  Intractability  Assumptions  and  Black-box  Reductions 

Our  definition  of  an  intractability  assumption  closely  follows  [?].  Following  Naor  [?]  (see  also 
[?,  ?,  ?]),  we  model  an  intractability  assumption  as  an  interaction  (or  game)  between  a  probabilistic 
machine  C — called  the  challenger — and  an  attacker  A.  Both  parties  get  as  input  lk  where  k  is  the 
security  parameter.  Any  such  challenger  C,  together  with  a  threshold  function  t(-)  intuitively 
corresponds  to  the  assumption: 

For  every  polynomial-time  adversary  A,  there  exists  a  negligible  function  p  such  that 
for  all  k  £  N,  the  probability  that  C  outputs  1  after  interacting  with  A  is  bounded  by 
t(k )  +  p(k). 

Hence,  we  say  that  A  breaks  C  w.r.tt  with  probability  p  on  common  input  1 k  if  Pr  [(A,  C)(lk)  =  l]  > 
t(k)  +p. 

If  the  challenger  C  is  polynomial-time  in  the  length  of  the  messages  it  receives,  we  say  that 
the  assumption  is  efficient  challenger;  such  assumptions  are  referred  to  as  falsifiable  assumptions 
by  Naor  [?]  and  Gentry  and  Wichs  [?].  More  generally,  we  refer  to  an  assumption  as  having  a 
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T(-,-)-time  (resp.  size)  challenger  if  C  can  be  implemented  in  time  (resp.  size)  T(k,£)  on  input 
the  security  parameter  lk,  and  when  receiving  messages  of  length  l.  Hence,  (C,t)  is  an  efficient 
challenger  assumption  if  C  is  a  T(-,  ^-assumption  where  T(k,£ )  is  polynomial  in  both  k  and  £.  For 
simplicity,  we  here  consider  either  poly(&,  £)-time  (or  size)  challengers,  or  T(k,£ )  =  T(k)- time  (or 
size)  challengers,  where  the  running-time  of  the  challenger  is  bounded  only  as  a  function  of  the 
security  parameter. 

A  Taxonomy  of  Intractability  Assumption  We  can  easily  model  all  “traditional”  crypto¬ 
graphic  assumptions  as  efficient  challengers  C  and  a  threshold  t.  For  instance,  the  assumption  that 
a  particular  function  /  is  (strongly)  one-way  corresponds  to  the  threshold  t(k)  =  0  and  the  2-round 
challenger  C  that  on  input  lk  pick  a  random  input  x  of  length  k,  sends  f(x)  to  the  attacker,  and 
finally  outputs  1  iff  the  attacker  returns  an  inverse  to  f(x).  Indistinguishability  assumptions  (such 
as,  e.g.,  the  decisional  Diffie- Heilman  problem,  or  the  assumption  that  a  particular  function  g  is  a 
pseudorandom  generator)  can  also  easily  be  modelled  as  2-round  challengers  but  now  we  have  the 
threshold  t(k)  =  1/2.  More  esoteric  assumptions  such  as  the  “one-more  discrete  logarithm  assump¬ 
tion”  [?,  ?],  or  “adaptive  one-way  functions”  [?],  are  not  efficient-challenger  assumptions:  for  these 
notions  of  one-way  functions,  the  attacker  gets  (some  restricted)  access  to  an  inversion  oracle  that 
cannot  be  implemented  in  polynomial-time  (or  else  the  function  could  not  be  one-way)  ;  however, 
these  assuption  can  be  modeled  as  exponential-time  challenger  assumptions  (the  challenger  can  now 
implement  the  oracle  for  the  attacker). 

We  may  also  consider  other  restricted  types  of  intractability  assumptions.  For  instance,  [?]  con¬ 
siders  challengers  C  that  are  computationally  unbounded,  but  for  which  there  exists  a  polynomial 
upper  bound  (in  the  terms  of  the  security  parameter  k )  on  the  number  of  communications  rounds 
by  C;  we  refer  to  these  assumptions  as  bounded-round  intractability  assumptions.  Another  interest¬ 
ing  class  of  assumptions  is  obtained  by  further  restricting  the  communication  complexity  of  C ;  for 
instance,  we  may  require  that  there  is  a  polynomial  bound  (again  in  terms  of  the  security  parameter 
k)  on  the  communication  complexity  of  C;  we  refer  to  these  assumptions  as  bounded- communication 
intractability  assumption. 

Finally,  let  us  note  that  our  notion  of  an  assumption  (C.  t )  does  not  talk  about  the  complexity 
of  the  attacker  A  that  attempts  to  break  the  assumption.  Rather,  we  simply  let  security  reduction 
used  to  based  some  primitive  P  on  the  hardness  of  (C.  t )  dictate  computational  complexity  limita¬ 
tions  on  the  attacker.  For  instance,  if  we  have  a  polynomial-time  (resp.  polynomial-size)  security 
reduction  to  an  assumption  ( C,t ),  the  security  of  P  is  based  on  the  hardness  of  breaking  (C,t) 
w.r.t.  polynomial-time  (resp.  polynomial-size)  attackers  A.  Similarly,  super-polynomial  hardness 
of  an  assumption  can  be  captured  by  allowing  super-polynomial-time  reductions  to  the  assumption. 

The  above  way  of  modeling  assumptions,  provides  an,  in  our  eyes,  natural  taxonomy  of  in¬ 
tractability  assumptions  based  on  1)  the  security  threshold  t,  2)  the  number  of  communication 
rounds  used  by  C,  3)  the  computational  complexity  of  C,  4)  the  communication  complexity  of  C, 
and  5)  the  computational  complexity  of  the  security  reduction  (specifying  whether  we  consider  e.g., 
polynomial-time  hardness  or  subexponential-time  hardness). 

Let  us  end  this  section  by  noting  that  “knowledge-extractaction”  assumptions  (similar  to  the 
“knowledge-of-exponent”  assumption  of  [?])  do  not  fit  within  our  taxonomy  of  intractability  as¬ 
sumption.  This  is  because  such  assumption  actually  are  not  intractractability  assumptions:  they 
are  tractability  assumption!  Roughly  speaking,  such  assumption  stipulate  feasibility  of  efficiently 
performing  some  particular  task  (namely  “extraction”  of  some  inputs  from  every  machine  that  wins 
some  game). 
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Classifying  Cryptographic  Tasks  As  mentioned  above,  the  assumption  that  a  particular  func¬ 
tion  is  a  one-way  function  can  be  formalized  as  a  2-round  efficient-challenger  assumption;  so  can 
the  DDH  assumption.  But  also  security  properties  of  more  elaborate  cryptographic  tasks  can  also 
be  formalized  as  intractability  assumptions  of  the  above  kind:12 

•  For  instance,  the  notion  of  “IND-CPA  security”  of  an  encryption  scheme  [?]  can  be  formalized 
as  a  4-round  efficient-challenger,  bounded-communication,  assumption  using  the  standard 
CPA  security  game.  (Recall  that  the  classic  notion  of  Chosen  Plain-text  Attack  (CPA) 
security  considers  an  attacker  that  first  receives  a  public  key,  next  picks  two  messages  m\  and 
m2,  then  receives  an  encryption  c  of  a  (a  randomly)  selected  choice  of  these  messages  mb ;  the 
attacker  wins  if  he  manages  to  guess  the  bit  h.) 

•  On  the  other  hand,  the  security  game  of  a  signature  scheme  [?]  requires  using  an  unbounded- 
round  (and  thus  also  communication)  challenger,  but  still  has  an  efficient  challenger.  (Recall 
that  the  standard  notion  of  security  for  signatures  schemes  considers  an  attacker  than  receives 
the  verification  key  for  a  signature  scheme,  and  then  gets  oracle  access  of  a  “signing”  oracle 
that  signs  any  message  of  the  attackers  choice:  the  attacker  finally  wins  the  game  if  it  manages 
to  come  up  with  a  valid  signature  on  a  “new”  message  m  on  which  it  has  not  queries  its 
signature  oracle.  To  model  this  assumption  (C,  t ),  we  simply  have  the  challenger  C  implement 
the  signing  oracle.) 

•  Also  note  that  non-malleability  of  a  two-round  commitment  and  adaptive  soundness  of  NIZKs 
can  be  formalized  as  bounded-round,  bounded-communication  assumptions,  but  they  require 
an  inefficient  challenger  (to  check  whether  the  attack  was  successful). 

We  refer  to  the  intractability  assumption  associated  with  the  (game-based)  security  definition  of 
an  instantiation  of  a  cryptographic  task  as  the  trivial  intractability  assumption  on  which  it  can 
be  based  (for  instance,  clearly,  the  security  of  a  particular  signature  scheme  can  be  based  on  the 
intractability  assumption  that  the  scheme  is  secure.)  Note,  however,  that  not  all  cryptographic 
tasks  have  even  a  trivial  intractability  assumption  on  which  they  can  be  based  (e.g.,  it  is  not  clear 
whether  the  zero-knowledge  property  of  a  protocol  can  be  formalized  as  a  game-based  security 
property) . 

Many  major  results  in  the  cryptographic  literature  demonstate  “jumps”  in  our  taxonomy:  we 
base  the  security  of  some  cryptographic  tasks  on  an  intractability  assumption  of  a  more  restrictive 
nature.  For  instance, 

•  When  we  construct  a  pseudorandom  generator  from  a  particular  one-way  permutation  [?,  ?] 
or  even  a  one-way  function  [?],  we  base  a  primitive  (the  pseudorandom  generator)  whose 
trivial  associated  intractability  has  2-rounds,  is  efficient  challenger,  and  threshold  of  1/2,  on 
an  intractability  assumption  that  is  2-round,  efficient  challenger,  but  threshold  0.13 

•  When  we  base  the  security  of  a  signature  scheme  on  one-way  functions  [?,  ?],  or  when  we 
based  pseudorandom  functions  on  one-way  functions  [?,  ?],  we  base  primitives  whose  associ¬ 
ated  trivial  intractability  assumption  are  unbounded-round,  on  a  2-round  efficient  challenger 
assumption  (with  bounded  communication). 

12Specifically,  this  refers  to  all  cryptographic  task  with  “game-based”  definition  of  security  (e.g.,  one-way  functions, 
signatures  etc),  as  opposed  to  simulation-based  definitions  of  security  (e.g.  zero-knowledge). 

13 Any  threshold  t  assumption  can  always  be  turned  into  a  threshold  t  +  6  assumption  by  having  the  challenger 
accept  with  probability  <5,  and  otherwise  proceed  as  before.  The  other  direction  is  less  clear. 
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In  contrast,  some  intractability  assumptions  may  be  unbridgable  at  least  as  far  as  black-box 
reductions  are  concerned,  ndeed,  as  mentioned  above,  the  results  of  [?,  ?]  yield  some  results  in 
this  direction,  separating  unbounded-round  and  bounded-round  assumptions  [?]  and  unbounded- 
challenger  and  efficient-challenger  assumptions  [?].  The  results  in  this  paper  further  elucidate  this 
landscape;  among  other  things,  separating  unbounded  challenger  and  exponential-time  challenger 
assumptions,  and  exponential-time  and  efficient-challenger  assumptions. 

Black-box  Reductions  We  consider  probabilistic  polynomial  time  Turing  reductions-  i.e. ,  black¬ 
box  reductions.  A  black-box  reduction  refers  to  a  probabilistic  polynomial-time  oracle  algorithm. 
Roughly  speaking,  a  black-box  reduction  for  basing  the  security  of  a  primitive  P  on  the  hardness 
of  an  assumption  C,  is  a  probabilistic  polynomial-time  oracle  machine  R  such  that  whenever  the 
oracle  O  “breaks”  P  with  respect  to  the  security  parameter  k,  then  R°  “breaks”  C  with  respect  to 
a  polynomially-related  security  parameter  k!  such  that  k!  can  be  efficiently  computed  given  k.  We 
restrict  to  the  case  when  k!  =  k.  This  is  without  loss  of  generality  because  we  can  always  redefine 
the  challenger  C  so  that  it  on  input  k  acts  as  if  its  input  actually  was  k!  (since  k!  can  be  efficiently 
computed  given  k).  To  formalize  this  notion,  we  thus  restrict  to  oracle  machines  R  that  on  input 
lk  always  query  their  oracle  on  inputs  (lfc,  •). 

Definition  3.  We  say  that  R  is  a  security-parameter  preserving  black-box  reduction  if  R  is  an 
oracle  machine  such  that  R(lk)  only  queries  its  oracle  with  inputs  of  the  form  (1  k,y),  where  y  6 
{0,1}R 

A  more  liberal  notion  of  a  black-box  reduction  allows  the  reduction  R  to  (on  input  lfc)  query 
its  oracle  on  multiple  security  parameters  (that  are  all  polynomially  related  to  k).  In  our  eyes, 
such  a  liberal  notion  is  less  justified  from  a  practical  point  of  view  (and  as  far  as  we  are  aware, 
cryptographic  reductions  typically  do  not  rely  on  such  liberal  reductions);  nevertheless,  all  our 
proofs  directly  apply  also  for  such  a  notion  of  black-box  reductions.14  i 

4  Security  of  Perfect  Adaptive  NIZK 

We  recall  the  definition  of  non-interactive  proofs  in  the  Common  Reference  String  (CRS)  model. 
For  generality  (and  since  we  are  proving  a  lower  bound)  we  allow  the  CRS  to  be  generated  by  an 
arbitrary  polynomial-time  distribution  (as  opposed  to  requiring  it  to  be  uniformly  random) .  In  the 
adaptively-sound  notion  of  a  non-interactive  proof/argument,  we  require  that  soundness  holds  even 
if  the  attacker  may  adaptively  pick  the  statement  after  having  seen  the  CRS.  We  consider  only 
proofs/arguments  for  languages  in  AfV  where  the  prover  is  efficient  when  given  an  AfV -witness. 

Definition  4  (Non-Interactive  Proofs/ Arguments).  A  triple  of  algorithms,  (V,P,V),  is  called  a 
non-interactive  proof  system  (with  non-adaptive  soundness)  for  a  language  L  if  the  algorithm  V  (the 
“CRS  generator” )  is  probabilistic  polynomial- time,  the  algorithm  V  (the  “verifier”)  is  a  determin¬ 
istic  polynomial-time,  and  P  (the  “prover”)  is  probabilistic  polynomial-time,  such  that  the  following 
two  conditions  hold: 

14In  fact,  as  remarked  in  [?],  in  the  context  of  black-box  separations,  restricting  to  reductions  that  only  query  its 
oracle  on  a  single  security  parameter  is  actually  without  loss  of  generality  if  we  consider  primitives  with  “standard” 
cryptographic  definitions  where  to  break  security  an  attacker  only  needs  to  be  successful  for  infinitely  many  input 
lengths. 
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•  Completeness:  There  exists  a  negligible  function  p  such  for  every  x  G  L,  every  w  G  Rl(x ) 
and  every  k  G  IV, 

Pr  [  p  <—  V(lk,  llxl);  7r  G-  P(lfe,a;,  u;,p)  :  V(lk,  x,  p,  ir)  =  1  ]  >  1  —  fi(k) 

•  Soundness:  For  ever?/  algorithm  B  and  every  polynomial  q,  there  exists  a  negligible  function 
p  such  that  for  every  k  G  N  and  every  x  ^  L  such  that  |x|  <  q(k) 

Pr  [  p  G-  V(lk,  lM);  7 r'  <-  B{lk,  x,  p)  :  K(lfc,  ®,  p,  tt')  =  1  ]  <  p(k) 

If  additionally  the  following  condition  holds,  then  we  call  ( V ,  P,  V)  an  adaptively-sound  non¬ 
interactive  proof  system: 

•  Adaptive  Soundness:  For  every  algorithm  B  and  every  polynomial  q,  there  exists  a  negligible 
function  p  such  that  for  every  k  G  N,n  G  [q(k)] 

Pr  [  p  G-  V(lk,  ln);  (x,  n')  g-  B(lk,  ln,  p)  :  V(lk,  x,  p,  n')  =  1  A  |x|  =  n  A  x  ^  L  ]  <  p{k) 


Finally,  if  the  soundness  (resp  adaptive  soundness)  condition  only  holds  w.r.t  polynomial-time 
adversaries  B,  we  call  (V,  P,  V)  a  non-interactive  argument  (resp.  an  adaptively-sound  non¬ 
interactive  argument)). 

Let  us  turn  to  defining  zero-knowledge.  Also  here  there  is  a  non-adaptive  and  an  adaptive 
version.  In  the  non-adaptive  definition  of  zero-knowledge  from  [?],  there  is  a  single  simulator, 
which,  after  seeing  the  statement  to  be  proven,  generates  both  the  CRS  and  the  proof  at  the  same 
time.  In  the  adaptive  definition  from  [?],  there  are  two  simulators — the  first  of  which  must  output 
a  string  before  seeing  any  theorems.  The  stronger  adaptive  definition  guarantees  zero-knowledge 
even  when  the  statement  to  be  proved  is  chosen  as  a  function  of  the  CRS.  We  here  focus  only  on 
adaptive  zero- knowledge. 

Definition  5  (Non-Interactive  Zero-Knowledge).  Let  (V,P,V)  be  an  non-interactive  proof  system 
for  the  language  L.  We  say  that  (V,P,V)  is  (adaptively)  zero-knowledge  if  there  exists  two  proba¬ 
bilistic  polynomial-time  simulators  S\  and  S2  such  that  for  every  polynomial  q,  every  non-uniform 
polynomial-time  statement-witness  chosing  algorithm  c(-,  ■,  •)  that  on  input  (lfc,  ln,  p)  outputs  a  n-bit 
statement  x  and  witness  w  such  that  ( x,w)inR,L ,  the  following  two  ensembles  are  computationally 
indistinguishable 

{p^-V(lk,lny,  x,w  <-  c(lfc,ln,p);7r  <-  P{lk,x,w,p)  :  (p,x,n)  } keNn&[q{k)] 

{(p,  aux)  G-  Si(lfc,ln);  x,w  G-  c(lfc,  ln,  p)\ P  G-  S2(lk,  x,  aux)  :  (p,x,tt')  }fceJV,ne[g(fc)] 

We  furthermore  say  that  (V,  P,  V )  is  perfect  (resp.  statistical)  zero-knowledge  if  the  above  ensembles 
are  identically  distributed  (resp.  statistically  close). 

We  use  the  (common)  acronym  “NIZK”  to  denote  a  non-interactive  zero-knowledge  proof  or 
argument.  Feige,  Lapidot  and  Shamir  and  Bellare  and  Yung  [?,  ?]  (building  on  [?])  show  that  the 
existence  of  enhanced  trapdoor  permutations  [?]  implies  that  all  of  A fV  has  a  adaptively-sound 
NIZK,  but  the  zero-knowledge  property  is  only  computational.  As  mentioned,  Groth,  Ostrovsky 
and  Sahai  [?]  show  (under  some  number  theoretic  assumptions)  that  all  of  J\fV  has  a  perfect  NIZK 
with  non-adaptive  soundness.  More  recently,  Abe  and  Fehr  [?]  present  a  perfect  NIZK  for  AfV 
also  with  adaptive  soundness  but  based  the  soundness  property  on  a  “knowledge-extractaction” 
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assumption  (simular  to  the  “knowledge-of-exponent”  assumption  of  [?])  rather  than  an  intractability 
assumption. 

We  aim  to  prove  limitations  of  basing  notions  of  adaptive  soundness  for  perfect  or  statistical 
NIZK  for  J\fV  on  intractability  assumptions.  Let  us  first  explicitly  define  what  it  means  to  break 
adaptive  soundness  of  a  NIZK. 

Definition  6  (Breaking  Adaptive  Soundness).  We  say  that  A  breaks  adaptive  soundness  of  ( V ,  P,  V) 
w.r.t  the  language  L  on  input  lengths  q(-)  with  probability  e(-)  if  for  every  k  G  N, 

Pr  [  p  V(lk,  l?(fe));  (x,  tv')  A-  A( lk,  p )  :  V ( lk ,  x,  p ,  tv')  A  |x|  =  q(k)  A  x  <£  L  =  1  ]  >  e(k) 

Let  us  turn  to  defining  what  it  means  to  base  adaptive  soundness  on  an  intractability  assumption 

C. 

Definition  7  (Basing  Adaptive  Soundness  on  the  Hardness  of  C).  We  say  that  R  is  a  black-box 
reduction  for  basing  adaptive  soundness  of  (V,  P,  V)  w.r.t.  L  and  input  lengths  q(-)  on  the  hardness 
of  C  w.r.t  threshold  t{-)  if  R  is  a  valid,  black-box  reduction  and  there  exists  a  polynomial  p(-,  ■)  such 
that  for  every  probabilistic  machine  A  that  breaks  adaptive  soundness  of  (V,  P,  V)  w.r.t  L  and  inputs 
lengths  q(-)  with  probability  e(-),  for  every  k  e  N,  RA  breaks  C  w.r.t  t  with  probability  p(e(k ),  1  /k) 
on  input  lk . 

Note  that  we  here  require  that  R°  breaks  the  assumption  C  on  the  security  parameter  k  by 
querying  O  on  the  same  security  parameter  k.  As  previously  mentioned,  a  seemingly  more  general 
definition  would  allow  R°  to  break  C  on  a  polynomially-related  security  parameter  k!  (which  can 
be  efficiently  computed  given  k),  but  this  extra  generality  does  not  buy  us  anything  as  we  can 
always  re-define  C  to  act  as  its  input  was  k'  when  getting  the  input  k. 

We  are  now  ready  to  formally  state  Theorem  1  from  the  introduction. 

Theorem  3.  Assume  the  existence  of  non-uniformly  hard  one-way  functions.  Then  there  exists 
an  JfV -language  L  such  that  the  following  holds.  Let  (V,P,V)  be  a  statistical  non-interactive 
adaptively  zero-knowledge  argument  for  L,  let  q(-)  be  a  super- constant  polynomial,  and  let  ( C,t ) 
be  any  efficient- challenger  assumption.  If  there  exists  a  black-box  reduction  R  for  basing  adaptive 
soundness  of  (' D,P,V )  w.r.t  L  and  input  lengths  q(-)  on  the  hardness  of  C  w.r.t  threshold  t,  then 
there  exists  a  probabilistic  polynomial-time  machine  B  and  a  polynomial  p' (•)  such  that  for  infinitely 
many  k  e  N ,  B  breaks  C  w.r.t  t  with  probability  on  input  lk.  If  furthermore  assuming 

the  existence  of  one-way  functions  secure  against  non-uniform  subexponential-time  algorithms,  the 
above  holds  even  if  C  is  subexponential-time  computable. 

Let  us  remark  that  as  shown  in  [?,  ?,  ?],  any  (even  computational)  NIZK  for  a  hard-on- 
the-average  language  (for  non-uniform  polynomial-time  algorithms),  implies  the  existence  of  non- 
uniformly  hard  one-way  functions.  So  the  assumption  of  one-way  functions  could  actually  be  relaxed 
to  assume  that  there  exists  a  hard-on-the  average  language  in  A fV.  Let  us  also  remark  that  under 
the  assumption  of  one-way  functions  secure  against  non-uniform  subexponential-time  algorithms, 
Theorem  3  directly  extends  also  to  a  super-polynomial-time  (SPS)  [?]  relaxation  of  the  notion  of  a 
statistical  NIZK,  where  the  simulator  may  run  in  subexponential  time. 

Note  that  in  Theorem  3,  we  rule  out  statistical  NIZK  where  adaptive  soundness  only  needs  to 
hold  w.r.t.  statements  of  a  particular  (polynomial)  length  n  =  q(k). 

Our  next  theorem  rules  out  even  exponential-time  challenger  assumptions  C  if  the  same  assump¬ 
tion  C  can  be  used  to  prove  adaptive  soundness  for  any  polynomial  length  statement  (indeed,  as 
far  as  we  know,  in  all  known  NIZK  constructions  the  underlying  intractability  assumption  depends 
only  on  the  security  parameter  for  the  NIZK  but  not  on  the  length  of  the  statement  to  be  proven). 
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Theorem  4.  Assume  the  existence  of  one-way  functions  secure  against  non-uniform  subexponential¬ 
time  algorithms.  Then  there  exists  an  MV -language  L  such  that  the  following  holds.  Let  ( V ,  P,  V) 
be  a  statistical  non-interactive  adaptively  zero-knowledge  argument  for  L,  and  let  (C.  t )  be  any 
exponential-time  challenger  assumption.  If  for  every  polynomial  q(-),  there  exists  a  black-box  re¬ 
duction  R  for  basing  adaptive  soundness  of  (' D,P,V )  w.r.t  L  and  the  input  length  q{-)  on  the 
hardness  of  C  w.r.t  threshold  t,  then  there  exists  a  probabilistic  polynomial-time  machine  B  and  a 
polynomial  p'(-)  such  that  for  infinitely  many  k  £  N,  B  breaks  C  w.r.t  t  with  probability  on 

input  lk . 

Note  that  Theorem  4  is  weaker  than  Theorem  3  in  one  aspect:  we  require  that  the  same 
assumption  C  can  be  used  to  prove  any  polynomial- length  statement,  whereas  in  Theorem  3  we 
rule  out  NIZK  where  the  underlying  hardness  assumption  may  depend  also  on  the  length  of  the 
statement  proved.  This  additional  restriction  is  necessary:  the  assumption  that  a  particular  NIZK 
is  adaptively  sound  for  statements  of  length  q(k)  =  k  can  clearly  be  stated  as  an  exponential-time 
challenger  assumption:  the  challenger  first  sends  a  CRS  to  the  attacker;  upon  receiving  back  a 
statement  x  and  proof  7 r,  the  challenger  ouputs  1  iff  ir  is  an  accepting  proof  of  x  (which  can  be 
efficiency  checked)  and  x  £  {0,  l\k  is  a  false  statement  (which  can  be  checked  in  time  2poly(fc)). 
Thus,  the  challenger  can  be  implemented  in  some  fixed  exponential  time. 


4.1  Proof  of  Theorem  3 

We  start  by  considering  a  simplified  case  when  the  zero-knowledge  property  is  perfect  and  the 
distribution  sampled  by  V  is  uniform  over  {0,  that  is,  we  consider  perfect  NIZK  in  the 

so-called  “Uniform  Reference  String”  (URS)  model. 


Ruling  out  Perfect  NIZK  in  the  URS  Model  Let  g  :  {0, 1}*  — >  {0, 1}*  be  a  length-doubling 
PRG  (which  can  be  constructed  based  on  one-way  functions  [?]).  Consider  the  language  L  = 
{<7(.s)|s  £  {0, 1}*}.  Assume  there  exists  a  perfect  NIZK  (V,P,V)  for  L  in  the  URS  model,  where 
the  reference  string  is  of  length  £(k)  given  the  security  parameter  k,  and  assume  there  exists  a 
black-box  reduction  R  for  basing  adaptive  soundness  of  ( T>,P,V )  w.r.t  L  and  input  length  (/(•)  on 
the  hardness  of  C  w.r.t  threshold  t.  That  is,  there  exists  a  polynomial  p(-,-)  such  that  for  every 
probabilistic  machine  A  that  breaks  adaptive  soundness  of  (P,  P,  V)  w.r.t  L  and  inputs  lengths  q(-) 
with  probability  e(-),  for  every  k  £  N,  RA  breaks  C  w.r.t  t  with  probability  p(e(k),  1  /k)  on  input 
lfc;  that  is, 


Pr 


(RA,C)(lk)  =  1  >t(A0+p(e(A0,l/fc). 


(1) 


Our  overall  proof  strategy  proceeds  in  two  steps: 


•  We  first  construct  devise  a  particular  inefficient  attacker  A  that  breaks  adaptive  soundness 
of  (T>,P,V)  with  overwhelming  probability.  By  Equation  1,  it  then  follows  that  there  exists 
some  polynomial  p(-)  such  that  RA  breaks  C  with  probability  t(k )  +  for  infinitely  many 

k. 

•  We  then  show  how  to  indistinguishably  simulate  A  by  an  efficient  “emulator”  A15.  This 

concludes  that  RA  breaks  C  with  probability  t(k)  +  —  p,(k)  for  infinitely  many  fc,  where 

p,{k)  is  a  negligible  function,  and  thus  proves  the  theorem. 

15We  use  the  term  emulator  to  describe  A  to  not  overload  the  word  simulator. 
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In  our  actual  proof,  the  above  two  steps  happen  somewhat  in  parallel.  We  first  construct  A  and 
A,  and  then  prove  that  A  simulates  A,  and  then  use  this  fact  to  argue  that  A  is  a  “good”  attacker 
(that  with  overwhelming  probability  provides  accepting  proofs  of  false  statements). 

For  simplicity  of  notation,  we  assume  that  q( k)  =  2k ;  it  is  easy  to  see  that  the  same  proof  works 
as  long  as  q(-)  is  any  super-constant  polynomial. 

Constructing  the  Attacker  A  We  present  a  randomized  attacker  A,  that  on  each  query  uses 
fresh  random  coins.  (Recall  that  our  notion  of  a  black-box  reduction  requires  the  reduction  to 
work  even  if  the  attacker  if  A  is  probabilistic.  As  we  point  out  in  Remark  2,  at  the  cost  of  a  minor 
complication,  the  proof  can  be  adapted  to  work  also  if  only  considering  reductions  that  work  as  long 
as  the  attacker  is  deterministic.  To  simplify  exposition,  we  consider  also  randomized  attackers.) 

On  input  lk  and  a  reference  string  p,  attacker  A  proceeds  as  follows  (letting  n  =  q(k)  =  2k): 

•  Verify  CRS:  A  first  checks  that  \p\  =  t{k)\  if  not,  it  return  _L. 

•  Inverting  S\i  Otherwise,  A  uniformly  picks  a  random  tape  r  such  that  Si(lfc,  ln)  outputs 

p,  aux  given  the  random  tape  r,  where  aux  is  some  arbitrary  string.  Since,  by  our  assumption, 
the  simulation  is  perfect,  every  string  p  £  {0,  is  output  by  Si(lk,  1")  with  positive  (and 

the  same)  probability,  so  A  will  succeed  in  this  task.  Note,  however,  that  this  step  is  not 
necessarily  efficient. 

•  Picking  FALSE  statement  x:  Next,  A  uniformly  picks  a  string  x  £  {0,  l}n.  Note  that, 
except  with  probability  2~k,  it  holds  that  x  L  (there  are  22k  strings,  and  at  most  2k  can  be 
in  the  range  of  the  PRG  g ). 

•  Generate  SIMULATED  proof  it:  Finally,  A  runs  the  simulator  lk ,  ln,x,  aux)  to  pro¬ 

duce  the  proof  7 r,  and  return  (. x ,  7 r). 

As  noted  above,  with  high  probability  the  statement  x  picked  by  A  is  false.  But  it  remains  to 
argue  that  the  proof  7r  of  x  output  by  A  is  accepting  (for  the  reference  string  p).  (Very  roughly 
speaking,  the  intuition  for  why  it  ought  to  be  accepting  is  that  the  statement  x  is  indistinguishable 
from  a  true  statements  (in  the  range  of  the  PRG),  and  for  such  statements  the  simulator  ought  to 
produce  accepting  proofs.)  As  mentioned  above,  towards  formalizing  this  intuition,  we  first  present 
an  efficient  emulator,  A,  for  A. 

Constructing  the  Emulator  A  We  construct  an  efficient  ’’emulator”,  A  that  on  input  lk  and 
a  reference  string  p,  proceeds  as  follows: 

•  Verfiy  CRS:  Just  as  A,  A  first  check  that  \p\  =  £(k );  if  not  it  simply  sends  back  J_. 

•  Picking  TRUE  statement  x:  Next,  A  uniformly  picks  a  string  s  £  {0,  l}fc,  and  lets 
x  =  g(s).  Note  that  by  definition  x  £  L. 

•  Generate  HONEST  proof  7r:  A  runs  the  honest  prover  algorithm  P(lk,  p,  x,  s)  to  produce 
the  proof  7r,  and  outputs  {x,i r). 

Proving  that  A  is  a  “good”  attacker  We  now  turn  to  proving  that  A  breaks  adaptive  sound¬ 
ness  of  (' D ,  P,  V)  with  overwhelming  probability.  In  particular,  we  show  the  following  claim. 
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Claim  1.  There  exists  a  negligible  function  p  such  that  for  every  k  £  N , 

Pr  [  p  •<—  V(lk ,  ln);  (x,  7 r')  •£-  A(lk,  p)  :  V(lk ,  x,  p,  tt')  =  1  A  x  ^  L  ]  >  1  —  p(k) 

Proof.  Let  us  first  note  that  by  the  completeness  property  of  (1 we  have  that  there  exists 

a  negligible  function  p!  such  that  for  every  k  £  N, 

Pr[  p^V(lk,lny,  (x^')^A(lk,p)  :  V(lk,  x,  p,  tt')  =  1  ]  >  1  -  p' (k)  (2) 

A,  however,  clearly  does  not  break  (adaptive)  soundness  of  (T>,  P ,  V)  as  it  picks  true  statements 

x.  As  noted  above,  A  does  pick  false  statements  (with  overwhelming  probability).  To  prove  that 
it  also  provides  accepting  proofs  of  these  statements,  consider  a  hybrid  attacker  A!  that  performs 
exactly  the  same  steps  as  A,  but  samples  a  true  statement  x  £  L  in  exactly  the  same  way  as  the 
emulator  A  (in  particular,  A'  still  generates  proofs  n  using  the  NIZK  simulator  strategies  Si,S2, 
just  as  A  does). 

Note  that  by  construction,  the  following  probability  distributions  are  identical  (as  the  only 
difference  between  the  experiments  generating  them  is  the  order  in  which  the  randomness  of  the 
simulator  used  to  generate  proofs  is  sampled). 

{(/?,  aux)  4-  Si(lfc,ln);  x,tt'  <-  A'(lk)  :  (p,x,  tt')  } 

{(p, aux)  £-  Si(lk,  ln);  s  <-  {0,  l}fc,x  =  g(s);ir'  <-  S2( lfc,x,aux)  :  (p,x,7r')  } 

By  the  perfect  zero- knowledge  property  of  ( V ,  P,  V)  (and  considering  the  statement-witness  chosing 
algorithm  c(lfc,ln,p)  that  picks  s  •(—  {0, l}fc  and  outputs  (g(s),s)),  it  follows  that  the  latter  one 
(and  thus  also  the  former  one)  is  identical  to  the  following  one. 

{p£-P>( lfc,ln);  s^{0,  l}k,x  =  g(s)]7r  P(lk,x,s,p)  :  (p,x,  tt)  } 

By  the  completeness  of  (V,P,V),  we  thus  have  that  A '  provides  convincing  proofs  (of  true  state¬ 
ments)  with  overwhelming  probability:  there  exists  some  negligible  function  p"  such  that 

Pr  [  p,  aux  •(—  Si(lfc,  ln);  (x,  tt')  4—  A/(lfc,  p)  :  V(lk,  x,  p,  n')  =  1  ]  >  1  -  p(k)  (3) 

which  in  turn  (by  the  Perfect  NIKZ  property)  implies  that 

Pr  [  p  •(—  V{lk ,  ln);  (x,  vr')  £-  A'( lfc,  p)  :  V{lk ,  x,  p,  tt')  =  1  ]  >  1  -  p(k)  (4) 

Finally,  as  the  only  difference  between  A  and  A '  is  the  choice  of  the  statement  x  (being  truly 
random  in  the  case  of  A  and  pseudorandom  in  the  case  of  A'),  it  intuively  should  follow  from  the 
security  of  the  pseudorandom  generator  g  that  A  also  provides  convincing  proofs  (which  combined 
with  equation  2  would  prove  the  claim.).  But  there  is  a  problem:  although,  the  verification  algo¬ 
rithm  V  is  efficient,  A  and  A!  are  not,  so  efficiently  contradicting  the  pseudo-randomness  property 
of  g  becomes  problematic.  This,  issue,  however,  can  be  dealt  with  by  noting  that  the  only  inefficient 
part  of  A  (and  A’)  is  the  “inverting  Si  step”  which  happens  before  A  chooses  the  statement  x.  We 
can  thus  non-uniformly  fix  these  inefficient  computations,  and  rely  on  the  fact  that  the  pseudo¬ 
randomness  property  of  g  holds  even  against  non-uniform  polynomial-time  algorithms  to  conclude 
that  there  exists  a  negligible  function  p'"  such  that  for  every  k  £  N, 

Pr[  p^V(lk,ln);  (x,7r')^i(l*,p)  :  V(lk,  x,  p,  tt')  =  1  ]  >  1  -  p"'{k)  (5) 

which  combined  with  equation  6  concludes  the  proof  of  the  claim.  □ 
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As  consequence  of  Claim  1  and  the  fact  that  R  is  a  good  reduction  (i.e. ,  Equation  1),  there 
exists  some  polynomial  p(-)  such  that  RA  breaks  C  with  probability  t(k)  +  for  infinitely  many 
k:  that  is, 


Pr 


{Ra,C)( lk)  =  l  >t{k)  + 


P(k ) 


(6) 


Proving  that  A  is  a  good  emulator  for  A  To  conclude  the  proof  of  the  theorem,  we  finally 
show  that  A  is  a  “good”  emulator  for  A,  even  if  A  is  repeatedly  invoked  by  R  (in  an  interaction 
with  C. 


Claim  2.  For 

keN, 


every  efficient  C  and  R,  there  exists  a  negligible  function  p  such  that  for  every 


Pr 


(. RA,C){lk )  =  1 


—  Pr 


{Ra,  C)(lk)  =  1  <p(k). 


Proof.  The  proof  of  the  claim  is  similar  to  that  of  Claim  1  but  more  complicated  in  order  to  deal 
with  the  fact  that  R  can  make  many  queries  to  its  oracle.  The  key  point  is  that  all  these  queries 
are  answered  independently  (by  both  A  and  A),  and  thus  we  can  perform  a  hybrid  argument  which 
essentially  reduces  us  to  the  situation  in  Claim  1.  Let  us  point  to  have  this  independence  property 
it  is  cruicial  that  A  generates  a  “fresh”  random  statement  (independent  of  all  earlier  statements) 
on  each  query  it  receives.  (If,  for  instance,  A  had  been  stateful  and  had  picked  a  random  statement 
x  once  (before  seing  any  CRS),  and  then  provided  proofs  of  the  same  x  in  every  query,  then  this 
independence  property  would  not  hold.  This  clarifies  why  our  proof  does  not  extend  to  rule  out 
also  reductions  proving  non-adaptive  soundness  of  (V,P,V).) 

We  proceed  to  a  formal  proof.  Assume  for  contradiction  that  the  claim  is  false.  That  is,  there 
exists  a  polynomial  p'  such  that  for  infinitely  many  k  £  N, 


Pr 


{Ra,C)(  lk)  =  1 


—  Pr 


{Ra,C)(  lk)  =  1 


> 


p'{k) ' 


Let  rn(k)  be  an  upper-bound  on  the  number  of  oracle  queries  by  R  on  input  lfc,  and  fix  a  canonical 
k  for  which  the  above  happens.  Consider  a  sequence  of  hybrid  experiments  Hq,  . . . ,  Hm^,  where 
H{  is  defined  as  the  output  of  C(lk)  after  communicating  with  R(lk)  where  the  first  i  oracle  queries 
of  R  are  answered  by  A,  and  the  remaining  ones  are  answered  by  the  efficient  A.  Note  that  both 
A  and  A  are  stateless  and  thus  these  hybrid  experiments  are  well  defined.  Furthemore,  note  that 

•  Hq  =  (RA,C)(lk),  and 

.  Hm{k)  =  (Ra,C)( lfc) 

It  follows  that  there  exists  some  j  such  that 


Pr  [Hj+i  =  1] 


Pt[Hj  =  1]\> 


m(k)p'(k ) 


Define  another  hybrid  H'-  which  is  identically  defined  to  Hj,  but  where  the  statement  Xj+ 1  in  the 
answer  to  the  j  +  1th  oracle  query  is  selected  as  a  true  statement  (just  as  in  Hj+ 1)  but  we  still 
generate  the  proof  7Tj_|_i  by  using  the  NIZK  simulator  (as  in  Hj). 

We  now  have  the  following  Subclaim: 

Subclaim  1.  Hi-  and  Hj  are  identically  distributed. 
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Proof.  Note  that  conditioned  on  the  jth  query  p3  being  “invalid”  (i.e.  outside  of  {0,1}^),  Hj 
and  Hj  proceed  identically  the  same  (the  jth  query  is  simply  answered  _L).  Conditioned  on  p3  £ 
{0, 1  yw  ,  on  the  other  hand,  it  follows  by  the  perfect  zero-knowledge  property  of  (' D ,  P,  V)  (in  the 
same  way  as  in  the  proof  of  Claim  1)  that  the  output  of  H'-  is  identically  distributed  to  the  output 
of  Hj. |_i ;  note  that,  perfect  zero- knowledge  is  important  here  to  ensure  that  the  zero- knowledge 
simulation  works  for  every  reference  string  p3  £  {0,  l}e(kK  □ 

To  reach  a  contradiction,  let  us  finally  argue  that  the  output  of  Hj  is  indistinguishable  to  that  of 
Hj.  Note  that  up  until  the  point  when  R  receives  its  (j  +  l)st  statement-proof  pair  (xj+ 1,  TTj+i)  back 
from  the  oracle,  the  two  experiments  proceed  identically  the  same.  Thus,  if  they  are  distinguishable, 
there  exists  some  prefix  r  of  the  execution  of  Hj16,  up  until  and  including  the  j  +  1  query  of  R , 
such  that  conditioned  on  this  prefix  r,  Hj  and  Hj  are  distinguishable.  We  may  also  extend  r  to 
also  include  the  string  aux  picked  by  A  in  the  j  +  1  query,  and  conclude  that  there  exists  some 
extension  t'  such  that 

•  |  Pr  [Hj+1  |t'  =  1]  -  Pr  [H,  =  1]  |t'|  >  ^ , w 

•  Hj\r'  and  Hj\t'  are  efficiently  computable  (given  t'). 

The  only  difference  between  Hj\r'  and  Hj \ t'  is  the  choice  of  the  statement  Xj+  \ :  in  the  former  is 
chosen  as  a  truly  random  string  2/c-bit  string,  where  in  the  latter  as  a  g(s),  where  s  £-  {0,  l}fc.  We 
can  thus  contradict  the  pseudorandonmess  property  of  g  (with  respect  to  non-uniform  polynomial¬ 
time  adversaries).  Note  in  this  last  step,  we  cruicially  rely  on  the  fact  queries  to  A  and  A  are 
answered  independently ,  and  the  statement  Xj+ \  is  chosen  at  random  independently  of  everything 
that  has  happened  up  until  query  j  + 1.  (As  mentioned  above,  in  the  case  of  a  non-adaptive  attacker 
A,  this  would  not  be  true — it  needs  to  stick  to  the  same  statement  x — and  as  such  our  proof  does 
not  extend  to  deal  with  non-adaptive  soundness.)  □ 

The  proof  of  the  theorem  (w.r.t.  Perfect  NIZK  in  the  URS  model)  is  concluded  by  combining 
Equation  6  with  Claim  2. 

We  now  show  how  to  extend  the  proof  to  deal  with  statistical  NIZK  in  the  “general”  CRS  model 
(i.e.,  the  reference  string  need  no  longer  be  uniform).  We  start  by  dealing  with  Perfect  NIZK  in  the 
CRS  model,  and  then  further  extend  the  proof  to  also  deal  with  Statistical  NIZK.  In  both  cases,  the 
issue  that  needs  to  be  handled  is  how  to  deal  with  reductions  that  query  its  oracle  on  “untypical” 
CRS:  in  the  case  of  Perfect  NIZK  in  the  CRS  model,  the  CRS  can  be  invalid  (i.e.,  not  in  the  range 
of  CRS  generation  algorithm;  in  the  case  of  statistical  NIZK,  we  also  need  to  deal  with  “deviating” 
CRS  that  are  in  the  range  of  the  CRS  generation  algorithm,  but  still  lead  to  a  large  statistical  gap 
for  the  zero-knowledge  simulation. 

Handling  Perfect  NIZK  in  the  CRS  Model  We  start  by  considering  Perfect  NIZK  {V.  P,  V) 
in  the  “general”  CRS  model.  The  attacker  A  described  above  it  not  well  defined  when  executed  on 
input  a  CRS  p  that  is  not  in  the  range  of  V  (in  particular,  the  “inverting  Si”  may  fail).  To  adress 
this  issue  we,  a)  remove  the  “Verify  CRS”  step  from  A,  and  b)  modify  the  “Verify  CRS”  step  of  A 
as  follows: 

•  Verify  CRS:  A  first  checks  that  p  is  in  the  range  V(lk,  l2fc);  if  not,  let  x,  ir  £-  A( lk,  p)  and 
return  x,t r. 

16Technically,  the  prefix  includes  the  random  tape  of  C  and  R  and  all  the  answers  to  the  first  j  queries  by  R. 
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That  is,  we  now  let  A  check  whether  the  reference  string  p  is  the  range  of  the  CRS  generating 
algorithm,  and  if  not,  A  outputs  a  honest  proof  of  a  true  statement. 

The  proof  of  Claim  1  remains  unchanged  with  respect  to  this  modified  A:  in  a  “real”  execution, 
the  CRS  p  is  always  in  the  range  of  V  and  thus  the  new  execution  mode  will  never  be  entered; 
likewise,  the  change  to  A  will  not  have  any  effect. 

The  proof  of  Claim  2  remains  essentially  unchanged;  the  only  (minor)  difference  is  in  the  proof 
of  Subclaim  1;  previously,  we  argued  that  Hj  and  H'-  are  identically  distributed  condition  on  pj 
being  invalid  (i.e.,  not  in  the  range  of  the  CRS  generation  algorithm)  by  noting  that  in  both  Hj 
and  Hj  the  answer  to  the  j  +  1th  query  is  _L.  With  our  modified  A,  the  answer  may  no  longer 
be  _L,  but  by  construction  of  the  modified  A.  both  experiments  proceed  in  exactly  the  same  way 
conditioned  on  pj  being  invalid. 

Handling  Statistical  NIZK  in  the  CRS  Model  As  mentioned,  for  the  case  of  statistical 
NIZK,  the  above  modifications  to  A  (and  A)  may  not  suffice.  The  problem  is  that  R  may  query  its 
oracle  on  a  “deviating”  CRS  for  which  the  zero-knowledge  simulation  is  statistically  far  from  the 
distribution  of  honestly  generated  proof.  However,  such  “deviating”  CRS  must  be  “rare” ;  we  can 
thus  afford  to  have  A  fail  given  such  deviating  CRS. 

More  precisely,  let  Sim(lk,p )  denote  the  output  of  the  following  process: 

•  Inverting  Si:  Pick  a  random  tape  r  such  that  S i(lk,  l2k)  outputs  p,  aux  given  the  random 
tape  r,  where  aux  is  some  arbitrary  string. 

•  Picking  TRUE  statement  x:  Pick  a  string  s  G  {0,  l}fc,  and  let  x  =  g(s). 

•  Generate  SIMULATED  proof  7r:  Run  the  simulator  S2(lfc,  l2fc,  x,  aux)  to  produce  the 
proof  7 r,  and  return  (x,  i r). 

We  say  that  a  CRS  p  is  a- deviating  if  following  distributions  are  a- far  in  statistical  distance 

{s  G-  {0,  l}fc,x  =  g(s);  7T  G-  P(lk,p,x,s)  :  (p,x,ir)  } 

{x,  7r'  g-  Sim(lk,  p)  :  (p,  x,  V)  } 

Claim  3.  There  exists  a  negligible  function  p'  such  that  for  every  k  G  N, 

Pr  [  p  G-  V{\k ,  1”)  :  p  is  p'  (k)- deviating  ]  <  p  (k) 

Proof.  Assume  for  contradiction  that  there  exists  some  polynomial  p(-)  such  that  for  infinitely 
many  k,  with  probability  at  least  over  the  choice  of  p,  the  statistical  distance  between  the 
above  distributions  (w.r.t.  p)  is  at  least  jjpry  It  follows  that  the  statistical  distance  between  the 
following  distributions  is  at  least  ■ 

{p  G-  V(lk,  l2fc);  s  G-  {0,  l}k- x  =  g(s);  n  g-  P{ lk,  x,  s)  :  (p,  x,  i r)  } 

{ p  ^ —  V( lk,  l2fc);  x,  7 r'  Sim( lk,  p)  :  (p,  x ,  7 r')  } 

By  the  statistical  ZK  propoperty  of  ( V,P,V ),  there  exists  some  negligible  function  p"  such  that 
the  latter  distribution  is  p"{k)  close  to  the  following  distribution 

{p  G-  5i(lfc,  l2fc);  x,  7r'  g-  Sim(lk,p)  :  (p,x,  tt')  }  , 
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which  in  turn  is  identical  to 

{p-  aux  cSi(lfc,  l2fc);  s  <-  {0,  l}k]x  =  g(s)]ir  4-  S2( lk,x,  aux)  :  (p,x,ir)  } 

But  this  contradict  the  statistical  ZK  property  of  (' D ,  P,  V).  □ 

Given  Claim  3,  we  now  modify  the  “Verify  CRS”  step  of  A  to  run  A  not  only  when  the  CRS 
is  invalid,  but  also  when  the  CRS  p  is  //(£:)-deviating  (this  may  not  be  efficienty  checkable,  but 
it  is  well  defined).  Given  this  new  A,  the  proof  of  Claim  1  goes  through  exactly  as  before  if 
we  restrict  all  experiments  to  conditioning  the  CRS  on  not  being  //(/c)-deviating  (and  relying  on 
the  simulation-closeness  requirement  guaranteed  by  the  the  definition  of  a  p'(k)- deviating  CRS 
instead  of  appealing  perfect  zero- knowledge) .  Since  by  Claim  3,  an  honestly  generated  CRS  is 
//(/^-deviating  with  negligible  probability,  it  follows  by  a  union  bound  that  Claim  1  still  holds 
with  respect  to  the  modified  A. 

The  proof  of  Claim  2  goes  through  essentially  unchanged:  we  simply  need  to  weaken  Subclaim 
1  to  the  following  new  subclaim  that  suffices  to  conclude  Claim  2. 

Subclaim  2.  H’-  and  Hj  are  p'(k)  close  in  statistical  distance. 

Proof.  Conditioned  on  the  (j  +  l)th  query  pj  being  “invalid”  (i.e.  outside  the  range  of  V(lk,  l2fc)) 
or  /[/(/^-deviating,  H)  and  Hj  proceed  identically  the  same  (by  construction  of  A). 

Conditioned  on  pj  being  in  the  range  of  T>  and  not  //(A’)-deviating,  it  follows  by  definition  of 
//(/^-deviating  that  that  the  output  of  Hi-  is  p'{k)- close  to  the  output  of  Hj+ □ 

This  concludes  the  proof  of  Theorem  3. 

Ruling  out  Subexponential-time  Challenger  Assumptions.  If  the  challenger  C  is  not  ef¬ 
ficient,  then  in  the  above  hybrid  argument,  when  switching  the  statement  x  =  g(s )  from  being 
pseudorandom  to  being  truly  random,  we  can  no  longer  directly  argue  that  the  probability  of  C 
outputting  1  does  not  change  by  much.  However,  if  we  could  ensure  that  the  pseudo-randomness 
property  held  against  subexponential-size  circuits,  then  the  same  proof  would  go  through  as  long 
as  C  is  a  subexponential-size  circuit.  Thus,  if  we  assume  the  existence  of  one-way  functions  secure 
against  subexponential-size  circuit,  we  prove  the  theorem  also  when  C  is  a  subexponential-size 
circuit. 

Remark  1.  On  Adaptive  Culpable  Soundness  Groth,  Ostrovsky  and  Sahai  /? /  also  define 
a  weaker  definition  of  adaptive  soundness  which  they  call  adaptive  culpable  soundness.  Roughly 
speaking,  1)  we  restrict  to  languages  in  A fV  n  coAfV,  and  2)  require  a  successful  attacker  to  not 
only  prove  a  false  statement,  but  also  provide  a  an  AfV  proof  of  the  fact  that  the  statement  is  true. 

Let  us  remark  that  simply  restricting  to  languages  in  AfVDcoAfV  does  not  suffice  for  overcoming 
our  lower-bound:  assuming  the  existence  of  one-way  permutations,  our  impossibility  result  rules  out 
statistical  NIZK  with  adaptive  soundness  also  for  AfV  fl  coAfV :  by  the  Blum-Micali-Goldreich-Levin 
/?,  ?7  construction  of  a  pseudo  random  generator  (see  /? ]),  the  existence  of  one-way  permutations 
implies  the  existence  of  a  hard- on- the- average  language  in  AfV  fl  coAfV ,  which  suffices  to  concluding 
the  theorem. 

R  is  also  worthwhile  to  note  why  our  proof  strategy  breaks  down  in  case  we  required  the  attacker 
to  also  provide  a  witness  for  false  statements  (as  in  the  definition  of  adaptive  culpable  soundness): 
a  key  component  in  our  proof  is  that  the  attacker  chooses  statements  that  are  false  but  look  indis¬ 
tinguishable  from  true  statements  (and  this  is  exactly  the  same  method  as  the  one  used  in  /?  ]).  In 
case  the  attacker  also  needs  to  provide  an  AfV  witness  for  the  statement  being  false,  we  can  no 
longer  simulate  such  an  attacker  by  using  a  true  statement. 
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Remark  2.  Deterministic  v.s.  Randomized  Attackers.  In  the  above  proof,  we  consider  a 
randomized  oracle  A,  and  thus  only  rule  out  reductions  that  work  for  randomized  attackers.  Follow¬ 
ing  /? ],  we  can  easily  extend  the  proof  to  also  rule  out  reductions  that  only  work  for  deterministic 
attackers.  First,  if  we  consider  a  deterministic  attacker,  we  may  assume  w.l.o.g.  that  R  never 
asks  the  same  query  (1  k,p)  twice  (since  can  we  can  internally  emidate  responses  to  all  repeated 
queries).  Next,  we  define  a  deterministic  attacker  A*  that  on  input  (1  k,p)  selects  the  random  tape 
of  A  as  f(lk,p)  and  next  executes  A(lk,p),  as  defined  above,  using  the  pre-selected  random  tape. 
Let  RO  :  {0, 1}*  — *  {0, 1}°°  be  a  uniformly  distributed  random  oracle.  Note  that  ARO  acts  exactly 
as  the  attacker  A  defined  in  our  proof  as  long  as  we  never  ask  the  attacker  the  same  query  twice. 
It  follows  that  R ’s  view  when  talking  to  ARO  and  A  are  identical.  We  can  thus  replace  A  with  ARO 
in  Claim  2.  Finally,  by  an  averaging  argument,  with  overwhelming  probability  over  the  choice  of  a 
random  oracle  f  RO,  A  *  breaks  adaptive  soundness  of  (' D ,  P,  V )  with  overwhelming  probability, 
and  for  each  such  “ good ”  choice  of  f  we  have  that  RA  (lfc)  breaks  C  with  advantage  1  /p(k),  where 
p(-)  is  a  polynomial;  thus  RaR° { lk)  also  breaks  C  with  advantage  negligibly  close  to 

Remark  3.  On  Non-uniform  Reductions  Our  current  lower  bound  only  considers  uniform 
security  reductions  R.  However,  by  using  the  recent  techniques  of  [I]  (and  relying  on  the  fact  that 
we  can  rule  out  reductions  that  only  need  to  work  for  deterministic  attackers),  it  readily  extends 
also  to  rule  out  non-uniform  reductions.  We  refer  the  reader  to  /? ]  for  further  details. 

4.2  Proof  of  Theorem  4 

The  proof  of  theorem  4  is  essentially  identical  to  the  proof  of  theorem  3.  The  only  obstacle  we  need 
to  deal  with  is  to  ensure  that  true  and  false  statements  are  indistinguishable  for  time  2k.  This  is 
easily  achieved  if  1)  assuming  the  existence  of  a  pseudorandom  generator  secure  against  time  2nt 
where  n  is  its  output  length,  and  2)  letting  A  prove  statements  of  length  q(k )  =  k*.  Note  that 
we  here  rely  on  the  fact  that  the  same  assumption  C  (with  the  same  security  parameter  k)  can  be 
used  to  prove  adaptive  soundness  of  any  polynomial  length  statement. 

5  Security  of  Non-interactive  Non-malleable  Commitments 

Commitment  schemes  are  used  to  enable  a  party,  known  as  the  sender ,  to  commit  itself  to  a 
value  while  keeping  it  secret  from  the  receiver  (this  property  is  called  hiding).  Furthermore,  the 
commitment  is  binding,  and  thus  in  a  later  stage  when  the  commitment  is  opened,  it  is  guaranteed 
that  the  “opening”  can  yield  only  a  single  value  determined  in  the  committing  phase.  In  this  work, 
we  consider  commitment  schemes  that  are  statistically-binding,  namely  while  the  hiding  property 
only  holds  against  computationally  bounded  (non-uniform)  adversaries,  the  binding  property  is 
required  to  hold  against  unbounded  adversaries.  We  refer  the  reader  to  [?]  for  a  formal  definition. 
In  the  rest  of  the  paper,  a  commitment  scheme  always  refers  to  a  statistically-binding  commitment. 

Following  [?,  ?],  we  consider  tag-based  commitment  schemes  where,  in  addition  to  the  security 
parameter,  the  committer  and  the  receiver  also  receive  a  “tag” — a.k.a.  the  identity — id  as  common 
input. 

Let  us  turn  to  defining  non-malleable  commitments.  We  use  a  definition  essentially  due  to 
[?,  ?],  which  follows  the  earlier  definition  from  [?].  Let  ( C,R )  be  a  tag-based  commitment  scheme, 
and  let  k  £  N  be  a  security  parameter.  Consider  a  man-in-the-middle  adversary  A  that,  on  inputs 
n  and  z  (where  z  is  received  as  an  auxiliary  input),  participates  in  one  “left”  and  one  “right” 
interaction.  In  the  left  interaction,  the  man-in-the-middle  adversary  A  interacts  with  C ,  receiving 
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a  commitment  to  the  value  v  using  an  identity  id  of  length  £[k)  of  its  choice.  In  the  right  interaction 
A  interacts  with  R  attempting  to  commit  a  value  v,  again  an  identity  id  of  length  £(k)  of  its  choice. 
If  the  right  commitments  is  invalid,  or  undefined,  its  value  is  set  to  _L;  furthermore,  if  the  adversary 
uses  the  same  identity  on  the  left  as  on  the  right,  the  right  interaction  is  considered  invalid.  Let 
MIM l[(A,£,v,  z)  denote  a  random  variable  that  describes  the  value  v  in  the  above  experiment.17 

Definition  8.  A  commitment  scheme  II  is  said  to  be  non-malleable  (with  respect  to  itself)  for 
identities  of  length  £(■)  if  for  every  TVT  man-in-the-middle  adversary  A  the  following  ensembles 
are  computationally  indistinguishable. 

{MIM  (A,  £,  v,  z) } fcejv,ue{o,1}”,«e{0,1}* 

{MIM  {A.tj, v,  z ) } fcejv, <,£{(), lj'veftu}* 

We  say  that  II  is  non-malleable  (with  respect  to  itself)  if  it  is  non-malleable  for  identities  of  length 
£{k)  =  k. 

Our  lower  bound  will  apply  to  non-malleability  with  respect  to  identities  of  length  1,  and  even 
if  only  considering  the  messages  0k  and  lk.  We  now  explicitly  define  what  it  means  to  break 
non-malleability  in  this  particular  way. 

Definition  9  (Breaking  Non-malleability).  Let  II  be  a  tag-based  commitment  scheme.  We  say  that 
A  breaks  non-malleability  of  II  with  probability  p(-)  if  for  every  n  G  N, 


Pr 


MIMn(T,£,Oft,T)  =  0A 


—  Pr 


MIMn(H,  £,  lfc,  _L)  =  0fc  |  >  fi(k) 


where  £(k)  =  1.  We  furthermore  say  that  A  breaks  one-sided  non-malleability  of  II  with  probability 
p(-)  if  the  above  holds  and  A  always  picks  identity  0  for  the  left  interaction  and  identity  1  for  the 
right  one. 

We  call  a  commitment  weakly  non-malleable  if  no  attacks  of  the  above  kind  exist. 

Definition  10  (Basing  Weak  Non-malleability  on  the  Hardness  of  C).  We  say  that  R  is  a  T(-)- 
black-box  reduction  for  basing  weak  non-malleability  of  n  (resp.  weak  one-sided  non-malleability) 
on  the  hardness  of  C  w.r.t  threshold  t(-)  if  R  is  a  time  T(-)  a  probabilistic  oracle  machine  and  there 
exists  a  polynomial  p(-,  •)  such  that  for  every  probabilistic  machine  A  that  breaks  non-malleability 
(resp.  one-sided  non-malleability)  of  n  with  probability  //(•),  for  every  k  G  N,  RA  breaks  C  w.r.t  t. 
with  probability  p(/i(k),  1  /k)  on  input  \k . 

We  are  now  ready  to  state  our  first  lower  bound  for  non-malleable  commitments. 

Theorem  5.  Let  H  be  a  two-round  tag-based  commitment  scheme  (i.e.,  the  commit-phase  consists 
of  a  single  message  from  the  receiver,  followed  by  a  single  message  from  the  committer),  and  let 
(C,  t )  be  any  efficient  challenger  assumption.  If  there  exists  a  probabilistic  polynomial-time  black¬ 
box  reduction  R  for  basing  weak  one-sided  non-malleability  of  II  on  the  hardness  of  C  w.r.t  threshold 
t,  then  there  exists  a  probabilistic  polynomial-time  machine  B  and  a  polynomial  p'(-)  such  that  for 
infinitely  many  k  €  N,  B  breaks  C  w.r.t  t.  with  probability  on  input  lk . 

17We  note  that  more  recent  definitions  of  non-malleability  [?,  ?]  additionally  output  the  view  of  A  in  the  above 
experiment.  Since  we  are  proving  a  lower-bound  we  simply  state  the  weaker  definition. 
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Proof.  Consider  an  unbounded  attacker  A  that  chooses  identity  0  in  the  left  interaction  and  1  in 
the  right  and  upon  receiving  a  commitment  to  the  value  bk  commits  to  bk,  and  otherwise  (e.g., 
if  the  commitment  is  invalid)  simply  commits  to  0k.  (Note  that  implementing  A  requires  super¬ 
polynomial  time  by  the  hiding  property  of  II.)  Now  consider  A  that  picks  the  same  identities,  but 
simply  commits  to  in  the  right  interaction  (no  matter  what  messages  it  receives  on  the  left).  We 
claim  that  RA  breaks  C  w.r.t  t  with  inverse  polynomial  probability  for  infinitely  many  k.  Assume 
not;  that  is,  there  exists  a  negligible  function  p  such  that  for  every  k  £  N,  RA  breaks  C  w.r.t  t 
with  probability  at  most  p{k).  Consider  a  fixed  k,  and  hybrids  Hi,...,Hm^  where  H,j  denotes 
the  success  probability  of  R  when  the  first  i  queries  are  answered  by  A  and  the  remaining  ones 
answered  by  A.  By  the  triangle  inequality  there  exists  some  i  such  | Ht  —  Ht+  \  \  is  inverse  polynomial 
(where  the  polynomial  only  depends  on  R).  Since  Hi  and  Hi+\  proceed  identically  up  until  query  i. 
this  means  there  exists  some  prefix  p  of  the  executions  up  until  query  i  such  that  1)  conditioned  on 
p  the  gap  in  probability  is  as  high,  and  2)  the  executions  of  Hi  and  Hl+\  are  efficiently  computable 
conditioned  on  this  prefix  (recall  that  A  is  efficient,  so  once  we  fix  all  the  answers  of  A  in  all  the 
first  i  +  1  queries,  the  rest  of  the  experiment  is  efficient).  Since  the  only  difference  between  the 
hybrids  is  the  commitment  received  by  R  in  round  i  +  1,  we  contradict  the  non-uniform  hiding  of 
II.  Note  that  we  here  rely  on  the  fact  that  II  only  has  two  rounds  (or  else  hiding  may  no  longer 
hold  since  R  could  be  rewinding  its  oracle),  and  that  C  is  polynomial-time  computable.  □ 

We  remark  that  the  above  theorem  is  tight;  we  cannot  hope  to  rule  out  also  super-polynomial- 
time  reductions  for  one-sided  non- malleability:  Liskov  et  al  [?]  present  a  construction  of  such 
commitments  assuming  the  existence  of  one-way  permutations  with  subexponential  security. 

Let  us  now  turn  to  ruling  out  also  super  polynomial-time  reductions  for  “two-sided”  non¬ 
malleability  (i.e.,  where  the  attacker  may  choose  which  identity  to  use). 

Theorem  6.  Let  II  be  a  two-round  tag-based  commitment  scheme  (i.e.,  the  commit-phase  consists 
of  a  single  message  from  the  receiver,  followed  by  a  single  message  from  the  committer),  and  let 
( C,t )  be  an  T(-)-size  challenger  intractability  assumption.  If  there  exists  a  T(-)-size  randomized 
black-box  reduction  R  for  basing  weak  non-malleability  of  II  on  the  hardness  of  C  w.r.t  threshold  t, 
then  there  exists  a  poly(T(-) -sized  attacker  B  and  a  polynomial  p'(-)  such  that  for  infinitely  many 
k  G  N ,  B  breaks  C  w.r.t  t  with  probability  on  input  lk . 

Proof.  Consider  the  attacker  A,  A  from  the  proof  of  Theorem  5.  We  consider  two  cases:  Either  RA 
breaks  C  w.r.t  t  with  inverse  polynomial  probability  for  infinitely  many  k  (as  in  the  proof  of  Theorem 
5)  in  which  case  we  are  done.  Or,  there  exists  a  negligible  function  p  such  that  for  every  k  £  N,  RA 
breaks  C  w.r.t  t  with  probability  at  most  p{k).  As  shown  in  the  proof  of  Theorem  5,  in  this  case 
R  together  with  C  and  using  a  polynomial-size  advice  string  may  distinguish  commitments  to  0k 
and  lk  with  inverse  polynomial  probability  for  infinitely  many  k:  let  D  denote  this  “commitment 
distinguisher”  (outputting  a  bit  b  e  {0, 1}).  Now  consider  a  third  attacker  A'  that  chooses  identity 
1  on  the  left  and  0  on  the  right  (instead  of  using  0  on  the  left  and  1  on  the  right  as  A  and  A)  and 
next  applies  D  to  the  commitment  it  receives  on  the  left  in  order  to  decide  what  value  to  commit 
to  on  the  right.  More  formally,  A' (lk)  proceeds  as  follows: 

•  A'  internally  emulates  D( ln),  outputs  the  first  output  of  D  (the  first  message  of  the  commit¬ 
ment18); 

18Recall  that  D  is  a  commitment  distinguisher  for  two-round  commitment,  and  thus  must  first  specify  the  first 
message  of  the  commitment. 
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•  Upon  receiving  a  commitment  c  on  the  left,  and  a  first  message  r  on  the  right,  A'  simply 
forwards  c  to  D; 

•  Let  6  denote  the  final  bit  output  by  D\  output  on  the  right  a  commitment  to  6n  (i.e.,  0n  if 
6  =  0  and  ln  if  6  =  1)  using  r  as  a  first  message. 

It  directly  follows  from  the  fact  that  D  is  a  good  distinguisher  that  A'  breaks  non-malleability  of 
II,  and  thus  there  exists  a  polynomial  p' {■)  such  that  for  infinitely  many  k  G  N,  RA  breaks  C 
w.r.t  t  with  probability  on  input  lk.  The  theorem  follows  by  noting  that  both  R  and  D  are 
computable  in  size  poly{T(-)).  □ 

A  Remark  on  Deterministic  Attackers  and  Non-uniform  Reductions  Just  as  the  proof 
of  Theorem  3,  the  proofs  of  the  above  theorem  readily  extends  to  rule  out  reductions  that  only  work 
with  deterministic  attackers,  and,  relying  on  the  techniques  from  [?],  also  non-uniform  reductions. 
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Abstract.  We  present  a  2-round  protocol  to  prove  knowledge  of  a  plain¬ 
text  corresponding  to  a  given  ciphertext.  Our  protocol  is  black-box  in 
the  underlying  cryptographic  primitives  and  it  can  be  instantiated  with 
almost  any  fully  homomorphic  encryption  scheme. 

Since  our  protocol  is  only  2  rounds  it  cannot  be  zero-knowledge  [G094]; 
instead,  we  prove  that  our  protocol  ensures  the  semantic  security  of  the 
underlying  ciphertext. 

To  illustrate  the  merit  of  this  relaxed  proof  of  knowledge  property,  we 
use  our  result  to  construct  a  secure  multi-party  computation  protocol 
for  evaluating  a  function  /  in  the  standard  model  using  only  black-box 
access  to  a  threshold  fully  homomorphic  encryption  scheme.  This  protocol 
requires  communication  that  is  independent  of  |/|;  while  Gentry  [Gen09a] 
has  previously  shown  how  to  construct  secure  multi-party  protocols  with 
similar  communication  rates,  the  use  of  our  novel  primitive  (along  with 
other  new  techniques)  avoids  the  use  of  complicated  generic  white-box 
techniques  (cf.  PCP  encodings  [Gen09a]  and  generic  zero-knowledge 
proofs  [AJLA+12,LATV11].) 

In  this  sense,  our  work  demonstrates  in  principle  that  practical  TFHE 
can  lead  to  reasonably  practical  secure  computation. 

Keywords:  Fully  Homomorphic  Encryption,  Threshold  Encryption,  Se¬ 
cure  Multi-Party  Computation,  Communication  and  Round  Complexity, 
Proof  Of  Knowledge 


1  Introduction 

The  main  technical  contribution  of  this  paper  is  a  novel  proof  of  knowledge 
of  a  plaintext  protocol  and  its  demonstrated  use  in  the  construction  of  a  fully 
black-box  multi-party  computation  protocol  with  low  communication  overhead. 
We  briefly  describe  the  motivation  behind  our  work. 
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Communication  Secure  computation  with  an  honest  majority  can  be  accomplished 
without  any  cryptographic  assumptions,  but  the  best  such  protocol  requires  the 
parties  to  communicate  |/|  log  |/|  +  d 2  •  poly{n,  log  |/|)  bits  [DIK10]  and  at  least 
d  rounds.  Here  |/|  is  the  size  of  the  function  being  computed  and  d  is  the 
circuit  depth  of  /,  and  thus  the  communication  of  the  protocol  is  super-linearly 
related  to  the  number  of  gates  in  /.  Until  recently,  even  the  use  of  cryptographic 
assumptions  for  secure  computation  required  polylog(X)  communication  overhead 
per  gate  [DIK10]  where  A  is  a  security  parameter. 

Gentry  [Gen09a]  circumvents  per-gate  overhead  as  follows:  the  lionest-but- 
curious  parities  use  secure  multi-party  computation  to  generate  an  FHE  key,  each 
party  encrypts  its  input,  and  sends  the  resulting  ciphertext  and  proof  to  other 
parties.  Once  all  parties  have  encryptions  of  everyone’s  inputs,  they  compute  the 
function  of  interest  locally  using  the  evaluation  procedure  of  the  FHE.  Finally,  to 
use  the  resulting  ciphertexts  as  inputs  to  a  secure  multi-party  computation  which 
computes  the  decryption  of  the  majority  input.  In  order  to  be  secure  against 
malicious  adversaries,  the  Naor  and  Nissim  compiler  [NN01],  which  makes  use 
of  the  PCP  theorem,  can  be  applied.  The  use  of  the  PGP  theorem  in  the  SMC 
steps  makes  the  approach  impractical,  even  when  presented  with  a  practical  FHE 
scheme. 

The  motivation  behind  our  work  is  to  remove  any  use  white-box  techniques, 
such  as  the  PCP  theorem  or  generic  ZK  or  NIZK,  from  the  above  framework 
for  constructing  communication-efficient  secure  protocols.  These  techniques  have 
historically  been  inefficient.  In  other  words,  we  seek  a  black-box  transformation 
from  TFHE  to  secure  computation. 

First  Contribution  The  main  technical  hurdle  in  devising  a  black-box  transforma¬ 
tion  from  TFHE  to  secure  computation  is  to  implement  the  requirement  for  each 
player  to  prove  that  they  “know  the  plaintext”  corresponding  to  the  encrypted 
input  that  they  have  broadcast.  This  step  is  essential  because  it  prevents  one 
player  from  copying  (or  mauling  via  the  homomorphism)  the  input  of  a  player 
who  has  acted  earlier.  To  handle  this  step,  we  show  how  to  construct  a  two-round 
black-box  proof  of  knowledge  of  an  encrypted  bit  for  any  circuit  private  FHE 
scheme  using  only  the  encryption  scheme.  Since  our  protocol  is  only  two  rounds, 
it  is  not  zero-knowledge  (cf.  [G094]),  but  can  provably  keep  the  encrypted  bit 
hidden.  Our  POK  requires  that  the  public-key  contain  a  labeled  encryption  of  0 
and  1,  which  given  all  known  FHE  schemes  seems  to  be  a  natural  modification.  3 
For  traditional  FHE  schemes,  the  POK  can  be  used  completely  black-box,  without 
even  the  need  for  the  modification. 

The  basic  idea  of  our  proof  of  knowledge  protocol  is  to  first  modify  the 
encryption  scheme  so  that  the  message  is  encoded  using  an  error-correcting  code 
(ECC)  based  verifiable  secret  sharing  (VSS)  scheme.  To  encrypt  a  message  we  first 

3  Since  all  current  schemes  contain  bit-wise  encryptions  of  their  own  secret-keys 
which  are  random  bit  strings,  and  a  natural  extension  of  any  protocol  that  provides 
encryptions  of  one’s  own  secret-key  can  be  used  to  derive  a  labeled  encryption  of  0 
and  1  which  we  describe. 
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generate  its  secret  shares,  and  encrypt  them  independently  using  fresh  randomness. 
A  verifier  now  requests  the  Prover  to  reveal  the  randomness  used  to  encrypt  a 
sub-threshold  number  of  the  shares.  The  verifier  then  does  a  consistency  check, 
based  on  the  ECC  underlying  the  scheme,  to  ensure  that  the  shares  were  encoded 
properly.  In  particular,  the  error-correcting  code  we  choose  offers  a  property 
that  allows  one  to  check  whether  local  parts  of  the  codeword  are  error-free.  The 
verifier  accepts  if  everything  appears  to  be  properly  coded.  Since  the  number 
of  shares  revealed  is  less  than  the  threshold,  it  does  not  leak  any  information 
about  the  original  message.  To  show  a  proof  of  knowledge  property,  we  argue 
that  an  extractor  can  rewind  the  Prover  and  ask  for  another  set  of  shares  to  be 
opened.  With  high  probability,  this  second  transcript  provides  enough  new  shares 
to  run  the  VSS  recover  algorithm,  and  recover  the  original  message.  The  one 
issue  with  this  approach  is  that  the  Prover  must  reveal  the  randomness  used  to 
encrypt  some  of  the  shares.  The  semantic  security  of  an  encryption  scheme  does 
not  guarantee  any  security  when  these  random  bits  are  revealed—  in  particular, 
the  security  of  the  rest  of  the  unopened  encryptions  are  not  guaranteed.  Instead, 
we  require  the  encryption  scheme  to  be  secure  against  a  selective  opening  attack 
(SOA).  Fortunately,  a  result  of  Hemenway  et  al.  [HLOV11]  can  be  generalized  to 
show  that  any  circuit  private  homomorphic  encryption  scheme  can  be  made  into 
an  SOA-secure  one. 

We  point  out  that  our  proof  of  knowledge  requires  the  encryption  scheme 
to  be  homomorphic  and  circuit-private.  Recently,  Damgard  et  al.  [DPSZ12] 
demonstrates  a  three-round  A-protocol  for  knowledge  of  plaintext,  but  their 
protocol  requires  the  underlying  encryption  scheme  to  also  be  homomorphic  on 
the  random  coins  used  to  encrypt.  Although  many  FHE  schemes  support  this 
property  on  their  random  coins,  it  is  certainly  not  specified  in  the  definition  of 
FHE.  In  contrast,  circuit  privacy  has  been  independently  defined  and  seems  to 
be  a  naturally  weaker  property.4  Moreover,  their  scheme  requires  the  message 
space  for  the  FHE  to  be  over  Zn  for  N  related  to  the  security  parameter.  While 
in  general,  single-bit  FHE  implies  many-bit  FHE,  we  are  not  aware  of  any  such 
transformation  that  also  preserves  the  homomorphism  over  the  random  coins 
as  required  by  their  protocol.  Thus,  the  requirement  for  large  message  space 
and  homomorphism  over  the  random  coins  seem  to  be  extra  assumption  which 
our  work  can  avoid  (our  protocol  also  works  on  single- bit  FHE).  Finally,  the 
A-protocol  from  [DPSZ12]  must  be  compiled  into  a  full  zero-knowledge  protocol 
using  standard  techniques  which  add  round  complexity  and/or  setup  assumptions; 
we  show  that  our  two-round  protocol  with  its  hidden-bit  property  suffices  for  our 
secure  computation  protocol. 

Second  Contribution  By  combining  our  result  with  almost  any  TFHE  scheme,  we 
construct  a  secure  multi-party  protocol  that  avoids  both  per-gate  communication 

4  Even  though  current  schemes  achieve  circuit  privacy  via  randomness  homomorphisms, 
it  is  certainly  plausible  for  future  constructions  to  achieve  circuit  privacy  in  other 
ways.  Moreover,  there  do  not  seem  to  be  any  natural  ways  to  transform  a  circuit 
private  scheme  to  one  with  a  randomness  homomorphism,  and  thus  we  feel  it  is  a 
weaker  notion. 
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complexity  and  white-box  techniques  such  as  the  PCP  theorem  or  Zero-Knowledge. 
The  communication  complexity  of  our  protocol  is  0{ \c  ■  n2)  where  A  is  a  security 
parameter  and  c  is  a  small  constant  for  the  TFHE  scheme  and  is  thus  independent 
of  |/|.  Our  black-box  transformation  is  particularly  important  because  if  practical 
FHE  (and  TFHE)  can  be  constructed,  our  transformations  will  result  in  practical 
SFE.  Our  work  is  in  the  standard  model  and  does  not  require  trust  assumptions 
such  as  the  common  reference  string,  a  random  oracle  or  public-key  setup. 


Final  Contribution  For  completeness,  we  also  construct  a  threshold  fully  homo¬ 
morphic  public-key  encryption  scheme  (TFHE)  based  on  the  Approximate  GCD 
problem  and  the  fully  homomorphic  encryption  scheme  presented  by  van  Dijk 
et  al.  [vDGHVIO],  and  our  result  was  the  first  to  demonstrate  the  feasibility  of 
directly  achieving  this  threshold  primitive  for  FHE.  Since  our  original  eprint 
submission,  [AJLA+12]  and  [LATV11]  present  more  efficient  TFHE  constructions 
based  on  LWE-style  assumptions.  The  point  of  this  construction  is  to  demonstrate 
feasibility  of  TFHE  under  different  complexity  assumptions.5 

We  present  our  protocols  in  the  information-theoretic  model  over  secure  point- 
to-point  channels,  and  thus  our  protocols  are  secure  in  the  presence  of  an  honest 
majority.  Thus,  when  used  with  our  transformation,  the  resulting  protocol  is  also 
only  secure  with  an  honest  majority.  By  using  another  TFHE  that  tolerates  a 
dishonest  majority,  our  transformation  results  in  an  secure  computation  protocol 
that  also  tolerates  the  same. 

The  TFHE  scheme  provides  a  constant-round  protocol  for  n  players  to  generate 
a  public-key  and  distribute  private  shares  of  the  corresponding  secret-key  of  a 
fully  homomorphic  encryption  scheme.  This  step  itself  is  non-trivial  since  the 
generation  of  the  public-key  for  an  FHE  scheme  (that  is  based  on  bootstrapping) 
requires  encryption  of  the  secret-key.  Later,  a  majority  of  players  can  cooperatively 
decrypt  a  ciphertext  by  running  a  constant-round  protocol  on  their  private  shares 
and  a  public  ciphertext.  We  also  provide  methods  for  distributed  encryption  and 
for  proving  knowledge  of  an  encrypted  value. 

We  note  that  both  our  TFHE  key  generation  and  decryption  protocols  are 
more  efficient  than  generically  applying  secure  function  evaluation  techniques 
to  the  key  generation  or  decryption  algorithms  of  an  FHE  scheme.  For  example, 
with  the  right  set  of  the  parameters,  our  decryption  protocol  requires  only  a 
constant  number  of  share  multiplications,  whereas  generic  techniques  would 
require  0(poly( A))  such  multiplications.  We  heavily  exploit  the  linear  nature  of 
the  operations  involved  in  key  generation,  encryption  and  decryption  for  the 
particular  FHE  scheme  of  van  Dijk  et  al.  For  key  generation  and  decryption,  we 
develop  specific  multiparty  computation  protocols  that  evaluates  an  arithmetic 
circuit  using  verifiable  secret  sharing  techniques,  that  is  more  efficient  than  the 
application  of  generic  techniques. 


5  We  note  that  historically,  threshold  encryption  has  been  presented  where  the  key- 
generation  algorithm  and  decryption  algorithms  are  single  algorithms,  or  they  are 
multi-party  protocols.  We  present  multi-party  protocols. 
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Comparison  With  Other  FHE-based  Secure  Computation  Protocols  Gentry’s  [Gen09a] 
secure  computation  protocol  was  the  first  to  achieve  communication  complexity 
that  is  independent  of  |/|  by  using  the  PCP  theorem  in  several  steps. 

Asharov,  Jain  and  Wichs  [AJLA+12]  and  Lopez-Alt,  Tromer,  and  Vaikun- 
tanathan  [LATV11]  have  constructed  more  efficient  TFHE  schemes  based  on 
LWE  and  the  closely  related  RLWE  assumption,  which  can  be  reduced  to  varying 
degrees  to  worst-case  lattice  problems.  Their  approaches  rely  on  the  ability  to 
construct  an  FHE  that  also  has  a  homomorphism  on  the  secret-keys,  and  can  also 
be  used  to  achieve  secure  computation  with  communication  that  is  independent  of 
|/|.  Together,  our  results  demonstrate  that  the  TFHE  primitive  can  be  developed 
from  reductions  to  different  classes  of  hardness  assumptions,  and  therefore  TFHE 
is  not  simply  a  consequence  of  a  specific  hardness  property. 

To  achieve  security  against  malicious  adversaries,  Lopez-Alt  et  al.  rely  on  a 
common  reference  string  setup  so  that  players  can  use  a  NIZK  to  prove  to  each 
other  that  their  keys  and  their  input  ciphertexts  are  well-formed.  The  use  of  such 
NIZK  also  requires  additional  hardness  assumptions,  since  (T)FHE  is  not  known 
to  imply  NIZK.  They  can  also  instantiate  their  ideas  in  the  standard  model 
by  replacing  these  NIZK  proofs  with  traditional  interactive  ZK  proofs;  but  in 
either  case,  the  generic  (NI)ZK  techniques  used  require  non-blackbox  use  of  the 
underlying  TFHE  scheme.6  By  choosing  the  CRS  model,  the  authors  observed 
that  by  using  a  more  expensive  simulation-sound  NIZK,  their  protocols  can  also 
achieve  UC-security.  Our  protocols  only  claim  standard  security,  but  it  has  bee 
pointed  out  to  us  that  it  is  likely  that  we  can  state  some  of  ours  results  as  UC  in 
a  TFHE-hybrid  model. 

Asharov  et  al.  use  efficient  A-Protocol  constructions  to  prove  well-formedness; 
these  make  heavy  use  of  the  underlying  mathematical  structure  of  the  LWE 
assumption.  In  order  to  have  efficient  NIZK  proofs,  they  must  rely  on  the  use  of 
the  Random  Oracle  model,  and  the  use  of  the  Fiat-Shamir  heuristic  to  transform 
the  A-protocols  into  NIZK  proofs.  In  any  case,  due  to  the  black-box  nature  of 
our  SMC  construction,  with  simple  modifications  to  the  public-key  to  include 
labeled  ciphertexts  representing  encryptions  of  0  and  1,  either  of  the  Lopez-Alt 
et  al.  or  Asharov  et  al.  TFHE  schemes  can  be  plugged  in  to  our  construction 
to  achieve  security  against  an  arbitrary  number  of  malicious  adversaries,  with 
abort.  In  contrast,  with  our  scheme  we  are  guaranteed  output  delivery,  but  need 
an  honest  majority  of  players. 

The  protocols  of  Damgard  et  al.  [DPSZ12]  and  Bendlin  et  al.  [BDOZ11]  use  a 
different  approach  to  constructing  secure  computation  protocols  from  traditional 
homomorphic  encryption.  Their  schemes  rely  on  the  idea  from  Beaver  [Bea91]  for 
circuit  randomization.  First,  they  use  an  offline  phase  in  which  the  parties  use  a 
somewhat  homomorphic  encryption  primitive  to  create  shares  of  triples  (a,  6,  c) 
such  that  a  ■  b  =  c.  One  triple  is  required  for  each  multiplication  gate  in  /  that 
is  to  be  evaluated  and  requires  approximately  0{n/s)  “heavy”  cryptographic 

6  In  other  words,  the  encryption  algorithm  of  the  TFHE  will  need  to  be  expressed  in 
terms  of  a  graph-coloring  instance  (or  Hamiltonicity,  circuit-sat  ,etc...).  As  far  as  we 
know,  this  transformation  requires  a  high-order  polynomial  overhead. 
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operations  to  generate.  Next,  after  such  triples  have  been  created,  the  parties  use 
only  information-theoretic  methods  to  evaluate  the  circuit.  This  approach  results 
in  admirable  communication  parameters  for  small  circuits  (as  they  have  also  run 
practical  examples);  nonetheless,  the  approach  requires  linear  communication 
for  each  gate  in  |/|,  and  thus  does  not  achieve  our  main  aim  of  eliminating  this 
relationship. 

Finally,  these  prior  results  are  all  in  a  model  in  which  n  parties  are  computing, 
and  the  protocols  can  tolerate  up  to  n  —  1  malicious  parties.  In  contrast,  our 
protocols  require  an  honest  majority.  The  relative  incomparability  of  these  models 
is  well  understood.  In  particular,  in  the  model  that  tolerates  up  to  n  —  1  malicious 
adversaries,  if  any  one  party  deviates  form  the  protocol  or  fails,  then  all  parties 
output  _L.  Alternately,  with  an  honest  majority,  all  parties  can  output  an  effective 
output,  as  supported  by  our  protocol.  For  a  discussion  of  the  relative  merits  of 
the  two  models,  and  the  impossibility  of  having  protocols  that  achieve  the  best 
of  both  worlds  for  general  functionalities,  see  the  work  of  Ishai  et  al.  [IKK+11]. 

In  summary,  all  of  these  recent  works  have  advantages  and  disadvantages 
of  their  own;  our  major  contribution  is  the  black-box  transformation  and  the 
independent  hardness  assumption. 

Related  work  Cramer,  Damgard  and  Nielson  [CDN01],  along  with  Jakobbsson 
and  Juels  [JJOO]  show  how  to  use  threshold  cryptography  to  construct  secure  mul¬ 
tiparty  computation  protocols.  In  more  detail,  we  use  many  ideas  from  [CDN01] 
which  shows  how  a  homomorphic  threshold  cryptosystem  can  be  used  to  achieve 
general  multiparty  computation  protocols.  The  notion  of  using  secret-sharing  to 
encode  encryptions,  as  we  will  do,  was  first  seen  in  [CDSMW08]  and  has  recently 
been  extended  in  [GLOV12],  although  these  works  use  the  technique  to  ensure 
consistency,  and  not  a  proof-of-knowledge,  as  pursued  here. 


2  Preliminaries  and  Notation 

A  4-tuple  of  protocols  and  algorithms  (Gen,  Enc,  Dec,  Eval)  is  a  (t,  n)-threshold 

fully  homomorphic  encryption  scheme  if  the  following  hold: 

Key  Generation  An  n-party  protocol  Gen  that  at  each  invocation  returns 
a  new  public-key  PK  and  the  secret-key  (SKi, . . . ,  SKn),  where  SK;  is  the 
share  of  the  secret-key  for  Player.^. 

Encryption  A  PPT  algorithm  EncpK(m,r)  that  returns  the  encryption  of  the 
plaintext  m  under  the  public-key  PK  with  random  coins  r. 

Decryption  There  exists  a  PPT  n-party  protocol  Dec(c,  SKi, . . . ,  SKn),  which 
returns  the  plaintext  m  using  the  shares  SK^  held  by  honest  party  Player^, 
where  c  =  Enc(m,  r)  for  some  random  r. 

/pK-homomorphic  There  exists  a  PPT  algorithm  Eval  which  given  a  polyno¬ 
mial  /,  ciphertexts  C\  £  EncpK(nii), . . . ,  Cj,  £  Encpi<(?nfc)  for  some  k  and  a 
public-key  PK,  outputs  c  £  Enc(/(roi, . . . ,  m*,)). 
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The  natural  notion  of  chosen  plaintext  attack  indistinguishability  needs  to  be 
modified  in  the  venue  of  threshold  cryptography  to  take  into  account  the  fact  that 
the  adversary  has  access  to  shares  of  the  secret-key.  The  appropriate  corresponding 
and  natural  definition  is  given  in  [CDN01],  and  full  version  of  our  paper  [MSasll]. 
Standard  security  notions  for  secure  multi-party  computation  protocols  can 
be  used  to  define  the  security  for  the  protocols  Gen  and  Dec  in  any  given 
instantiation  of  a  TFHE  (e.g.,  we  can  consider  security  in  the  real/ideal  standalone 
paradigm,  the  UC  framework,  etc..) 

Next,  we  present  the  notion  of  bootstrapping  a  ciphertext.  Gentry  developed 
the  notion  of  Bootstrapping  to  reduce  noise  in  a  somewhat  fully  homomorphic 
encryption  scheme,  in  order  to  achieve  a  fully  homomorphic  scheme.  In  contrast, 
we  assume  the  existence  of  an  FHE  and  simply  use  it  to  reduce  noise  produced 
in  ciphertexts  generated  in  our  selective  opening  attack  secure  scheme  that  we 
introduce  later. 

Definition  1.  (Bootstrapping  a  Ciphertext)  For  a  FHE  scheme  Ft  =  (G,  E,  D ,  Eval ) 
and  the  security  parameter  k,  let  Dn  be  77 ’s  decryption  circuit,  which  takes  a 
secret-key  and  s  ciphertext  as  input.  Given  a  ciphertext  C  encrypted  with  respect 
to  a  public-key  PK  and  secret-key  SK  =  ( SK\ , ..,  SKe)  we  require  that  PK  con¬ 
tains  a  bit-wise  encryption  of  SK,  denoted  s\,...,se  where  Si  =  E(PK,  SKi).  Let 
(Ci,..,Gn)  denote  the  bits  of  C ,  and  generate  Ci  =  E(PK,Ci).  We  say  that  the 
value  C t  =  Eval(PK,  Dv,  Si,  ...,  se.,  Ci, cn)  (which  homomorphically  evaluates 
D(SK,C))  is  the  result  of  bootstrapping  C. 


2.1  Selective  Opening  Security 

In  our  construction,  we  will  need  to  refer  to  encryption  schemes  where  messages 
that  are  encrypted  remain  secure,  even  after  the  randomness  used  to  encrypt 
related  messages  is  revealed.  This  notion  of  security  is  called  Selective  Opening 
Security. 

Definition  2  (IND-SO-SEC  Encryption  Security).  A  public-key  encryp¬ 
tion  scheme  77  =  (G,  E,  D )  is  Indistinguishable  Selective  Opening  secure  if,  for 
any  message  sampler  M  that  supports  efficient  conditional  resampling,  and  any 
ppt  adversary  A  =  (A±,  A2)  there  exists  a  negligible  function  /. 1  such  that  for  all 
sufficiently  large  k: 

|Pr[Tl/}d-s°-Real(lfc)  =  1]  -  Pr[Al)}d“S0“ldeal(lfe)  =  1] |  <  p(k). 

A  message  sampler  M  is  a  PPT  algorithm  that  outputs  a  vector  m  of  n  messages 
from  a  given  distribution.  It  is  an  efficient  conditional  resampler  if,  when  given 
two  auxiliary  inputs,  a  set  of  indices  I  C  [n\,  and  a  vector  of  messages  m  = 
(mi, ...,  mn),  M  samples  another  vector  m!  =  (m),---  ,m'n)  conditioned  on 
mi  =  m'i  for  each  i  €  I.  We  define  the  experiments  Ind-SO-Real  and  Ind-SO-ldeal 
as  follows. 
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I  nd  -SO -Rea  I  (lfc ,  A) 

(. PK ,  SK)  <-  G(lfe) 
m  =  (mi , . . . ,  to„)  M 
ri,. . .  ,rn  <<-  -R 

(/,ct)  «-  A1(PK,  Bpjffffli.ri EpK(mn,rn)) 
Output  A2(cr,  (■ mi,ri)iei ,  m) 

lnd-SO-ldeal(lfc,  A) 

(PK,SK)  <-  G(lk) 
m  =  (mi, . . . ,  mn)  •<—  M 

(/,ct)  «-  A1(PK,  EPK(mi,ri), . . . ,  EPK(mn,rn)) 

m'  = 

Output  A2(a,  ( m,;,ri)ie/,m ') 


2.2  Circuit  Privacy 

Definition  3.  ((Statistical)  Circuit  Private  Homomorphic  Encryption).  A  homo¬ 
morphic  encryption  scheme  e  =  ( Gen ,  2£nc,  Dec)  is  circuit- private  for  circuits  in 
a  set  Ce  if,  for  any  key  pair  ( PK ,  SK)  output  by  Gen(X),  any  circuit  C  £  Ce,  and 
any  fixed  ciphertext  if  =  (ip i, . . .  ,ipt)  that  are  in  the  image  of  Enc  for  plaintexts 
7Ti, . . . ,  7Tt,  the  following  distributions  (over  the  random  coins  in  Enc,  Eval)  are 
(statistically)  indistinguishable: 


EncPK(C( 7n, . . . ,  nt))  «  EvalPK(C,  ip) 

In  the  original  schemes  first  presented  by  both  Dijk  et  al.  [vDGHVIO]  and 
Gentry  [Gen09a] ,  the  initial  evaluation  functions  are  deterministic  and  not  circuit- 
private.  In  order  to  overcome  this  problem,  both  works  introduce  a  method  for 
adding  random  noise  to  encryptions,  whether  they  are  output  from  Eval  or 
Enc,  and  thus  in  some  sense  rerandomizing  them.  This  is  done  by  adding 
an  ‘encryption’  of  0  to  the  ciphertext  in  question,  but  where  the  ‘encryption’ 
has  significantly  more  noise  than  would  be  generated  by  either  the  legitimate 
encryption  or  evaluation  process.  Specifically,  they  introduce  ppt  algorithms 
labeled  CircuitPrivacy  :  C&  — >  C'bl  where  C  consists  of  all  the  ciphertexts  that  are 
output  from  Encpx(&)  or  a  call  to  Eval  with  an  encrypted  output  bit  of  b.  It  is 
the  case  that  for  any  b  and  any  Cbp,Cb,i  £  Cb- 

CircuitPrivacy(cfJjo)  CircuitPrivacy(cbii). 

3  Proof  of  Knowledge  of  an  Encryption 

As  noted  in  the  Introduction,  the  method  of  Cramer,  Damgard,  and  Nielsen  [CDN01] 
requires  an  honest- verifier  zero-knowledge  proof  of  knowledge  of  encrypted  val¬ 
ues  for  the  threshold  schemes  that  they  employ.  We  provide  a  weaker  2-round 
solution  to  that  requirement,  which  alas,  is  not  zero- knowledge,  but  also  does  not 
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release  any  information  about  the  bit  being  discussed  (we  formalize  this  below). 
Moreover,  our  construction  is  black-box  in  the  underlying  circuit-private  FHE 
scheme. 

We  construct  this  proof  through  a  two-step  process.  At  a  high-level,  instead  of 
encrypting  a  bit  6,  we  use  a  specific  (n,n/ 2  +  2)  verifiable  secret  sharing  scheme 
to  generate  n  shares  of  b  and  encrypt  those  shares. '  In  order  to  give  a  proof  of 
knowledge  of  the  encryption  of  &,  we  allow  a  verifier  to  select  n/ 2  +  1  of  the 
encryptions  of  shares  of  6,  and  then  direct  the  Prover  to  reveal  the  randomness 
used  to  encrypt  those  shares.  To  extract  the  bit,  our  extractor  rewinds  the  proof 
and  selects  an  alternate  nj 2  +  1  shares,  so  that  with  high  probability,  it  can  use 
n/2  +  2  shares  to  reconstruct  6,  and  only  b  due  to  the  verifiability  of  the  secret 
sharing  scheme.  The  problem  with  this  approach  is  that  revealing  the  randomness 
for  an  encryption  raises  selective  decommitment  issues.  We  use  techniques  from 
Hemenway  et  al.  [HLOV11]  to  construct  a  bit-wise  Indistinguishable  Selective- 
Opening  Secure  encryption  scheme  from  our  threshold  fully-homomorphic  scheme. 
We  can  then  use  it  to  bitwise  encrypt  the  VSS  shares. 

We  note  that  the  encryptions  of  the  shares  under  the  bit-wise  Indistinguishable 
Selective-Opening  Secure  scheme,  is  not  itself  a  homomorphic  encryption  scheme. 
For  example,  we  cannot  multiply  directly  two  sets  of  shares  encoding  bo  and 
bi  and  expect  the  result  to  encode  bo  ■  &i.  However,  the  individual  encrypted 
bits  are  still  properly  encoded  ciphertexts  under  the  FHE  scheme  that  have  a 
circuit-privacy  evaluation  function  applied  to  them.  Intuitively,  therefore,  we  can 
homomorphically  evaluate  the  reveal  function  of  the  secret  sharing  scheme  to  get 
a  single  encryption  representing  the  reconstituted  bit.  This  encryption  can  then 
be  used  to  homomorphically  evaluate  the  function  as  in  Cramer  et  al.  [CDN01]. 
There  is  however  a  snag:  in  principle,  once  the  circuit-privacy  function  has  been 
applied  to  a  ciphertext,  it  may  no  longer  be  able  to  have  homomorphic  operations 
applied  to  it,  as  this  is  not  guaranteed  by  the  definition.8  However,  this  problem 
is  easily  surmounted  by  applying  Gentry’s  bootstrapping  technique  (cf.  Defn  1) 
to  re-encode  the  selective-opening  secure  schemes  into  ciphertexts  which  can  have 
homomorphic  operations  applied  to  them,  and  thus  the  VSS’s  reveal  algorithm 
can  be  applied  to  the  individual  bits  of  the  shares,  resulting  in  ciphertext  of  the 
encoded  bit,  which  is  in  the  ciphertext  space  of  the  TFHE  scheme. 

Using  FHE  to  construct  a  Selective  Opening  Encryption  Scheme  Hemenway  et 
al.  [HLOV11]  show  how  any  re-randomizable  encryption  scheme  can  be  used  to 
construct  a  natural  lossy  encryption  scheme  and  thus,  by  the  result  of  Bellare  et 
al.  [BHY09],  is  secure  against  indistinguishable  selective  opening  attacks. 

Since  the  Hemenway  and  Ostrovsky  construction  relies  on  re-randomization, 
they  suggest  that  the  distribution  of  a  “fresh”  encryption  of  a  message  should  be 

7  We  use  a  verifiable  secret  sharing  scheme  with  a  n/2  +  2  threshold  to  simplify  the 
proof  of  the  VSS,  thus  \T\  =  n/2  +  1  is  chosen  to  be  right  under  the  threshold  of  the 
VSS,  as  one  might  expect. 

8  Further,  in  practice,  with  known  schemes,  these  ciphertexts  have  too  much  noise 
in  them  to  allow  further  homomorphic  operations  without  sacrificing  decryption 
correctness. 
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statistically  close  to  a  rerandomization  of  a  fixed  message.  They  point  out  that 
all  homomorphic  encryption  schemes  up  to  that  point  achieved  this  property  by 
adding  an  encryption  of  0  to  the  current  message.  While  this  property  was  true 
of  all  schemes  at  the  time,  it  is  not  actually  true  of  the  known  fully  homomorphic 
encryption  schemes,  because  each  time  we  add  an  encrypted  message  to  another 
we  increase  the  amount  of  noise  that  is  embedded  in  the  ciphertexts,  and  thus 
fresh  encryptions  have  less  noise  than  encryptions  that  have  had  operations  (such 
as  addition)  applied  to  them.  Fortunately,  the  property  they  state  is  overly  strong, 
and  a  simple  observation  shows  that  for  their  construction  to  go  through  they 
only  require  that  the  distributions 

{r  «—  R  '■  Epk(0,r)  ffl  Epk(m,r0)}  {r  <-  R  :  Epk(0,r)  ffl  Epk(m,r i)}, 

for  all  public-keys  pk ,  messages  m  and  random  strings  ro  and  rq  where  ES  is  the 
homomorphic  addition  operation.  However,  it  is  simple  to  see  that  even  these 
two  distributions  are  not  statistically  close  for  the  fully  homomorphic  encryption 
schemes  that  have  been  proposed.  Fortunately,  both  schemes  under  consideration 
have  rerandomization  functions  built  to  ensure  Circuit-Privacy ,  as  is  defined 
in  [Gen09b]  and  Def.  3. 

Construction  of  a  SOA  from  Lossy  We  generate  a  public-key  for  the  Lossy  scheme 
by  generating  a  traditional  public-key  and  secret-key  for  the  TFHE,  and  then 
we  augment  the  public-key  with  two  labeled  ciphertexts  Cq  and  Ci,  representing 
encryptions  of  0  and  1.  Now,  to  encrypt  a  bit  b ,  we  take  Cb,  and  rerandomize  it 
using  the  circuit-privacy  function  (In  comparison,  Hemenway  and  Ostrovsky  add 
an  encryption  of  the  bit  0).  Decryption  works  as  it  does  in  the  FHE  scheme.  The 
lossy  key  generator  simply  has  Ci  represent  an  encryption  of  0  instead  of  1.  By 
the  IND-CPA  security  of  the  TFHE  scheme,  the  keys  are  indistinguishable.  The 
scheme  is  formally  described  below. 

Key  Generation  G'(lfc,  6),  b  G  {INJ,  LOSSY}:  Let  (PK,  SK)  <-  G(lfc),c0  <- 
E(PK,0),  ci  <-  .E(PK,  1)  and  c[  <-  E( PK,0).  If  b  =  INJ  Output  PK'  = 
(pk,co,ci)  and  SK'  =  SK,  else  when  b  =  LOSSY  output  PK'  =  (PK,  Co,  c\ ) 
and  SK'  =  SK. 

Encryption  E'( PK'  =  (PK,  Co,  Ci),  b):  Output  ReRand(cb). 

Decryption  P'(SK,c):  Output  D(SK,c). 

Theorem  1.  If  (G,  E,  D)  is  a  circuit-private  FHE,  then  the  blackbox  construction 
(G',  E',  D')  described  above  is  an  IND-SO-SEC  secure  encryption  scheme. 

Proof.  Follows  from  [HLOV11]  and  [BHY09]. 

Modifying  the  SOA-secure  Encryption  Scheme  to  Support  POKs  Again,  in  order 
to  be  able  to  provide  a  proof  of  knowledge  that  a  party  has  knowledge  of  the  value 
encrypted,  we  need  to  provide  a  POIv.  We  will  show  a  2-round  public-coin  proof 
of  knowledge  of  the  encrypted  bit  based  on  any  selective  opening  secure  scheme. 
The  protocol  is  neither  zero-knowledge  nor  witness  indistinguishable,  but  does 
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maintain  secrecy  of  the  encrypted  bit.  First,  we  encrypt  bits  using  the  following 
protocol.  Let  TI'  =  (G' ,  E' ,  D')  be  the  selective-opening  attack  secure  scheme 
described  in  Thm.  1.  We  construct  a  new  encryption  scheme  IJ  =  ( G,E,D )  to 
encode  bits  as  follows.  We  define  G  =  G' ,  and  present  the  algorithms  for  E  and 
D  below.  Refer  to  a  full  version  of  our  work  [MSasll]  for  the  standard  definitions 
of  the  Verifiable  Secret  Sharing  algorithms. 


E(PK,  b,  r) 

(si,-,s„)  <-  VSShare(ntn/s+3)(b ) 
Let  M  be  the  n  x  n  matrix 
representation  of  shares  (si, . . . ,  sn) 
Cij  =  E'(PK,  Mi  j,  Tij) 

Output  C  =  {cij}ijen 


D{  SK,C) 

M  =  {Mitj}itje[n]^D'(  SK,C) 

Let  (si, . . . ,  sn)  be  the  shares 
corresponding  to  matrix  M. 

T’  =  {t|l  <  t  <  n  share  st 
is  n/2  +  2  -consistent} 

If  \T'\  <  n/2  +  2  output  _L. 

Let  T  C  T'  s.t.  |T|  =  n/2  -f  2. 

Output  VSReveal(n,n/2+2)  ({stj }) u&t 


Hidden  Bit  POK  Given  a  ciphertext  C  =  {ci,j}i,jen  output  by  encryption 
algorithm  E  and  the  random  coins  r  used  to  generate  it,  we  show  how  to  perform 
a  two-round  proof  of  knowledge  of  the  encrypted  bit  D( SK,  C).  P  will  prove 
that  it  has  knowledge  of  the  underlying  shares  of  the  verifiable  secret-sharing 
scheme  that  have  been  encrypted.  In  order  to  do  this,  the  verifier  sends  a  random 
challenge  of  indices  T  C  [n],  where  |T|  =  n/ 2  +  1.  The  encryptor  then  decommits 
to  these  encryptions  by  providing  the  random-bits  used  to  encrypt  each  share  of 
the  bit.  If  each  bit  decommits  successfully,  and  the  result  is  n/2  +  1  valid  shares 
to  the  VSS,  then  the  verifier  accepts. 


Prover(PK,  C  =  {ci,j}M6[nl 

Verifier(PK,C  =  {cij}ije[n]) 

=  E(PK,b,r),M,  r ) 

Let  a,j  =  E'{PK, 

T  <—  {S\S  C  [n]A|S|  =  f  +  l} 

{^i,x  j ri,x 

i£T 

— > 

xeW  if  3i,j:  Cij  ±  E,(PK,Mid,riJ), 

output  +. 

Output  1. 

Extractor(C,  PK,  U\  —  rx,i}  i^Ti  ,  U2  —  rX!i}  ;eT2  ) 

x€_\n\  a;E[n] 

Let  T  =  Ti  U  T2,  U  =»  Ui  U  U2 
If  |T|  <  n/2  output  _L. 

If  3i  £  T,  x  £  [n]  s.t.  E' (PK,  MiiX,ntX)  ^  aiX  or  E' (PK,  MXii,  rXli)  cx,i  output  _L. 

For  each  i  £  T  reconstruct  its  corresponding  share  Si. 

Output  VSReveal(rltn/2+2)(sr1,  Srn  ),  where  ri,..,r^  are  the  smallest  indices  in  T. 


Completeness  Follows  by  inspection. 

Extractability  (Soundness)  Soundness  follows  from  an  extractor. 
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Theorem  2.  For  all  sufficiently  large  n,  for  all  d  >  0,  for  all  ( SK ,  PK)  £-  G, 
for  all  ‘ciphertext’  inputs  C,  and  provers  P' ,  if  ( P'  ,V)(C  =  ,je[n]i  PR) 

accepts  with  probability  1  /nd,  then  there  exists  a  probabilistic  polynomial  time 
extractor  that,  with  all  but  negligible  probability,  outputs  a  set  of  decommitments 
to  all  ciphertexts  for  a  given  set  of  indices  L  =  {£i,  ■  ■  ■  ,  ln/2+2 }  Q  I71]  that  consti¬ 
tute  shares  S  =  {s^ , s^„/2+2}  suc-h  that  VSReveal(rLtn/2+2){sg1, ...,  sen/2+2)  = 
D(SK,  C). 


Definition  4.  We  say  an  n  x  n  matrix  representation  of  shares  has  t-consistent 
indices  if  there  is  a  set  S  of  size  t.  such  that  for  each  i  £  S ,  each  row  i  and  column 
i  is  n/ 2  +  2  consistent. 


Proof.  Given  the  ability  to  rewind  the  prover-verifier  protocol,  we  can  extract 
the  encrypted  bit  by  recovering  enough  shares  of  the  VSS  scheme.  We  continue  to 
execute  the  prover/verifier  protocol  until  we  get  two  distinct  separate  accepting 
proofs.  It  is  a  simple  observation  that  except  with  exponentially  small  probability, 
we  will  succeed  in  0(nd+1)  rewinds.  Let  (Ti,  U\)  and  (T2,  U2 )  be  the  flows  in  the 
first  and  second  accepting  proofs,  respectively.  By  the  security  of  the  commitment 
scheme  (Here  we  are  using  our  encryption  scheme  as  a  simple  commitment 
scheme),  the  probability  that  there  is  a  ciphertext  Cij  that  is  ever  decommitted 
to  in  two  distinct  fashions  is  negligble. 

We  feed  these  inputs  in  to  Extractor.  If  there  is  not  a  valid  encryption  of  a 
bit  (fewer  than  n/2  +  2  committed  and  consistent  shares),  then  by  Lemma  1,  the 
probability  that  the  verifier  outputs  anything  other  than  _L  is  less  than  | — s* 

(71/2+2) 


which  grows  exponentially  small. 

Given  the  decommitments  of  the  shares  {sij-jeT;  for  different  randomly  chosen 
set  of  indices  T)  and  T2,  note  these  sets  are  not  the  same  by  selection,  and 
therefore  there  is  no  chance  that  _L  is  output  by  the  extractor.  Next  the  extractor 
executes  a  VSReveafnn/ 2+2)  command.  However,  this  is  not  necessarily  over 
the  same  shares  as  would  be  revealed  in  a  legitimate  decryption.  We  need  to 
ensure  that  no  matter  which  of  the  rewound  and  newly  played  legitimate  traces 
we  receive,  we  are  going  to  reveal  the  same  encrypted  bit,  with  all  but  negligible 
probability.  That  is,  we  need  to  ensure  that  VSReveal(„tn/2+2){sr1>  srn/2)  = 
VSReveal^n  n/ 2+2){sii  •••>  sn/2).  This  is  the  case,  as  shown  in  Lemma  2  because  of 
the  verifiable  properties  of  the  secret  sharing  scheme  ensures  that  even  in  the  case 
of  a  corrupted  dealer  (improper  ciphertext  encoding  of  shares)  then  all  honest 
players  will  reveal  the  same  value,  with  all  but  negligible  probability.  Therefore, 
with  all  but  negligible  probability  we  have  that  the  extractor  outputs  the  same 
value  as  D( SK,  c). 


Lemma  1.  Let  M  be  an  n  x  n  matrix  with  at  most  nf  2  +  1  consistent  indices. 
The  probability  that  any  n/2  +  1  randomly  selected  indices  (without  replacement) 
choose  a  set  of  n/2  +  1  consistent  indices  is  no  more  than 
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Proof.  There  can  be  at  most  1  set  of  size  (n/2  +  1)  that  is  (n/2  +  1)  consistent 
in  an  n  x  n  matrix.  The  lemma  follows  by  computing  the  probability  of  choosing 
this  one  set  from  a  set  of  n  objects. 

Lemma  2.  Let  M  be  nxn  matrix  representation  of  shares.  Let  S,  T  C  [n] ,  |5j  = 
|Tj  =  n/2  +  2,  S  7^  T,  and  the  rows  Rs  =  {ri}i+s,  Rt  =  {rffi+T  and  columns 
Cs  =  {cijigs,  Ct  =  {cijigT  are  all  n/2  +  2 -consistent.  Let  s  =  (si,  ...,sn/ 2+2) 
and  t  =  (t  1,  ...,tn/ 2+2)  be  the  shares  drawn  from  M  corresponding  to  the  sets  of 
indices  S  and  T  respectively.  Then 

VSReveafnin/ 2+2) (si, . ..,  sn/2+i)  VSReveafn  nj 2+2) (^i>  *■*?  ^n/2+1) 

Proof.  Note  that  VSReveafn^n/ 2+2)  will  never  output  _L  under  our  conditions, 
so  all  that  we  need  do  is  show  that  /  will  interpolate  to  the  same  value  in  both 
cases. 

We  know  that  the  rows  Rt  =  {'f'ijieT  and  columns  Cr  =  {ci}j£T  are 
all  (n/2  +  2)-consistent.  Choose  any  j  £  S\T.  Let  T  =  {ti, . . .  ,tn/2+2}- 
Consider  Cj  =  (ci  j,  c2j,  ■  ■  ■ ,  cnj)T .  Since  Cj  is  n/2  +  2-consistent,  the  points 
(ct1}j,t  1), . . . ,  (ctn/2+1,j,tn/ 2+2))  interpolate  to  a  unique  univariate  degree  n/2  +  1 
polynomial  (i.e.  f{x,j)).  This  defines  (cij,  c2j,  ■  ■  ■ ,  cnj)T,  so  the  column  j  must 
be  consistent  with  T.  Since  the  j th  column  was  an  arbitrary  column  in  S  different 
from  those  in  T,  all  such  columns  must  be  consistent  with  the  rows  defined  be  T. 
A  symmetric  argument  shows  that  rows  selected  by  S  must  be  consistent  with 
the  columns  selected  by  T.  Therefore,  both  sets  are  consistent  in  that  they  define 
the  same  polynomials.  Therefore,  interpolation  in  VSReveahn  n/ 2+2)  will  result 
in  the  same  output. 

Hidden  Bit  We  show  that  no  efficient  cheating  verifier  can  predict  the  bit  b ,  when 
given  C  =  E{ PK,  b,  r)  as  a  theorem  for  which  we  are  engaging  in  a  POK. 

Theorem  3.  For  every  P.P.T.  adversary  A  =  (Ai,A2),  there  exists  a  negligible 
function  p,  such  that  Pi[HB A(lfc)  =  1]  <  1/2  +  p(k),  where  HB+  is  defined  below: 

HBa{  lk) 

(. PK ,  SK)  «-  G(lfc) 
b  €{0,1} 

C  =  {c,,j}i,je[n]  =  E(PK,b)  where  Cij  =  E'(PK,Mij,rij)  are  SOA-sec. 
(T,  a)  £-  Ai(PK,C)  where  T  C  [n],  |Tj  =  n/2  +  1. 
b' t—  A2(cr, 

Output  1  iff  b  =  b' 


Proof.  This  follows  directly  from  the  IND-SO-SEC  security  of  LI'  =  (G',  E' ,  D'). 
Suppose  an  adversary  A  =  (Ai,  A2)  breaks  the  hidden  bit  security  of  the  protocol. 
That  is  for  some  d  >  0  and  infinitely  many  k:  Vv[HB J4(lfe)  =  1]  >  1/2  +  l/kd. 
We  use  it  to  build  an  adversary  B  =  and  message  selector  M  that 

breaks  the  IND-SO-SEC  security  (cf.  Defn.  in  [BHY09]  or  [MSasll])  of  LI'  = 
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(G' ,  E' ,  D').  The  message  selector  M  chooses  a  random  bit  b,  let  (si,...,sn)  +- 
VSShare(n,n/2+2)(b),  and  let  M  be  the  n  x  n  matrix  that  represents  the  shares 
(si, . . . ,  sn)  according  to  the  ECC  representation  of  the  VSS.  Output  M. 

The  adversary  B±  ^PK,  (E(PK,  Mi j,  i+j)^  for  the  IND-SO-SEC  exper¬ 

iment  simulates  (T,a)  <—  A^PK,  C  =  (E(PK,  Mij,  r; j)),  and  outputs  /  = 
{(i,j)\i,j  €  n,i  £  T  or  j  €  T}  and  a'  =  ( T,a ).  Recall  by  the  definition  of  A\, 
\T\  =  n/2  +  1. 

The  conditional  message  selector  from  the  SOA  security  definition 

finds  a  random  bi- variate  polynomial  of  degree  n/2  +  1  in  each  variable  over 
the  field  F  such  that  /( 0,0)  €  {0,1}  and  for  each  (i,j)  €  /,  it  holds  that 
=  Mjj.  Since  \T\  =  n/2  +  1,  and  thus  we  have  effectively  release  n/2  +  1 
shares  for  a  VSS  scheme  that  requires  n/2 +  2  for  reconstruction,  the  information 
secrecy  property  of  the  VSS  guarantees  there  are  exactly  the  same  number 
of  such  selections  for  the  case  /( 0,0)  =  0  and  /( 0,0)  =  1.  outputs 

{/ (*>  j)}l<,i,j<n- 

The  adversary  B2{a,  (Mij, TXi)(i,j)e/, M*)  computes  the  shares  (s{,...,s*) 
that  correspond  to  M*,  and  runs  VSReveahnn/2+2){s\,  •■,  sn)  =  b' ,  it  then 
executes  b  <r-  A.2(cr,  and  outputs  1  iff  b  =  b' . 

Now  consider  Pr[i?}jd~S0~Real(lfe)  =  1],  this  is  a  perfect  simulation  of  HBa( lfc), 
and  therefore  by  the  assumption  that  A  breaks  the  hidden-bit  security,  the  term 
must  exceed  1/2+e,  where  e  >  l/kc.  In  contrast,  consider  Pr[R/jd  SO  Ideal(lfc)  =  l}- 
In  the  case  that  VSReveal(n>n/ 2+2)(s{, . . . ,  s*)  =  VSReveal(n>n/ s+2)(si, sn), 
which  occurs  with  probability  exactly  1/2,  it  is  again  a  perfect  simulation 
of  HBa^),  and  so  the  experiment  outputs  1  with  probability  1/2  +  e.  In 
contrast,  when  VSReveal(ntn/2+2){s*l--,  s*))  ^  VSReveal^ntn/2+2){s1, ...,  sn), 
then  we  know  that  A 2  outputs  VSReveal(ntn/2-]-2)(si, sn)  with  probability 
1/2  +  e,  and  so  B2  outputs  1  with  probability  1  —  (1/2  +  e)  =  1/2  —  e.  There¬ 
fore,  Pr[R^-S0-|deal(lfe)  =  1]  =  (1/2) (1/2  +  e  +  1/2  —  e)  =  1/2.  Therefore, 
pr[£lnd-s°-Rea|(ifc)  =  ]_]  _  Pr^ind-so-ideai^fe)  =  l]  =  1/2  +  e-  1/2  >  1  /kc, 

breaking  IND-SO-SEC  security. 

Using  the  SOA  Ciphertexts  in  a  Secure  Multiparty  Computation  Protocol  In  our 
SMC  construction,  we  encode  all  users’  inputs  using  the  POK  scheme  above. 
The  encrypted  inputs  are  sent  to  the  other  parties.  After  each  party’s  input  has 
been  confirmed  with  a  proof  of  knowledge,  the  parties  homomorphically  evaluate 
the  different  ciphertexts  to  get  an  appropriate  encrypted  output.  However,  as 
explained  before,  the  POK  encryptions  are  not  themselves  homomorphic.  To 
solve  this  problem  we  use  Gentry’s  bootstrapping  technique.  Bootstrapping  lets 
us  take  a  ciphertext  in  an  FHE  scheme  with  any  amount  of  noise  that  still 
allows  for  proper  decryption  (specially,  this  is  potentially  more  noise  than  is 
permissible  to  perform  any  extra  homomorphic  operations  without  destroying 
the  correctness  of  the  ciphertext),  and  output  a  new  ciphertext  in  the  FHE 
scheme,  of  the  same  value,  but  with  a  small  enough  amount  of  noise  that  it 
can  be  properly  computed  on  through  the  use  of  the  FHE’s  evaluation  function. 
Given  a  ciphertext  C  =  {ci,:j}i.-je[n]  'n  the  POK  scheme,  each  Cij  is  a  ciphertext 
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from  a  lossy  encryption  scheme.  To  convert  C  into  a  corresponding  encryption  c1 
in  the  TFHE  scheme  we  do  the  following:  We  bootstrap  each  Cij  which  is  simply 
a  TFHE  ciphertext  that  has  had  the  circuit-privacy  function  applied  to  it — thus 
containing  potentially  too  much  noise  to  apply  further  homomorphic  operations 
to,  but  not  so  much  that  it  decrypts  improperly —  to  receive  the  corresponding 
lower- noise  TFHE  ciphertext  c'  • .  The  d  ciphertexts  can  now  be  evaluated  in  the 
THFE  eval  function,  and  in  particular  we  can  use  the  TFHE  eval  function,  to 
evaluate  VSReveal(nin/ 2+2)-  The  result  of  this  evaluation  is  the  ciphertext  C' 
corresponding  to  the  output. 


Protocols  vs.  Algorithms  We  note  that  there  is  one  technical  issue  that  needs  to 
be  resolved,  which  is  that  in  this  section  we  have  described  the  key  generation 
and  decryption  algorithms  as  stand-alone  algorithms,  rather  than  protocols.  For 
our  purposes,  we  need  a  joint  protocol  for  key  generation  and  decryption.  For 
this  reason,  we  need  to  modify  our  key  generation  algorithm  in  the  TFHE  scheme 
to  include  an  encryption  of  the  bits  0  and  1  in  the  public-key.  These  values  allow 
the  parties  to  encrypt  under  the  SOA  secure  encryption  scheme  II.  The  SOA 
secure  scheme  does  not  modify  the  decryption  algorithm,  so  there  is  no  need  for 
modification  to  the  decryption  protocol. 


4  Secure  Multiparty  Computation 

We  follow  the  Cramer  et  al.  [CDN01]  approach  for  constructing  a  multi-party 
computation  protocol  based  on  threshold  cryptography.  Our  biggest  changes  are 
that  we  do  not  need  a  protocol  for  multiplication,  we  use  a  different  approach 
for  proving  knowledge  of  encryption,  and  we  explicitly  describe  a  key  generation 
phase  whereas  it  is  assumed  as  an  external  setup  in  [CDN01].  Since  our  solution 
requires  less  interaction  among  the  parties,  our  simulation  argument  is  simpler 
than  the  argument  from  [CDN01]. 

We  use  the  standard  simulation-based  definition  of  stand-alone  secure  multi¬ 
party  computation.  We  assume  the  existence  of  a  standard  n-party  CoinFlipping 
protocol  which  guarantees  soundness  in  the  presence  of  <  n/2  adversaries:  namely, 
for  any  minority  set  of  adversaries,  the  protocol  guarantees  that  the  distribution 
is  still  statistically  close  to  uniform.  Such  a  protocol  can  be  easily  constructed 
based  on  the  existence  of  hiding  commitments.  (Unlike  [CDN01],  we  do  not  need 
this  coin  flipping  protocol  to  be  simulatable.).  See  our  full  version  [MSasll] 
for  a  definition  of  the  real/ideal  paradigm  for  secure  multi-party  computation 
from  [CDN01]  and  [IKK+11].  In  this  section  the  TFHE  scheme  used  is  denoted 
II  =  (G,E,D,  Eval). 

We  assume  that  the  players  can  communicate  via  an  authenticated  broadcast 
channel  and  via  point-to-point  private  and  authenticated  channels  (which  may 
in  turn  be  implemented  using  signatures,  public-key  encryption,  etc.) 
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Protocol  1  .  Each  party  holds  private  input  Xf,  the  parties  jointly 
compute  f(x  1, . . . ,  xn). 

1:  Party  Pi  receives  as  input  (1  k,n,Xi).  (We  assume  the  adversary  receives 
as  input  1  fe,n,  a  set  of  corrupted  parties  C  and  the  inputs  {xc}c^x  for 
the  corrupted  parties,  and  auxiliary  information.) 

2:  Players  run  the  TFHE  key  generation  subprotocol  G{q,  r,  p,  9, <9,  n)  to 
generate  a  public-key  PK  and  shares  of  the  secret  for  the  threshold 
scheme  77.  At  the  end  of  this  step,  player  pi  holds  share  SK^  of  the 
secret-key  SK.  If  the  sub- protocol  halts  prematurely,  then  players  halt 
and  output  _L. 

3:  The  players  take  sequential  turns  sharing  their  input  using  the  encryption 
scheme  II  that  is  constructed  from  II  (see  §3).  More  specifically,  for 
i  £  [n],  player  Pi  broadcasts  c,  :j  <—  E(PK,Xij).  Then  all  of  the  players 
run  a  standard  CoinFlipping  protocol  to  generate  a  random  string  rj. 
Player  Pi  now  interprets  r*  as  n  strings  r^i, . . . ,  ryn  and  uses  coins  Tij 
as  the  random  coins  to  run  Verifier (PK,Cij)  (see  §3)  of  the  Hidden  Bit 
POK  protocol  on  input  for  each  bit  j  £  [n]  of  input  Xi.  Player  Pi 
runs  the  corresponding  Prover  algorithm  on  Cjj  using  the  random  coins 
used  to  generate  c,  j  as  the  witness,  and  broadcasts  the  Prover  message. 
The  remaining  players  also  execute  the  Verifier  algorithm  using  the  same 
random  coins  and  verify  that  the  first  message  is  consistent  and  the 
second  message  is  accepted.  If  player  Pi  fails  the  POK  protocol,  then  Pi 
is  excluded  from  the  rest  of  the  protocol,  and  the  remaining  players  that 
have  not  been  excluded  use  a  canonical  encryption  of  0  as  the  input  for 
Pi  (e.g.,  they  use  E(PK,  0;  0)  as  each  input  bit). 

4:  The  players  that  have  not  been  excluded  locally  run 
Eval(PK,  cyi, . . . ,  cntn,  f)  where  the  function  /  first  transforms 
the  input  ciphertexts  encrypted  under  II  into  ones  for  scheme  77.  This  is 
done  by  homomorphically  evaluating  the  decryption  procedure  described 
in  §3  (i.e.  bootstrapping,  see  Defn.  l).(Note:  All  of  the  ciphertexts  in  aj 
have  a  large  degree  of  noise  in  them  due  to  the  circuit-privacy  call  that 
was  used  to  rerandomize  the  ciphertexts.  Therefore,  the  first  thing  that 
is  done  is  that  the  ciphertexts  are  re-encoded  with  less  noise  using  the 
same  procedure  as  FHE  bootstrapping.)  Next,  compute  ciphertext  z%  of 
the  result  f(xi, . . .  ,xn).  Note  that  each  player  can  complete  this  step 
using  only  local  information  (since  the  public-key  for  the  FHE  includes 
all  the  information  needed  for  evaluation). 

5:  Each  player  Pi  that  has  not  been  excluded  broadcasts  the  ciphertext  Zi 
computed  in  the  previous  step.  Each  player  then  locally  computes  the 
majority  of  the  broadcasts  as  ciphertext  z' .  A  majority  is  guaranteed  to 
exist  since  the  malicious  players  form  a  minority  and  Eval  is  deterministic. 
Any  player  whose  broadcast  differs  from  the  majority  is  excluded  from 
the  remaining  portion  of  the  protocol. 
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6:  Players  pi  that  have  not  been  excluded  run  the  distributed  subprotocol 
D(z' ,  SKi, . . . ,  SK„)  using  input  z'  and  their  local  share  SK.j.  The  output 
of  the  protocol  is  taken  as  the  output. 


Theorem  4.  Let  n  be  Protocol  8  for  a  function  f ,  and  fix  s  £  {1, . . . ,  n/2}.  If 
77  is  a  circuit-private  TFHE  encryption  scheme,  then  for  any  ppt  adversary  A, 
there  exists  a  ppt  adversary  A'  such  that  for  every  polynomial- size  circuit  family 
Z  =  Zk  corrupting  a  minority  of  parties  the  following  is  negligible: 

|Pr[REAL „,A,z(k)  =  1]  -  Pr  [IDEAL  f  <AI  >z(k)  =  1]|. 


See  full  version  for  details. 

5  Threshold  FHE  for  the  Integers 

In  this  section  we  briefly  highlight  the  construction  of  a  TFHE  scheme  77  = 

(G,  E,  D,  Eval)  from  the  FHE  scheme  77  =  (G,  E,  D ,  Eval)  based  on  the  Approximate- 
GCD  problem  described  by  [vDGHVIO].  The  details  are  presented  in  our  full 
version  online.  We  point  out  that  in  any  such  transformation  E  =  E  and 
Eval  =  Eval,  and  thus  we  only  need  to  describe  protocols  for  computing  G  and 
D. 

Sharing  the  Public  and  Secret-key  Recall  the  secret-key  p  for  the  “somewhat 
homomorphic  encryption  scheme”  is  an  odd  77-bit  integer.  To  sample  p  in  a 
distributed  fashion,  we  notice  that  the  bits  po  and  pv-i  should  be  1  whereas  the 
rest  of  the  bits  pi, . . .  ,pv- 2  should  be  randomly  shared.  At  the  end,  each  player 
holds  a  share  of  p.  We  then  extend  techniques  from  [KLML05]  to  allow  multiple 
parties  who  hold  shares  of  p  to  compute  shares  of  1/p  and  xp  =  |_2K/p~|. 

Recall  that  the  secret-key  for  77  consists  of  a  (9-bit  vector  s  with  Hamming 
weight  9.  Our  first  modification  to  77  is  to  note  that  instead  of  9,  it  suffices 
to  select  a  vector  with  Hamming  weight  in  the  interval  9  ±  d/4.  To  verify  this, 
note  that  the  sparse  subset-sum  problem  is  assumed  to  be  hard  for  9  =  0e  for 
0  <  e  <  1;  our  change  does  not  violate  this  condition.  Also,  our  new  range  of 
settings  for  9  does  not  increase  the  total  degree  of  the  decryption  circuit  by 
more  than  a  factor  of  2  and  thus  the  condition  that  the  decryption  protocol 
is  admissible  is  maintained  (and  thus  the  scheme  is  bootstrappable.  See  the 
computation  on  p.18  [vDGHVIO].)  Our  approach  for  producing  s  is  to  securely 
generate  a  random  number  r,t  in  the  range  [0,  0]  for  each  s,;  and  setting  Si  =  1  if 
r-i  <  9  and  0  otherwise. 

The  public-key  consists  of  the  vectors  x  and  u.  Using  s  and  xp,  we  compute 
the  vector  u  using  the  formula  u  =  JU  .s,  •  m  mod  2rc+1.  These  shares  can  be 
used  to  compute  the  vector  y. 

Using  bits  of  1/p  computed  in  previous  steps,  we  generate  the  a^’s.  Recall  from 
the  original  public-key  generation  algorithm  that  we  need  to  sample  Xi  4—  Dl  p(p) 
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for  i  =  0, . . . ,  r.  Intuitively,  these  a represent  random  encryptions  of  0  that  get 
added  to  our  base  encryption  in  the  homomorphic  scheme.  Further,  recall  that 

D1  :P(p)  =  {choose  q  t—  Z  n  [0,  2  7/p),  r<-Zfl  (— 2P,  2P)  :  output  x  4—  pq  +  r}. 

After  sampling,  the  list  should  be  relabeled  so  that  Xo  is  the  largest.  The 
key-generation  process  requires  that  the  process  is  restarted  if  either  Xq  is  even  or 
xq  —  [x0/p]  -p  is  odd.  Since  Xo  =  pq  +  r  is  generated  as  directed  for  some  random 
q  and  r  and  since  p  is  an  odd  number,  the  requirement  that  xq  is  odd  can  be 
checked  by  inspecting  the  least  significant  bits  of  the  q  and  r:  If  qo  +  ro  =  1,  then 
xo  satisfies  the  first  condition.  To  check  the  second  condition,  that  xo  —  |_£o  /p I  •  P 
is  an  odd  number,  we  observe  that  because  of  the  constraints  — 2P  <  r  <  2P  and 
2P_1  <p<  2*,  it  follows  that  -2 p"?>+1  <  r/p  <  2p"r'+1. 

Since  p  =  A  and  rj  =  0( A2),  therefore  for  all  sufficiently  large  A  (if  p  =  A2, 
then  for  A  >  2),  [r/p\  =  0  and  as  a  result  r  can  be  ignored.  That  is  [xo/q~\  = 
[pq  +  r/q }  =  q  +  [r/q]  =  q.  So  Xo  —  [xo/p\  •  p  =  Xq  —  q  ■  p.  Because  Xq  and  p  are 
both  odd,  q  must  be  odd  to  make  the  term  Xq  —  |_Xo/p]  'P  even.  These  constraints 
imply  that  for  x0  to  be  odd  and  Xo  —  [xo/p\  •  p  to  be  even,  then  q  must  be  even 
and  r  must  be  odd. 

Computing  encryptions  of  s  One  step  in  Gentry’s  paradigm  for  FHE  construc¬ 
tion  requires  the  public-key  to  contain  an  encryption  of  the  secret-key.  We 
assume  circular  security  of  the  underlying  encryption  scheme,  as  do  van  Dijk  et 
al.  [vDGHVIO]  and  Gentry  [Gen09b].  Towards  this  goal,  we  design  a  protocol 
that  enables  players  who  hold  private  shares  of  the  secret-key  (as  well  as  the  entire 
public-key)  to  compute  an  encryption  of  the  secret-key  under  the  public-key. 
Note  this  cannot  be  done  trivially  with  homomorphic  evaluation  because  the 
encrypted  secret-key  is  in  fact  necessary  to  homomorphically  evaluate  circuits  of 
an  arbitrary  depth,  resulting  in  a  circular  requirement. 

Recall  that  in  Dijk  et  al.  [vDGHVIO],  the  encryption  of  m  under  the  public- 
key  (xo, . .  • ,  xT)  computes  as  [m  +  2r  +  2  J2ies  Xi\x o>  where  r  £  (— 2P  ,  2P  )  and 
S  C  {1, . . . ,  t}  is  a  random  subset.  Since  both  the  xfs  and  r  can  take  negative 
values  (as  integers)  whereas  the  computation  is  in  a  finite  field,  we  need  to 
somehow  make  sure  the  computation  in  the  finite  field  result  in  the  same  integer 
value  of  the  encryption  of  m.  To  resolve  this  issue,  we  compute  the  value  min 
which  is  a  unique  value  that  satisfies  the  following  two  properties:  1)  min  =  0 
mod  Xo,  and  2)  for  an  arbitrary  S  and  for  our  set  of  xfs  and  any  value  of  r,  it 
would  make  the  summation  m  +  2r  +  2  positive.  Because  the  range  of 

values  that  r  can  take  is  public,  all  users  can  compute  min  locally  and  agree  on 
respective  shares.  Next,  to  encrypt  the  secret-key,  all  users  generate  shares  for  a 
set  S  and  the  shares  for  a  value  r.  All  users  then  add  their  shares  of  r,  use  shares 
in  S  to  add  in  appropriate  xfs,  and  add  min. See  the  full  version  for  details. 

Computing  encryptions  of  0  and  1  for  PK  The  same  techniques  from  the  previous 
step  can  be  used  to  produce  encryptions  of  random  bits.  These  encryptions  can 
then  be  collaboratively  decrypted  until  both  an  encryption  of  0  and  an  encryption 
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of  1  are  identified.  These  two  ciphertexts  can  then  be  adjoined  to  the  public-key — 
they  are  guaranteed  to  be  well-formed  and  have  the  right  amount  of  noise. 
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A  Verifiable  Secret-Sharing  Scheme 

A  („/2+2)  Verifiable  Secret-Sharing  scheme  consists  of  a  sharing  algorithm  which 
takes  as  input  a  secret  s  and  produces  n-shares  si,...,sn.  These  shares  have 
the  property  that  for  any  T  C  {1,  ...n},  \T\  <  n/2  +  2  it  is  the  case  that 
{sijieT  is  information  theoretically  independent  from  s.  However,  for  any  S  C 
{1, . .  .  n},  | S'!  >  n/2  +  2,  it  is  the  case  that  the  reveal  algorithm,  when  given 
{sifigs,  can  reconstruct  s.  In  a  traditional  interactive  setting  we  require  that  all 
non-cheating  parties  agree  on  the  reconstructed  secret.  We  use  a  modification 
of  the  Cramer  et  al.  [CDD+99]  verifiable  secret  sharing  scheme;  we  do  not  need 
to  deal  with  interactive  adversaries,  nor  players,  so  the  scheme  is  significantly 
simplified.  We  present  the  sharing  and  revealing  algorithms  in  our  full  version. 


Protocol  2  .  [a],  VSShare(s) 

1:  Choose  a  random  degree  n/ 2  +  1  bi- variate  polynomial  /  such  that 
/(0, 0)  =  s. 

2:  Share  s*  =  (a,  b)  =  (i,  (/(*,  1), . . . ,  f{i,  n)),  (/( 1,  /(n,  i))). 

3:  Output  Si,  ...,  sn. 

Protocol  3  .  [s],  VSReveal(ntn/2+2)(si,  —,sn/2+2) 

1:  For  each  Sj  =  (i,  a,i ,  bi)  ensure  that  cq  and  bi  are  n/2  +  2-consistent 
2:  If  not  output  _L 

3:  For  each  *  /  j  ensure  Sj ,  s,  are  pairwise-consistent 
4:  If  not  output  _L 
5:  Interpolate  /,  based  on  shares. 

6:  Output  /( 0,0) 


Definition  5.  A  vector  (ei,...,en)  £  Fn  is  n/2  +  2— consistent  if  there  exists  a 
polynomial  w  of  degree  at  most  n/ 2  +  1  such  that  w{i)  =  e,  for  0  <  i  <  n. 


Approved  for  Public  Release;  Distribution  Unlimited. 

589 


21 


Definition  6.  Given  two  shares  Si  =  (i,  ai  =  (a,;i, . . . ,  aj„),  fo;  =  (bu, . . . ,  bni)) 
and  Sj  =  (j,  a,j(aji, . . . ,  ajn),  b,  =  ( bij , . . . ,  bnj)),  we  say  that  they  are  pairwise 
consistent  if  aij  =  bij  and  aji  =  bji . 

Definition  7.  For  our  purposes  it  is  useful  to  note  that  given  the  n  x  n  matrix 

7(M)  /( 1,2)  ...  /(l.n)' 

/(2, 1)  /(2, 2)  ...  /(2,n) 


L/(M)  f(n,  2)  ...  /(n,  n)  J 

that  a  share  Si  simply  corresponds  to  the  ith  row  and  column  of  the  matrix.  We 
will  call  this  the  matrix  representation  of  the  shares.  Notice  that  when  given  in  the 
matrix  representation,  any  two  shares  are  necessarily  pairwise  consistent.  Given 
a  set  of  n  pairwise  consistent  shares  s  =  (si,  ...,sn),  we  define  Ms  as  the  n  x  n 
matrix  representation  of  the  shares. 
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Abstract 

We  present  the  first  black-box  construction  of  a  secure  multi-party  computation  protocol 
that  satisfies  a  meaningful  notion  of  concurrent  security  in  the  plain  model  (without  any  set¬ 
up,  and  without  assuming  an  honest  majority).  Moreover,  our  protocol  relies  on  the  minimal 
assumption  of  the  existence  of  a  semi- honest  OT  protocol,  and  our  security  notion  “UC  with 
super-polynomial  helpers”  (Canetti  et  al,  STOC’IO)  is  closed  under  universal  composition,  and 
implies  “super-polynomial-time  simulation” . 
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1  Introduction 


The  notion  of  secure  multi-party  computation  allows  m  mutually  distrustful  parties  to  securely 
compute  (or,  realize )  a  functionality  f(x)  of  their  corresponding  private  inputs  x  =  x\, such 
that  party  Pi  receives  the  ith  component  of  f(x).  Loosely  speaking,  the  security  requirements 
are  that  the  output  of  each  party  is  distributed  according  to  the  prescribed  functionality-  this 
is  called  correctness — and  that  even  malicious  parties  learn  nothing  more  from  the  protocol  than 
their  prescribed  output — this  is  called  privacy.  These  properties  should  hold  even  in  case  that  an 
arbitrary  subset  of  the  parties  maliciously  deviates  from  the  protocol. 

Soon  after  the  concept  was  proposed  [Yao86],  general  constructions  were  developed  that  ap¬ 
peared  to  satisfy  the  intuitive  correctness  and  secrecy  for  practically  any  multi-party  functionality 
[Yao86,  GMW87].  These  constructions  require  only  authenticated  communication  and  can  use  any 
enhanced  trapdoor  permutation.  However,  definitions  that  capture  the  security  properties  of  se¬ 
cure  multi-party  computation  protocols  (and,  in  fact,  of  secure  cryptographic  protocols  in  general) 
took  more  time  to  develop.  Here,  the  simulation  paradigm  emerged  as  a  natural  approach:  Orig¬ 
inally  developed  for  capturing  the  security  of  encryption  and  then  extended  to  Zero-Knowledge 
[GM84,  GMR89].  The  idea  is  to  say  that  a  protocol  n  securely  realizes  /  if  running  n  “ emu¬ 
lates ”  an  idealized  process  where  all  parties  secretly  provide  inputs  to  an  imaginary  trusted  party 
that  computes  /  and  returns  the  outputs  to  the  parties;  more  precisely,  any  “harm”  done  by  a 
polynomial-time  adversary  in  the  real  execution  of  7 r,  could  have  been  done  even  by  a  polynomial¬ 
time  adversary  (called  a  simulator )  in  the  ideal  process.  The  simulation  paradigm  provides  strong 
security  guarantees:  It  ensures  that  running  the  protocols  is  “as  good  as”  having  a  trusted  third 
party  computing  the  functionality  for  the  players,  and  an  adversary  participating  in  the  real  execu¬ 
tion  of  the  protocols  does  not  gain  any  “computational  advantage”  over  the  simulator  in  the  ideal 
process  (except  from  polynomial  time  advantage).  We  call  this  definition  basic  security. 

The  original  setting  in  which  secure  multi-party  protocols  were  investigated,  however,  only 
allowed  the  execution  of  a  single  instance  of  the  protocol  at  a  time;  this  is  the  so  called  stand-alone 
setting.  A  more  realistic  setting,  is  one  which  allows  the  concurrent  execution  of  protocols.  In  the 
concurrent  setting,  many  protocols  are  executed  at  the  same  time.  This  setting  presents  a  new  risk 
of  a  “coordinated  attack”  in  which  an  adversary  interleaves  many  different  executions  of  a  protocol 
and  chooses  its  messages  in  each  instance  based  on  other  partial  executions  of  the  protocol.  To 
prevent  coordinated  attacks,  we  require  the  following  basic  security  guarantee: 

Concurrent  Security:  The  security  properties,  correctness  and  privacy,  of  the  ana¬ 
lyzed  protocol  should  remain  valid  even  when  if  multiple  instance  of  the  protocol  are 
concurrently  executed  in  a  potentially  unknown  environment. 

Another  natural  desideratum  is  the  capability  of  supporting  modular  design  of  secure  protocols. 

Modular  analysis:  The  notion  of  security  should  support  designing  composite  pro¬ 
tocols  in  a  modular  way,  while  preserving  security.  That  is,  there  should  be  a  way  to 
deduce  security  properties  of  the  overall  protocol  from  security  properties  of  its  compo¬ 
nents.  This  is  essential  for  asserting  security  of  complex  protocols. 

Unfortunately,  these  properties  are  not  implied  by  the  basic  security.  In  the  literature,  the 
strongest  and  also  the  most  realistic  formalization  of  concurrent  security  is  the  notion  of  Univer¬ 
sal  Composability  (UC)  [CanOl]:  It  considers  the  concurrent  execution  of  an  unbounded  number 
of  instances  of  the  analyzed  protocol,  in  an  arbitrary,  and  adversarially  controlled,  network  en¬ 
vironment.  It  also  supports  modular  analysis  of  protocols.  But,  these  strong  properties  come 
at  a  price:  Many  natural  functionalities  cannot  be  realized  with  UC  security  in  the  plain  model, 
where  players  only  have  access  to  authenticated  communication  channels;  some  additional  trusted 
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set-up  is  necessary  [CF01,  CKL03];  furthermore,  the  need  for  additional  trusted  set  up  extends  to 
any  protocol  that  only  guarantees  a  concurrent  extension  of  basic  security  [Lin04] .  A  large  body  of 
works  (e.g.  [CLOS02,  BCNP04,  KLP05,  CPS07,  GO07,  Kat07,  CDPW07])  have  shown  that  indeed, 
with  the  appropriate  trusted  set-ups,  UC-security  becomes  feasible.  However,  in  many  situations, 
trusted  set-up  is  hard  to  come  by  (or  at  least  expensive).  It  is  thus  important  to  have  a  notion  of 
concurrent  security  that  can  be  achieved  in  the  plain  model. 

Concurrent  Security  in  the  Plain  model.  Security  with  super-polynomial  simulators  (SPS)  [Pas03a] 
is  a  relaxation  of  UC  security  that  allows  the  adversary  in  the  ideal  execution  to  run  in  super¬ 
polynomial  time.  Informally,  this  corresponds  to  guaranteeing  that  “any  polytime  attack  that  can 
be  mounted  against  the  protocol  can  also  be  mounted  in  the  ideal  execution — albeit  with  super¬ 
polynomial  resources.”  Although  SPS  security  is  sometimes  weaker  than  basic  security,  it  often 
provides  an  adequate  level  of  security.  In  constrast  to  basic  security,  however,  SPS  directly  consid¬ 
ers  security  in  the  concurrent  setting.  Protocols  that  realize  practically  any  functionality  with  SPS 
security  in  the  plain  model  were  shown  based  on  sub-exponential  hardness  assumptions  [Pas03a, 
BS05,  LPV09].  Very  recently,  improved  constructions  are  presented  [CLP10,  GGJS12,  LPV12]  that 
are  based  on  only  standard  polynomial-time  hardness  assumptions. 

One  drawback  of  SPS  security  that  it  is  not  closed  under  composition;  thus  it  is  not  a  convenient 
basis  for  modular  analysis  of  protocols.  Angel-based  UC  security  [PS04]  is  a  framework  for  notions 
of  security  that  provides  similar  security  guarantees  as  SPS  and  at  the  same  supports  modular 
analysis.  Specifically,  angel-based  security  considers  a  model  where  both  the  adversary  and  the 
simulator  have  access  to  an  oracle  (an  “angel”)  that  allows  some  judicious  use  of  super-polynomial 
resources.  Since  the  angels  can  be  implemented  in  super-polynomial  time,  for  any  angel,  angel-based 
security  implies  SPS  security.  Furthermore,  akin  to  UC  security,  angel-based  UC  security,  with  any 
angel,  can  be  used  as  a  basis  for  modular  analysis.  Prabhakaran  and  Sahai  [PS04]  exhibited  an  angle 
with  respect  to  which  practically  all  functionalities  can  be  securely  realized;  later  another  angle  is 
given  by  [MMY06];  both  constructions,  however,  rely  on  some  non-standard  hardness  assumptions. 

Recently,  Canetti,  Lin  and  Pass  [CLP10]  proposed  a  new  notion  of  security,  called  UC  with 
super-polynomial  time  helpers.  This  notion  is  very  similar  to  the  angel-based  security  where  both 
the  adversary  and  the  simulator  have  access  to  a  helper  that  provides  some  super-polynomial  time 
help  through  a  limited  interface.  Like  angel-based  security,  UC  security  with  super-polynomial 
time  helpers  implies  SPS  security.  But,  unlike  angel-based  security  where  angels  are  basically  non¬ 
interactive  and  stateless,  the  helpers  are  highly  interactive  and  stateful.  Canetti,  Lin  and  Pass 
[CLP  10]  then  constructed  protocols  that  realize  practically  all  functionalities  with  respect  to  a  par¬ 
ticular  super-polynomial-time  interactive  helper,  based  on  the  existence  of  trapdoor  permutations. 

Summarizing  the  state-of-the-art,  there  are  constructions  [CLP10,  GGJS12,  LPV12]  of  protocols 
satisfying  a  meaningful  notion  of  concurrent  security — SPS  security — in  the  plain  model  based  on 
standard  polynomial  time  hardness  assumptions.  Furthermore,  the  construction  of  [CLP10]  also 
supports  modular  analysis  (the  constructions  of  [GGJS12,  LPV12]  are  better  in  terms  of  round- 
complexity — they  only  require  a  constant  number  of  communication  rounds — but  they  only  acheives 
“non-composable”  SPS  security). 

However,  all  these  constructions  are  non-black-box,  that  is,  the  constructed  protocols  make  non- 
black-box  use  of  the  underlying  primitives.  In  fact,  these  constructions  all  follow  the  ”  Feige-Shamir” 
paradigm  [FS90]:  The  protocols  contain  “trapdoors”  embedded  into  the  messages  of  the  protocol, 
allowing  a  super-polynomial  time  simulator  to  extract  the  trapdoor  and  simulate  messages  in  the 
protocol  by  ’’proving  that  it  knows  the  trapdoor”.  In  general,  protocols  following  this  approach 
seems  hard  to  turn  into  a  ’’practical”  protocol  for  secure  computations;  as  such,  there  result  should 
only  be  viewed  as  “feasibility  results”  regarding  concurrent  secure  computation  without  set-up,  but 
not  candidates  for  practical  purposes. 

In  contrast,  black-box  constructions  that  only  use  the  underlying  primitives  through  their  in- 
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put/output  interfaces,  are  often  much  more  efficient  and  are  more  suitable  for  implementation. 
Therefore,  a  series  of  recent  works  [DI05,  IKLP06,  IPS08,  LP07,  WeelO,  Goyll]  have  focused  on 
constructing  black-box  construction  of  secure  computation  protocols ,  as  an  important  step  towards 
bringing  secure  multi-party  computation  closer  to  the  practice.  However,  their  constructions  are 
all  in  either  the  stand-alone  setting  or  rely  on  strong  trusted  set-ups  (e.g.,  trusted  hardware).  This 
leaves  open  the  following  basic  question: 

Can  we  obtain  a  black-box  construction  of  concurrently  secure  protocols  in  the  plain 
model  (preferrably  based  only  standard  polynomial-time  assumptions)? 

Can  we  have  such  a  black-box  construction  that  also  satisfies  a  notion  of  security  sup¬ 
porting  composability  ? 

1.1  Our  Results 

We  present  a  black-box  construction  of  protocols  that  satisfy  UC  security  with  super-polynomial 
time  helper  for  a  specific  helper,  based  on  the  existence  of  a  stand-alone  senri-honest  oblivious 
transfer  (OT)  protocols;  that  is,  the  weakest  possible  assumption.  The  framework  of  UC  with 
super-polynomial  time  helper  of  [CLP10]  is  formalized  through  the  extended  UC  (EUC)  framework 
of  [CDPW07];  it  is  identical  to  the  standard  UC  model  [CanOO]  except  that  the  corrupted  parties 
(and  the  environement)  have  access  to  an  additional  super-polynomial  time  entity  "H,  called  a  helper 
functionality. 

Main  Theorem  (Informally  Stated):  Assume  the  existence  of  stand-alone  semi-honest  oblivious 
transfer  protocols.  Then  there  exists  a  sub- exponential-time  computable  interactive  machine  Ti  such 
that  for  any  “ well-formed ”  polynomial-time  functionality  T ,  there  exists  a  protocol  that  realizes  T 
with  TL-EUC  security,  in  the  plain  model.  Furthermore,  the  protocol  makes  only  black-box  calls  to 
the  underlying  oblivious  transfer  protocol. 

As  far  as  we  know,  this  is  the  first  black-box  construction  of  secure  multi-party  computation 
protocols  that  achieve  any  non-trivial  notion  of  concurrent  security  in  the  plain  model  (without 
any  trusted-set  up,  and  without  assuming  an  honest  majority). 

The  main  technical  tool  used  in  our  construction  is  a  new  notion  of  a  commitment  that  is 
secure  against  adaptive  chosen  commitment  attack  (CCA  security).  The  notion  of  CCA  secure 
commitments  was  previously  introduced  in  [CLP  10].  Roughly  speaking,  a  tag-based  commitment 
scheme  (i.e.,  commitment  scheme  that  take  an  identifier — called  the  tag — as  an  additional  input) 
is  said  to  be  CCA-secure  if  the  value  committed  to  using  the  tag  id  remains  hidden  even  if  the 
receiver  has  access  to  a  (super-polynomial  time)  oracle  that  “breaks”  commitments  using  any  tag 
id7  /  id,  where  by  breaking,  it  means  the  oracle  returns  a  decommitment  of  the  commitment.  Thus 
the  oracle  is  called  a  decommitment  oracle.  In  [CLP10],  a  commitment  scheme  that  is  CCA-secure 
w.r.t.  a  decommiment  oracle  is  constructed  based  on  the  minimal  assumption  of  one-way  functions. 
However,  their  construction  is  non-black-box.  In  this  work,  to  obtain  black-box  secure  computation 
protocols,  we  need  a  new  black-box  construction  of  a  CCA-secure  commitment  scheme.  Towards 
this,  we  weaken  the  notion  of  CCA  security  w.r.t.  decommitment  oracle  to  instead  consider  an 
oracle  that  “breaks”  commitments  by  returning  only  the  unique  committed  value  (and  not  the 
decommitment  information)  of  the  commitments  (or  _L  if  there  is  no  unique  committed  value);  we 
call  this  the  committed-value  oracle.  We  then  provide  a  black-box  construction  of  a  commitment 
scheme  that  is  CCA-secure  w.r.t.  the  committed- value  oracle. 

Theorem  (Informally  Stated):  Assume  the  existence  of  one-way  functions.  Then,  for  every 
e  >  0,  there  exists  an  0(ne)-round  commitment  scheme  that  is  CCA-secure  w.r.t.  the  committed- 
value  oracle  and  only  relies  on  black-box  access  to  one-way  functions  (where  n  is  the  security 
parameter). 
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We  next  show  that  the  notion  of  CCA-secure  commitments  intuitively  is  better  behaved  than 
traditional  notions  of  non-malleability  [DDNOO]  in  the  context  of  black-box  construction  of  concur¬ 
rently  secure  protocol.  On  a  very  high-level  (and  significantly  oversimplifying),  CCA  security  of 
commitment  schemes  allow  us  to  deal  with  “cut-and-choose”  techniques  (typically  used  in  black-box 
constructions)  in  concurrent  executions,  while  ensuring  hiding  of  commitments  in  other  executions. 

1.2  Outline 

In  Section  2,  we  define  the  notion  of  CCA-security  w.r.t.  the  committed-value  oracle.  (Notations 
and  definitions  of  basic  primitives  appear  in  Appendix  A.)  In  Section  4,  we  present  our  black-box 
robust  CCA-secure  commitment  scheme;  and  provide  the  proof  of  security  in  Appendix  B.  We 
recall  the  notion  of  UC  security  with  super-polynomial  time  helper  in  Appendix  C,  and  show  how 
to  achieve  this  security  notion  using  CCA-secure  commitments  in  a  black-box  way  in  Section  3. 

2  Definition  of  CCA-Secure  Commitments 

We  assume  familiarity  with  the  definition  of  commitment  schemes  and  the  statistically/computational 
binding  and  statistically/computational  hiding  properties.  Unless  specified  otherwise,  by  a  com¬ 
mitment  scheme,  we  mean  one  that  is  statistically  binding  and  computationally  hiding.  A  tag-based 
commitment  schemes  with  Z(n)-bit  identities  [PR05,  DDNOO]  is  a  commitment  scheme  where,  in 
addition  to  the  security  parameter  ln,  the  committer  and  the  receiver  also  receive  a  “tag” — a.k.a. 
the  identity — id  of  length  l(n)  as  common  input. 

2.1  CCA-Security  w.r.t.  Committed  Value  Oracle 

Let  ( C,R )  be  a  tag-based  commitment  scheme  with  Z(n)-bit  identities.  A  committed- value  oracle 
O  of  (C,  R)  acts  as  follows  in  interaction  with  an  adversary  A:  it  participates  with  A  in  many 
sessions  of  the  commit  phase  of  (C,  R)  as  an  honest  receiver,  using  identities  of  length  l{n),  chosen 
adaptively  by  A.  At  the  end  of  each  session,  if  the  session  is  valid,  it  reveals  the  unique  committed 
value  of  that  session  to  A;  otherwise,  it  sends  _L.  (If  a  session  has  multiple  committed  values, 
the  decommitment  oracle  also  returns  _L.  The  statistically  binding  property  guarantees  that  this 
happens  with  only  negligible  probability.)  Loosely  speaking,  a  tag-based  commitment  scheme 
( C ,  R)  is  said  to  be  CCA-secure  w.r.t.  the  committed-value  oracle,  if  the  hiding  property  of  the 
commitment  holds  even  with  respect  to  adversaries  with  access  to  the  committed- value  oracle  O. 
More  precisely,  denote  by  AP  the  adversary  A  with  access  to  the  committed- value  oracle  O .  Let 
IND^C,  R),  A,  n,  z),  where  b  £  {0, 1},  denote  the  output  of  the  following  probabilistic  experiment: 
on  common  input  ln  and  auxiliary  input  z,  AP  (adaptively)  chooses  a  pair  of  challenge  values 
(no,  wi)  £  {0,  l}n — the  values  to  be  committed  to — and  an  identity  id  £  {0,  l}^n\  and  receives  a 
commitment  to  Vb  using  identity  id.  Finally,  the  experiment  outputs  the  output  y  of  A  ,  the  output 
y  is  replaced  by  T  if  during  the  execution  A  sends  O  any  commitment  using  identity  id  (that  is, 
any  execution  where  the  adversary  queries  the  decommitment  oracle  on  a  commitment  using  the 
same  identity  as  the  commitment  it  receives,  is  considered  invalid).  Let 

Definition  1  (CCA  -secure  Commitments.).  Let  ( C,R }  be  a  tag-based  commitment  scheme  with 
l(n)-bit  identities.  We  say  that  ( C,R )  is  CCA-secure  w.r.t.  the  committed-value  oracle,  if  for  every 
VTT  ITM  A,  the  following  ensembles  are  computationally  indistinguishable: 

•  {IND0((C7,  R),A,  ra,  z)}  neN,ze{  o,i}* 

•  {INDi«C,  R),A,  n,  ^)}neAr^e{0,i}* 
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2.1.1  ^-Robustness  w.r.t.  Committed- Value  Oracle 

Consider  a  man-in-the-middle  adversary  that  participates  in  an  arbitrary  left  interaction  with  a 
limited  number  of  rounds ,  while  having  access  to  a  committed  oracle.  Roughly  speaking,  ( C ,  R)  is 
fc-robust  if  the  (joint)  output  of  every  fc-round  interaction,  with  an  adversary  having  access  to  the 
oracle  O,  can  be  simulated  without  the  oracle.  In  other  words,  having  access  to  the  oracle  does  not 
help  the  adversary  in  participating  in  any  fc-round  protocols  much. 

Definition  2.  Let  ( C,R }  be  a  tag-based  commitment  scheme  with  l(n)-bit  identities.  We  say  that 
( C ,  R)  is  k-robust  w.r.t.  the  committed-value  oracle,  if  there  exists  a  simulator  S,  such  that,  for  every 
VTT  adversary  A,  the  following  two  conditions  hold. 

Simulation:  For  every  WT  k-round  ITM  B,  the  following  two  ensembles  are  computationally 
indistinguishable. 

.  {output B,Ao[<5(y),Ao(z))(l",x)]}neJVwe({0)1}.)3 
.  {output B)sA[<S(y),S'AW)(l",x)]}neJVwe({0il}.)3 

where  output^  B[(B(y),  A(z))(.t)]  denote  the  joint  output  of  A  and  B  in  an  interaction  between 
them,  on  common  input  x  and  private  inputs  z  to  A  and  y  to  B  respectively,  with  uniformly 
and  independently  chosen  random  inputs  to  each  machine. 

Efficiency:  There  exists  a  polynomial  t  and  a  negligible  function  fa,  such  that,  for  every  n  G  N , 
z  G  {0, 1}*  and  x  G  {0, 1}*,  and  every  polynomial  T ,  the  probability  that  S  with  oracle  access 
to  A(z )  and  on  input  ln,x,  runs  for  more  than  T{n )  steps  is  smaller  than  +  p{n). 

The  following  proposition  shows  that  to  construct  a  robust  CCA-secure  commitment  scheme 
for  identities  of  length  n,  it  suffices  to  construct  one  for  identities  of  length  £(n)  =  ne .  The  same 
proposition  is  established  in  [CLP10]  for  robust  CCA-security  w.r.t.  decommitment  oracles,  and 
the  proof  there  also  applies  to  CCA-security  w.r.t.  committed-value  oracles;  we  omit  the  proof  here. 

Proposition  1.  Let  e  be  any  constant  such  that  0  <  e  <  1,  £  a  polynomial  such  that  £{n)  =  n£ ,  and 
( C,R )  a  k-round  robust  CCA-secure  commitment  scheme  (w.r.t.  the  committed-value  oracle)  with 
i-bit  identities.  Then  assuming  the  existence  of  one-way  functions,  there  exists  a  robust  k  +  l-round 
CCA-secure  commitment  scheme  ( C,R )  (w.r.t.  the  committed-value  oracle)  with  n-bit  identities. 

3  Black-Box  UC-Secure  Protocols  with  Super-Polynomial  Helpers 

We  consider  the  model  of  UC  with  super-polynomial  helper  introduced  in  [CLP10].  At  a  very  high- 
level,  this  model  is  essentially  the  same  as  the  UC-model  introduced  by  [CanOO],  except  that  both 
the  adversary  and  the  environment  in  the  real  and  ideal  worlds  have  access  to  a  super-polynomial 
time  functionality  that  acts  as  a  helper.  A  formal  definition  of  the  model  is  presented  in  Appendix  C. 
In  this  section,  we  show  the  following  theorem: 

Theorem  1.  Let  5  be  any  positive  constant.  Assume  the  existence  of  aT'OT -round  stand-alone  semi- 
honest  oblivious  transfer  protocol.  Then  there  exists  a  super-polynomial  time  helper  functionality  TL, 
such  that,  for  every  well-formed  functionality1  T ,  there  exists  a  O (max(n5 ,  T'ot)) -round  protocol  II 
that  FL-EUC-emulates  F .  Furthermore,  the  protocol  II  only  uses  the  underlying  oblivious  transfer 
protocol  in  a  black-box  way. 

1See  [CLOS02]  for  a  definition  of  well- formed  functionalities. 
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Towards  this  theorem,  we  need  to  first  exhibit  a  super-polynomial  time  helper  functionality 
H.  Roughly  speaking,  H  simply  acts  as  the  committed- value  oracle  of  a  CCA  secure  commitment 
scheme.  More  precisely,  consider  the  following  two  building  blocks:  First,  given  any  T'OT(n)- 
round  stand-alone  semi-honest  OT  protocol,  it  follows  from  previous  works  [IKLP06,  Hai08]  that 
there  exists  an  ToT(n)-round  OT  protocol  {S,R)  that  is  secure  against  a  malicious  sender  and 
a  semi-honest  receiver — called  mS-OT  protocol  for  short — that  only  relies  on  black-box  access  to 
the  semi-honest  OT  protocol;  furthermore  Tot  =  0(T'OT(n)).  Second,  we  need  a  Tot (n)-robust 
CCA-secure  commitment  scheme  (C,  R),  whose  committed- value  oracle  O  can  be  computed  in  sub¬ 
exponential  time.2  As  we  will  show  in  the  next  section  (see  Theorem  2),  such  a  protocol  exists  with 
O (max (Tot,  nS))  =  0(max(TQT,ns))  rounds,  relying  on  the  underlying  OWF  in  a  black-box  way. 
Since  OWFs  can  be  constructed  from  a  semi- honest  OT  protocol  in  a  black-box  way.  Therefore, 
we  have  that  the  second  building  block  can  also  be  based  on  the  semi-honest  OT  protocols  in  a 
black-box  way. 

Consider  a  helper  functionality  R  that  “breaks”  commitments  of  ( C ,  R)  in  the  same  way  as  its 
committed-value  oracle  O  does,  subject  to  the  condition  that  player  Pi  in  a  protocol  instance  sid 
can  only  query  the  functionality  on  commitments  that  uses  identity  (Pi,  sid).  More  precisely,  every 
party  Pi  in  a  secure  computation  can  simultaneously  engage  with  R  in  multiple  sessions  of  the 
commit  phase  of  ( C,R )  as  a  committer  using  identity  Pi,  where  the  functionality  simply  forwards 
all  the  messages  internally  to  the  committed- value  oracle  O,  and  forwards  Pi  the  committed  value 
returned  from  O  at  the  end  of  each  session.  Since  the  committed-value  oracle  O  can  be  computed 
in  sub-exponential  time,  this  functionality  can  also  be  implemented  in  sub-exponential  time.  A 
formal  description  of  the  functionality  appears  in  Figure  6  in  Appendix  D. 

We  show  that  Theorem  1  holds  w.r.t.  the  helper  functionality  defined  above  in  two  steps. 
First,  note  that  to  realize  any  well-formed  functionality  in  a  black-box  way,  it  suffices  to  realize 
the  ideal  oblivious  transfer  functionality  Pot  [Rab05,  EGL85].  This  is  because  it  follows  from 
previous  works  [Kil92,  BOGW88,  GMW91,  IPS08]  that  every  functionality  can  be  UC  securely 
implemented  in  the  Jx>T-hybrid  model,  even  w.r.t.  super-polynomial  time  environments.  Based  on 
previous  works,  [CLP  10]  further  shows  that  by  considering  only  dummy  adversaries  and  treating 
environments  with  access  to  a  super-polynomial  functionality  R  as  sub-exponential  time  machines, 
we  have  that  every  functionality  can  be  H-EUC  securely  implemented  in  the  Pot  model.  Formally, 
we  have  the  following  lemma  from  [CLP  10]. 

Lemma  1.  Fix  any  super-polynomial  time  functionality  R.  For  every  well-formed  functionality  P , 
there  exists  a  constant-round  PoT-hybrid  protocol  that  R-EUC- emulates  P . 

Next  we  show  how  to  implement  the  Pot  functionality  in  the  H-EUC  model.  Then  combining 
with  Lemma  1,  we  conclude  Theorem  1. 

Lemma  2.  Let  6  be  any  positive  constant.  Assume  the  existence  of  a  T'ot  -round  semi-honest 
oblivious  transfer  protocol.  Then  there  exists  a  0(max(n<5,  T'OT))-round  protocol  Llor  that  R-EUC- 
emulates  Pot ■  Furthermore,  the  protocol  Ilor  only  uses  the  underlying  oblivious  transfer  protocol 
in  a  black-box  way. 

3.1  Overview  of  the  OT  Protocol  IIot 

In  this  section  we  first  provide  an  overview  of  our  black-box  construction  of  "H-EUC  secure  OT 
protocol  IIoti  in  comparison  with  the  black-box  construction  of  an  OT  protocol  secure  against 
both  malicious  players  from  a  mS-OT  protocol  of  [IKLP06,  Hai08].  Roughly  speaking,  the  protocol 

2This  can  be  instantiated  by  simply  using  a  normal  Toy-robust  CCA  secure  commitments  with  an  exponential 
time  committed  value  O,  with  a  “scaled-down”  security  parameter. 
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of  [IKLP06,  Hai08],  relying  on  a  stand-alone  mS-OT  protocol  ( S ,  R),  proceeds  in  the  following  four 
stages: 

Stage  1  (Receiver’s  Random  Tape  Generation)  The  sender  and  the  receiver  jointly  decide 
the  receiver’s  inputs  and  random  tapes  in  Stage  2  using  2 n  parallel  “coin  tossing  in  the  well” 
executions. 

Stage  2  (OT  with  Random  Inputs)  The  sender  and  the  receiver  perform  2 n  parallel  OT  exe¬ 
cutions  of  (S,  R)  using  random  inputs  (sj,  sj)  and  rj  respectively,  where  the  receiver’s  inputs 
rj  s  (and  its  random  tapes)  are  decided  in  Stage  1. 

Stage  3  (Cut-and-Choose)  A  random  subset  Q  C  [2ra]  of  n  locations  is  chosen  using  a  3-round 
coin-tossing  protocol  where  the  sender  commits  to  a  random  value  first.  (Thus  the  receiver 
knowing  that  random  value  can  bias  the  coin-tossing  output.)  The  receiver  is  then  required 
to  reveal  its  randomness  in  Stage  1  and  2  at  these  locations,  which  allows  the  sender  to  check 
whether  the  receiver  behaved  honestly  in  the  corresponding  OT  executions.  The  randomness 
of  the  receiver  at  the  rest  of  locations  remains  hidden. 

Stage  4  (OT  Combiner)  Finally,  for  these  locations  j  0  Q  that  are  not  open,  the  receiver  sends 
otj  =  u (B  Cj  where  u  is  the  receiver’s  true  input.  The  sender  replies  with  /3q  =  vo  ®(©^q  «?) 

and  Pi  =  v\  ©  °J )•  The  honest  receiver  obtains  sj3' s  through  the  OT  execution, 

and  thus  can  always  recover  vu. 

At  a  very  high-level,  the  protocol  of  [IKLP06,  Hai08]  augments  security  of  the  mS-OT  protocol 
( S ,  R)  to  handle  malicious  receivers,  by  adding  the  cut-and-choose  (as  well  as  the  random  tape 
generation)  stage  to  enforce  the  adversary  behaving  honestly  in  most  (Stage  2)  OT  executions. 
(This  is  in  a  similar  spirit  as  the  non-black-box  approach  of  requiring  the  receiver  to  prove  that  it 
has  behaved  honestly.)  Then  the  security  against  malicious  receivers  can  be  based  on  that  against 
semi-honest  receivers  of  ( S ,  R). 

Wee  [WeelO]  further  augmented  the  stand-alone  security  of  the  protocol  of  [IKLP06,  Hai08] 
to  achieve  parallel  security,  that  is,  obtaining  a  protocol  that  is  secure  against  man-in-the-middle 
adversaries  that  simultaneously  acts  as  sender  and  receiver  in  many  parallel  executions.  Towards 
this,  Wee  instantiates  the  commitments  in  the  coin-tossing  sub-protocols  of  the  protocol  of  [IKLP06, 
Hai08],  with  ones  that  are  satisfy  a  notion  of  “non-malleable  w.r.t.  extraction”.  Roughly  speak¬ 
ing,  non-malleability  w.r.t.  extraction  [WeelO]  is  a  weaker  notion  than  non-malleability  of  [DDNOO, 
LPV08];  it  guarantees  that  no  matter  what  values  the  adversary  is  receiving  commitments  to,  the 
committed  values  extracted  out  of  the  commitments  from  the  adversary  (with  over-extraction) 
are  indistinguishable.  This  guarantees  that  a  simulator  can  bias  the  coin-tossing  output  by  ex¬ 
tracting  the  committed  values  from  the  adversary  while  the  adversary  cannot,  as  otherwise,  by 
non-malleability  w.r.t.  extraction,  it  could  do  so  even  if  the  honest  player  sends  a  commitment  to  0 
instead  of  its  true  random  challenge  q.  However,  this  is  impossible  as  in  this  case  no  information  of  q 
is  revealed.  In  other  words,  the  coin-tossing  protocol  when  instantiated  with  a  non-malleable  w.r.t. 
extraction  commitment  becomes  parallel  secure,  relying  which  Wee  shows  that  the  OT  protocol 
also  becomes  parallel  secure. 

Towards  %-EUC-Secure  OT  protocols,  we  need  to  further  overcome  two  problems. 

First,  we  need  to  go  from  parallel  security  to  concurrent  security.  In  other  words,  we  need 
coin-tossing  protocols  that  are  concurrently  secure.  Informally  speaking,  non-malleability  w.r.t.  ex¬ 
traction  guarantees  that  the  simulator  can  extract  the  committed  values  of  commitments  from  the 
adversary  (to  bias  the  output  of  the  coin-tossing)  while  keeping  the  commitment  to  the  adversary 
hiding  amid  rewindings  (to  ensure  that  the  adversary  cannot  bias  the  output).  However,  this  only 
holds  in  the  parallel  setting,  as  non-malleability  only  guarantees  hiding  of  a  commitment  when 
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values  of  the  commitments  from  the  adversary  are  extracted  in  parallel  at  the  end  of  the  execution. 
But,  in  the  concurrent  setting,  the  simulator  needs  to  extract  the  committed  values  from  the  ad¬ 
versary  in  an  on-line  manner,  that  is,  whenever  the  adversary  successfully  completes  a  commitment 
the  committed  value  is  extracted.  To  resolve  this  problem,  we  resort  to  CCA-secure  commitments, 
which  guarantees  hiding  of  a  commitment  even  when  the  committed  values  are  extracted  (via  the 
committed-value  oracle)  concurrently  and  immediately  after  each  commitment.  Now,  instantiat¬ 
ing  the  commitment  scheme  in  the  coin-tossing  protocols  with  a  CCA-secure  commitment  yields  a 
coin-tossing  protocol  that  is  concurrently  secure. 

The  second  problem  is  that  to  achieve  "H-EUC-security  (similar  to  UC-security),  we  need  to 
design  a  protocol  that  admits  straight-line  simulation.  The  simulator  of  a  OT  protocol  has  three 
tasks:  It  needs  to  simulate  the  messages  of  the  honest  sender  and  receiver,  extract  a  choice  from  the 
adversary  when  it  is  acting  as  a  receiver,  and  extract  two  inputs  when  it  is  acting  as  a  sender.  To 
achieve  the  first  two  tasks,  the  original  simulation  strategy  in  [IKLP06,  Hai08,  WeelO]  uses  rewind¬ 
ings  to  breaking  the  non-malleable  commitments  from  the  adversary  to  bias  coin-tossing.  When 
using  CCA-secure  commitments,  the  simulator  can  extract  the  committed  values  in  a  straight-line, 
by  forwarding  the  commitment  from  the  adversary  to  the  helper  functionality  R  that  breaks  the 
CCA  commitments  using  brute  force.  For  the  last  task,  the  original  simulation  strategy  uses  the 
simulator  of  the  rnS-OT  protocol  (S,  R)  against  malicious  senders  to  extract  the  adversary’s  inputs 
Sj’ s  in  the  Stage  3  OT  executions,  which  then  allows  extraction  of  the  real  inputs  vo  and  v\  from 
the  last  message.  However,  the  simulator  of  the  rnS-OT  protocol  may  use  rewindings.  To  solve 
this,  one  way  is  to  simply  assume  a  rnS-OT  protocol  that  has  a  straight-line  simulator.  We  here 
however,  present  a  different  solution. 

In  our  protocol,  the  sender  and  the  receiver  participate  in  parallel  “coin  tossing  in  the  well” 
executions  to  decide  the  sender’s  random  inputs  sb  (and  random  tapes)  in  the  Stage  3  OT  executions 
(besides  the  receiver’s  inputs  and  random  tapes).  Since  the  simulator  can  bias  the  coin-tossing  in 
a  straight  line,  it  can  determine  the  sender’s  inputs  sb,s,  which  allows  extraction  of  the  sender’s 
true  inputs.  For  this  to  work,  we  need  to  make  sure  that  a  malicious  sender  would  indeed  uses 
the  outputs  of  coin-tossing  as  inputs  in  the  OT  executions.  Towards  this,  we  again  use  the  cut- 
and-choose  technique:  After  the  OT  execution,  the  sender  is  required  to  reveal  its  randomness  in 
the  coin-tossing  and  OT  execution  at  a  randomly  chosen  subset  of  locations.  The  cut-and-choose 
technique  guarantees  that  a  malicious  sender  will  behave  consistently  in  most  OT  executions. 
Therefore  the  simulator  extracts  (through  the  coin-tossing  executions)  the  inputs  sb’s  correctly  at 
most  locations.  However,  in  the  protocol  of  [IKLP06,  Hai08,  WeelO],  to  recover  the  real  inputs  vq 
and  i>i ,  the  simulator  needs  to  obtain  all  sb,s  correctly.  To  bridge  the  gap,  we  modify  the  protocol  to 

have  the  sender  compute  a  random  secret-sharing  |a^|  of  each  input  Vb  and  hide  each  share  using 
the  appropriate  sb,  that  is,  it  sends  ab  ©  sb®a  for  every  j  (that  is  not  open  in  the  cut-and-choose 
procedures).  Then,  the  simulator,  able  to  extract  most  sb,s  correctly,  can  recover  enough  shares 
to  decode  to  the  real  inputs  correctly.  In  contrast,  a  malicious  receiver  that  is  enforced  to  behave 
honestly  in  most  OT  executions  by  the  cut-and-choose  procedure,  cannot  obtain  enough  shares  for 
both  inputs  and  thus  can  only  recover  one  of  them.  Finally,  we  remark  that  as  in  [WeelO],  to  avoid 
over-extraction  from  the  secret  shares,  we  use  the  technique  used  in  [CDSMW08,  CDSMW09], 
which  adds  a  another  cut-and-choose  procedure.  A  formal  description  of  our  OT  protocol  Hot 
that  implements  -Tot  is  provided  in  Figure  1;  a  formal  proof  of  security  of  Hot  (he.,  Lemma  2) 
appears  in  Appendix  D.l. 
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OT  protocol  IIot 

Inputs:  The  sender  and  receiver  receive  common  input  a  security  parameter  ln  and  private  inputs  (vq,  iq) 
and  u  £  {0, 1}  respectively. 

Stage  1:  The  sender  chooses  a  random  subset  T^  C  [20n]  of  size  n  and  commits  to  Tr  using  ( C ,  R). 

The  receiver  chooses  a  random  subset  Tg  C  [20n]  of  size  n  and  another  random  subset  T  C  [18n]  of 
size  n;  it  then  commits  to  both  Tg  and  T  using  ( C,R ). 

Stage  2  (Coin- Tossing): 

Receiver  Random-Tape  Generation:  The  receiver  chooses  20n  random  strings  (af , . . .  afon)  and 
commits  to  them  using  ( C,R ).  The  sender  sends  20n  random  strings  , . . .  gn).  The  receiver 
calculates  rf  =  af  ©  bf  for  every  i  €  [20n],  and  interprets  rf  as  Ci||rf ,  where  Ci  will  be  used  as  the 
receiver’s  input  bit,  and  rf  the  random  tape  in  the  OT  executions  below. 

Sender  Random-Tape  Generation:  The  sender  chooses  20 n  random  strings  (af , . . .  afon)  and  commits 
to  them  using  ( C ,  R).  The  receiver  sends  20n  random  strings  (bf , . . .  frfon)-  The  sender  calculates 
rf  =  af  ®bf  for  every  i  £  [20n],  and  interprets  rf  as  s°||s)||rf,  where  s°  and  s*  will  be  used  as  the 
sender’s  two  input  bits,  and  rf  the  random  tape  in  the  OT  executions  below. 

Stage  3  (OT  with  Random  Inputs):  The  sender  and  the  receiver  participates  in  20/t  executions  of 
the  OT  protocol  (S,  R)  in  parallel,  where  the  sender  acts  as  S  and  the  receiver  acts  as  R.  In  the  ith 
execution  of  (S,  R),  the  sender  uses  inputs  sf,  s\  and  random  tape  rf  and  the  receiver  uses  input  Cj 
and  random  tape  rf .  At  the  end  of  the  execution,  the  receiver  obtains  outputs  Si . . .  §20n- 

Stage  4  (Cut-and-Choose — Honesty  Checking): 

Sender  Honesty  Checking:  The  receiver  opens  Tg  and  sender  responds  as  follows:  for  every  j  £  Tg, 
the  sender  opens  the  jth  commitments  of  ( C ,  R)  in  Stage  2  to  af .  The  receiver  checks  if  the  openings 
are  valid,  and  if  for  every  j  £  Tg,  the  sender  acted  honestly  in  the  jth  OT  execution  according  to 
af  ©  bf .  The  receiver  aborts  if  not. 

Receiver  Honesty  Checking:  The  sender  opens  T^  and  receiver  responds  as  follows:  for  every  j  £  T^, 
the  receiver  opens  the  jth  commitments  of  ( C ,  R)  in  Stage  2  to  af .  The  sender  checks  if  the  openings 
are  valid  and  if  for  every  j  £  T#,  the  receiver  acted  honestly  in  the  jth  OT  execution  according  to 
af  ©  bf.  The  sender  aborts  if  not. 

Stage  5  (Combiner):  Set  A  =  [20n]  —  T#  —  Tg  (i.e.,  A  is  the  set  of  unopened  locations).  For  every  i  £  A 
The  receiver  computes  cc,  =  u®  Ci  and  sends  a*.  The  sender  responds  as  follows:  It  computes  a 
10?r-out-of-18n  secret-sharing  of  Vo;  without  loss  of  generality,  we  index  shares  in  that  secret-sharing 
with  elements  in  A;  let  the  secret-sharing  be  p°  =  {p?  }igA-  Similarly,  it  also  computes  a  10?i-out- 

of-18n  secret-sharing  p1  =  {pj }  for  v\.  Then  the  sender  computes  f3\  =  p\  ©  sb®ai  for  every 
i  £  A  and  sends  back  all  the  s. 

The  receiver  after  receiving  all  the  /3,f’s,  computes  shares  corresponding  to  the  uth  input  as  pt  = 
/3“  ©  Si  for  every  *  £  A,  and  sets  p  =  {/5i}igA. 

Stage  6  (Cut-and-Choose — Consistency  Checking):  The  receiver  opens  to  T.  Then  for  every  j  £ 
T  (~l  A,  the  sender  reveals  the  two  inputs  and  s]  and  random  tape  rf  that  it  uses  in  the  jth  OT 
execution  in  Stage  3.  The  receiver  checks  if  the  sender  acts  honestly  according  to  input  (sf,  sj)  and 
random  tape  ff  and  aborts  if  not. 

Finally  the  receiver  checks  whether  p  computed  in  Stage  5  is  17n-close  to  a  valid  codeword  w  (that 
is,  it  agrees  with  w  at  17 n  locations),  and  if  for  every  j  £  T  0  A,  Wj  is  equal  to  /?“  ©  sf®aj .  If  so  it 
outputs  the  value  v  encoded  in  w;  otherwise,  it  aborts. 


Figure  1:  Our  OT  protocol  IIot  that  implements  J-qt  hi  the  %-EUC  model 
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4  Black-Box  Robust  CCA-Secure  Commitments 


In  this  section,  we  present  a  black-box  construction  of  a  robust  CCA-secure  commitment  scheme 
w.r.t.  committed-value  oracle  based  on  one-way  functions.  For  simplicity  of  exposition,  the  presen¬ 
tation  below  relies  on  a  non-interactive  statistically  binding  commitment  scheme  com;  this  can  be 
replaced  with  a  standard  2-round  statistically  binding  commitment  scheme  using  standard  tech¬ 
niques3.  Our  construction  makes  use  of  previous  black-box  constructions  of  extractable  commit¬ 
ments  and  trapdoor  commitment  scheme.  So  let’s  start  by  reviewing  them. 

Extractable  Commitments  Intuitively,  an  extractable  commitment  is  one  such  that  for  any 
machine  C*  sending  a  commitment,  a  committed  value  can  be  extracted  from  C*  if  the  commitment 
it  sends  is  valid;  otherwise,  if  the  commitment  is  invalid,  then  no  guarantee  is  provided,  that  is,  an 
arbitrary  garbage  value  may  be  extracted.  This  is  known  as  the  “over-extraction”  problem.  (See 
Appendix  A. 7  for  a  formal  definition.)  As  shown  in  [PW09],  the  following  protocol  used  in  the 
works  of  [DDNOO,  PRS02,  Ros04]  (also  [Kil88] )  yields  a  black-box  extractable  commitment  scheme 
ExtCom:  To  commit  to  a  value  v  G  {0,  l}m,  the  committer  and  receiver  on  common  input  a  security 
parameter  ln,  proceed  as  follows: 

Commit:  The  committer  finds  n  pairs  of  random  shares  {uq,  vi}ie[n]  that  sum  up  to  v,  (i.e.,  v20  © 

v\  =  v  for  all  i  G  [n])  and  commits  to  them  in  parallel  using  the  non-interactive  statistically 
binding  commitment  scheme  com.  Let  clb  be  the  commitment  to  vl. 

Challenge:  The  receiver  sends  a  re-bit  string  ch  G  {0,  l}n  sampled  at  random. 

Reply:  The  committer  opens  commitments  clch.  for  every  i  G  [re]. 

To  decommit,  the  sender  sends  v  and  opens  the  commitments  to  all  re  pairs  of  strings.  The  receiver 
checks  whether  all  the  openings  are  valid  and  also  v  =  v’0  ©  v\  for  all  i. 

It  is  proved  in  [PW09]  that  ExtCom  is  extractable.  Furthermore,  the  commitment  scheme  has 
the  property  that  from  any  two  accepting  transcripts  of  the  commit  stage  that  has  the  same  commit 
message  but  different  challenge  messages,  the  committed  value  can  be  extracted.  This  property  is 
similar  to  the  notion  of  special-soundness  for  interactive  proof/argument  systems;  here  we  overload 
this  notion,  and  refer  to  this  special  extractability  property  of  ExtCom  as  special-soundness. 

In  our  construction,  we  will  actually  need  an  extractable  commitment  scheme  to  a  string  a  G 
{0,  l}m  for  which  we  can  open  any  subset  of  the  bits  in  a  without  compromising  the  security  (i.e. 
hiding)  of  the  remaining  bits.  As  shown  in  [PW09],  we  may  obtain  such  a  scheme  PExtCom  by 
running  ExtCom  to  commit  to  each  bit  of  a  in  parallel.  It  is  easy  to  see  that  PExtCom  is  also 
special-sound  in  the  sense  that,  given  two  accepting  transcripts  of  PExtCom  that  have  the  same 
commit  message  and  two  challenge  messages  that  contain  a  pair  of  different  challenges  for  every 
ExtCom  commitment,  the  committed  string  a  can  be  extracted.  We  call  such  two  transcripts  a  pair 
of  admissible  transcripts  for  PExtCom. 

Trapdoor  Commitments  Roughly  speaking,  a  trapdoor  commitment  scheme  is  a  computation¬ 
ally  biding  and  computationally  hiding  commitment  scheme,  such  that,  there  exists  a  simulator 
that  can  generate  a  simulated  commitment,  and  later  open  it  to  any  value.  (See  Appendix  A. 8  for 
a  formal  definition.)  Pass  and  Wee  [PW09]  presented  a  black-box  trapdoor  bit  commitment  scheme 
TrapCom.  To  commit  to  a  bit  a ,  the  committer  and  the  receiver  on  common  input  ln  do: 

Stage  1:  The  receiver  picks  a  random  string  challenge  e  =  (ei, . . . ,  en)  and  commits  to  e  using  the 
non-interactive  statistically  binding  commitment  scheme  com. 

3This  can  be  done  by  sending  a  first  message  of  a  2-round  commitment  scheme  at  the  beginning  of  the  protocol, 
and  using  the  second  message  of  the  2-round  commitment  scheme  w.r.t.  that  first  message  as  a  non-interactive 
commitment  in  the  rest  of  the  protocol. 
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Stage  2:  The  committer  prepares  ,vn.  Each  Vi  is  a  2  x  2  0,1-matrix  given  by 


(vT 

_  / 

{  Vi 

Vi  \ 

U10 

v}1  ) 

-  \ 

v  O’©  Vi 

cr®Vi  ) 

where  Vi  is  a  random  bit.  The  sender  commits  to  v\, . . .  ,vn  using  PExtCom  (i.e.,  committing 
using  ExtCom  bit  by  bit  in  parallel).  In  addition,  the  sender  prepares  (a°,  a}), . . . ,  (a°,  a*) 
where  af  is  the  opening  to  uf0,^1  (i.e.,  either  the  top  or  bottom  row  of  vi). 


Stage  3:  The  receiver  opens  to  the  challenge  e  =  {e\ , . . . ,  en);  the  sender  responds  with  a^1 , . . . ,  a®" . 


To  decommit,  the  sender  sends  a.  In  addition,  it  chooses  a  random  7  e  {0, 1},  sends  7,  sends  the 
openings  to  values  u°7,  u*7  for  i  =  1,  2, . . . ,  n  (i.e.,  either  the  left  columns  or  the  right  columns  of 
all  the  matrices).  The  receiver  checks  that  all  the  openings  are  valid,  and  also  that  a  =  rq7  ©rq7  = 


07 
=  Vn’ 


I7 
Vn  . 


As  shown  in  [PW09],  the  protocol  TrapCom  is  trapdoor,  following  a  Goldreich-Kahan  [GK96] 
style  proof;  moreover,  by  running  TrapCom  in  parallel,  we  obtain  a  trapdoor  commitment  scheme 
PTrapCom  for  multiple  bits.  Furthermore,  since  Stage  2  of  the  protocol  TrapCom  is  simply  an 
execution  of  PExtCom,  given  any  two  admissible  transcripts  of  Stage  2,  the  matrices  vi,...,vn 
prepared  in  Stage  2  can  be  extracted;  we  show  that  from  these  matrices,  the  actual  bit  committed 
in  the  TrapCom  commitment  can  be  extracted,  provided  that  the  commitment  is  valid  and  has 
a  unique  committed  value.  We  call  this,  again,  the  special-soundness  of  TrapCom.  It  is  easy  to 
see  that  the  notion  of  special  soundness  (and  admissible  transcripts)  can  be  easily  extended  for 
PTrapCom.  The  formal  definition  and  proof  of  special-soundness  of  TrapCom  (and  PTrapCom) 
appear  in  Appendix  B.l. 


4.1  Overview  of  Our  Construction 

The  CLP  Construction:  At  a  very  high  level,  the  CLP  construction  proceeds  by  having  the 
committer  first  commit  to  the  value  v  using  a  normal  statistically  binding  commitment  com,  followed 
by  a  sequence  of  poly{n)  WXSSV  proofs  of  the  committed  value.  The  W1SSV  proofs  are  the  non- 
black-box  component  of  the  CLP  construction,  but  are  crucial  for  achieving  CCA-security.  Recall 
that  proving  CCA-security  w.r.t.  O  amounts  to  showing  that  the  views  of  A  in  experiments  IN  Do 
and  INDi  are  indistinguishable  (when  A  has  oracle  access  to  O).  Let  us  refer  to  the  adversary’s 
interaction  with  C  as  the  left  interaction ,  and  its  interactions  with  O  as  the  right  interactions. 
The  main  hurdle  in  showing  the  indistinguishability  of  IN  Do  and  INDi  is  that  the  oracle  O  is  not 
efficiently  computable;  if  it  were,  indistinguishability  would  directly  follow  from  the  hiding  property 
of  the  left  interaction.  The  main  idea  of  the  security  proof  of  [CLP  10]  is  then  to  implement  the 
oracle  O  by  extracting  the  committed  values  from  the  adversary,  via  “rewinding”  the  special-sound 
proofs  in  the  right  interactions.  The  two  main  technical  challenges  arises  in  simulating  oracle  O. 

First,  once  the  simulation  starts  rewinding  the  right  interactions,  A  might  send  new  messages 
also  in  the  left  interaction.  So,  if  done  naively,  this  would  rewind  the  left  interaction,  which 
could  violate  its  hiding  property.  To  solve  this  problem,  the  CLP  protocol  schedules  messages 
in  the  special-sound  proofs  using  a  special  message  scheduling  (according  to  the  identity  of  the 
commitment),  called  the  CLP  scheduling,  which  is  a  variant  of  the  message  scheduling  technique 
of  [DDN00,  LPV08].  The  special  message  scheduling  ensures  that  for  every  accepting  right  inter¬ 
action  with  an  identity  that  is  different  from  the  left  interaction,  there  exists  many  points — called 
safe- points- -in  the  interaction,  from  which  one  can  rewind  the  right  interaction  without  requesting 
any  new  message  in  the  left  interaction. 

Second,  in  the  experiment  IND^,  the  adversary  A  expects  to  receive  the  committed  value  at 
the  very  moment  it  completes  a  commitment  to  its  oracle.  If  the  adversary  “nests”  its  oracle 
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calls,  these  rewindings  become  recursive  and  the  running-time  of  the  extraction  quickly  becomes 
exponential.  To  avoid  the  extraction  time  from  exploding,  the  simulation  strategy  in  CLP  rewinds 
from  safe-points  using  a  concurrent  extraction  strategy  that  is  similar  to  that  used  in  the  context 
of  concurrent  ZfC  by  Richardson  and  Killian  [RK99]. 

New  Approach:  To  obtain  a  black-box  construction,  our  main  goal  is  to  replace  the  WISSV 
proofs  with  an  “equivalent”  black-box  component.  The  key  property  that  the  CLP  proof  relies 
on  is  that  the  protocol  contains  many  3-round  constructs  satisfying  that  rewinding  the  last  two 
messages  reveals  the  committed  value,  but  rewinding  three  messages  reveals  nothing.  It  seems 
that  the  3- round  commitment  scheme  PExtCom  is  a  good  replacement  of  WISSV  proofs  as  one 
such  3-round  construct:  The  special-soundness  property  of  PExtCom  ensures  that  rewinding  the 
last  two  messages  reveals  the  committed  value,  and  the  hiding  property  ensures  that  rewinding 
three  messages  reveals  nothings.  It  is  thus  tempting  to  consider  a  commitment  scheme  in  which  the 
committer  commits  to  value  v  using  poly(n)  invocations  of  PExtCom,  arranged  according  to  the  CLP 
scheduling;  the  CLP  extraction  strategy  guarantees  that  for  every  accepting  right  interaction,  (the 
last  two  messages  of)  one  PExtCom  commitment  is  rewound  and  a  committed  value  is  extracted. 
Indeed,  if  a  commitment  of  this  scheme  is  valid,  meaning  that  all  the  PExtCom  commitments 
contained  in  it  are  valid  commitments  to  the  same  value,  the  CLP  extraction  strategy  returns  the 
unique  committed  value.  However,  if  the  commitment  is  invalid,  there  arises  the  over-extraction 
problem:  The  CLP  extraction  strategy  may  extract  a  garbage  value  from  an  invalid  PExtCom 
commitment  or  from  a  valid  commitment  that  is  inconsistent  with  the  other  commitments. 

To  solve  the  over-extraction  problem,  we  use  the  cut-and-choose  technique  to  enforce  the  com¬ 
mitter  to  give  valid  and  consistent  PExtCom  commitments.  Instead  of  having  the  committer  commit 
to  v  directly,  let  it  commit  to  a  (n  +  l)-out-of-10n  Shamir’s  secret  sharing  s  1, . . . ,  Sion  of  v  using 
many  PExtCom  invocations,  still  arranged  according  to  the  CLP  scheduling;  we  refer  to  all  the 
commitments  to  the  jth  share  Sj  the  jt,h  column.  After  all  the  PExtCom  commitments,  the  receiver 
requests  the  committer  to  open  all  the  commitments  in  n  randomly  chosen  columns;  the  receiver 
accepts  only  if  each  column  contains  valid  commitments  to  the  same  value.  It  follows  from  the  cut- 
and-choose  technique  that  except  with  negligible  probability,  at  most  n  columns  may  contain  invalid 
or  inconsistent  commitments.  Therefore,  when  applying  the  CLP  extraction  strategy  on  a  commit¬ 
ment  of  this  scheme,  it  guarantees  to  extract  out  a  secret-sharing  that  is  .9-close  to  all  the  secret¬ 
sharing  committed  to  in  this  commitment.  Then  by  relying  on  the  error-correcting  property  of  the 
secret  sharing,  a  valid  committed  value  can  be  reconstructed.  The  formal  analysis  is  actually  more 
subtle;  to  avoid  over-extraction,  we  employ  the  technique  used  in  [CDSMW08,  CDSMW09,  WeelO], 
which  involves  setting  the  validity  condition  of  the  commitment  scheme  carefully  so  that  invalid 
commitment  can  be  identified.  We  refer  the  reader  to  Appendix  B.3  for  more  details. 

Unfortunately,  our  use  of  the  cut-and-choose  technique  brings  another  problem:  The  above 
commitment  scheme  may  not  be  hiding.  This  is  because,  in  the  last  stage,  the  receiver  may  request 
the  committer  to  open  an  adaptively  chosen  subset  of  commitments  of  PExtCom,  the  remaining 
unopened  commitments  may  not  be  hiding,  unless  PExtCom  were  secure  against  selective  opening 
attack.  To  resolve  this  problem,  we  use  the  trapdoor  commitment  scheme  PTrapCom  to  replace 
PExtCom.  Since  PTrapCom  is  trapdoor,  it  is  secure  against  selective  opening  attack,  and  thus 
the  hiding  property  holds.  Furthermore,  since  Stage  2  of  PTrapCom  is  simply  a  commitment  of 
PExtCom,  we  can  use  Stage  2  of  PTrapCom  as  an  implementation  of  the  3-round  construct  needed 
for  the  CLP  scheduling  and  extraction  strategy.  More  precisely,  the  commitment  scheme  proceeds 
as  follow:  The  committer  commits  to  a  (n  +  l)-out-of-10n  secret  sharing  of  the  value  v  using  many 
invocations  of  PTrapCom,  where  all  the  invocations  share  the  same  Stage  1  message  sent  at  the 
beginning,  followed  by  all  the  3-round  Stage  2  executions  arranged  according  to  the  CLP  scheduling, 
and  then  all  the  Stage  3  executions  performed  in  parallel;  finally,  the  committer  and  the  receiver 
conducts  a  cut-and-choose  consistency  check  as  described  above. 
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It  seems  that  the  security  proof  of  our  CCA-secure  commitment  should  follow  from  that  of  the 
non-black-box  construction  of  [CLP  10].  Unfortunately,  due  to  the  fact  that  the  “rewinding  slots”  of 
our  protocol,  that  is  the  commitment  of  ExtCom,  may  have  over-extraction,  whereas  the  WISSV 
proofs  in  the  CLP  protocol  never  has  this  problem,  the  technical  proof  of  [CLP  10]  does  not  go 
through;  and  in  Appendix  B  we  rely  on  a  different  analysis  to  show  the  security  of  our  protocol.  A 
formal  description  of  our  CCA  secure  protocol  ( C ,  R)  in  Figure  2. 


The  robust  CCA-secure  protocol  ( C ,  R ) 

Let  k  be  an  arbitrary  polynomial,  £,  77  two  polynomials  such  that  £(n)  =  nv  and  77(71)  =  ne  for  v,  e  >  0, 

and  L  a  polynomial  such  that  L{n)  =  max(«(n)  +77(71),  4£{n)r](n)) .  To  commit  to  a  value  v,  the  committer 

C  and  the  receiver  R ,  on  common  input  1™  and  the  identity  id  £  {0,  lj-h”)  0f  the  committer  C  do: 

Stage  1:  The  receiver  sends  the  Stage  1  message  of  a  commitment  of  PTrapCom.  That  is,  a  commitment 
of  com  to  a  randomly  chosen  string  challenge  e  =  (ei, . . . ,  en). 

Stage  2:  The  committer  C  prepares  a  (n  +  l)-out-of-1077  Shamir’s  secret  sharing  si, . . . ,  Sion  of  the  value 
v,  and  commits  to  these  shares  using  Stage  2  of  the  protocol  PTrapCom  in  parallel,  for  L(n)  times', 
we  call  the  zth  parallel  commitment  the  ith  row,  and  all  the  commitments  to  the  ith  share  s»  the  ith 
column. 

Messages  in  the  first  M(n)rj{n)  rows  are  scheduled  based  on  the  identity  id  and  relies  on  scheduling 
pairs  of  rows  according  to  schedules  design0  and  design l  depicted  in  Figure  3.  More  precisely,  Stage 
2  consist  of  i{n)  phases.  In  phase  i,  the  committer  provides  77(77)  sequential  designid.  pairs  of  rows, 
followed  by  77(77.)  sequential  design-^^  pairs  of  rows.  Messages  in  the  rest  of  the  rows  are  simply 
arranged  sequentially. 

Stage  3:  The  receiver  opens  the  Stage  1  commitment  to  the  challenge  e.  The  committer  completes  the 
10?7-L(tt.)  executions  of  PTrapCom  w.r.t.  challenge  e  in  parallel. 

Stage  4  (cut-and-choose):  The  receiver  sends  a  randomly  chosen  subset  T  £  [IOtt]  of  size  n.  For  every 
j  £  T,  the  committer  opens  all  the  commitments  in  the  jth  column  of  Stage  3.  The  receiver  checks 
that  all  the  openings  are  valid,  and  reveal  the  same  committed  values  Sj. 

Decommitment  Message:  To  decommit,  the  committer  sends  v,  and  opens  all  the  commitments  in  the 
first  row  of  Stage  2  to  si, . . . ,  Sion-  The  receiver  checks  all  the  openings  to  si, . . . ,  Sion  are  valid; 
furthermore,  it  checks  that  Si, . . . ,  Sion  is  0.9-close  to  a  valid  codeword  w  =  (w\,  ■  ■  ■  ,  Wion),  and  for 
every  j  £  T,  Wj  equals  to  the  share  Sj  revealed  in  Stage  4. 

In  other  words,  a  commitment  of  (C,  R)  is  valid  if  and  only  if  the  first  row  in  Stage  2  of  the 
commitment  contains  valid  commitments  to  shares  si, . . . ,  Sion,  such  that,  Si, . . . ,  Sion  is  0.9  close 
to  a  valid  codeword  w,  and  w  agrees  with  all  the  shares  revealed  in  Stage  4  (i.e.,  for  every  j  £  T, 
Wj  =  Sj). 


Figure  2:  The  formal  description  of  the  «(n)-robust  CCA-secure  protocol  (C,  R) 
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A  General  Definitions 

A.l  Witness  Relations 

We  recall  the  definition  of  a  witness  relation  for  a  AfV  language  [GolOl]. 

Definition  3  (Witness  relation).  A  witness  relation  for  a  language  L  £  AfV  is  a  binary  relation 
Rl  that  is  polynomially  bounded,  polynomial  time  recognizable  and  characterizes  L  by  L  =  {x  : 
3 ys.t .  (. x,y )  £  Rl} 

We  say  that  y  is  a  witness  for  the  membership  x  £  L  if  (x,y)  £  Rl-  We  will  also  let  Rl(x) 
denote  the  set  of  witnesses  for  the  membership  x  £  L,  i.e.,  Rl(x)  =  {y  :  (x,y)  £  L}.  In  the 
following,  we  assume  a  fixed  witness  relation  Rl  for  each  language  L  £  AfV. 

A.  2  Indistinguishability 

Definition  4  (Computational  Indistinguishability).  Let  Y  be  a  countable  set.  Two  ensembles 
{An,y}neN,yeY  and  {Bn,y}neN,y£Y  are  said  to  be  computationally  indistinguishable  (denoted  by 
{An,y}neN,yeY  ~  {Bn,y}n£N,y£Y),  if  for  every  WT  “distinguishing”  machine  D,  there  exists  a 
negligible  function  v(-)  so  that  for  every  n  £  N,y  £  Y : 

|Pr  [a<-Anty  :  D(ln,  y,  a)  =  1]  -  Pr  [b  £-  Bn,y  :  D(ln,  y,  b)  =  1]  |  <  v(n) 

A. 3  Interactive  Proofs 

We  use  the  standard  definitions  of  interactive  proofs  (and  interactive  Turing  machines)  [GMR89] 
and  arguments  (a.k.a  computationally-sound  proofs)  [BCC88].  Given  a  pair  of  interactive  Turing 
machines,  P  and  V.  we  denote  by  ( P(w ),  V)(x)  the  random  variable  representing  the  (local)  output 
of  V,  on  common  input  x,  when  interacting  with  machine  P  with  private  input  w,  when  the  random 
input  to  each  machine  is  uniformly  and  independently  chosen. 

Definition  5  (Interactive  Proof  System).  A  pair  of  interactive  machines  (P,V)  is  called  an  inter¬ 
active  proof  system  for  a  language  L  if  there  is  a  negligible  function  u{-)  such  that  the  following  two 
conditions  hold  : 

•  Completeness:  For  every  x  £  L,  and  every  w  £  Rl(x),  Pr  [(P(w),  V)(x)  =  1]  =  1 

•  Soundness:  For  every  x  L,  and  every  interactive  machine  B,  Pr  [(B,  P)(.x)  =  1] 

<  v(\x\) 

In  case  that  the  soundness  condition  is  required  to  hold  only  with  respect  to  a  computationally 
bounded  proven,  the  pair  (P,V)  is  called  an  interactive  argument  system. 
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A. 4  Witness  Indistinguishable  Proofs 

The  notion  of  witness  indistinguishability  (WI)  was  introduced  by  Feige  and  Shamir  in  [FS90] . 
Roughly  speaking,  an  interactive  proof  is  said  to  be  WI  if  the  verifier’s  output  is  “computationally 
independent”  of  the  witness  used  by  the  prover  for  proving  the  statement.  In  this  context,  we  focus 
on  languages  L  £  MV  with  a  corresponding  witness  relation  Rl-  Namely,  we  consider  interactions 
in  which,  on  common  input  x,  the  prover  is  given  a  witness  in  Rl(x).  By  saying  that  the  output 
is  computationally  independent  of  the  witness,  we  mean  that  for  any  two  possible  WP-witnesses 
that  could  be  used  by  the  prover  to  prove  the  statement  x  £  L,  the  corresponding  outputs  are 
computationally  indistinguishable. 

Definition  6  (Witness- indistinguishability).  Let  (P,  V)  be  an  interactive  proof  system  for  a  lan¬ 
guage  L  £  A fV.  We  say  that  (P,  V)  is  witness-indistinguishable  for  Rl,  if  for  every  VVT  ITM  V* 
and  for  every  two  sequences  {w^x}ne jv,xeLn{o,i}«  and  {^jX}neJV,xeLn{o,i}"J  such  that  wl,x,wl,x  G 
Rl(x )  for  every  x,  the  following  probability  ensembles  are  computationally  indistinguishable. 

•  {(PC'Wjj^))  V  (^))(3;)}nGAr,a;SLn{0,l}ri,z£{0,l}* 

•  ^*(z))(x)}neAT,a;eLn{0,l}",ze{0,l}* 

A. 5  Special-sound  WI  proofs 

A  4-round  public-coin  interactive  proof  for  the  language  L  £  MV  with  witness  relation  Rl  is 
special-sound  with  respect  to  Rl,  if  for  any  two  transcripts  (6,  a,  (3, 7)  and  (5',a'  ,(5',  7')  such  that 
the  initial  two  messages,  6,6'  and  a,  a',  are  the  same  but  the  challenges  (3,ff  are  different,  there  is 
a  deterministic  procedure  to  extract  the  witness  from  the  two  transcripts  and  runs  in  polynomial 
time.  In  this  paper,  we  rely  on  special  sound  proofs  that  are  also  witness  indistinguishable  (WI) 
Special-sound  WI  proofs  for  languages  in  MV  can  be  based  on  the  existence  of  2-round  commitment 
schemes,  which  in  turn  can  be  based  on  one-way  functions  [GMW91,  FS90,  HILL99,  Nao91]. 

A. 6  Concurrent  ZK,  Protocols 

Let  (P,  V)  be  an  interactive  proof  for  a  language  L.  Consider  a  concurrent  adversarial  verifier 
V*  that  on  common  input  a  security  parameter  ln,  a  statement  x  £  {0,  l}n  and  auxiliary  input 
z,  interacts  with  m(n)  independent  copies  of  P  concurrently,  without  any  restrictions  over  the 
scheduling  of  the  messages  in  the  different  interactions  with  P. 

Definition  7.  Let  (P,  V)  be  an  interactive  proof  system  for  a  language  L.  We  say  that  (P,V)  is 
black-box  concurrent  zero-knowledge  if  for  every  polynomials  q  and  m,  there  exists  a  probabilistic 
polynomial  time  algorithm  Sq,rn,  such  that  for  every  concurrent  adversary  V*  that  on  common  input 
ln ,  x  and  auxiliary  input  z  opens  up  m(n)  executions  and  has  a  running-time  bounded  by  q(n), 
Sq,m  (r 

,  x,  z)  runs  in  time  polynomial  in  n.  Furthermore,  it  holds  that  the  following  ensembles  are 
computationally  indistinguishable 

•  {viewy*  [(P(w),  V*(z))( ln,  *)]}neJV, 

x£Lr{0,l}n  ,weRL(x),z£{0,l}* 

•  {Sq^rn  (1  ,  X,  ^)}neAf,xELn{0,l}n,MiSi?z/(3;),zS{0,l}* 

A. 7  Extractable  Commitments 

We  recall  the  definition  of  extractable  commitments  defined  in  [PW09].  Let  ( CS,RS )  be  a  statisti¬ 
cally  binding  commitment  scheme.  We  say  that  ( CS,RS )  is  an  extractable  commitment  scheme  if 
there  exists  an  expected  polynomial-time  probabilistic  oracle  machine  (the  extractor)  E  that  given 
oracle  access  to  any  VVT  cheating  sender  C*  outputs  a  pair  (r,  a*)  such  that: 
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•  (simulation)  r  is  identically  distributed  to  the  view  of  C*  at  the  end  of  interacting  with  an 
honest  receiver  Rs  in  commit  phase. 

•  (extraction)  the  probability  that  r  is  accepting  and  valid  a*  =  _L  is  negligible. 

•  (binding)  if  g*  ^  _L,  then  it  is  statistically  impossible  to  open  r  to  any  value  other  than  cr*. 

We  will  also  consider  extractable  commitment  schemes  that  are  computationally  binding;  the  defi¬ 
nition  is  as  above,  except  if  cr*  7^  _L,  we  only  require  that  it  is  computationally  infeasible  to  open 
r  to  any  value  other  than  a*. 

A. 8  Trapdoor  Commitments 

We  say  that  (Ct,  Rt)  is  a  trapdoor  commitment  scheme  if  there  exists  an  expected  polynomial-time 
probabilistic  oracle  machine  S  =  (5i ,  S2)  such  that  for  any  PPT  R*  and  all  v  G  {0,  l}n,  the  output 
(r,  w)  of  the  following  experiments  are  computationally  indistinguishable: 

•  an  honest  sender  Ct  interacts  with  R*  to  commit  to  v,  and  then  opens  the  com¬ 
mitment:  r  is  the  view  of  R*  in  the  commit  phase,  and  w  is  the  message  Ct  sends 
in  the  open  phase. 

•  the  simulator  S  generates  a  simulated  view  r  for  the  commit  phase,  and  then  opens 

the  commitment  to  v  in  the  open  phase:  formally,  (ln,  lk)  — >  (r,  STATE) ,  £2 (STATE,  v)  — > 

w. 


B  Proofs  for  Our  Black-Box  Robust  CCA-Secure  Commitments 

B.l  Properties  of  the  Trapdoor  Commitments  TrapCom 

Before  proving  the  security  properties  of  our  robust  CCA-secure  commitment  scheme,  we  first 
prove  a  few  properties  of  the  trapdoor  commitment  scheme  TrapCom  of  [PW09],  which  will  be  very 
instrumental  the  proof  of  robust  CCA-security. 

Special-soundness  of  TrapCom:  Since  Stage  2  of  the  protocol  TrapCom  is  simply  a  PExtCom 
commitment,  given  any  two  admissible  transcripts  of  Stage  2,  a  committed  value  can  be  extracted. 
Consider  the  following  deterministic  polynomial  time  procedure  reconst  that  on  input  two  admissible 
transcripts  71,  72  of  Stage  2  extracts  a  committed  value  as  follows:  It  first  reconstructs  all  the 
matrices  v\,  ■  ■  ■  ,  vn  from  71 , 72  by  relying  on  the  extract  ability  of  PExtCom;  then  it  checks  whether 
all  the  left  columns  of  the  matrices  sum  up  to  the  same  bit  b ,  and  sets  gq  to  b  if  this  is  the  case 
and  _L  otherwise;  it  computes  g\  similarly  with  respect  to  the  right  columns;  next, 

•  If  o\  and  (7 1  equal  to  two  different  bits,  reconst  outputs  err. 

•  Else  if  do  and  g\  both  equal  to  _L,  it  outputs  _L  as  well. 

•  Finally,  if  gq  and  G\  equal  to  the  same  bit  b,  or  only  one  of  them  equals  to  b  and  the  other 
equals  to  _L,  reconst  outputs  b. 

We  show  below  in  Lemma  3  that  as  long  as  the  reconst  procedure  does  not  output  err,  then 
the  extracted  value  must  be  the  committed  value — we  call  this  the  special-soundness  property  of 
TrapCom  -and  in  Lemma  4  that  when  the  reconst  procedure  outputs  err,  then  the  receiver’s  chal¬ 
lenge  in  the  TrapCom  commitment  can  be  computed  efficiently.  It  follows  essentially  from  Lemma  3 
and  4  that  TrapCom  is  computationally  hiding.  Formally,  let  T  be  a  commitment  of  TrapCom,  we 
say  that  a  pair  of  admissible  transcripts  71, 72  is  consistent  with  TrapCom  if  the  first  message  in  71 
and  71  equals  to  the  first  message  of  Stage  2  in  T.  Then, 
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Lemma  3  (Special-soundness  of  TrapCom).  Let  T  be  a  commitment  of  TrapCom,  and  71,72  a  pair 
of  admissible  transcripts  of  TrapCom  that  is  consistent  with  T  ■  Then,  if  reconst(71, 71)  =  /  err, 

if  is  statistically  impossible  to  open  T  to  any  value  other  than  cr. 

Proof.  Assume  for  contradiction  that  reconst(71, 71)  outputs  a  err  but  there  exists  a  decommit¬ 
ment  that  opens  T  to  a  bit  o'  £  {0, 1}  different  from  cr. 

It  follows  from  the  validity  condition  of  TrapCom  that  if  a  commitment  can  be  opened  to  a' 
there  must  exist  a  7  G  {0, 1},  such  that  all  the  commitments  of  ExtCom  to  re  7,  v\  /  for  i  =  1,2, ...  ,k 
are  valid  and  cr'  =  iq7  ©  tq7  =  •  •  •  =  ©  v^f1 ,  where  a  is  the  committed  value.  That  is,  either  all 

the  left  columns  or  the  right  columns  are  valid  commitments  to  values  that  sum  up  to  a' .  Since 
two  admissible  transcripts  of  TrapCom  contains  a  pair  of  admissible  transcripts  of  ExtCom  for  each 
commitment  to  a  bit  It  follows  from  the  extract  ability  of  ExtCom  that  from  71  and  71,  values 

u°7,rr7  can  be  extracted  correctly,  as  by  the  validity  condition  commitments  to  vT’s  are  all  valid. 
Therefore  the  procedure  reconst  will  set  bit  rr7  to  cr'.  Then,  conditioned  on  reconst  does  not  output 
err,  it  must  output  cr',  which  gives  a  contradiction.  □ 

Lemma  4.  Let  T  be  an  accepting  commitment  of  TrapCom,  and  71,71  a  pair  of  admissible  tran¬ 
scripts  of  TrapCom  that  is  consistent  with  T .  Then,  if  reconst(71, 71)  =  err,  the  receiver’s  challenge 
committed  to  in  Stage  1  of  T  can  be  computed  efficiently  and  deterministically  from  71,71- 

Proof.  The  reconst  procedure,  on  input  71,71,  reconstructs  a  tuple  of  n  matrices  v\,...,vn  by 
relying  on  the  special  soundness  of  ExtCom,  and  outputs  err  if  and  only  if  all  the  values 
in  the  left  columns  sum  up  to  a  bit  b  whereas  all  the  values  v® 1 ,  uj 1  in  the  right  columns  sum  up 
to  1  —  b.  Furthermore,  since  T  is  accepting,  in  Stage  3  of  T,  the  receiver  must  successfully  open 
the  stage  1  com  commitment  to  a  challenge  e  and  the  committer  must  successfully  open  the  two 
commitments  in  the  e*h  row  of  the  jth  matrices  to  the  same  value  rjj  for  every  j  £  [k].  Thus,  by  the 

special  soundness  of  ExtCom,  values  extracted  from  the  e*h  row  must  equal  to  r/j,  which 

means  the  two  bits  uj1  ei'>1  extracted  from  the  (1  —  ej)th  row  must  differ.  Thus  from  71 

and  71,  the  receiver’s  challenge  e  in  T  can  be  computed  efficiently.  □ 

Strong  Computational  Binding:  We  show  that  TrapCom  enjoys  a  strong  computational  binding 
property  as  described  in  Lemma  5. 

Lemma  5  (Strong  computational  binding).  For  every  WT  machine  C* ,  the  probability  that  C* 
in  interaction  with  the  honest  receiver  of  TrapCom,  generates  a  commitment  that  has  more  than 
one  valid  committed  values  is  negligible.  4 

Proof.  Assume  for  contradiction  that  there  is  a  committer  C*  that  can  generate  a  commitment  that 
has  two  valid  committed  values  with  polynomial  probability.  Then  we  can  construct  a  machine  A 
that  violates  the  hiding  property  of  com. 

The  machine  A  on  input  a  com  commitment  c  to  a  random  n-bit  string  e,  internally  incorporates 
C*  and  emulates  the  messages  from  the  receiver  for  C*  honestly,  except  that:  it  forwards  c  to  A 
at  the  Stage  1  message;  after  C*  completes  Stage  2,  it  repeatedly  rewinds  C*  from  the  challenge 
message  in  Stage  2  by  sending  C*  freshly  sampled  challenges,  until  another  accepting  transcript  of 
Stage  2  is  obtained;  then  it  checks  whether  the  pair  of  transcripts  of  Stage  2  is  admissible  and  if 
so  whether  reconst  outputs  err  on  input  these  two  transcripts;  if  this  is  the  case,  it  computes  the 
challenge  e'  from  the  two  admissible  transcripts  by  Lemma  4  and  outputs  e';  otherwise,  it  aborts. 
Finally,  A  cuts  its  execution  off  after  2n/3  steps. 

4Note  that  the  computational  binding  property  only  guarantees  that  it  is  impossible  for  an  efficient  committer  to 
generate  a  commitment  of  TrapCom  and  opens  it  to  two  different  values. 
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It  follows  from  standard  technique  that  the  expected  running  time  of  C*  is  bounded  by  a 
polynomial.  Furthermore,  each  challenge  in  Stage  2  of  a  TrapCom  commitment  is  a  n-tuple  of 
n-bit  strings.  Then  Since  A  runs  for  at  most  2n/3  steps,  the  probability  that  any  n-bit  string  is 
picked  for  a  second  time  in  A  is  2n/3/2n;  since  A  picks  at  most  2n/3  strings,  by  union  bound,  the 
probability  that  any  n-bit  string  is  picked  twice  is  ^73  =  2n/3^-.  Therefore,  except  with  negligible 
probability,  the  pair  of  accepting  transcripts  collected  by  A  is  also  admissible. 

Next,  we  show  that  conditioned  on  that  the  pair  of  transcripts  collected  by  A  is  admissible,  A 
outputs  the  value  committed  to  in  c  with  polynomial  probability.  Since  A  emulates  the  execution 
of  C*  perfectly,  with  polynomial  probability  C*  in  A  generates  a  commitment  that  can  be  opened 
to  both  0  and  1.  When  this  happens,  by  the  validity  condition  of  TrapCom,  the  commitment 
generated  by  C*  must  have  the  property  that  all  the  commitments  of  ExtCom  in  Stage  2  are  valid, 
and  the  committed  values  in  the  left  columns  sum  up  to  a  bit  6  whereas  the  committed  values  in 
the  right  columns  sum  up  to  another  bit  1  —  6.  In  this  case,  the  procedure  reconst  fails  to  extract 
a  value  from  the  pair  of  admissible  transcripts  collected  by  A  and  outputs  err.  The  by  Lemma  4 
the  challenge  committed  to  in  Stage  1  can  be  computed.  Thus  A  outputs  the  committed  value  of 
c  with  polynomial  probability.  □ 

Extension  to  multiple  bits.  As  shown  in  [PW09],  by  running  the  trapdoor  bit  commitment 
scheme  TrapCom  in  parallel,  we  obtain  a  trapdoor  commitment  scheme  PTrapCom  for  multiple  bits, 
with  the  additional  property  that  we  can  open  the  commitment  to  any  subset  of  the  bits  without 
compromising  the  security  of  the  remaining  bits.  The  hiding,  binding  and  trapdoor  property  of  the 
commitment  remains.  Furthermore,  Stage  2  of  the  protocol  PTrapCom  consists  of  many  parallel 
executions  of  PExtCom.  We  say  that  two  transcripts  of  Stage  2  of  PTrapCom  are  admissible  if  they 
contain  a  pair  of  admissible  transcripts  of  PTrapCom  for  each  parallel  execution  in  it.  Then  given 
a  pair  of  admissible  transcripts  of  PTrapCom,  the  committed  string  can  be  extracted  by  running 
the  following  procedure  reconst:  For  each  parallel  execution,  it  extracts  a  value  cq  using  the  reconst 
procedure;  then  it  outputs  err  if  any  cq  equals  to  err,  otherwise,  it  outputs  all  the  extracted  bits 
cq’s  concatenated.  Again,  we  call  this  property  the  special-soundness  of  PTrapCom. 

B.2  (C,  R)  is  a  Statistically-Binding  Commitment  Scheme 

In  this  section,  we  provide  formally  that  that  (C,  R)  is  a  statistically  binding  commitment  scheme. 
Proposition  2.  ( C ,  R)  is  a  statistically  binding  commitment  scheme. 

Proof.  The  statistically  bindng  property  of  ( C ,  R)  follows  directly  from  that  of  com.  We  then,  focus 
on  showing  the  hiding  property. 

Recall  that  the  commitment  scheme  TrapCom  is  trapdoor.  In  particular,  as  shown  in  [PW09], 
if  the  receiver’s  challenge  is  fixed,  then  there  is  a  straight-line  simulator  that  can  generate  a  sim¬ 
ulated  transcript  of  the  commit  phase  that  can  be  equivocated  to  both  0  and  1  later.  We  recall 
the  simulation  strategy.  Let  R*  be  a  malicious  receiver  using  a  fixed  challenge  e,  then  to  simulate 
Stage  2  and  3  of  TrapCom  for  R* ,  the  simulator  samples  a  random  bit  7  and  prepares  v\  -  ■  -vn  where 
each  Vi  is  a  2  x  2  0,1-matrix  such  that,  the  e*h  row  of  Vi  has  the  form  (r)i,r]i)  and  the  (1  —  ej)th 
row  has  the  form  (7  0  r/i,  (1  —  7)  0  r/i)  with  a  randomly  and  independently  sampled  bit  77*.  It  then 
commits  to  ■  ■  ■  ,vn  using  PExtCom  in  Stage  2;  later,  in  Stage  3,  upon  receiving  challenge  e,  for 
every  i,  it  opens  commitments  to  the  e\h  row  in  the  ith  matrix  to  yielding  an  accepting 

commitment.  To  equivocate  the  simulated  commitment  to  0,  the  simulator  sends  7  and  opens  all 
the  commitments  in  the  7th  column  of  the  matrices;  to  equivocate  the  commitment  to  1,  it  sends 
1  —  7  and  opens  the  (1  —  7)th  column  of  the  matrices.  It  follows  from  the  hiding  property  of  ExtCom 
(recall  that  a  commitment  of  PExtCom  to  v\  ■  ■  ■  vn  is  simply  many  commitments  of  ExtCom  to  bits 
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to1’62  in  parallel)  that,  for  every  b  £  {0,1},  the  simulated  commitment  of  TrapCom  together  with 
the  equivocated  opening  to  b  is  indistinguishable  from  an  honest  commitment  and  opening  to  b. 
Furthermore,  since  the  simulation  is  straight-line  and  thus  is  composable  under  concurrent  compo¬ 
sition,  we  have  that  TrapCom  is  secure  under  selective  opening  attack  with  concurrent  composition 
(See  [Xiall]  for  a  formal  definition)  against  malicious  receivers  that  always  use  a  fixed  challenge. 

Next,  by  relying  on  the  security  against  selective  opening  attack  of  TrapCom,  we  show  that 
for  every  malicious  receiver  R*  of  ( C,R ),  there  is  a  simulator  S  that  can  generate  a  simulated 
commitment  that  is  indistinguishable  from  an  honest  commitment  to  R*  to  any  value  v,  then 
the  hiding  property  follows.  More  precisely,  given  a  malicious  receiver  R*  of  ( C ,  R)  (with  loss  of 
generality,  deterministic) ,  let  ci  be  the  Stage  1  commitment  from  R*  and  e  the  challenge  committed 
to  in  ci-  The  simulator  S,  on  input  e,  simulates  a  commitment  of  (C,  R)  to  v  as  follows:  In  Stage  2 
and  3,  it  simulates  the  10nL(n)  commitments  of  PTrapCormc.r.t.  challenge  e  by  using  the  simulator 
of  PTrapCom  described  above  does;  finally  in  Stage  4,  upon  receiving  T,  for  every  column  j  £  T,  it 
samples  a  random  string  Sj  and  equivocate  all  the  simulated  commitments  of  PTrapCom  in  the  jth 
column  to  Sj.  Since  R*  uses  a  fixed  challenge  e  in  all  the  PTrapCom  commitments,  it  follows  from 
the  security  against  selective  opening  attack  of  TrapCom  that  in  H  the  simulated  commitments  of 
PTrapCom  in  Stage  2  and  3,  together  with  the  equivocated  openings  to  n  random  values  in  Stage 
4  is  indistinguishable  from,  the  honest  commitments  and  openings  to  n  shares  of  v  in  the  real 
execution  (since  by  the  property  of  the  (n  +  l)-out-of-10n  secret-sharing,  n  shares  of  v  is  identically 
distributed  to  n  random  values).  Thus,  the  simulated  commitment  by  S  is  indistinguishable  to  an 
honest  commitment  to  v.  Since  S  does  not  depend  on  the  committed  value  v,  we  conclude  that 
honest  commitments  to  any  two  values  v\  and  V2  are  indistinguishable.  □ 

B.3  Proof  of  Robust  CCA-Security  of  (C,  R) 

In  this  section,  we  prove  the  following  theorem. 

Theorem  2.  {C,R)  is  n(n)-robust  CCA-secure  w.r.t.  committed  value  oracles. 

The  formal  proof  of  Theorem  2  consists  of  two  parts:  in  Section  B.3. 2,  we  show  that  (C,R) 
is  CCA-secure.  and  in  section  B.3. 3,  we  show  that  it  is  also  robust.  Towards  this,  below  we  first 
adapt  the  definition  of  safe-points  in  [CLP10]  to  work  with  our  protocol  ( C,R ). 

B.3.1  Safe-Points 

Our  notion  of  safe- points  is  almost  the  same  as  that  in  [CLP  10]  (which  in  turn  is  based  on  the  notion 
of  safe-points  of  [LPV08]  and  safe  rewinding  block  of  [DDN00]),  with  the  only  exception  that  our 
definition  considers  the  3-round  rows  in  our  black-box  construction  of  CCA  commitment  ( C,R ), 
instead  of  the  3-round  WISSV  proofs  in  the  non-black-box  construction  in  [CLP10].  Recall  that, 
like  a  WISSV  proof,  each  row  in  Stage  3  of  the  protocol  (C,  R)  has  the  3-round  challenge-reply 
structure — we  call  the  three  messages  respectively,  the  commit,  challenge  and  reply  messages — and 
has  the  property  that  rewinding  a  complete  row  reveals  nothing  about  the  committed  value. 

Let  A  be  a  transcript  of  one  left  and  many  right  interactions  of  (C.  R).  Intuitively,  a  safe-point  p 
of  a  right  interaction  A;  is  a  prefix  of  a  transcript  A  that  lies  in  between  the  first  two  messages  ar  and 
[3r  of  a  row  (ar,/3r,  /yr)  in  interaction  k,  such  that,  when  rewinding  from  p  to  7r,  if  A  uses  the  same 
“scheduling  of  messages”  as  in  A,  then  the  left  interaction  can  be  emulated  without  affecting  the 
hiding  property.  This  holds,  if  in  A  from  p  to  where  7r  is  sent,  A  expects  either  no  message  or  only 
complete  rows  in  the  left  interaction,  as  shown  in  Figure  4  (i)  and  (ii)  respectively,  (Additionally, 
in  both  cases,  A  may  request  the  reply  message  of  some  row  in  the  left,  as  shown  in  Figure  4  (iii). 
This  is  because,  given  the  first  two  messages  of  a  row,  the  reply  message  is  deterministic,  and  hence 
can  be  emulated  in  the  rewinding  by  replaying  the  reply  in  A.) 
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(i) 


(ii) 


(iii) 


Figure  4:  Three  characteristic  safe-points. 
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Figure  5:  Prefix  p  that  is  not  a  safe  point. 


Definition  8.  Let  A  be  any  transcript  of  one  left  interaction,  and  many  right  interactions,  of 
( C,R ).  A  prefix  p  of  a  transcript  A  is  called  a  safe-point  for  right  interaction  k,  if  there  exists  an 
accepting  row  (ar,fir,  jr)  in  the  right  interaction  k,  such  that: 

1.  ar  occurs  in  p,  but  not  fir  (and  7 r). 

2.  for  any  row  (a^fi^ji)  in  the  left  interaction,  if  aq  occurs  in  p,  then  fii  occurs  after  7r. 

3.  messages  in  Stage  1,  3,  and  4  of  the  left  interaction  occur  either  before  p  or  after  7 r. 

If  p  is  a  safe-point,  let  (ap,fip,  jp)  denote  the  canonical  “safe”  right  row  associated  with  p.  Note 
that  the  only  case  a  right-interaction  row  is  not  associated  with  any  safe-point  is  if  it  is  “aligned” 
with  a  left-execution  row,  as  shown  in  Figure  5.  In  contrast,  in  all  other  cases,  a  right-interaction 
row  has  a  safe-point,  as  shown  in  Figure  4. 

It  follows  from  exactly  the  same  proof  in  [CLP  10]  that  in  any  transcript  of  one  left  and  many 
right  interactions  of  ( C ,  R),  every  accepting  right  interaction  that  has  a  different  identity  from  the 
left  interaction,  has  at  least  ? j(n)  safe-points.  This  technical  lemma  will  be  very  instrumental  in  the 
proof  of  CCA-security  in  the  next  section. 

Lemma  6  (Safe-point  Lemma).  Let  A  be  any  transcript  of  one  left  interaction,  and  many  right 
interactions,  of  ( C,R ).  Then,  in  A,  for  every  successful  right  interaction  that  has  a  different 
identity  from  the  left  interaction,  there  exist  at  least  a  number  of  Ll(rj(n))  non-overlapping  rows 
that  are  associated  with  a  safe- point. 

B.3.2  Proof  of  CCA  Security 

We  show  that  for  every  WT  adversary  A,  the  following  ensembles  are  computationally  indistin¬ 
guishable. 

.  {INDo ((C,R),A,n,z)} 

n£N,z£{  0,1}* 
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•  {INDi«C,  R),A,  n,  ^)}neAr^e{0,i}* 

Towards  this,  we  consider  new  commitment  scheme  ((7,  R)  (similar  to  the  “adaptor”  schemes  of 
[DDNOO,  LPV08,  CLP10]),  which  is  a  variant  of  ( C ,  R)  where  the  receiver  can  ask  for  an  arbitrary 
number  of  designs  in  Stage  2.  Furthermore,  ( C ,  R)  does  not  have  a  fixed  scheduling  in  Stage  2;  the 
receiver  instead  gets  to  choose  which  design  to  execute  in  each  iteration  (by  sending  bit  b  to  select 
design^).  Note  that,  clearly,  any  execution  of  ( C ,  R)  can  be  emulated  by  an  execution  of  (C,  R)  by 
simply  requesting  the  appropriate  designs.  It  follows  using  essentially  the  same  proof  for  the  hiding 
property  of  ( C ,  R)  in  Proposition  2  that  ((7,  R)  is  computationally  hiding;  we  omit  the  proof  here. 

Now  assume  for  contradiction  that  there  exists  an  adversary  A,  a  distinguisher  D,  and  a  poly¬ 
nomial  p,  such  that  for  infinitely  many  n  £  N,  there  exists  z  £  {0, 1}*,  such  that, 

|Pr  [D(\m0((C,R),A,n,z))  =  1]  -  Pr  ^(IND^C,  R),  A,  n,z))  =  1]  |  > 

p[n) 

We  reach  a  contradiction  by  exhibiting  a  (stand-alone)  adversary  B*  that  distinguishes  com¬ 
mitments  using  (C,R).  Let  STA b((C,R),B*,n,z)  denote  the  output  of  B*(ln,z )  after  receiving  a 
commitment  of  (C,  R)  to  value  vb,  where  as  in  experiment  IND5  the  challenges  vq  and  v\  are  chosen 
adaptively  by  B* .  We  show  that  the  following  two  claims  hold  w.r.t  B* . 

Lemma  7.  There  exists  a  polynomial  function  t  and  a  negligible  function  p,  such  that  for  every 
b  £  {0,1},  n  £  IV  and  z  £  {0,1}*,  and  every  function  p,  the  probability  that  B*  in  experiment 
STA b((C,  R),  B* ,n,  z)  takes  more  than  p(n)  steps  is  less  than  or  equal  to  +  p{n). 

Lemma  8.  Let  b  £  {0, 1}.  The  following  ensembles  are  computationally  indistinguishable. 

.  {STA b((C,R),B*,n,z)\ 

t  )  neiV,2e{o,i}* 

.  jlND b((C,R),A,n,z)\ 

l  )  neTV, 26(0,1}* 

By  Lemma  8,  it  thus  follows  that  for  infinitely  many  n  £  N,  there  exists  z  £  {0, 1}*,  such  that, 

Pr[JD(STA0«C,,fl),S*,n,z))  =  ll  —  Pr  \D(STAi((C,R),B*,n,  z))  =  lj  > 

L  J  L  J  4 p[n) 

Furthermore,  by  Lemma  7,  the  probability  that  B*  runs  for  more  than  T(n)  =  4 t(n)p(n)  steps  is 
smaller  than  1/4 p(n).  Therefore,  the  execution  of  B*  can  be  truncated  after  T(n)  steps,  while  only 
affecting  the  distinguishing  probability  by  at  most  4J(n\ which  means  there  exists  a  WT  machine 

that  distinguishes  commitments  with  probability  2p(n)  ’  contradicts  the  hiding  property  of 
(C,R). 

Construction  of  B*.  On  a  high-level,  B*  in  interaction  with  an  honest  committer  C  on  the 
left  emulates  the  committed-value  oracle  O  for  A  by  extracting  the  committed  values  of  the  right 
interactions  from  the  rows  in  Stage  2  of  ( C,R ).  Recall  that  Stage  2  of  ( C,R )  contains  multiple 
rows;  each  in  turn  contains  commitments  to  secret  shares  of  the  committed  value  (more  precisely, 
shares  of  a  decommitment  of  Stage  2  of  ( C,R )),  using  Stage  2  of  PTrapCom.  It  follows  from  the 
special  soundness  of  PTrapCom  that,  given  a  pair  of  transcripts  of  a  row  that  are  admissible  for 
each  commitment  of  TrapCom  contained  in  that  row,  the  secret  shares  committed  in  that  row  can 
be  reconstructed  using  the  reconst  procedure  (provided  that  it  does  not  output  err) — we  say  that 
such  a  pair  of  transcripts  of  a  row  is  admissible.  Then  the  committed  value  can  be  recovered. 
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The  construction  of  B*  contains  two  parts,  a  rewinding  procedure  and  a  reconstruction  pro¬ 
cedure.  The  rewinding  procedure  recursively  rewinds  the  rows  of  the  right  integrations  and  guar¬ 
antees  that  at  the  end  of  every  accepting  right  interaction  with  different  identity  from  the  left 
interaction,  a  pair  of  admissible  transcripts  (of  one  row)  of  that  right  interaction  is  collected.  The 
reconstruction  procedure,  on  the  other  hand,  on  input  a  pair  of  admissible  transcripts  of  one  right 
interaction,  reconstructs  the  committed  value  of  that  interaction.  The  rewinding  procedure  that 
we  use  here  is  essentially  the  same  as  that  used  in  the  CLP  extraction  procedure,  except  from  the 
superficial  difference  that  in  [CLP10],  pairs  of  accepting  transcripts  of  WTSSV  proofs  are  collected. 
However,  in  [CLP10]  given  two  different  accepting  transcripts  of  a  WISSV  proof  in  one  right  inter¬ 
action,  a  committed  value  can  be  extracted  directly  using  the  special-soundness  property  without 
over- extraction.  In  this  work,  in  order  to  avoid  the  over-extraction  problem,  the  procedure  for 
reconstructing  the  committed  value  from  two  admissible  transcripts  is  much  more  involved;  we  em¬ 
ploy  the  technique  used  in  [CDSMW08,  CDSMW09,  WeelO]  and  formalize  it  in  the  reconstruction 
procedure  REC. 

Next,  we  formally  describe  the  rewinding  procedure,  which  invokes  the  reconstruction  procedure 
REC  whenever  it  obtains  a  pair  of  admissible  transcripts;  readers  who  are  familiar  with  the  CLP 
extraction  procedure  can  skip  this  part  and  jump  to  the  description  reconstruction  procedure  REC. 

The  Rewinding  Procedure  At  a  high-level,  the  rewinding  procedure  rewinds  A  only  from  safe- 
points.  This  ensures  that  we  do  not  have  to  rewind  the  external  left  execution;  rather,  it  suffices 
to  request  an  additional  design  on  the  left  to  handle  these  rewindings.  But,  as  the  simulator 
needs  to  provide  the  committed  values  in  a  “on-line”  fashion  (i.e. ,  as  soon  as  a  right-interaction 
completes,  the  simulator  needs  to  provide  A  with  decommitment  information  for  this  interaction), 
these  rewindings  might  become  recursive  (if  the  right  interactions  are  nested).  And,  if  we  were 
to  perform  these  rewindings  naively,  the  running-time  quickly  grows  exponentially  (just  as  in  the 
context  of  concurrent  zero  knowledge  [DNS04]).  To  make  sure  that  the  recursion  depth  is  constant, 
we  instead  only  rewind  from  safe-points  p  such  that  the  number  of  new  right-rows  that  start  between 
p  and  the  last  message  of  the  right-row  associated  with  p,  is  “small”;  here,  “small”  is  defined 
appropriately  based  on  the  recursion  level.  More  precisely,  we  say  that  a  safe-point  p  is  d  +  1-good 
for  a  transcript  A  if  less  than  kd  =  M/rj'd  right-rows  start  between  p  and  7P,  where  M  is  an  upper- 
bound  on  the  total  number  of  messages  that  A  sends  or  receives,  and  rf  =  ne'  for  some  constant  e' 
such  that  0  <  e'  <  e.  On  recursion  level  d ,  B*  then  only  rewinds  A  from  d  +  1-good  safe-points. 

Formally,  we  describe  the  rewinding  procedure  using  a  recursive  helper  procedure  EXT.  EXT, 
on  input  an  integer  d  (the  recursion  level),  a  partial  joint  view  V  of  A  and  the  (emulated)  right 
receivers,  the  index  s  of  a  right-row,  a  “repository”  1Z  of  pairs  of  admissible  transcripts  of  the  right 
interactions  that  have  been  previously  collected,  proceeds  as  follows. 

Procedure  EXT(ci,  V,s,lZ):  Let  p  be  the  (partial)  transcript  contained  in  V.  If  d  =  0,  EXT  will 
emulates  a  complete  execution  of  IND  with  the  adversary  A.  If  d  >  0,  it  will  instead  extends  the 
partial  view  V  to  the  completion  of  the  right-row  s;  if  at  any  point  in  the  emulation,  p  is  not  a 
d  +  1-good  safe-point  for  s,  EXT  aborts  and  returns  _L.  Finally,  EXT  returns  the  the  view  Va  of  A 
in  the  emulation  (generated  so  far).  We  now  turn  to  describe  how  EXT  emulates  the  left  and  the 
right  interactions. 

The  left  interaction  is  emulated  by  simply  requesting  the  appropriate  messages  from  the  external 
committer.  At  the  top  level  (i.e.,  d  =  0),  A  participates  in  a  complete  ( C,R )  commitment  on  the 
left,  which  can  be  easily  emulated  by  simply  requesting  the  appropriate  designs  from  C.  At  lower 
levels  (i.e.,  d  >  0),  EXT  cancels  every  execution  in  which  p  is  not  a  safe-point.  Hence  it  only  needs 
to  emulate  the  left  interaction  when  p  is  a  safe-point.  In  this  case,  as  previously  discussed,  A  either 
does  not  request  any  new  messages  on  the  left,  or  only  asks  for  complete  new  rows;  the  former 
case  can  be  trivially  emulated  (by  simply  doing  nothing  or  replaying  old  messages  if  A  asks  for  the 
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third  message  of  a  left  row  again),  in  the  latter  case,  EXT  emulates  the  left  interaction  by  asking 
for  more  designs  from  C . 

On  the  other  hand,  in  the  right  interactions  EXT  follows  the  honest  receiver  strategy  of  (C,  R). 
Furthermore,  whenever  A  completes  a  row  (ar,/3r,  7r)  in  a  right  interaction  j,  EXT  attempts  to 
extract  a  decommitment  for  this  interaction,  if  the  row  (ar,/3r,  jr)  is  associated  with  a  d  +  1-good 
safe-point  p'.  To  extract,  EXT  invokes  itself  recursively  on  input  (d  +  1,  V',  s',  1Z),  where  V'  is  the 
(partial)  joint  view  of  A  and  the  right  receivers  corresponding  to  the  transcript  p\  and  s'  is  the 
index  of  the  right-row  (ay,  /3r,  7r).  It  continues  invoking  itself  recursively  until  one  of  the  recursive 
invocations  returns  a  view  containing  another  accepting  transcript  ( ar ,  /?(.,  j'r)  of  the  s/th  row.  When 
this  happens,  if  (ar,/3r,  jr)  and  (ar,(3'r,  j'r)  are  a  pair  of  admissible  transcripts,  EXT  records  them 
in  the  repository  77.  Later,  whenever  A  expects  the  committed  value  for  a  right  interaction  j,  it 
simply  checks  the  repository  77  for  a  matching  pair  of  admissible  transcripts  71,72,  and  invokes 
REC  with  71,72  and  the  transcript  T  of  the  right  integration  j  to  obtain  the  committed  value  u ;  it 
aborts  and  outputs  fail  if  no  pair  of  admissible  transcripts  is  available  or  the  REC  procedure  returns 
err — we  say  that  EXT  “gets  stuck”  on  interaction  j  in  this  case.  (If  A  expects  the  committed  value 
of  a  right  interaction  that  fails  or  has  the  same  identity  as  the  left,  it  simply  sends  _L  to  A.) 

The  Reconstruction  Procedure  Let  71  =  (ar,/3r,7r)  and  7i  =  (ar,/3',  7')  be  a  pair  of  ad¬ 
missible  transcripts  of  one  row  of  a  right  commitment  T.  Recall  that  Stage  2  in  T  contains  a 
com  commitment  to  the  committed  value  v,  and  each  row  in  T  commits  to  the  lOn  secret  shares 
of  a  decommitment  (v,d)  of  the  com  commitment,  using  Stage  2  of  PTrapCom.  Since  71  and  71 
are  admissible,  they  contain  a  pair  of  admissible  transcripts  of  PTrapCom  for  each  commitment  to 
one  of  the  lOn  share.  Therefore,  by  the  special-soundness  property  of  PTrapCom,  a  value  can  be 
reconstructed  from  each  pair  of  admissible  transcripts  of  PTrapCom  using  the  reconst  procedure; 
if  the  extracted  value  is  not  err,  then  either  the  corresponding  commitment  is  invalid,  or  it  is  and 
the  reconstructed  value  is  the  committed  share.  At  a  high-level,  the  reconstruction  procedure  REC 
uses  this  property  to  try  to  extract  shares  of  the  decommitment  ( v ,  d)  and  then  decode  the  shares 
to  obtain  the  committed  value;  it  utilizes  the  final  cut-and-choose  Stage  in  the  right  commitment 
T  to  avoid  over-extraction.  Formally, 

Procedure  REC(71,72,7~):  For  every  j  G  [lOn],  REC  sets  7^, 7^  to  the  pair  of  admissible  tran¬ 
scripts  of  PTrapCom  for  the  commitment  to  the  jth  secret  share  contained  in  71,71,  and  yj  to  the 
output  of  reconstlTi,  Tj,);  it  aborts  and  outputs  err  if  yj  equals  to  err;  otherwise,  it  sets  the  jth  share 
Sj  to  yj.  After  extracting  all  the  shares  tt  =  (si, . . . ,  sion),  it  recovers  a  valid  codeword  w  that  is 
0.8 -close  to  7 f;  then,  it  checks  whether  w  agrees  with  all  the  shares  revealed  in  the  cut-and-choose 
stage  in  the  right  commitment  T  (that  is,  for  every  i  G  [F],  it  checks  whether  uy  equals  to  the  share 
§i  revealed  for  the  ith  column  in  the  cut-and-choose  stage  in  T);  if  this  holds,  it  decodes  w  to  a 
tuple  (v',d!),  and  outputs  v’  if  (vf,d!)  is  a  valid  decommitment  of  the  Stage  2  com  commitment 
in  T.  It  aborts  and  outputs  _L  whenever  any  of  the  following  events  happens:  (1)  the  extracted 
shares  7 r  is  not  0.8-close  to  any  valid  codeword,  or  (2)  the  codeword  w  does  not  agree  with  any  of 
the  shares  revealed  in  the  cut-and-choose  stage,  or  (3)  the  tuple  ( v',d ')  decoded  from  w  is  not  a 
valid  decommitment  of  the  Stage  2  com  commitment. 

We  now  return  to  the  description  of  B* .  B*  in  interaction  with  C,  simply  invokes  EXT  on 
inputs  (0,  V,  null,  0),  where  V  is  the  initial  joint  states  of  A  and  honest  right  receivers.  Once  EXT 
returns  a  view  Va  of  A,  B*  return  the  output  of  A  in  this  view  if  A  never  used  the  identity  of  the 
left  interaction  in  any  of  the  right  interactions,  and  returns  _L  otherwise.  Furthermore,  to  simplify 
our  analysis,  B*  cuts-off  EXT  whenever  it  runs  for  more  than  2n  steps.  If  this  happens,  B*  halts 
and  outputs  fail. 
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Proof  of  Lemma  7  and  8:  Next  we  proceed  to  show  that  B*  runs  in  expected  polynomial  time 
(Lemma  7)  and  the  output  of  B*  is  correctly  distributed  (Lemma  8). 5  Towards  this,  we  consider 
another  machine  B  that  proceeds  identically  to  B*  except  that  it  has  access  to  an  oracle  O  that  on 
input  an  accepting  transcript  T  of  a  commitment  of  (C,  R),  returns  the  unique  committed  value  of 
that  commitment  if  it  is  valid,  and  returns  _L  if  it  is  invalid  or  has  more  than  one  valid  committed 
value;  furthermore,  B  runs  a  variant  EXT  of  the  recursive  helper  procedure  EXT  that  B*  runs. 
EXT  proceeds  identically  to  EXT  except  that  whenever  A  during  the  rewindings  in  EXT  expects 
the  committed  value  of  a  right  commitment  T  (that  is  accepting  and  has  an  identity  different  from 
that  of  the  left  commitment),  it  queries  the  oracle  O  on  T  and  feeds  A  the  value  v  returned  by 
O.  EXT  still  reconstructs  a  value  v'  for  that  right  interaction  as  EXT  does,  but,  it  does  abort  and 
outputs  fail  as  EXT  does  when  reconstruction  fails;  instead  it  continues  the  execution  and  simply 
outputs  fail  on  a  special  output  tape ;  additionally,  it  outputs  fail  on  a  special  output  tape  if  the 
reconstructed  value  v'  is  different  from  the  value  v  returned  by  O* .  Finally,  as  B*,  B  cuts  the 
execution  of  EXT  after  2n  steps  and  outputs  fail.  Below  we  show  that  the  expected  running  time 
of  B  is  bounded  by  a  polynomial  and  the  output  of  B  in  experiment  STAf,  is  statistically  close  to 
the  view  of  A  in  the  experiment  I N  D&. 

Claim  1.  There  exists  a  polynomial  function  t,  such  that  for  every  b  G  {0,1},  n  G  N  and  z  G 
{0,1}*,  B  in  experiment  STA i((C,  R),  B°,n,z)  takes  t(n)  steps  in  expectation. 

Claim  2.  Let  b  G  {0, 1}.  The  following  ensembles  are  statistically  close. 

•  {STA  b({C,R),B°,n,z)} 

l  )  neN,ze{o,i}* 

•  |lNDb«C',.R>,A,n,z)} 

l  J  ne-/v>e{o,i}* 

Furthermore,  we  show  that  except  with  negligible  probability  the,  during  the  execution  of  B , 
the  probability  that  B  outputs  fail  on  the  special  output  tape  is  negligible. 

Claim  3.  For  every  b  G  {0, 1},  n  G  N  and  z  G  {0, 1}*,  the  probability  that  B  during  the  execution 
of  STA;,((C',  R),  B° ,  n,  z)  outputs  fail  on  its  special  output  tape  is  negligible. 

By  construction,  B  outputs  fail  only  when  during  the  rewindings  in  EXT,  it  fails  to  reconstruct 
a  committed  value  for  a  right  interaction  (that  is  accepting  and  has  an  identity  different  from 
that  of  the  left  commitment),  or  a  value  is  reconstructed  but  is  different  from  that  returned  by 
O.  By  Claim  3,  the  above  event  happens  with  negligible  probability.  In  other  words,  during  the 
execution  of  B,  except  with  negligible  probability,  the  value  B  reconstructs  is  always  identical  to 
that  extracted  by  O* .  Thus,  except  with  negligible  probability,  it  is  equivalent  to  replace  the  values 
returned  by  the  oracle  O  with  the  values  B  reconstructs.  Then  since  the  only  difference  between 
B  and  B*  lies  in  which  values  they  use  to  feed  the  adversary  A  when  it  expects  a  committed  value, 
we  have  that  except  with  negligible  probability,  the  running  time  and  output  distributions  of  B  are 
identical  to  that  of  B* .  Therefore,  combining  Claim  2,  we  directly  have  that  for  every  b  G  {0, 1}, 
the  output  of  B*  in  experiment  STA b{(C,  R),  B° ,  n,  z)  is  statistically  close  to  IND^C,  R),  A,  n,  z), 
which  concludes  Lemma  8.  Furthermore,  By  Claim  1,  the  expected  running  time  of  B  is  bounded 
by  a  polynomial  t;  therefore,  for  every  function  T,  the  probability  that  B  runs  for  more  than  T(n) 
steps  is  no  more  than  p(n)  =  t(n)/T(n);  then,  the  probability  that  B*  runs  for  more  than  T{n ) 

5Though  the  rewinding  strategy  of  B *  is  very  similar  to  that  in  [CLP10],  due  to  the  difference  in  the  reconstruction 
procedure,  the  analysis  of  the  running  time  and  output  distribution  of  B*  is  quite  different  from  that  in  [CLP10]. 
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steps  must  be  bounded  by  p(n)  plus  a  negligible  amount,  which  concludes  Lemma  7.  Now  it  remains 
to  prove  Claim  1,  2  and  3. 

Proof  of  Claim  1 — Running-time  Analysis  of  B. 

To  bound  the  expected  running  time  of  B*,  it  suffices  to  bound  the  expected  running  time  of 
the  procedure  EXT.  Below  in  Subclaim  1  we  first  show  that  the  recursive  depth  of  EXT  is  always 
a  constant,  and  then  bound  the  running  time  of  EXT  in  Subclaim  2. 

Subclaim  1.  There  exists  a  constant  D  such  that  for  every  n  G  N,  and  every  V,  s,  and  1Z, 
EXT (D,V,  s,7Z)  does  not  perform  any  recursive  calls. 

Proof.  Recall  that  at  recursion  level  d,  the  procedure  EXT  terminates  and  returns  _L  whenever  more 
than  kd  =  M (n) /rf  (n)d  new  right-rows  has  started  in  its  execution,  where  M(n )  is  an  upper  bound 
on  the  total  number  of  messages  that  the  adversary  A  may  send  and  receive,  and  r/(n)  equals  to 
n£  for  some  constant  0  <  s'  <  e  <  1.  Let  nc  be  an  upper  bound  on  M(n);  set  D  to  [log^,^  nc~|, 
which  is  a  constant.  When  d  =  D,  kjj  <  1,  which  means  the  execution  terminates  whenever  A 
starts  a  new  right-row.  On  the  other  hand,  EXT  only  makes  a  recursive  call  at  the  completion  of  a 
new  right-row.  Therefore  at  recursion  level  D,  EXT  never  makes  any  recursive  calls.  □ 

Next,  we  show  that  the  expected  number  of  queries  that  EXT  makes  to  A  at  every  recursion 
level  d  <  D  is  always  bounded  by  a  polynomial. 

Subclaim  2.  For  every  0  <  d  <  D,  it  holds  that  for  every  n  G  N,  V ,  s,  and  TZ,  the  expected 
number  of  queries  that  EXT (d,V,s,lZ)  makes  to  A  is  bounded  by  9{d)  =  M (n)3(-D~d+1\ 

Proof.  Consider  some  fixed  V,  s  and  TZ.  We  prove  the  subclaim  by  induction  on  d.  When  d  =  D, 
the  claim  follows,  since  EXT  does  not  perform  any  recursive  calls  and  the  number  of  queries  made 
by  EXT  can  be  at  most  the  total  number  of  messages,  which  is  M  =  M(n). 

Assume  the  claim  is  true  for  d  =  d'  +  1.  We  show  that  it  holds  also  for  d  =  d' .  The  procedure 
EXT  simulates  an  execution  with  A  in  a  straight-line  on  recursion  level  d' .  until  it  encounters  the 
completion  of  a  right-row  s  that  has  a  d!  +  1-good  safe-point  p,  then  it  tries  to  obtain  another 
transcript  of  s,  by  repeatedly  invoking  EXT  on  recursion  level  d!  +  1  from  (the  partial  transcript)  p. 
Hence,  the  number  of  queries  made  by  EXT  is  bounded  by  the  sum  of  the  number  of  queries  made 
on  level  d' ,  and  the  queries  made  by  the  recursive  calls:  the  former  is  at  most  the  total  number  of 
messages,  that  is,  M,  while  the  latter  is  bounded  by  the  sum  of  the  queries  made  by  those  recursive 
calls  invoked  for  every  right-row  s.  Furthermore  we  compute  the  expected  number  of  queries  made 
by  the  recursive  calls  for  a  right-row  s  by  taking  expectation  over  all  partial  transcript  that  is 
potentially  a  d'-good  safe-point  for  s.  let  R  denote  the  set  of  all  partial  transcripts  of  length  i  that 
are  consistent  with  V;  for  every  p  G  Tj,  we  denote  by  Pr  \p  occurs  on  level  d']  the  probability  that 
p  occurs  (in  the  simulation)  on  level  d\  and  E[Qsd,(p)\p\  the  expected  number  of  queries  made  by 
the  recursive  calls  started  from  p  for  the  right-row  s,  conditioned  on  p  occurring  on  level  d' .  Then 

Li  [number  of  queries  by  EXT]  =  M  +  EEE  Pr[p  occurs  on  level  d']  E[Qsd,(p)\p] 

s  i  pGTi 

Next  we  bound  E[Qsd,(p)\p]  in  two  steps:  the  first  step  bounds  the  expected  number  of  recursive 
calls  started  from  p  for  proof  s,  and  the  second  step  uses  the  induction  hypothesis  to  derive  a  bound 
on  E[Qsd,(p)\p\. 

Step  1  :  Given  a  partial  transcript  p  from  L* ,  let  psd,(p )  denote  the  probability  that  conditioned  on 
p  occurring  on  level  d',  EXT  starts  recursive  calls  from  p  for  the  right-row  s,  which  happens  if  and 
only  if  p  is  a  d'  +  1-good  safe-point  for  proof  s,  that  is, 

Pd'(p)  =  Pr  [  p  is  d'  +  1-good  at  level  d!  \  p] 
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When  this  happens,  EXT  repeatedly  calls  itself  on  recursion  level  d!  + 1,  until  an  invocation  succeeds 
without  cancelling.  Let  qd,(p)  denote  the  probability  that  conditioned  on  p  occurring  on  level  d! ,  a 
recursive  call  to  EXT  on  level  d'  +  1  succeeds  without  cancelling.  Since  an  invocation  is  cancelled 
if  and  only  if  p  fails  to  be  a  d!  +  1-good  safe-point  for  s  in  the  invocation  on  level  d'  +  1,  we  have 

qsd,  ( P )  =  Pr  [  p  is  d'  +  1-good  at  level  d'  +  1  |  p] 

We  claim  that  qd,  (p)  >  psdi(p)-  This  is  because,  conditioned  on  p  occurring,  the  view  of  A  on  levels 
d!  and  d!  +  1  are  simulated  identically:  on  both  levels  d!  and  d!  +  1,  EXT  emulates  messages  in  the 
commitments  of  ( C ,  R)  for  A  perfectly;  and  furthermore,  whenever  A  expects  a  committed  value  of 
a  right  interaction,  EXT  sends  it  the  value  returned  by  the  oracle  O* ,  which  is  deterministic;  thus 
A  always  receives  the  same  value  on  both  level  d'  and  d'  +  1. 

Then  conditioned  on  p  occurring  on  level  d' ,  the  expected  number  of  recursive  invocations 
to  level  d!  +  1  before  encountering  a  successful  one  is  l/qd,(p).  Since  EXT  only  starts  recursive 
invocations  from  p  with  probability  pdi{p),  we  have  that  the  expected  number  of  recursive  calls 
from  p  for  proof  s,  conditioned  on  p  occurring  on  level  d\  is  at  most  psdi{p)/qdi(p )  <  1. 

Step  2  :  From  the  induction  hypothesis,  we  know  that  the  expected  number  of  queries  made  by  an 
invocation  of  EXT  on  level  d!  + 1  is  at  most  9{d'  +  1).  Therefore,  if  u  recursive  invocations  are  made 
from  p  for  a  right  row  s,  the  expected  number  of  queries  made  is  bounded  by  u6(d'  +  1).  Then  we 
bound  E[Qsd,(p)\p\  as  follow: 


e\QTM\A  <  E  Pr  [u  recursive  calls  are  made  from  p  for  s]  u  8(d'  +  1) 


uGN 


9{d!  +  1)  ]Tpr  [u  recursive  calls  are  made  from  p  for  s]  u 


u£N 


<  0{d!  +  1) 


Therefore, 


E  [number  of  queries  by  EXT]  <  M  +  Pr  [p  occurs  on  level  d']  6(d'  +  1) 

s  i  pGTi 

=  M  +  6(d'  +  1)  ^  ^  ^  Pr  [p  occurs  on  level  d'] 

s  i  peTi 

=  M  +  9(d'  +  l)M2 

<  Af3(D-T+l)  = 


□ 

Combining  Subclaim  1  and  2,  we  conclude  that  the  expected  running  time  of  machine  B  is 
bounded  by  a  polynomial  t'(n).  This  concludes  Claim  1. 

Proof  of  Claim  2 — Correctness  of  the  Output  distribution  of  B.  We  show  that  for  every 
b  G  {0,1},  the  output  of  B  in  STA b((C ,  R) ,  B° , n, z)  is  statistically  close  to  IND^C,  R),  A,  n,  z). 
Towards  this,  we  show  that  conditioned  on  that  B  does  not  output  fail  in  STA i((C,R),Bc>,n,z), 
the  output  of  B  is  identically  distributed  to  IND;,((C,  R),  A,  n,  z).  By  construction,  B  invokes  the 
recursive  helper  procedure  EXT  (at  the  top  recursion  level  d  =  0)  and  outputs  fail  if  EXT  runs  for 
more  than  2n  steps.  Conditioned  on  B  not  outputting  fail,  B  returns  the  output  of  A  contained  in 
the  simulated  view  Va  returned  by  EXT.  As  in  INDf,((C,  R),A ,  n,  z ),  the  output  is  replaced  with  _L 
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if  A  copies  the  identity  of  the  left  interaction  in  any  right  interaction.  Hence  it  suffices  to  show  that 
in  the  case  where  A  does  not  copy  the  identity  of  the  left  interaction,  EXT  simulates  the  messages  in 
the  left  and  right  interactions  for  A  perfectly.  By  construction  of  EXT,  all  the  messages  belonging 
to  the  commitments  of  ( C ,  R)  (both  on  the  left  and  right)  are  simulated  perfectly;  furthermore, 
EXT  emulates  the  committed  values  of  the  right  commitments  using  the  values  returned  by  the 
oracle  O,  which  are  identical  to  the  values  extracted  by  the  committed- value  oracle  O  of  (C,R). 
Therefore,  the  simulated  view  of  A  output  by  EXT  is  identically  distributed  to  the  real  view  of  A  in 
IND5.  Finally,  by  Claim  1,  the  probability  that  B  runs  for  more  than  2n  steps  is  exponentially  small. 
Therefore  we  conclude  that  STA&((C,  R),  D° ,  n,  z)  is  statistically  close  to  IND^C,  R),  A,  n,  z). 

Proof  of  Claim  3 — B  almost  never  outputs  fail.  Assume  for  contradiction  that  there  exist 
a  polynomial  p,  b  G  {0, 1}  and  an  infinitely  number  of  n  G  N  and  z  G  {0, 1}*  such  that  B  in 
experiment  STA b((C,  R),  B° ,  n,  z)  outputs  fail  with  probability  l/p{n).  Fix  a  b,  n,  and  z  for  which 
this  holds.  Then  by  Claim  1,  the  probability  that  B  runs  for  more  than  T{n)  =  2 t(n)p(n)  steps 
is  no  more  than  1/2 p(n),  where  t(n)  is  the  expected  running  time  of  B.  Then  consider  another 
machine  Bt  that  proceeds  identically  to  B  except  that  it  cuts-off  the  execution  after  T(n )  steps. 
We  have  that  Bt  takes  a  strict  polynomial  number  T(n)  of  steps  and  the  probability  that  Bt 
outputs  fail  is  at  least  l/2p(n). 

Now  consider  another  machine  B f  that  proceeds  identically  to  B*  except  that  it  also  cuts- 
off  the  execution  after  T(n )  steps.  We  claim  that  in  the  experiment  STA5,  Bf  outputs  fail  or 
reconstructs  a  value  for  a  right  interaction  that  is  not  the  valid  committed  value  with  polynomial 
probability.  Assume  for  contradiction  that  this  is  false,  that  is,  except  with  negligible  probability, 
Bf  always  succeeds  in  reconstructing  a  valid  committed  value  whenever  the  adversary  expects  a 
committed  value  during  the  rewindings.  Then  except  with  negligible  probability,  the  committed 
values  emulated  by  Bp  are  identical  to  that  emulated  by  Bt-  Therefore,  the  simulated  view  of 
A  in  Bp  is  statistically  close  to  that  in  Bt-  This  implies  that  except  with  negligible  probability, 
Bt  also  always  succeeds  in  reconstructing  a  valid  committed  value  whenever  the  adversary  expects 
one.  Thus  Bt  outputs  fail  only  with  negligible  probability,  which  contradicts  with  our  hypothesis. 
Therefore  with  polynomial  probability,  Bp  fails  to  extract  a  valid  committed  value  for  some  right 
interaction  during  its  execution. 

Below  we  reach  a  contradiction  by  showing  that  the  probability  that  Bp  outputs  fail  (Subclaim  3) 
and  the  probability  that  Bp  reconstructs  a  value  that  is  not  the  value  committed  value  are  negligible. 

Subclaim  3.  For  every  b  G  {0,1},  n  &  N  and  z  G  {0,1}*,  the  probability  that  Bp  outputs  fail 
during  the  execution  of  STA{,((CI,  R),  Bp,  n,  z)  is  negligible. 

Subclaim  4.  For  every  b  G  {0, 1},  n  G  N  and  z  G  {0, 1}*,  the  probability  that  there  exists  a  right 
interaction  that  is  accepting  and  has  an  identity  different  from  that  of  the  left  interaction,  for  which 
Bp  reconstruct  a  value  that  is  not  the  valid  committed  value  in  STA&((C,  R),  Bp,  n,  z)  is  negligible. 

Proof  of  Subclaim  3.  Consider  a  fixed  b  G  {0,1}.  By  construction,  Bp  outputs  fail  if  and  only  if 
one  of  the  following  cases  occurs  (in  which  B*  outputs  fail). 

Case  1:  None  of  the  rows  in  the  right  interaction  is  rewound. 

Case  2:  Some  row  is  rewound  and  a  pair  of  accepting  transcripts  of  that  row  is  collected,  but  that 
pair  of  transcripts  is  not  admissible. 

Case  3:  A  pair  of  admissible  transcripts  is  collected,  but  the  REC  construction  invoked  with  them 
outputs  err. 
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Below  we  analyze  the  probabilities  that  each  of  the  above  cases  occurs.  We  show  that  all  these 

events  occur  with  only  negligible  probability.  Therefore,  overall  the  probability  that  B outputs 

fail  is  negligible. 

Analysis  of  Case  1:  We  show  that  Case  1  never  happens.  More  precisely,  for  every  accepting 
right  interaction  j  with  a  different  identity  from  the  left  interaction,  one  of  its  rows  must 
be  rewound.  By  Lemma  6,  there  exist  a  number  of  £l(r](n))  non-overlapping  rows  in  the 
right  interaction  j  that  has  a  safe-point.  Recall  that  in  B j,  (more  precisely,  in  EXT),  a  right 
interaction  may  be  carried  out  at  multiple  different  recursion  levels  (through  recursive  calls); 
and  at  level  d,  B ^  rewinds  every  row  in  this  interaction  that  has  a  d+  1-good  safe-point.  By 
Subclaim  1,  the  recursion  depth  is  only  a  constant;  hence  there  must  be  a  level  d,  on  which 
a  number  of  Q(rj(n))  non-overlapping  rows  with  a  safe-point  start  in  interaction  j.  Since  the 
total  number  of  right-rows  that  start  on  level  d  is  bounded  by  kj  =  M/rf(n)d  (otherwise, 
the  simulation  is  cancelled)  and  ?/(n)  =  0(77(71)),  there  must  exist  one  right-row  that  has  a 
safe-point  p ,  such  that  there  are  less  than  M/rf  (n)d+1  right-rows  starting  in  between  p  and 
the  last  message  of  the  row.  Therefore  p  is  a  d  +  1-good  safe-point  for  this  right-row,  and  will 
be  rewound. 

Analysis  of  Case  2:  Recall  that  a  transcript  of  one  row  consists  of  a  polynomial  number  of  par¬ 
allel  commitments  using  Stage  2  of  PTrapCom,  each  of  which  consists  of  a  polynomial  number 
of  parallel  commitments  using  ExtCom.  For  a  pair  of  transcripts  of  one  row  to  be  admissible, 
it  must  hold  that  all  the  pairs  of  transcripts  it  contains  for  each  commitment  of  ExtCom 
are  admissible  w.r.t.  ExtCom,  that  is,  the  two  n-bit  challenges  in  that  pair  of  transcripts  are 
different.  Therefore,  a  pair  of  transcripts  of  a  row  is  admissible  if  and  only  if  the  two  chal¬ 
lenge  messages  it  contains,  which  are  two  tuples  of  a  polynomial  number  q  of  n-bit  strings 
a  =  (ai, . . . ,  aq),  /3  =  (/? i, . . . ,  (3q),  are  different  at  every  location,  that  is,  a*  ^  fa  for  every 
i  €  [q]. 

We  bound  the  probability  that  any  n-bit  challenge  message  is  picked  twice  in  whole  execution 
of  B?p  to  be  negligible.  Then  since  conditioned  on  this  not  happening,  every  two  accepting 
transcripts  of  a  row  are  admissible,  we  conclude  that  this  case  happens  with  negligible  prob¬ 
ability.  Since  B j,  runs  for  at  most  T(n)  steps,  it  picks  at  most  T(n )  n-bit  challenges  during 
the  whole  execution.  By  applying  the  union  bound,  we  obtain  that,  the  probability  that  a 
challenge  /3  is  picked  again  is  at  most  ^r~,  and  hence,  using  the  union  bound  again,  the 
probability  that  any  challenge  in  the  execution  is  picked  twice  is  at  most  T(n)^^.  Hence, 
overall,  the  probability  that  this  case  occurs  is  negligible. 

Analysis  of  Case  3:  Let  71,  71  be  a  pair  of  admissible  transcripts  of  one  row  of  an  accepting 
commitment  T  of  ( C,R ).  The  REC  procedure,  on  input  71,72,T,  outputs  err  if  and  only  if 
one  of  the  invocations  to  the  reconst  procedure  returns  err.  Then  by  Lemma  4,  the  receiver’s 
challenge  in  T,  which  is  shared  among  all  the  TrapCom  commitments  in  7”,  can  be  computed 
efficiently  and  deterministically  from  71  and  71- 

Then,  suppose  for  contradiction  that,  there  exists  a  polynomial  g,  such  that  for  infinitely 
many  n  e  N  and  z,  case  3  occurs  with  probability  at  least  1  /g(n)  during  the  execution  of  B 
Then  the  probability  that  case  3  occurs  in  a  randomly  chosen  right  interaction  in  B j,  is  at 
least  1  /g(n)T(n).  In  other  words,  with  polynomial  probability,  for  a  randomly  chosen  right 
interaction  in  T>^,  REC  is  invoked  and  outputs  err;  then  by  the  argument  above,  the  receiver’s 
challenge  in  this  randomly  chosen  right  interaction  can  be  computed  efficiently  from  the  pair 
of  admissible  transcripts  collected  for  this  interaction  (as  input  to  REC).  Furthermore,  we 
note  that  in  B^,  a  pair  of  admissible  transcripts  is  collected  (if  at  all)  for  a  right  interaction, 
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before  Stage  3  of  that  right  interaction  starts,  and  thus  before  the  com  commitment  to  the 
receiver’s  challenge  is  opened.  Therefore  we  can  use  B*  to  violate  the  hiding  property  of  com. 

More  precisely,  we  construct  a  machine  A*  that  violates  the  hiding  property  of  com.  A*  on 
input  a  com  commitment  c  to  a  random  n-bit  string  e,  internally  emulates  an  interaction 
between  C  and  B except  that  it  picks  a  random  right  interaction  (in  simulation  by  B f) 
and  feeds  c  as  the  Stage  1  message  of  that  interaction;  furthermore,  after  a  pair  of  admissible 
transcripts  71 ,  T2  is  collected  for  this  right  interaction,  A*  computes  a  challenge  e!  as  described 
above;  then,  it  aborts  and  outputs  e' .  Since  A*  emulates  an  interaction  between  C  and 
Bf  perfectly  before  it  aborts,  the  probability  case  3  happens  in  a  randomly  chosen  right 
interaction  in  A*  is  identical  to  that  in  a  randomly  chosen  right  interaction  in  B f,  which 
is  1  / g{ri)T(n).  Thus  with  polynomial  probability,  the  challenge  computed  by  A*  is  the  real 
challenge  committed  to  in  c.  Thus  A*  violates  the  hiding  property  of  com. 


□ 

Proof  of  Subclaim  4 ■  Consider  a  fixed  b  e  {0, 1},  n,  z  and  a  fixed  right  interaction  j  e  [T(n)],  we 
show  that  the  probability  that  Bf  reconstructs  a  value  for  the  right  interaction  that  is  not 
the  valid  committed  value  is  negligible.  Then  it  follows  from  a  union  bound  that  the  probability 
that  Bf  reconstructs  a  value  that  is  not  the  valid  committed  value  in  any  right  interaction  is  also 
negligible.  If  a  value  is  reconstructed  successfully  for  the  jth  right  interaction  T,  it  must  be  the 
case  that  interaction  j  is  accepting,  and  a  pair  of  admissible  transcripts  71 ,  7!  is  collected  and 
REC(71, 72,  T)  =  x  /  err  in  Bf.  Then  we  show  that  except  with  negligible  probability,  x  must  be 
the  committed  value  in  T. 

Each  row  of  a  commitment  of  ( C,R )  contains  lOn  commitments  of  TrapCom.  It  follows  from 
the  strong  computational  binding  property  (see  Lemma  5)  of  TrapCom  that  the  probability  that 
any  of  the  TrapCom  commitments  generated  by  machine  Bf  has  two  valid  committed  value  is 
negligible.6  Therefore,  the  shares  committed  to  using  TrapCom  in  the  jth  right  interaction  T  are 
uniquely  defined;  let  s) ,  ■  ■  ■  ,  s?10n  be  the  committed  shares  in  the  ith  row  of  T  (s\.  is  set  to  T  if 
the  kth  commitment  in  the  ith  row  is  invalid).  We  say  a  column  k  is  inconsistent  if  it  contains 
a  s %  equals  to  T  or  two  ,  s  ■’)  that  are  different;  we  claim  that  the  probability  that  there  are 
more  than  n  inconsistent  columns  in  the  jth  right  interaction  is  negligible.  Recall  that  in  the  cut- 
and-choose  stage  of  the  right  interaction  j,  Blf  emulates  the  honest  receiver’s  message  by  sending 
a  randomly  chosen  subset  T  of  size  n;  since  the  jth  right  interaction  is  accepting,  the  adversary 
A  must  successfully  reveal  all  the  commitments  in  each  column  in  T  to  the  same  value;  therefore 
all  the  columns  in  T  are  consistent.  Since  T  is  chosen  at  random,  the  probability  that  the  jth 
right  interaction  contains  more  than  n  inconsistent  columns,  but  none  of  them  is  chosen  in  T 
is  exponentially  small.  Therefore,  except  with  negligible  probability,  at  least  0.9  fraction  of  the 
columns  are  consistent. 

Now  we  are  ready  to  show  that  the  value  x  returned  by  the  procedure  REC  on  input  a  pair 
of  admissible  transcripts  71 , 71  of  the  kth  row  of  the  right  commitment  T  is  the  valid  committed 
value.  From  71,72,  the  procedure  RECextracts  lOn  values  ,  .§^0n  corresponding  to  the  lOn 

shares  committed  to  in  the  kth  row  of  T.  Then  consider  the  following  two  possible  cases: 

In  the  first  case,  the  shares  s},---  ,  s{0r)  committed  to  in  the  first  row  of  T  is  0.9-close  to  a 
valid  code  w.  Since  except  with  negligible  probability,  at  least  0.9  fraction  of  the  columns 
are  consistent,  by  the  special  soundness  of  TrapCom,  the  extracted  shares  §1 ,  •••  ,  5^0n  and 
with  s},  •  •  •  ,  s}0n  agree  with  each  other  at  no  less  than  0.9  fraction  of  positions.  Therefore 

6This  also  relies  on  the  fact  that  TrapCom  is  a  generalized  public-coin  protocol,  in  the  sense,  that  given  a  partial 
transcript  of  a  commitment  of  TrapCom,  messages  from  the  honest  receiver  continuing  from  that  partial  transcript 
can  be  emulated  efficiently,  by  simply  sending  random  strings. 
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Si,  •  •  •  ,  skWn  is  0.8-close  to  w.  Therefore  the  procedure  REC  will  recover  w  uniquely.  Then  if  w 
agrees  with  all  the  shares  opened  in  the  cut-and-choose  stage  in  T,  the  valid  committed  value 
is  the  value  v  encoded  in  w;  in  this  case,  REC  also  performs  the  same  check  and  will  output 
v  as  the  committed  value  correctly.  On  the  other  hand,  if  w  disagrees  with  one  of  the  shares 
opened  in  the  cut-and-choose  stage  in  T,  the  commitment  is  invalid  and  the  committed  value 
is  set  to  _L;  in  this  case  REC  performing  the  same  check,  will  also  return  _L  correctly. 

In  the  second  case,  the  shares  s},  •  •  •  ,  s ] 0n  committed  to  in  the  first  row  of  T  is  0.1-far  away 
from  every  valid  code  w.  In  this  case,  the  commitment  T  is  invalid  and  the  committed  value  is 
set  to  _L.  We  show  that  in  this  case,  the  probability  that  the  procedure  REC  does  not  output 
_L  is  negligible.  If  REC  outputs  a  value  v'  /  _L,  it  must  be  the  case  that  s^',  •  •  •  ,  Sj;0n  is  0.8-close 
to  a  valid  codeword  w'  that  encodes  v' .  By  our  hypothesis,  sj,  •  •  •  ,  sj0n  is  0.1-far  away  from 
w' .  Since  T  is  accepting,  all  the  columns  in  T  are  consistent,  and  thus  the  shares  revealed 
in  the  cut-and-choose  stage  equals  to  {s^}?;gr  /  _L.  By  construction  of  REC,  it  outputs  v' 
only  if  w'  agrees  with  all  the  shares  revealed  in  the  cut-and-choose  stage,  that  is,  si  =  w[  for 
every  i  £  T.  However,  since  the  set  T  is  chosen  at  random  by  the  honest  receiver  (emulated 
by  B ^),  the  probability  that  w'  disagrees  with  sj,  •  •  •  ,  sj0n  at  more  than  n  locations  but  none 
of  them  is  selected  in  T  is  exponentially  small.  Therefore,  except  with  negligible  probability, 
REC  outputs  _L  correctly. 

Combining  the  above  two  cases,  we  conclude  that,  except  with  negligible  probability,  the  values 
reconstructed  by  REC  must  be  the  valid  committed  value.  □ 

B.3.3  Proof  of  Robustness 

In  this  section,  we  extend  the  proof  in  the  last  section  to  show  that  (C,R)  is  also  robust  w.r.t. 
the  committed-value  oracle  O.  Towards  this,  we  need  to  show  that  for  every  k  <  n(n),  and  every 
VVT  adversary  A.  there  exists  a  simulator  S,  such  that,  for  every  WT  fc-round  ITM  B ,  the 
interaction  between  B  and  A  with  access  to  O  is  indistinguishable  from  that  between  B  and  S. 
The  construction  of  the  simulator  is  similar  to  that  in  [CLP  10],  but  the  correctness  follows  from  a 
proof  similar  to  the  proof  of  CCA  in  the  last  section.  For  completeness,  we  provide  the  construction 
of  S  below;  but  omit  the  proof. 

Given  an  adversary  A,  and  a  constant  k,  the  construction  of  the  simulator  S  is  very  similar  to 
that  of  B*  in  the  last  section.  On  a  high-level,  S  externally  interacts  with  an  arbitrary  /c-round 
ITM  B,  and  internally  simulates  an  execution  between  B  and  A° ,  by  forwarding  messages  from  B 
internally  to  A,  while  concurrently  extracting  the  committed  values  of  the  right  interactions  from  A 
to  simulate  O.  The  extraction  strategy  of  S  is  essentially  the  same  as  that  used  by  B *:  it  recursively 
rewinds  A  over  the  rows  in  Stage  2  of  the  protocol  to  extract  the  committed  values,  except  that,  here 
the  goal  is  to  make  sure  that  the  left  interaction  with  B  is  never  rewound,  (instead  of  the  goal  of 
ensuring  that  the  left  interaction  remains  hiding  (in  B *)).  This  is  achieved  by  rewinding  only  those 
right-rows  that  do  not  interleave  with  any  messages  in  the  left  interaction,  and  cancelling  every 
rewinding  in  which  the  right-row  interleaves  with  a  left-message.  More  precisely,  consider  the  notion 
of  R-safe- point  (which  is  in  analogous  to  the  notion  of  safe- point) — a  prefix  p  of  a  transcript  A  is  a 
R-safe-point  for  a  right-row  (a,  f3, 7)  if  it  includes  all  the  messages  in  A  up  to  a  (inclusive),  and  that 
no  left-message  is  exchanged  in  between  p  and  7.  Then  S  simply  runs  the  procedure  EXTdehned  in 
the  last  section  internally,  except  that  it  replaces  the  notion  of  safe-point  with  R-safe-point,  and  that 
it  simulates  the  left  interaction  with  A  by  forwarding  the  messages  between  A  and  B;  everything 
else  remains  the  same.  Then  it  follows  from  the  fact  that  S  always  rewinds  A  from  a  R-safe-point  p, 
and  cancels  every  rewindings  in  which  p  is  not  a  R-safe-point,  the  left  interaction  is  never  rewound. 
Furthermore,  since  the  left  interaction  with  B  consists  of  only  k  <  n(n)  rounds,  and  the  protocol 
( C ,  R)  contains  at  least  n(n)  +  77(71)  rows,  there  exist  at  least  77  =  ne  R-safe-point  in  every  successful 
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right  interaction.  Then,  it  follows  from  the  same  proof  as  in  Claim  7  and  Claim  8  that  there  is  a 
polynomial  t,  such  that  the  probability  that  S  takes  more  than  T(n)  steps  is  smaller  than  t(n)/T(n ) 
plus  a  negligible  amount,  and  that  the  joint  output  of  S  and  B  is  indistinguishable  from  that  of 
A°  and  B. 

C  Model  of  Security 

C.l  UC  and  Global  UC  security 

We  briefly  review  UC  and  externalized  UC  (EUC)  security.  For  full  details  see  [CanOO,  CDPW07]. 
The  original  motivation  to  define  EUC  security  was  to  capture  settings  where  all  ITMs  in  the  system 
have  access  to  some  global,  potentially  trusted  information  (such  as  a  globally  available  public  key 
infrastructure  or  a  bulletin  board)  [CDPW07].  Here  however  we  use  the  EUC  formalism  to  capture 
the  notion  of  global  helper  functionalities  that  are  available  only  to  the  corrupted  parties. 

We  first  review  the  model  of  computation,  ideal  protocols,  and  the  general  definition  of  securely 
realizing  an  ideal  functionality.  Next  we  present  hybrid  protocols  and  the  composition  theorem. 

The  basic  model  of  execution.  Following  [GMR89,  GolOl],  a  protocol  is  represented  as  an 
interactive  Turing  machine  (ITM),  which  represents  the  program  to  be  run  within  each  participant. 
Specifically,  an  ITM  has  three  tapes  that  can  be  written  to  by  other  ITMs:  the  input  and  subroutine 
output  tapes  model  the  inputs  from  and  the  outputs  to  other  programs  running  within  the  same 
“entity”  (say,  the  same  physical  computer),  and  the  incoming  communication  tapes  and  outgoing 
communication  tapes  model  messages  received  from  and  to  be  sent  to  the  network.  It  also  has  an 
identity  tape  that  cannot  be  written  to  by  the  ITM  itself.  The  identity  tape  contains  the  program 
of  the  ITM  (in  some  standard  encoding)  plus  additional  identifying  information  specified  below. 
Adversarial  entities  are  also  modeled  as  ITMs. 

We  distinguish  between  ITMs  (which  represent  static  objects,  or  programs)  and  instances  of 
ITMs ,  or  ITIs,  that  represent  interacting  processes  in  a  running  system.  Specifically,  an  ITI  is 
an  ITM  along  with  an  identifier  that  distinguishes  it  from  other  ITIs  in  the  same  system.  The 
identifier  consists  of  two  parts:  A  session-identifier  (SID)  which  identifies  which  protocol  instance 
the  ITI  belongs  to,  and  a  party  identifier  (PID)  that  distinguishes  among  the  parties  in  a  protocol 
instance.  Typically  the  PID  is  also  used  to  associate  ITIs  with  “parties” ,  or  clusters,  that  represent 
some  administrative  domains  or  physical  computers. 

The  model  of  computation  consists  of  a  number  of  ITIs  that  can  write  on  each  other’s  tapes 
in  certain  ways  (specified  in  the  model).  The  pair  (SID, PID)  is  a  unique  identifier  of  the  ITI 
in  the  system.  With  one  exception  (discussed  within)  we  assume  that  all  ITMs  are  probabilistic 
polynomial  time. 

Security  of  protocols.  Protocols  that  securely  carry  out  a  given  task  (or,  protocol  problem) 
are  defined  in  three  steps,  as  follows.  First,  the  process  of  executing  a  protocol  in  an  adversarial 
environment  is  formalized.  Next,  an  “ideal  process”  for  carrying  out  the  task  at  hand  is  formalized. 
In  the  ideal  process  the  parties  do  not  communicate  with  each  other.  Instead  they  have  access  to 
an  “ideal  functionality,”  which  is  essentially  an  incorruptible  “trusted  party”  that  is  programmed 
to  capture  the  desired  functionality  of  the  task  at  hand.  A  protocol  is  said  to  securely  realize  an 
ideal  functionality  if  the  process  of  running  the  protocol  amounts  to  “emulating”  the  ideal  process 

7An  ITM  is  VVT  if  there  exists  a  constant  c  >  0  such  that,  at  any  point  during  its  run,  the  overall  number  of 
steps  taken  by  M  is  at  most  nc,  where  n  is  the  overall  number  of  bits  written  on  the  input  tape  of  M  in  this  run.  In 
fact,  in  order  to  guarantee  that  the  overall  protocol  execution  process  is  bounded  by  a  polynomial,  we  define  n  as  the 
total  number  of  bits  written  to  the  input  tape  of  M,  minus  the  overall  number  of  bits  written  by  M  to  input  tapes  of 
other  ITMs\  see  [CanOl]. 
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for  that  ideal  functionality.  Below  we  overview  the  model  of  protocol  execution  (called  the  real-life 
model),  the  ideal  process,  and  the  notion  of  protocol  emulation. 

The  model  for  protocol  execution.  The  model  of  computation  consists  of  the  parties  running 
an  instance  of  a  protocol  n,  an  adversary  A  that  controls  the  communication  among  the  parties,  and 
an  environment  Z  that  controls  the  inputs  to  the  parties  and  sees  their  outputs.  We  assume  that  all 
parties  have  a  security  parameter  k  G  N.  (We  remark  that  this  is  done  merely  for  convenience  and 
is  not  essential  for  the  model  to  make  sense).  The  execution  consists  of  a  sequence  of  activations, 
where  in  each  activation  a  single  participant  (either  Z ,  A,  or  some  other  ITM)  is  activated,  and  may 
write  on  a  tape  of  at  most  one  other  participant,  subject  to  the  rules  below.  Once  the  activation 
of  a  participant  is  complete  (i.e.,  once  it  enters  a  special  waiting  state),  the  participant  whose  tape 
was  written  on  is  activated  next.  (If  no  such  party  exists  then  the  environment  is  activated  next.) 

The  environment  is  given  an  external  input  z  and  is  the  first  to  be  activated.  In  its  first 
activation,  the  environment  invokes  the  adversary  A,  providing  it  with  some  arbitrary  input.  In 
the  context  of  UC  security,  the  environment  can  from  now  on  invoke  (namely,  provide  input  to) 
only  ITMs  that  consist  of  a  single  instance  of  protocol  tt.  That  is,  all  the  ITMs  invoked  by  the 
environment  must  have  the  same  SID  and  the  code  of  tt.  In  the  context  of  EUC  security  the 
environment  can  in  addition  invoke  an  additional  ITI  that  interacts  with  all  parties.  We  call  this 
ITI  the  helper  functionality,  denoted  T~L. 

Once  the  adversary  is  activated,  it  may  read  its  own  tapes  and  the  outgoing  communication 
tapes  of  all  parties.  It  may  either  deliver  a  message  to  some  party  by  writing  this  message  on 
the  party’s  incoming  communication  tape  or  report  information  to  Z  by  writing  this  information 
on  the  subroutine  output  tape  of  Z .  For  simplicity  of  exposition,  in  the  rest  of  this  paper  we 
assume  authenticated  communication;  that  is,  the  adversary  may  deliver  only  messages  that  were 
actually  sent.  (This  is  however  not  essential  since  authentication  can  be  realized  via  a  protocol, 
given  standard  authentication  infrastructure  [Can04].) 

Once  a  protocol  party  (i.e.,  an  ITI  running  tt)  is  activated,  either  due  to  an  input  given  by  the 
environment  or  due  to  a  message  delivered  by  the  adversary,  it  follows  its  code  and  possibly  writes 
a  local  output  on  the  subroutine  output  tape  of  the  environment,  or  an  outgoing  message  on  the 
adversary’s  incoming  communication  tape. 

The  protocol  execution  ends  when  the  environment  halts.  The  output  of  the  protocol  execution 
is  the  output  of  the  environment.  Without  loss  of  generality  we  assume  that  this  output  consists 
of  only  a  single  bit. 

Let  exec^ ,A,z(,k,z,r)  denote  the  output  of  the  environment  Z  when  interacting  with  parties 
running  protocol  tt  on  security  parameter  k,  input  z  and  random  input  r  =  rz,  va,  ri,  ^2,  •••  as 
described  above  (z  and  rz  for  Z\  r a  for  A,  r*  for  party  Pt).  Let  EXEC n,A,z{k,z)  denote  the 
random  variable  describing  EXEC7rjJ4i^(/c,  z,  r)  when  r  is  uniformly  chosen.  Let  exec^^z  denote 
the  ensemble  {EXECViA,z(k>  z)}fee;v,ze{o,i}*- 

Ideal  functionalities  and  ideal  protocols.  Security  of  protocols  is  defined  via  comparing  the 
protocol  execution  to  an  ideal  protocol  for  carrying  out  the  task  at  hand.  A  key  ingredient  in  the 
ideal  protocol  is  the  ideal  functionality  that  captures  the  desired  functionality,  or  the  specification, 
of  that  task.  The  ideal  functionality  is  modeled  as  another  ITM  (representing  a  “trusted  party”) 
that  interacts  with  the  parties  and  the  adversary.  More  specifically,  in  the  ideal  protocol  for 
functionality  T  all  parties  simply  hand  their  inputs  to  an  ITI  running  T .  (We  will  simply  call  this 
ITI  T .  The  SID  of  T  is  the  same  as  the  SID  of  the  ITIs  running  the  ideal  protocol,  (the  PID  of 
T  is  null.))  In  addition,  T  can  interact  with  the  adversary  according  to  its  code.  Whenever  T 
outputs  a  value  to  a  party,  the  party  immediately  copies  this  value  to  its  own  output  tape.  We  call 
the  parties  in  the  ideal  protocol  dummy  parties.  Let  tt{J-)  denote  the  ideal  protocol  for  functionality 
7. 
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Securely  realizing  an  ideal  functionality.  We  say  that  a  protocol  n  emulates  protocol  (f  if 
for  any  adversary  A  there  exists  an  adversary  S  such  that  no  environment  Z,  on  any  input,  can 
tell  with  non- negligible  probability  whether  it  is  interacting  with  A  and  parties  running  7 r,  or  it 
is  interacting  with  S  and  parties  running  (f.  This  means  that,  from  the  point  of  view  of  the 
environment,  running  protocol  7r  is  ‘just  as  good’  as  interacting  with  <f>.  We  say  that  7r  securely 
realizes  an  ideal  functionality  T  if  it  emulates  the  ideal  protocol  tt(F).  More  precise  definitions 
follow.  A  distribution  ensemble  is  called  binary  if  it  consists  of  distributions  over  {0, 1}. 

Definition  9.  Let  n  and  (j)  be  protocols.  We  say  that  ir  UC-emulates  (resp.,  EUC-emulatesj  <f>  if  for 
any  adversary  A  there  exists  an  adversary  S  such  that  for  any  environment  Z  that  obeys  the  rides 
of  interaction  for  UC  (resp.,  EUC)  security  we  have  exec^^z  «  EXECV^z- 

Definition  10.  Let  T  be  an  ideal  functionality  and  let  it  be  a  protocol.  We  say  that  it  UC-realizes 
(resp.,  EUC-realizesj  T  if  n  UC-emulates  (resp.,  EUC-emulatesj  the  ideal  protocol  it  (J7). 

Security  with  dummy  adversaries.  Consider  the  adversary  V  that  simply  follows  the  instruc¬ 
tions  of  the  environment.  That  is,  any  message  coming  from  one  of  the  ITIs  running  the  protocol 
is  forwarded  to  the  environment,  and  any  input  coming  from  the  environment  is  interpreted  as  a 
message  to  be  delivered  to  the  ITI  specified  in  the  input.  We  call  this  adversary  the  dummy  adver¬ 
sary.  A  convenient  lemma  is  that  UC  security  with  respect  to  the  dummy  adversary  is  equivalent 
to  standard  UC  security.  That  is: 

Definition  11.  Let  it  and  (j)  be  protocols.  We  say  that  n  UC-emulates  (resp.,  EUC-emulatesj  (j)  w.r.t 
the  dummy  adversary  V  if  there  exists  an  adversary  S  such  that  for  any  environment  Z  that  obeys 
the  rules  of  interaction  for  UC  (resp.,  EUC)  security  we  have  EXEC </>,£, z  ~  EXEC^iyz- 

Theorem  3.  Let  n  and  be  protocols.  Then  it  UC-emulates  (resp.,  EUC-emulates)  </>  if  and  only  if 

it  UC-emulates  (resp.,  E UC-emulates,)  (j)  with  respect  to  the  dummy  adversary. 

Hybrid  protocols.  Hybrid  protocols  are  protocols  where,  in  addition  to  communicating  as  usual 
as  in  the  standard  model  of  execution,  the  parties  also  have  access  to  (multiple  copies  of)  an  ideal 
functionality.  Hybrid  protocols  represent  protocols  that  use  idealizations  of  underlying  primitives, 
or  alternatively  make  trust  assumptions  on  the  underlying  network.  They  are  also  instrumental  in 
stating  the  universal  composition  theorem.  Specifically,  in  an  ^-hybrid  protocol  (i.e.,  in  a  hybrid 
protocol  with  access  to  an  ideal  functionality  J7),  the  parties  may  give  inputs  to  and  receive  outputs 
from  an  unbounded  number  of  copies  of  T . 

The  communication  between  the  parties  and  each  one  of  the  copies  of  T  mimics  the  ideal 
process.  That  is,  giving  input  to  a  copy  of  T  is  done  by  writing  the  input  value  on  the  input  tape 
of  that  copy.  Similarly,  each  copy  of  T  writes  the  output  values  to  the  subroutine  output  tape  of 
the  corresponding  party.  It  is  stressed  that  the  adversary  does  not  see  the  interaction  between  the 
copies  of  T  and  the  honest  parties. 

The  copies  of  T  are  differentiated  using  their  SIDs.  All  inputs  to  each  copy  and  all  outputs  from 
each  copy  carry  the  corresponding  SID.  The  model  does  not  specify  how  the  SIDs  are  generated, 
nor  does  it  specify  how  parties  “agree”  on  the  SID  of  a  certain  protocol  copy  that  is  to  be  run  by 
them.  These  tasks  are  left  to  the  protocol.  This  convention  seems  to  simplify  formulating  ideal 
functionalities,  and  designing  protocols  that  securely  realize  them,  by  freeing  the  functionality  from 
the  need  to  choose  the  SIDs  and  guarantee  their  uniqueness.  In  addition,  it  seems  to  reflect  common 
practice  of  protocol  design  in  existing  networks. 

The  definition  of  a  protocol  securely  realizing  an  ideal  functionality  is  extended  to  hybrid  pro¬ 
tocols  in  the  natural  way. 
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The  universal  composition  operation.  We  define  the  universal  composition  operation  and  state 
the  universal  composition  theorem.  Let  p  be  an  ^-hybrid  protocol,  and  let  n  be  a  protocol  that 
securely  realizes  F.  The  composed  protocol  pn  is  constructed  by  modifying  the  code  of  each  ITM 
in  p  so  that  the  first  message  sent  to  each  copy  of  F  is  replaced  with  an  invocation  of  a  new  copy 
of  7T  with  fresh  random  input,  with  the  same  SID,  and  with  the  contents  of  that  message  as  input. 
Each  subsequent  message  to  that  copy  of  F  is  replaced  with  an  activation  of  the  corresponding 
copy  of  7 r,  with  the  contents  of  that  message  given  to  7r  as  new  input.  Each  output  value  generated 
by  a  copy  of  ir  is  treated  as  a  message  received  from  the  corresponding  copy  of  F .  The  copy  of  ir 
will  start  sending  and  receiving  messages  as  specified  in  its  code.  Notice  that  if  7r  is  a  ^/-hybrid 
protocol  (i.e.,  p  uses  ideal  evaluation  calls  to  some  functionality  Q)  then  so  is  pn. 

The  universal  composition  theorem.  Let  F  be  an  ideal  functionality.  In  its  general  form,  the 
composition  theorem  basically  says  that  if  7r  is  a  protocol  that  UC-realizes  F  (resp.,  EUC- realizes 
F)  then,  for  any  ^-hybrid  protocol  p ,  we  have  that  an  execution  of  the  composed  protocol  pn 
“emulates”  an  execution  of  protocol  p.  That  is,  for  any  adversary  A  there  exists  a  simulator  S  such 
that  no  environment  machine  Z  can  tell  with  non-negligible  probability  whether  it  is  interacting 
with  A  and  protocol  pn  or  with  S  and  protocol  p,  in  a  UC  (resp.,  EUC)  interaction.  As  a  corollary, 
we  get  that  if  protocol  p  UC-realizes  F  (resp.,  EUC-realizes  F ),  then  so  does  protocol  pU8 

Theorem  4  (Universal  Composition  [CanOl,  CDPW07]).  Let  F  be  an  ideal  functionality.  Let  p 
be  a  F -hybrid  protocol,  and  let  n  be  a  protocol  that  UC-realizes  F  (resp.,  EUC-realizes  F).  Then 
protocol  pn  UC-emulates  p  (resp.,  EUC-emulates  p). 

An  immediate  corollary  of  this  theorem  is  that  if  the  protocol  p  UC-realizes  (resp.,  EUC-realizes) 
some  functionality  Q ,  then  so  does  pn . 

C.2  UC  Security  with  Super-polynomial  Helpers 

We  modify  the  definitions  of  UC  security  by  giving  the  corrupted  parties  access  to  an  external 
“helper”  entity,  in  a  conceptually  similar  way  to  [PS04],  This  entity,  denoted  TL,  is  computationally 
unbounded,  and  can  be  thought  of  as  providing  the  corrupted  parties  with  some  judicious  help. 
(As  we’ll  see,  this  help  will  be  used  to  assist  the  simulator  to  “reverse  engineering”  the  adversary 
in  order  to  extract  relevant  information  hidden  in  its  communication.) 

The  definition  uses  the  formalism  of  EUC  security  [CDPW07].  Specifically,  we  model  the 
helper  entity  as  an  ITM  that  is  invoked  directly  by  the  environment,  and  that  interacts  with  the 
environment  and  the  corrupted  parties.  More  formally,  let  TL  be  an  ITM.  An  environment  Z  is 
called  aided  by  TL  if:  (a)  Z  invokes  a  single  instance  TL  immediately  after  invoking  the  adversary; 
(b)  As  soon  as  a  party  (i.e.,  an  ITI)  P  is  corrupted  (i.e.,  P  receives  a  corrupted  message),  Z  lets 
TL  know  of  this  fact;  (c)  TL  interacts  only  with  the  corrupted  parties.  Then: 

Definition  12.  Let  ir  and  <f  be  protocols,  and  let  TL  be  a  helper  functionality  (i.e.,  an  ITM).  We 
say  that  it  "H-EUC- emulates  if  for  any  adversary  A  there  exists  an  adversary  S  such  that  for  any 
environment  Z  that's  aided  by  TL  we  have  exec^s ^  ~  exec k,a,z- 

The  meaningfulness  of  relativized  UC  security  of  course  depends  on  the  particular  helper  ITM 
in  use.  Still,  it  is  easy  to  see  that  if  protocol  7r  77-EUC-emulates  protocol  <ft  where  TL  obeys  the 
above  rules  and  runs  in  time  T(n),  then  7r  UC-emulates  <f  according  to  a  relaxed  notion  where 
the  adversary  S  can  run  in  time  poly(T{n)).  As  noted  in  the  past,  for  many  protocols  and  ideal 

8The  universal  composition  theorem  in  [CanOl]  applies  only  to  “subroutine  respecting  protocols”,  namely  protocols 
that  do  not  share  subroutines  with  any  other  protocol  in  the  system.  In  [CDPW07]  the  theorem  is  extended  to 
protocols  that  share  subroutines  with  arbitrary  other  protocols,  as  long  as  the  composed  protocol,  p* ,  realizes  T  with 
EUC  security. 
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functionalities,  this  relaxed  notion  of  security  suffices  even  when  T(n )  =  exp(n )  [Pas03b,  PS04, 
BS05,  MMY06], 

Universal  Composition  with  super-polynomial  helpers.  The  universal  composition  theorem 
generalizes  naturally  to  the  case  of  EUC,  even  with  super-polynomial  helper  functionalities: 

Theorem  (universal  composition  for  relativized  UC).  Let  T  be  an  ideal  functionality,  let  Li  be  a 
helper  functionality,  let  n  be  an  T -hybrid  protocol,  and  let  p  be  a  protocol  that  Li-EU C-realizes  T . 
Then  protocol  ttp  LL-EUC-emidates  n. 

Proof.  The  proof  of  Theorem  C.2  follows  the  same  steps  as  the  proof  of  Theorem  4  (see  e.g.  the 
proof  in  [CanOO]).  The  only  difference  is  in  the  construction  of  the  distinguishing  environment  Zn 
(see  there).  Recall  that  Z n  takes  an  environment  Z  that  distinguishes  between  an  execution  of  n 
and  an  execution  of  np,  and  uses  it  to  distinguish  between  an  execution  of  p  and  an  ideal  evaluation 
of  T.  For  this  purpose,  Z n  emulates  for  Z  an  execution  of  np. 

Now,  in  the  presence  of  the  helper  Li,  Zp  must  emulate  for  Z  also  the  interaction  with  Li.  Note 
that  Zn  cannot  run  LL  on  its  own,  since  LL  may  well  be  super-polynomial  in  complexity.  Instead, 
Z n  will  forward  to  the  external  instance  of  LL  each  message  sent  to  LL  by  Z .  Similarly,  whenever 
any  of  the  corrupted  parties  that  Z K  locally  runs  sends  a  message  to  LL,  Zn  externally  invokes  a 
party  with  the  same  ID  and  code,  corrupts  it,  and  instructs  it  to  send  the  query  to  the  external 
instance  of  LL.  The  responses  of  LL  are  handled  analogously. 

Note  that  the  proof  uses  the  fact  that  the  helper  functionality  LL  does  not  take  messages  directly 
from  the  adversary.  Indeed,  Z, T  cannot  emulate  for  the  external  instance  of  LL  messages  coming 
from  the  adversary.  □ 

D  Black-Box  UC-Secure  Protocols  in  "H- EUC  Model 

In  this  work,  we  consider  UC-security  with  the  a  super-polynomial  time  helper  that  help  breaks 
commitments  of  our  black-box  robust  CCA  secure  commitment  scheme  ( C,R ).  More  precisely,  it 
proceeds  as  described  in  Figure  6 


Functionality  LL 

Corrupted  Parties:  Upon  receiving  an  input  (Corrupt,  Pi,  sid)  from  the  environment,  record  (Corrupt, 
Pi,  sid). 

Initialization:  Upon  receiving  an  input  (lnit,P,;,  sid,  k)  from  party  Pi  in  the  protocol  instance 
sid ,  if  there  is  no  previously  recorded  tuple  (Corrupt,  Pi,  sid)  or  there  is  a  previously  recorded  session 
(Pi,  sid,  k),  ignore  this  message;  otherwise,  initialize  a  session  of  ( C,R )  with  O  using  identity  (Pi,  sid), 
and  record  session  (Pi,  sid,  k). 

Accessing  O :  Upon  receiving  an  input  (Mesg,R,  sid,  k,  to)  from  party  Pi  in  the  protocol  instance 
sid,  if  there  is  no  previously  recorded  session  (Pi,  sid,  k),  ignore  the  message;  otherwise,  forward  m  to  O 
in  the  kth  session  that  uses  identity  (Pi,  sid),  obtain  a  reply  m! ,  and  return  (Mesg,R,  sid,  k,  m')  to  /’  . 


Figure  6:  The  ideal  functionality  LL 


D.l  Proof  of  Lemma  2 

In  this  section,  we  first  recall  the  protocol  IIot  that  7TEUC  emulates  Tot  and  then  prove  its 
security.  The  construction  relies  on  the  Ten-round  mS-OT  protocol  (S,  R)  and  the  CCA-secure 
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commitment  scheme  (C,  R).  On  common  input  1"  ,  the  sender  and  the  receiver  of  the  protocol  IIot 
on  private  inputs  (fo,fi)  and  u  respectively  proceed  as  follow: 

Stage  1 :  The  sender  chooses  a  random  subset  T r  C  [20n]  of  size  n  and  commits  to  T r  using 
(C,R). 

The  receiver  chooses  a  random  subset  Tg  C  [20n]  of  size  n  and  another  random  subset 
T  C  [18n]  of  size  ro;  it  then  commits  to  both  Ts  and  T  using  (C,  R). 

Stage  2  (Coin- Tossing): 

Receiver  Random-Tape  Generation:  The  receiver  chooses  20n  random  strings  (af,...afon) 
and  commits  to  them  using  ( C ,  R).  The  sender  sends  20n  random  strings  (bf, . . .  &2on).  The 
receiver  calculates  rf  =  a^©  bf  for  every  i  £  [20n],  and  interprets  rf  as  Ci\\r f,  where  c*  will 
be  used  as  the  receiver’s  input  bit,  and  rf  the  random  tape  in  the  OT  executions  below. 

Sender  Random-Tape  Generation:  The  sender  chooses  20n  random  strings  (af , . . .  af0n)  and 
commits  to  them  using  ( C,R ).  The  receiver  sends  20n  random  strings  (bf , . . .  frfon)-  The 
sender  calculates  rf  =  af  ©  bf  for  every  i  £  [20n],  and  interprets  rf  as  s?||sj||rf,  where 
sf  and  sj  will  be  used  as  the  sender’s  two  input  bits,  and  rf  the  random  tape  in  the  OT 
executions  below. 

Stage  3  (OT  with  Random  Inputs):  The  sender  and  the  receiver  participates  in  20n  execu¬ 
tions  of  the  OT  protocol  (S,  R)  in  parallel,  where  the  sender  acts  as  S  and  the  receiver  acts 
as  R.  In  the  ith  execution  of  ( S ,  R),  the  sender  uses  inputs  sf ,  sj  and  random  tape  rf  and  the 
receiver  uses  input  ct  and  random  tape  rf .  At  the  end  of  the  execution,  the  receiver  obtains 
outputs  si  . . .  ^On- 

Stage  4  (Cut-and-Choose — Honesty  Checking): 

Sender  Honesty  Checking:  The  receiver  opens  Tg  and  sender  responds  as  follows:  for  every 
j  £  Ts,  the  sender  opens  the  jth  commitments  of  (C,  R)  in  Stage  2  to  af .  The  receiver  checks 
if  the  openings  are  valid,  and  if  for  every  j  £  Tg,  the  sender  acted  honestly  in  the  jth  OT 
execution  according  to  af  ©  bf .  The  receiver  aborts  if  not. 

Receiver  Honesty  Checking:  The  sender  opens  T r  and  receiver  responds  as  follows:  for  every 
j  £  T^j,  the  receiver  opens  the  jth  commitments  of  (C,  R)  in  Stage  2  to  af.  The  sender  checks 
if  the  openings  are  valid  and  if  for  every  j  £  Tr,  the  receiver  acted  honestly  in  the  jth  OT 
execution  according  to  af  ©  bf.  The  sender  aborts  if  not. 

Stage  5  (Combiner):  Set  A  =  [20n]  —  T/j  —  Tg  (i.e.,  A  is  the  set  of  unopened  locations).  For 
every  i  £  A  The  receiver  computes  ai  =  u®  Ci  and  sends  a*.  The  sender  responds  as  follows: 
It  computes  a  10n-out-of-18n  secret-sharing  of  uo;  without  loss  of  generality,  we  index  shares 
in  that  secret-sharing  with  elements  in  A;  let  the  secret-sharing  be  p°  =  Similarly,  it 

also  computes  a  10?r-out-of-18n  secret-sharing  p 1  =  (p\  }ieA  for  v\ .  Then  the  sender  computes 
=  Pi®  sfQi  for  every  i  £  A  and  sends  back  all  the  fdf's. 

The  receiver  after  receiving  all  the  /3f”s,  computes  shares  corresponding  to  the  uth  input  as 
Pi  =  (3?  ©  §i  for  every  i  £  A,  and  sets  p  =  {pi}igA- 

Stage  6  (Cut-and-Choose — Consistency  Checking):  The  receiver  opens  to  T.  Then  for  ev¬ 
ery  j  £  Tn  A,  the  sender  reveals  the  two  inputs  s®  and  sj  and  random  tape  rf  that  it  uses 
in  the  jth  OT  execution  in  Stage  3.  The  receiver  checks  if  the  sender  acts  honestly  according 
to  input  (•Sj'jsj)  and  random  tape  rf  and  aborts  if  not. 
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Finally  the  receiver  checks  whether  p  computed  in  Stage  5  is  17n-close  to  a  valid  codeword 
w  (that  is,  it  agrees  with  w  at  17n  locations),  and  if  for  every  j  G  T  n  A,  Wj  is  equal  to 
/?“  ©  Sj  3 .  If  so  it  outputs  the  value  v  encoded  in  w;  otherwise,  it  aborts. 

Next  we  proceed  to  show  that  IIot  is  indeed  a  secure  realization  of  Poj.  Below  we  describe  the 
technique  for  simulating  the  protocol  execution  of  IIot  in  the  ideal- world,  where  parties  have  access 
to  the  ideal  commitment  functionality  J- ot,  and  give  a  proof  that  the  simulation  in  the  ideal- world 
setting  is  indistinguishable  from  a  real-world  execution  of  IIot-  Recall  that  we  only  need  to  prove 
that  IIot  77-ETJ C-emulates  J-qt!  hence  in  both  the  ideal  and  real  worlds,  the  environment  and  the 
adversary  have  access  to  the  R  functionality. 

Let  A  be  any  WT  adversary  and  Z  any  WT  environment.  The  simulator  Sim  for  A  in  the 
ideal  world  internally  simulates  a  real-world  execution  with  A  on  auxiliary  input  it  simulates  A s 
interaction  with  the  environment  Z  and  the  functionality  R,  by  simply  forwarding  the  communi¬ 
cations  between  A  and  Z  or  R;  furthermore,  it  simulates  messages  belonging  to  the  OT  protocol 
IIot  f°r  A  as  follows: 

Strategy  1:  If  the  Sender  (Pi)  is  honest  and  the  Receiver  (Pj)  is  corrupted,  the  simula¬ 
tor  needs  to  be  able  to  extract  the  choice  u  of  the  receiver  (controlled  by  A)  so  that  it  can 
send  u  to  the  ideal  OT  functionality  Toj  to  obtain  an  input  vu,  and  simulate  the  view  of  A 
without  knowing  the  other  input  vi-u. 

Towards  this,  the  simulator  Sim  first  acts  honestly  in  Stage  1  to  4  except  the  following:  It 
forwards  all  the  commitments  of  ( C ,  R)  from  A  in  Stage  1  and  2  to  the  helper  functionality  R. 
Since  the  receiver  Pj  is  corrupted,  R  accepts  commitments  with  identity  Pj  from  Sim ,  and 
returns  Sim  the  unique  committed  value  if  the  commitment  is  valid  and  T  otherwise.  These 
committed  values  include  T 5  and  T  committed  to  by  A  in  Stage  1  and  all  the  random  strings 
af  for  i  G  [20n]  committed  to  by  A  in  Stage  2,  which  allows  Sim  to  recover  the  inputs  and 
random  tapes  {cj,  t/2 } r20Tl]  that  A  is  supposed  to  use  in  the  Stage  3  OT  executions.  Then 

for  every  j  G  [20n] ,  Sim  checks  whether  A  behaves  honestly  according  to  Cj ,  in  the  jth 
OT  execution  in  Stage  3,  and  sets  to  be  the  set  of  locations  in  which  A  cheats.  Next,  if  A 
successfully  completes  the  first  4  stages,  Sim  needs  to  extract  its  input  choice  u  and  simulate 
the  Stage  5  sender’s  message.  To  do  so,  it  first  extracts  u  by  counting  how  many  shares  out 
of  the  18n  shares  p°  =  and  p 1  =  {p}}i&A  that  A  will  get  (in  Stage  5  and  6)  for  each 

input  no  and  v\  as  follows: 

•  For  every  location  j  G  A  and  also  in  T,  since  the  sender’s  inputs  sj  and  sj  will  be 
revealed  in  stage  6,  Sim  counts  that  A  obtains  one  more  share  for  both  p°  and  p1. 

•  For  every  location  j  G  A  and  also  in  4>,  A  has  cheated  in  the  jth  OT  in  Stage  3  and 
thus  may  obtain  both  of  the  sender’s  inputs  sj  and  sj  in  that  OT  execution;  recall  that 
in  Stage  5  of  the  protocol,  the  two  shares  pj  and  pj  will  be  covered  using  the  sender’s 
inputs  sj  and  sj  as  one-time  pads.  Therefore,  after  receiving  the  Stage  5  message  (which 
contains  fy-  =  pj  ©  sJ  3),  A  will  be  able  to  recover  both  shares.  Thus  Sim  counts  that 
A  again  obtains  one  more  share  for  both  p°  and  p1. 

•  For  the  rest  of  locations  j  G  A  —  $  —  T,  since  A  acts  honestly  using  input  Cj  and  the  two 
sender’s  inputs  sj  and  sj  will  not  be  revealed  in  Stage  6,  A  obtains  sjJ  through  the  OT 

execution  while  Sj  3  remains  computationally  hidden.  Thus  A  later  can  only  recover 
the  share  pjJ®°j.  Therefore,  Sim  counts  that  A  gets  one  more  share  of  pci®“j. 

Then  to  simulates  the  sender’s  Stage  5  message,  Sim  proceeds  as  follows:  If  for  both  inputs  A 
gets  more  than  lOn  shares,  the  simulator  Sim  outputs  fail  and  aborts.  Otherwise,  if  for  only 
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one  input  A  gets  more  than  lOn  shares,  Sim  sends  its  index  b*  to  the  ideal  functionality  J- 'ot 
and  receives  a  value  w,  it  then  sets  Vb*  =  w  and  sets  v\-b*  to  a  random  bit,  and  complete  the 
rest  of  the  simulation  by  following  the  honest  sender’s  strategy  using  Vb*  and  v\-b*  as  inputs. 
Finally,  if  for  none  of  the  inputs  A  gets  more  than  lOn  shares,  then  Sim  simply  sets  both  vq 
and  v i  to  random  bits  and  complete  the  simulation  honestly  according  to  these  two  values. 

Strategy  2:  If  the  Sender  (Pi)  is  corrupted  and  the  Receiver  (Pj)  is  honest,  the  simula¬ 
tor  needs  to  simulate  the  view  of  the  sender  (controlled  by  A)  without  knowing  the  choice  of 
the  receiver  and  extracts  the  two  inputs  from  A. 

Towards  this,  first  note  that  during  the  whole  execution  of  IIoT)  the  only  message  that 

depends  on  the  receiver’s  choice  u  is  the  Stage  5  receiver’s  message,  consisting  of  {ay}  -gA 

that  are  supposed  to  be  set  to  ay  =  u  ©  Cj.  The  simulator  Sim  simulates  the  cr,-’ s  by 

simply  sending  random  bits  (and  emulates  the  rest  of  the  receiver’s  messages  for  A  honestly). 

Furthermore,  to  extract  the  two  inputs  of  the  sender  (controlled  by  A ),  Sim  proceeds  as 

follows:  It  forwards  all  the  commitments  of  ( C ,  R)  from  A  in  Stage  1  and  2  to  the  helper 

functionality  "H.  Since  the  sender  Pj  is  corrupted,  H  accepts  commitments  with  identity  Pj 

from  Sim.,  and  returns  Sim .  the  unique  committed  value  if  the  commitment  is  valid  and  _L 

otherwise.  These  committed  values  include  Tr  committed  to  by  A  in  Stage  1  and  all  the 

random  strings  af  for  i  £  [20n]  committed  to  by  A  in  Stage  2,  which  allows  Sim  to  recover 

the  inputs  and  random  tapes  {s°,  t[{  }  .g  j20n]  that  A  is  supposed  to  use  (as  a  sender)  in  the 

Stage  3  OT  executions.  Next,  if  A  completes  the  execution  of  IIot  successfully,  Sim  extracts 

shares  of  the  sender’s  inputs  by  computing  pb  =  {  pb  =  (3b-  0  sb®aj  \  for  b  £  {0, 1}  (The 

l  J  J  J  )  jeA 

rationale  behind  this  extraction  strategy  is  that,  for  every  input  b,  the  sender  of  the  protocol 
IIot  is  supposed  to  send  “encryption”  j  of  the  shares  j  pb  j  of  that  input  in  Stage  5, 

hidden  using  the  appropriate  inputs  j  of  the  OT  executions).  Given  the  shares  p°  and 

px ,  Sim  reconstructs  inputs  and  vl  as  follows:  For  every  b,  it  checks  whether  pb  is  16?r-close 
to  a  valid  codeword  wb,  and  whether  wb  passes  the  consistency  check  in  the  last  stage,  that 
is,  if  wb  agrees  with  [3b  ©  sb^aj  for  all  j  £  F;  If  so,  then  it  sets  vb  to  the  value  encoded  in  wb; 
otherwise  it  sets  vb  =  _L.  Finally  Sim  sends  the  two  values  v°  and  v 1  externally  to  the  OT 
functionality. 

Strategy  3:  If  both  the  Sender  (P,)  and  the  Receiver  (Pj)  are  honest,  the  simulator  needs 
to  simulate  the  transcript  of  an  honest  execution  of  IIot  for  A  without  knowing  the  inputs 
of  the  honest  players.  To  do  so,  it  simply  generates  the  transcript  of  an  honest  execution  of 
IIot  using  inputs  all  0. 

Below  we  analyze  each  of  the  simulation  strategies  above,  and  show  that  the  environment  Z's 
interactions  with  S  in  the  ideal-world  is  indistinguishable  from  that  with  A  in  the  real-world  in 
each  of  the  cases. 

Analysis  of  the  first  case:  Consider  the  following  five  hybrids: 

Hybrid  H\:  Hybrid  Hi  proceeds  identically  to  the  ideal  execution,  except  that:  In  Stage  2, 
for  every  location  j  that  the  sender  would  not  need  to  reveal  the  randomness,  that  is,  j  0 
rsur  (recall  that  the  simulator  obtains  F^  and  T  by  forwarding  A’ s  commitments  to  the 
helper  functionality  H  at  the  end  of  Stage  1),  the  simulator  simulates  the  jth  commitment 
of  ( C,R )  to  A  by  committing  to  0  instead  of  a"j .  Since  these  commitments  all  have 
identities  belonging  to  an  honest  player,  and  the  helper  functionality  H  only  breaks 


Approved  for  Public  Release;  Distribution  Unlimited. 
41 
632 


commitments  with  identities  of  corrupted  parties,  it  follows  from  the  CCA-security  of 
(C,R)  that  the  ideal-execution  is  indistinguishable  from  H\ . 

Hybrid  H2’.  Hybrid  Hi  proceeds  identically  to  Hi  except  that  in  Stage  5,  instead  of  always 
using  the  sender’s  inputs  Sj  and  sj  for  j  e  A  to  hide  the  shares  p°  =  and 

p 1  =  {p}}ieA,  the  simulator  replace  those  inputs  sj’ s  that  are  computationally  hidden 
from  A  with  random  strings  to  hide  the  shares.  More  precisely,  recall  that  in  every 
location  j  £  A  —  $  —  T,  A  acts  honestly  in  the  OT  execution  (using  input  Cj )  and 

t  t  ^ _ C  '  •  • 

the  sender’s  inputs  are  not  revealed  in  Stage  6;  thus  the  input  3  is  computationally 
hidden.  Then,  instead  of  using  s j  °3  as  a  one-time  pad  to  hide  one  of  the  jth  shares  p j 
or  pj  in  Stage  5,  Sim  uses  a  truly  random  string. 

We  claim  that  H2  is  indistinguishable  from  H\.  Towards  showing  this,  we  first  show 
that  it  follows  from  the  security  of  the  OT  protocol  ( S ,  R)  against  semi-honest  receiver 
that  the  views  of  a  malicious  receiver  R*  in  the  following  two  experiments  are  indistin¬ 
guishable. 

In  both  experiments,  the  receiver  R*  on  input  a  choice  u,  random  input  r  and 
auxiliary  input  z,  first  engages  in  an  execution  with  the  honest  sender  S  with 
inputs  -so  and  si  chosen  at  random.  After  the  execution  with  S  completes,  R* 
receives  the  two  inputs  so  and  si  in  the  first  experiment.  On  the  other  hand, 
what  R*  receives  in  the  second  experiment  depends  on  whether  it  has  acted 
honestly  according  to  inputs  u  and  r:  If  it  is  dishonest,  then  it  still  receives  so 
and  si;  otherwise,  if  it  is  honest,  it  receives  su  and  a  random  bit  s' . 

It  follows  from  the  security  against  semi-honest  receivers  that  when  R*  acts  honestly 
according  to  a  choice  u,  the  sender’s  input  si_u  that  is  not  chosen  is  computationally 
hidden,  and  thus  R*  cannot  tell  apart  later  whether  it  receives  si_u  or  a  random  bit. 
Therefore  its  views  in  the  above  two  experiments  are  indistinguishable.  It  further  fol¬ 
lows  from  a  simple  hybrid  argument  that,  no  malicious  receiver  can  tell  apart  the  two 
experiment  even  if  they  are  executed  in  parallel. 

Then,  since  the  only  difference  between  hybrid  Hi  and  H2  lies  in  whether  the  sender’s 

_  ^  ^ _ Q  ■  * 

message  in  Stage  5  is  generated  using  honest  inputs  Sj  3  or  random  strings,  for  those 
locations  j  £  A  —  $  —  T  where  the  adversary  A  acts  honestly  in  the  OT  execution 
according  to  the  inputs  and  random  tapes  decided  in  Stage  2.  It  then  follows  from  the 
indistinguishability  of  the  above  two  experiments  (executed  in  parallel)  that  the  sender’s 
messages  in  Stage  5  in  H 1  and  H2  are  indistinguishable.  Then,  by  the  1-robustness  of 
the  CCA-secure  commitment  ( C ,  R) ,  we  have  that  the  view  of  A  in  the  two  hybrids  are 
indistinguishable.  Thus  H\  and  Hi  are  indistinguishable. 

Hybrid  H3:  This  hybrid  proceeds  identically  to  H2  except  the  following:  The  ideal  func¬ 
tionality  J~oj  does  not  expect  to  receive  a  choice  from  the  simulator  and  instead  directly 
discloses  both  of  the  sender’s  inputs  vo  and  v\  to  the  simulator;  then  after  the  simulator 
extracts  the  adversary’s  choice  u,  instead  of  using  inputs  vu  and  a  random  bit  to  simulate 
the  Stage  5  message  as  in  H2 ,  the  simulator  uses  vq  and  v\ . 

To  show  that  H3  is  indistinguishable  from  H2,  we  first  prove  that  due  to  the  cut-and- 
choose  procedure  in  Stage  4,  the  probability  that  A  cheats  in  a  large  number  of  -more 
than  n — OT  executions  in  Stage  3  without  being  caught  is  negligible. 

Claim  4.  In  hybrid  H4,  the  probability  that  A  cheats  in  more  than  n  OT  executions  in 
Stage  3,  and  successfully  passes  the  receiver’s  honesty  check  in  Stage  4  is  negligible. 

We  remark  that  this  claim  holds,  even  if  A  receives  a  commitment  to  the  set  of  locations 
Tr  to  be  opened  in  the  cut-and-choose  procedure  in  Stage  1.  This  is  because  the  CCA- 
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security  of  the  commitment  guarantees  that  T#  remains  hidden  even  if  all  the  values 
that  A  commits  to  in  Stage  2  are  extracted  via  a  committed-value  oracle  (since  these 
commitments  use  identities  of  corrupted  parties,  different  from  the  identity  of  the  com¬ 
mitment  to  Fr,  which  is  the  identity  of  the  honest  sender.)  Then  since  we  can  identify 
the  locations  where  A  cheats  using  these  committed  values  efficiently,  these  locations 
must  be  computationally  independent  of  VR.  Thus  if  A  cheats  in  a  large  number  of  OT 
executions,  one  of  them  will  be  selected  by  T^  to  check  with  overwhelming  probability, 
causing  A  to  fail  in  Stage  4.  A  formal  proof  of  this  claim  is  presented  at  the  end  of  this 
section. 

It  follows  directly  from  Claim  4  that  except  with  negligible  probability,  if  A  completes 
Stage  4  successfully,  then  the  total  number  of  shares  that  it  gets  is  at  most  20n;  then, 
by  the  pigeon  hold  principle,  it  gets  more  than  lOn  shares  for  at  most  one  input.  This 
implies  that  the  probability  that  the  simulator  outputs  fail  is  negligible.  Assume  that 
S4  does  not  output  fail.  Then  the  only  difference  between  the  simulation  in  hybrid  H2 
and  H3  lies  in  how  the  Stage  5  sender’s  message  is  simulated.  In  H2 ,  for  the  input 
that  A  gets  more  than  lOn  shares,  the  simulator  obtains  the  true  value  through  the  OT 
functionality  and  thus  simulate  the  corresponding  part  of  the  sender’s  message  perfectly. 
On  the  other  hand,  for  the  inputs  that  A  gets  no  more  than  lOn  shares,  it  simulates 
shares  of  these  inputs  using  shares  of  random  bits.  However,  since  A  gets  at  most  lOn 
shares  of  these  random  bits  and  the  rest  of  shares  are  all  covered  by  truly  random  strings 
in  H2 ,  switching  the  random  bits  to  true  inputs  does  not  change  the  distribution  of  the 
simulated  message  (of  Stage  5).  Thus  we  conclude  that  the  views  of  A  in  H3  and  H±  are 
statistically  close,  and  so  are  the  executions  of  H3  and  H4. 


Hybrid  H4:  Hybrid  H4  proceeds  identically  to  H3  except  that  in  Stage  5,  the  simulator 
switches  back  to  using  the  sender’s  inputs  and  sj  in  the  OT  executions  to  hide  the 

(instead  of  using  random  strings  to  hide  part  of 


shares  p°  =  \  p°A  and  p1  =  \  p]  > 
l  JJ je A  l  J J 


1  je  a 


the  shares).  In  other  works,  H4  reverses  the  changes  done  in  H2.  Then  it  follows  from 
the  same  argument  as  in  H2  that,  by  the  1-robustness  of  the  commitment  ( C,R ),  the 
hybrid  H±  proceeds  indistinguishably  from  H3. 


Hybrid  H§:  Hybrid  H§  proceeds  identically  to  H4  except  that,  in  Stage  2,  for  every  location 
j  that  the  sender  do  not  need  to  reveal  the  randomness,  that  is,  j  0  T^UT,  the  simulator 
switches  the  jth  commitment  of  ( C ,  R)  to  A  from  committing  to  0  back  to  committing  to 
cij  .  That  is,  H4  reverses  the  changes  done  in  H\.  Then  it  follows  from  the  same  argument 
as  in  H\  that  by  the  CCA-security  of  ( C,R ),  the  hybrid  proceeds  indistinguishably 
from  H4. 


Finally  note  that  in  H§,  the  simulator  receives  from  Tot  both  inputs  vq  and  v±,  and  internally 
emulates  the  real-execution  with  A  perfectly.  Therefore,  by  a  hybrid  argument,  we  have  that 
the  real  execution  is  indistinguishable  from  an  execution  of  H\,  which  in  turn  is  indistinguish¬ 
able  from  from  the  ideal  execution.  Thus  we  concludes  that  the  simulator  Sim  is  constructed 
correctly. 

Analysis  of  the  second  case:  Consider  the  following  sequence  of  hybrids. 

Hybrid  H\ :  This  hybrid  proceeds  identically  to  the  ideal  execution,  except  the  following: 
In  Stage  2,  for  every  location  j  that  the  receiver  do  not  need  to  reveal  the  randomness, 
that  is,  j  0  T R  (recall  that  the  simulator  obtains  TR  by  forwarding  A’s  commitments 
to  the  helper  functionality  R  at  the  end  of  Stage  1),  the  simulator  simulates  the  jth 
commitment  of  ( C,R )  from  the  receiver  to  A ,  by  committing  to  0  instead  of  aj.  Since 
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these  commitments  all  have  the  identity  of  the  honest  receiver,  and  the  helper  function¬ 
ality  'H  only  breaks  commitments  with  identities  of  corrupted  parties,  it  follows  from  the 
CCA-security  of  (C,R)  that  the  ideal-execution  is  indistinguishable  from  H\. 

Hybrid  H2'.  This  hybrid  proceeds  identically  to  H\  except  the  following:  the  ideal  func¬ 
tionality  J~oj  discloses  the  external  receiver’s  choice  u  to  the  simulator;  furthermore,  in 
Stage  5,  instead  of  simulating  all  the  ay's  using  random  bits,  the  simulator  computes 
them  honestly  as  a j  =  u  0  Cj  (where  Cj’s  are  the  inputs  that  the  receiver  uses  in  the 
Stage  3  OT  executions). 

We  claim  that  H2  is  indistinguishable  from  H\.  Towards  showing  this,  we  first  show  that 
it  follows  from  the  security  of  the  OT  protocol  ( S ,  R)  against  malicious  senders  that  the 
views  of  a  malicious  sender  S*  in  the  following  two  experiments  are  indistinguishable. 

In  both  experiments,  the  sender  S*  first  participates  in  an  interaction  with  an 
honest  receiver  R  using  a  random  inputs  u.  After  the  execution  with  R,  in  the 
first  experiment,  S*  receives  the  input  u,  whereas  in  the  second  experiment,  it 
receives  another  independently  sampled  random  bit  u' . 

It  follows  from  the  security  against  malicious  senders  of  the  OT  protocol  that  the  views 
of  the  malicious  sender  S*  in  the  above  two  experiments  are  indistinguishable.  Further¬ 
more,  it  follows  from  a  simple  hybrid  argument  that,  no  malicious  receiver  can  tell  apart 
the  above  two  experiments  even  if  they  are  executed  in  parallel. 

Then,  note  that  the  only  difference  between  hybrid  H\  and  H2  lies  in  whether  in  Stage 
5,  the  ccj’s  (for  j  6  A)  from  the  receiver  are  simulated  using  random  bits  or  generated 
honestly  as  u  ©  Cj\  in  other  words,  the  differenece  is  whether  the  ccj’s  are  computed  as 
the  sum  of  u  and  a  random  bit  (yielding  a  random  bit)  or  Cj  (yielding  u  ©  Cj).  It  then 
follows  from  the  indistinguishability  of  the  above  two  experiments  (executed  in  parallel) 
that  the  receiver’s  messages  in  Stage  5  in  H\  and  H2  are  indistinguishable.  Thus,  by 
the  1-robustness  of  the  CCA-secure  commitment  ( C,R ),  we  have  that  the  view  of  A 
and  the  output  of  the  external  OT  receiver  (which  will  be  vu )  in  the  two  hybrids  are 
indistinguishable.  Hence  Hi  and  H2  are  indistinguishable. 

Hybrid  H3:  This  hybrid  proceeds  identically  to  H2  except  that,  in  Stage  2,  for  every  location 
j  that  the  receiver  do  not  need  to  reveal  the  randomness,  that  is,  j  0  Tr,  the  simulator 
switches  the  jt,h  commitment  of  (C,  R)  from  the  receiver  to  A  from  a  commitment  to 
0  back  to  a  commitment  to  a  j’ .  That  is,  H3  reverses  the  changes  done  in  H\.  Then  it 

follows  from  the  same  argument  as  in  H 1  that  by  the  CCA-security  of  ( C ,  R),  the  hybrid 
H3  proceeds  indistinguishably  from  H2.  We  remark  that  in  H3  the  simulator  essentially 
emulates  the  execution  of  Hot  for  A  perfectly  as  an  honest  receiver  (using  the  external 
receiver’s  true  input  u  that  it  gets  from  J-ot)>  except  that  it  tries  to  extract  the  two 
sender’s  inputs  from  A  at  the  end  of  the  execution. 

Hybrid  H4:  This  hybrid  proceeds  identically  to  H3  except  the  following:  The  external  re¬ 
ceiver  no  longer  interacts  with  Jxnu  and  instead,  simply  outputs  a  value  that  the  sim¬ 
ulator  feeds  it.  On  the  other  hand,  the  simulator  internally  emulates  the  execution  of 
Hot  for  A  by  following  the  honest  receiver’s  strategy  (as  in  H3),  obtaining  an  output 
v ;  it  then  skips  extracting  the  sender’s  inputs  ho  and  hi  and  simply  feeds  the  external 
receiver  the  value  v  as  the  its  output. 

We  show  that  the  output  of  the  environement  in  is  statistically  close  to  that  in 
H3.  Since  the  only  difference  between  the  two  hybrids  lies  in  how  the  outputs  of  the 
external  receiver  are  derived,  it  suffices  to  show  that  except  with  negligible  probability, 
the  outputs  of  the  external  receiver  in  the  two  hybrids  are  the  same.  In  H4,  the  external 
receiver  directly  outputs  the  value  v  the  simulator  feeds  it,  which  is  just  the  output  of 
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an  honest  receiver  of  IIot  with  input  u  (emulated  by  the  simulator  for  A).  In  H3,  the 
external  receiver  obtains  the  input  from  which  is  vu  extracted  by  the  simulator 
from  A.  Recall  that  both  v  and  vu  are  derived  in  two  steps: 

•  In  the  first  step,  shares  of  the  two  values  are  recovered.  The  honest  receiver  obtains 
shares  of  v  by  computing  p  =  {pj  =  fif  ©  Sj}jgA’  where  Sj’s  are  the  outputs  it 
obtains  in  the  Stage  3  OT  executions  with  inputs  Cj’s.  On  the  other  hand,  the 

simulator  extracts  shares  of  vu  as  pu  =  \  pf  =  ©  sj®Qj  l  ,  where  the  sj’s  are 

l  J  J  J  J  je a  J 

the  inputs  that  A  is  supposed  to  use  in  the  OT  executions. 

•  In  the  second  step,  a  codeword  is  recovered  from  the  shares:  The  honest  receiver 
recovers  w  that  is  17n-close  to  p,  whereas  the  simulator  recovers  wu  that  is  16n- 
close  to  pu.  Then  both  codewords  are  checked  for  consistency,  that  is  whether  they 
agrees  with  fiV  0  sj®aj  at  locations  j  G  T,  where  the  sj’s  are  T's  actual  inputs  in 
the  OT  executions  revealed  in  the  last  stage.  If  w  (or  wu  respectively)  passes  the 
consistency  check,  then  v  (or  vu  resp.)  is  set  to  the  value  encoded  in  w  (or  wu  resp.); 
otherwise,  it  is  set  to  _L. 

Towards  showing  that  v  and  vu  are  (almost)  always  the  same,  Consider  the  following 
two  possible  cases:  p  is  17n-close  to  a  valid  codeword  w  or  not. 

•  If  it  is,  (in  Hfi)  the  honest  receiver  will  recover  w  from  p.  We  show  that  the  simulator 
will  recover  the  same  codeword  w  from  pu  (i.e.,  wu  =  w).  This  relies  on  the  following 
claim: 

Claim  5.  Let  p  and  pu  be  defined  as  above.  Then,  except  with  negligible  probability, 
the  shares  p  and  pu  are  17 n-close  to  each  other. 

This  claim  essentially  follows  from  the  fact  that  due  to  the  cut-and-choose  procedure, 
the  probability  that  A  cheats  in  more  than  n  OT  executions  in  Stage  3,  and  yet, 
passes  the  sender’s  honesty  check  in  Stage  4  is  negligible.  (This  follows  from  the 
same  proof  as  Claim  4).  Therefore,  there  are  at  least  17n  locations  where  A  acted 
honestly  (in  the  OT  executions),  meaning  that  the  output  Sj  of  the  honest  receiver 
in  these  OT  executions  equals  to  s® ,  which  in  turn  equals  to  s“®“J  since  a  =  u®Cj 
in  H3  and  H 4.  This  implies  that  p  and  pu  agree  with  each  other  at  at  least  17n 
locations. 

Therefore,  except  with  negligible  probability,  pu  is  16n-close  to  w.  Then  the  sim¬ 
ulator  will  uniquely  recover  w  as  well  (i.e.,  wu  =  w ).  After  that,  both  the  honest 
receiver  and  the  simulator  conduct  the  same  consistency  check  against  w,  leading 
to  the  same  outputs  v  =  vu. 

•  Otherwise,  if  p  is  n- far  away  from  any  valid  codeword,  the  honest  receiver  sets  v  to 
_L.  We  need  to  show  that  the  simulator  will  also  set  vu  to  _L  with  overwhelming 
probability.  Suppose  not,  then  the  simulator  must  have  recovered  a  codeword  wu 
from  pu.  By  our  hypothesis,  wu  is  n-far  away  from  p\  let  be  the  set  of  locations 
j  at  which  wu  and  p  differ.  Then  we  show  that  the  probability  that  wu  passes  the 
consistency  check  is  negligible.  Formally, 

Claim  6.  Let  T  be  defined  as  above.  Then,  the  probability  that  |T|  >  n  and  A 
successfully  passes  the  consistency  check  in  Stage  6  is  negligible. 

This  claim  essentially  follows  from  the  fact  that  due  to  the  cut-and-choose  procedure, 
the  probability  that  'k  is  large  but  none  of  the  locations  j  in  'k  is  checked  in  the  last 
stage  (i.e.,  T  n  T  =  0)  is  negligible.  (This  follows  from  a  similar  proof  as  Claim  4). 
With  overwhelming  probability  there  is  a  location  j  in  T  being  checked,  forcing  A 
to  reveal  the  inputs  s j  and  sj  it  uses  in  that  OT  execution,  which  also  reveals  the 
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difference  between  pj  and  w That  is, 

pj  =  Pj  ©  %  =  Puj  0  f?  =  Puj  0  f®ai  ±  0J 

Thus,  except  with  negligible  probability,  the  adversary  fails  to  pass  the  consistency 
check,  and  vu  is  set  to  _L  as  claimed. 

By  construction,  in  the  last  hybrid  H 4,  the  view  of  A  is  emulated  perfectly  according 
to  IIot  and  the  output  of  the  external  OT  receiver  is  the  same  as  that  of  the  honest 
receiver  of  IIot-  Therefore,  the  output  of  the  environment  in  hybrid  Hi  is  identically 
distributed  to  the  real-execution.  Then  by  a  hybrid  argument,  we  have  that  the  real 
execution  is  indistinguishable  to  H\ ,  and  thus  the  ideal  execution.  Thus  the  simulator 
Sim  is  constructed  correctly. 

Analysis  of  the  third  case:  Consider  the  following  sequence  of  hybrids: 

Hybrid  H\ :  This  hybrid  proceeds  identically  to  the  ideal  execution  except  the  follow¬ 
ing:  The  ideal  Tot  functionality  discloses  the  inputs  (uo,fi)  and  u  of  the  external 
sender  and  receiver  to  A,  and  furthermore,  the  simulator  switches  the  sender’s  and 
receiver’s  inputs  that  it  uses  for  simulating  the  transcript  of  IIot  (for  A)  from  all 
0  to  (0,t>i)  and  0.  It  follows  from  the  analysis  of  the  first  case  above  that  when 
considering  a  semi-honest  adversary  acting  as  the  receiver  of  IIot  and  using  input 
0,  the  adversary  cannot  tell  apart  if  the  honest  sender  is  using  inputs  (0, 0)  or  (0,  iq). 
Thus  the  simulated  transcripts  in  Hi  and  the  ideal  execution  must  be  indistinguish¬ 
able.  Furthermore  since  no  player  is  corrupted,  the  helper  functionality  77  would 
not  accept  any  query  from  the  adversary,  the  indistinguishability  of  the  simulated 
transcripts  directly  implies  the  indistinguishability  of  H 1  and  the  ideal  execution. 
Hybrid  H2'  This  hybrid  proceeds  identically  to  Hi  except  that  the  simulator  switches 
the  receiver’s  input  that  it  uses  for  simulating  the  transcript  of  IIot  from  0  to  1. 
It  follows  from  the  analysis  of  the  second  case  above  that  when  considering  a  semi- 
honest  adversary  acting  as  the  sender  of  IIoT)  the  adversary  cannot  tell  apart  if  the 
honest  receiver  is  using  inputs  0  or  1.  Thus  the  simulated  transcripts  in  H\  and  H2 
must  be  indistinguishable.  Therefore,  it  follow  from  a  similar  argument  as  in  Hi 
that  Hi  and  H2  are  indistinguishable. 

Hybrids  H%  and  Hi:  These  two  hybrids  proceed  identically  to  H2  except  that  the 
simulator  switches  the  inputs  that  it  uses  for  simulating  the  transcript  of  IIot  from 
((0,  iq),  1)  in  H2  to  ((uo,ui),  1)  in  H3  and  to  ((uo,ui),tt)  in  Hi.  It  follows  from  the 
same  argument  as  in  Hi  that  hybrid  H3  is  indistinguishable  to  H2,  and  from  the 
same  argument  as  in  H2  that  hybrid  Hi  is  indistinguishable  to  H3. 

Finally,  in  the  last  hybrid,  A  receives  the  transcript  of  the  execution  of  IIot  using  true 
inputs  as  in  the  real  execution.  Furthermore,  since  the  outputs  of  the  honest  receiver  in 
Hi  is  identical  to  that  in  the  real  execution  (both  equal  to  vu ),  we  have  that  the  output 
of  the  environment  in  Hi  is  identically  distributed  to  that  in  the  real  execution.  Then  by 
a  hybrid  argument  we  conclude  that  the  real  and  ideal  executions  are  indistinguishable. 

Proof  of  Claim  f.  Let  <b  be  the  set  of  locations  where  A  cheats  in  Stage  3.  We  note  that  $  can 
be  computed  efficiently  given  the  values  that  A  commits  to  using  (C,R)  in  Stage  2.  Recall  that 
the  receiver’s  honesty  check  in  Stage  4  requires  the  receiver  to  open  all  the  commitments  it  sends 
in  Stage  2  at  locations  in  Tr.  Therefore  if  <h  n  T#  /  0,  by  the  statistically  binding  property  of 
( C,R ),  A  would  have  been  caught  cheating.  Thus  if  A  successfully  completes  Stage  4,  it  must  hold 
that  4>  n  T/j  =  0.  Now  assume  for  contradiction  that  A  cheats  in  more  than  n  OT  executions,  but 
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successfully  completes  Stage  4  in  H4  (i.e.,  |4>|  >  n  and  <f>  n  Tr  =  0)  with  polynomial  probability. 
Then  we  show  that  A  can  be  used  to  violate  the  CCA-security  of  (C,  R). 

Consider  a  machine  B  that  acts  as  a  receiver  of  (C.  R)  externally  with  access  to  the  committed- 
value  oracle  O;  internally,  it  emulates  an  execution  of  hybrid  H4  with  A,  by  using  O  to  implement 
the  helper  functionality  "H,  except  the  following:  It  forwards  messages  from  the  external  committer 
C  to  A  as  the  sender’s  commitment  in  Stage  1;  then  after  Stage  3,  it  computes  the  set  using  the 
values  that  A  commits  to  in  Stage  2  obtained  through  the  helper  functionality  R  as  in  H, 4;  finally, 
it  simply  outputs  <J>  and  aborts.  It  follows  from  the  construction  that,  when  B  externally  receives 
a  commitment  to  — a  randomly  chosen  set  of  size  n — using  the  identity  of  the  honest  sender, 
it  internally  emulates  the  execution  of  H4  perfectly  up  to  Stage  3;  then  by  our  hypothesis,  with 
polynomial  probability,  it  outputs  a  set  <3?  of  size  greater  than  n,  disjoint  with  T^.  However,  on 
the  other  hand,  if  B  externally  receives  a  commitment  to  0  (still  using  the  identity  of  the  honest 
sender),  then  the  probability  that  B  outputs  a  set  of  size  greater  than  n  that  is  disjoint  with  the 
randomly  chosen  is  exponentially  small.  Finally  since  all  the  commitments  that  B  queries  to 
the  committed-value  oracle  O  have  identities  belonging  to  a  corrupted  party,  different  from  the 
identity  of  the  honest  sender,  we  have  that  B  violates  the  CCA  security  of  ( C ,  R).  □ 
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Abstract 

How  can  we  encode  a  communication  protocol  between  two  parties  to  become  resilient  to 
adversarial  errors  on  the  communication  channel?  This  question  dates  back  to  the  seminal 
works  of  Shannon  and  Hamming  from  the  1940’s,  initiating  the  study  of  error-correcting  codes 
(ECC).  But,  even  if  we  encode  each  message  in  the  communication  protocol  with  a  “good”  ECC, 
the  error  rate  of  the  encoded  protocol  becomes  poor  (namely  0(l/m)  where  m  is  the  number 
of  communication  rounds).  Towards  addressing  this  issue,  Schulman  (FOCS’92,  STOC’93) 
introduced  the  notion  of  interactive  coding. 

We  argue  that  whereas  the  method  of  separately  encoding  each  message  with  an  ECC  ensures 
that  the  encoded  protocol  carries  the  same  amount  of  information  as  the  original  protocol,  this 
may  no  longer  be  the  case  if  using  interactive  coding.  In  particular,  the  encoded  protocol  may 
completely  leak  a  player’s  private  input,  even  if  it  would  remain  secret  in  the  original  protocol. 
Towards  addressing  this  problem,  we  introduce  the  notion  of  knowledge-preserving  interactive 
coding,  where  the  interactive  coding  protocol  is  required  to  preserve  the  “knowledge”  transmitted 
in  the  original  protocol.  Our  main  results  are  as  follows. 

•  The  method  of  separately  applying  ECCs  to  each  message  is  essentially  optimal:  No 
knowledge-preserving  interactive  coding  scheme  can  have  an  error  rate  of  1  /to,  where  m 
is  the  number  of  rounds  in  the  original  protocol. 

•  If  restricting  to  computationally-bounded  (polynomial-time)  adversaries,  then  assuming 
the  existence  of  one-way  functions  (resp.  subexponentially-hard  one-way  functions),  for 
every  e  >  0,  there  exists  a  knowledge-preserving  interactive  coding  schemes  with  constant 
error  rate  and  information  rate  n~e  (resp.  l/polylog(?r))  where  n  is  the  security  parameter; 
additionally  to  achieve  an  error  of  even  l/?n  requires  the  existence  of  one-way  functions. 

•  Finally,  even  if  we  restrict  to  computationally-bounded  adversaries,  knowledge-preserving 
interactive  coding  schemes  with  constant  error  rate  can  have  an  information  rate  of  at 
most  o(l/logn).  This  results  applies  even  to  non- constructive  interactive  coding  schemes. 


*Pass  is  supported  in  part  by  a  Alfred  P.  Sloan  Fellowship,  Microsoft  New  Faculty  Fellowship,  NSF  Award  CNS- 
1217821,  NSF  CAREER  Award  CCF-0746990,  NSF  Award  CCF-1214844,  AFOSR  YIP  Award  FA9550-10-1-0093, 
and  DARPA  and  AFRL  under  contract  FA8750-11-2-  0211.  The  views  and  conclusions  contained  in  this  document 
are  those  of  the  authors  and  should  not  be  interpreted  as  representing  the  official  policies,  either  expressed  or  implied, 
of  the  Defense  Advanced  Research  Projects  Agency  or  the  US  Government. 
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1  Introduction 


The  study  of  how  to  communicate  over  a  noisy  channel  dates  back  to  the  seminal  works  of  Shannon 
[Sha48]  and  Hamming  [HAM50]  from  the  1940s,  initiating  the  study  of  error-correcting  codes. 
Roughly  speaking,  an  error-correcting  code  encodes  a  k- bit  message  m  into  a  ck  bit  message  with 
the  property  that  even  if  a  fraction  ij  <  1  of  the  bits  of  the  encoded  messages  are  adversarially 
changed,  the  original  message  m  can  be  decoded;  R  =  1/c  is  referred  to  as  the  information  rate  of 
the  code,  and  r/  as  the  error  rate.  Efficiently  encodable  and  decodable  error  correcting  codes  with 
constant  information  rate  and  error  rate  are  known  [Jus];  in  fact,  such  codes  can  even  be  made 
linear-time  encodable  and  decodable  [Spi96] . 

In  this  work,  we  are  interested  in  the  question  of  how  to  encode  interactive  communication: 
Given  an  interactive  protocol  n  =  (A,  B)  between  two  parties,  how  can  we  encode  this  protocol  to 
become  resilient  to  adversarial  errors?  A  naive  approach  would  be  to  simply  apply  a  “good”  (i.e. , 
constant  information  and  error  rate)  error  correcting  code  to  each  message  of  the  protocol.  This 
results  in  a  poor  error  rate:  if  the  protocol  has  m  rounds  and  each  round  requires  sending  a  fc-bit 
message,  then  it  suffices  to  corrupt  0(k)  out  of  the  0(km .)  communicated  bits  (that  is,  a  fraction 
0(l/m))  to  ensure  an  incorrect  decoding.  To  address  this  problem,  Schulman  [Sc,h92,  Sch93,  Sch96] 
introduced  the  notion  of  interactive  coding.  Roughly  speaking,  an  interactive  coding  scheme  is  an 
algorithm  Q  =  (Qi,Q2)  such  that  for  any  interactive  protocol  n  =  ( A,  B ),  ( Qi,Q 2)  emulates  the 
interaction  of  (A,  B )  in  the  sense  that  (with  overwhelming  probability)  the  execution  of  the  actual 
protocol  (A,  B)  and  the  “encoded  protocol”  (Q^Q?)  yield  the  same  outputs.  Additionally,  the 
protocol  (Q^,  Q2 )  is  error-resilient:  the  execution  of  (Qf,  Q2)  yields  the  same  outputs  even  if  a  rj 
fraction  of  the  communication  is  adversarially  corrupted,  where  77  is  an  error  rate.  Schulman  [Sch96] 
presented  an  interactive  coding  scheme  with  constant  information  and  error  rate.  Schulman’s 
construction  achieved  an  error  rate  of  1/240,  which  was  later  improved  by  Braverman  and  Rao 
[BR11]  and  Braverman  [Bral2]  to  (close  to)  1/8.  The  interactive  coding  scheme  Q  in  their  works, 
however,  requires  exponential  or  subexponential  time.  Gelles,  Moitra  and  Sahai  [GMS11]  showed 
to  get  a  polynomial-time  interactive  coding  (with  constant  information  and  error  rate)  for  the  case 
of  uniformly  distributed  (as  opposed  to  adversarial)  errors.  More  recently,  the  elegant  work  of 
Brakerski  and  Kalai  [BK12]  showed  how  to  get  a  polynomial-time  interactive  coding  handling  also 
adversarial  errors,  with  a  constant  information  rate  and  an  error  rate  of  (close  to)  1/32,  and  even 
more  recently  Brakerski  and  Naor  [BN13]  show  how  to  get  quasi- linear  time  interactive  coding  with 
constant  information  and  error  rate. 

Interactive  Coding,  revisited  When  we  encode  messages  using  error  correcting  codes  we  ensure 
that  the  encoded  messages  carry  exactly  the  same  information  as  the  original  messages;  in  other 
words,  they  carry  all  the  information  in  the  original  messages  (or  else  we  cannot  decode),  and 
additionally  they  do  not  carry  any  other  information  (say,  about  future  messages).  Consider,  for 
instance,  transmitting  an  “interactive  exam”  (e.g.,  an  oral  exam)  in  an  error  resilient  way.  The 
exam  has  the  property  that  question  2  in  the  exam  reveals  the  answer  to  question  1.  Ideally,  we 
would  like  to  guarantee  that  the  error  resilient  version  of  the  exam  does  not  allow  the  student 
(taking  the  exam)  to  see  question  2  before  it  needs  to  provide  the  answer  to  question  1  (or  else  it 
can  trivially  answer  question  1).  Clearly  this  property  would  hold  if  we  use  the  “naive  approach” 
of  separately  encoding  every  message  using  an  error  correcting  code,  but  as  we  shall  see  shortly, 
this  property  may  no  longer  hold  if  we  use  interactive  coding.  Intuitively,  the  problem  is  that 
interactive  coding  (and  in  particular,  the  above-mentioned  solutions),  while  guaranteeing  that  the 
encoded  protocol  carries  at  least  the  same  amount  of  information  as  the  original  protocol,  does  not 
necessarily  guarantee  that  the  encoded  protocol  does  not  reveal  more  information  than  the  original 
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protocol. 

As  another  example,  consider  two  mutually  distrustful  players  that  wish  to  runs  some  secure 
cryptographic  protocol  ( A,B )  over  a  noisy  channel.  Can  these  players  instead  run  an  interactive 
coding  (Qi,  Q2  )  of  ( A ,  B)1  In  other  words,  does  the  interactive  coding  preserve  the  security  of  the 
original  underlying  protocol?  It  is  easy  to  see  that  the  “naive  approach”  of  separately  encoding 
every  message  using  an  error  correcting  code  preserves  security  of  the  underlying  protocol.  However, 
if  we  use  interactive  coding,  this  may  no  longer  be  the  case.  The  problem  is  that  the  notion  of 
interactive  coding  only  requires  that  the  encoded  protocol  (Q^Q^)  emulates  ( A,  B )  as  long  as 
both  of  the  communicating  parties  are  honestly  executing  the  protocol.  In  particular,  if  one  of  the 
players  is  adversarial,  it  could  be  the  case  that  the  player  gains  more  information  when  participating 
in  the  encoded  protocol  than  it  would  have  in  the  original  protocol;  for  instance,  player  1  may,  by 
deviating  from  the  protocol  instructions  in  the  encoded  protocol  (Qf,  Qf),  learn  something  about 
player  2’s  private  input  that  is  guaranteed  to  remain  secret  in  the  original  protocol  ( A,  B )  (no 
matter  what  player  1  does). 

The  reason  interactive  coding  schemes  do  not  necessarily  provide  the  desired  guarantees  in  the 
above  scenarios  is  that  such  schemes  typically  “bundle  together”  multiple  rounds  of  interactions 
of  the  original  protocol,  and  when  an  error  in  the  communication  is  detected,  the  whole  bundle  is 
“replayed”.  (Looking  forward,  as  we  show  in  Theorem  2,  any  interactive  coding  with  a  “good”  error 
rate  in  fact  needs  to  replay  messages  in  this  way.)  This  may  allow  an  attacker  to  “fake”  an  error  in 
the  communication  in  order  to  get  the  bundle  replayed,  but  this  time  change  its  messages,  and  as  a 
consequence  may  learn  two  (or  more)  partial  transcripts  where  the  attackers  messages  are  different: 
in  essence,  the  encoded  protocol  gives  the  attack  the  opportunity  to  “rewind”  the  honest  player  in 
original  protocol.  In  the  above  “interactive  exam”  example  such  rewindings  mean  that  the  student 
may  get  knowledge  of  the  second  question  before  having  to  provide  the  answer  to  the  first  one; 
for  the  cryptographic  protocol  example,  it  is  well-known  that  most  (but  not  all,  see  [CGGMOO]) 
cryptographic  protocols  are  not  secure  under  such  rewindings:  Consider,  for  instance,  any  of  the 
classic  zero-knowledge  protocols  (e.g.,  [GMR89,  Blu86]);  if  the  verifier  can  rewind  the  prover  just 
once,  it  can  completely  recover  the  NP-witness  used  by  the  prover,  although  the  protocols  are 
zero- knowledge  without  such  rewindings. 

Knowledge-preserving  interactive  coding  Towards  addressing  this  problem,  we  here  put 
forward,  and  study,  the  notion  of  knowledge-preserving  interactive  coding :  Roughly  speaking,  we 
require  not  only  that  (Qf,  Q2 )  conveys  at  least  as  much  “knowledge”  as  (A,  B),  but  also  that  it  does 
not  convey  more,  even  if  one  of  the  players  adversarially  deviaties  from  the  protocol  instructions; 
that  is,  (Qi,  Q2  )  preserves  the  knowledge  transmitted  in  (A,  B).  In  other  words,  we  require  not  only 
that  (Qi,  Q2 )  emulates  (A,  B)  when  the  players  are  honest  (only  caring  about  their  correct  output 
and  not  trying  to  extract  any  other  knowledge) ,  but  also  that  it  is  a  good  emulation  when  one  of  the 
players  adversarially  deviaties  from  the  protocol  instructions  (e.g.,  trying  to  obtain  more  knowledge 
about  the  other  player’s  input  and  potentially  use  it  in  the  interaction).  We  formalize  this  notion 
through  the  classic  zero-knowledge  “simulation-paradigm”  from  cryptography  [GMR89,  GMW91]: 
We  require  that  for  every  adversarial  strategy  A*  for  player  1  (resp.  B*  for  player  2)  participating 
in  the  encoded  protocol  (A,B)  =  there  exists  a  “simulator”  A*  (resp.  B*)  such  that 

the  output  of  both  players  in  the  execution  of  (A* ,  B)  (resp.  (A,  B*))  are  indistinguishable  from 
the  outputs  of  players  in  the  execution  of  (A* ,  B)  (resp.  (A,B*)).  In  other  words,  an  adversary 
participating  in  the  encoded  protocol  does  not  gain  any  more  “knowledge”  than  it  would  have  in 
the  original  protocol,  and  cannot  affect  the  honest  parties  output  more  than  it  could  have  in  the 
original  protocol. 
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As  we  shall  see,  achieving  knowledge-preserving  interactive  coding  is  significantly  harder  than 
“plain”  interactive  coding,  and  studying  resilience  against  only  computationally  bounded  adver¬ 
saries ,  as  was  done  by  Lipton  [Lip94]  and  Micali,  Peikert,  Sudan  and  Wilson  [MPSW10]  in  the 
context  of  error  correcting  codes,  is  actually  essential  for  achieving  good  error  rates  in  the  context 
of  knowledge-preserving  interactive  coding. 

1.1  Our  Results 

We  are  interested  in  knowledge-preserving  interactive  coding  schemes  Q  =  (■ Qi,Q2 )  where  Q\ 
and  Q2  are  efficient;  we  formalize  this  by  requiring  that  Q\,  Q2  receive  as  input  the  communication 
complexity  t  and  number  of  rounds  m  of  the  protocol  (A,  B ),  and  a  security  parameter  n,  and  require 
that  Qi,Q2  run  in  time  polynomial  in  £,  rn  and  n;  in  the  sequel,  when  referring  to  a  knowledge¬ 
preserving  interactive  coding  scheme,  we  only  refer  to  such  efficiently  computable  schemes. 

The  information-theoretic  regime  We  start  by  stating  the  folklore  result  that  the  “naive 
approach”  of  separately  encoding  each  message  in  the  protocol  with  a  good  error  correcting  code 
is  a  knowledge-preserving  interactive  coding: 

Theorem  1.  [Informally  stated]  There  exists  a  knowledge-preserving  interactive  coding  scheme  Q 
with  polynomial  information  rate  and  error  rate  0(l/m)  where  m  is  the  number  of  communication 
rounds  in  the  original  protocol. 

Our  first  result  is  a  strong  negative  result  for  knowledge-preserving  interactive  coding,  show¬ 
ing  that  the  naive  approach  is  essentially  optimal  (if  requiring  resilience  against  computationally 
unbounded  adversaries). 

Theorem  2.  [Informally  stated]  For  every  knowledge-preserving  interactive  coding  scheme  Q  = 
( Qi,Q2 )?  every  polynomial  m(-),  there  exists  an  m{n)-round  protocol  (A,B)  such  that  (Qi4,Qf) 
has  an  error  rate  of  at  most  1  / m(n ) ,  where  n  is  the  security  parameter.  (In  particular,  no  knowledge 
preserving  coding  scheme  can  have  error  rate  1/poly (n)  where  n  is  the  security  parameter). 

Let  us  provide  a  high-level  overview  of  the  proof  of  the  theorem.  The  key  idea  is  to  come 
up  with  a  protocol  n  having  the  property  that  the  only  way  to  make  the  protocol  error  resilient 
makes  it  possible  for  an  attacker  to  “rewind”  the  honest  players  (just  as  what  is  done  in  known 
interactive  protocols,  as  described  above).  Consider  some  interactive  coding  protocol  Q  =  (Q 1,  Q2) 
and  let  M(n,m,£)  be  a  polynomial  upper  bound  on  the  number  queries  made  by  Qi,Q2  to  its 
oracles  (where  n  is  the  security  parameter,  m  is  the  number  of  round  in  the  protocol  it  to  be 
encoded,  and  t  is  the  communication  complexity  of  it).  Consider  the  m(n )  =  poly(n)-round  “ping- 
pong”  protocol  7T  where  each  player  d  G  {1,2}  gets  an  M(n,2mn,m)  +  1-wise  independent  hash 
function  Hd  :  {0,  l}?01^")  ->  {0,  l}n  as  input  and  proceeds  as  follows:  player  1  computes  and  sends 
ai  =  Hi(f[f)  to  player  2;  player  2  computes  and  sends  b\  =  #2(01)  to  player  1;  player  1  computes  and 
send  a2  =  Ri(ai,&i)  to  player  2,  etc,  for  rn  rounds,  and  finally  both  player  output  the  transcript 
of  the  interaction.  That  is,  at  each  round,  each  player  d,  computes  its  next  message  by  applying 
its  hash  function  Hd  to  the  current  transcript.  Note  that  in  this  protocol,  by  the  unpredictability 
of  the  output  of  the  hash  functions,  player  1,  even  if  maliciously  deviating  from  the  protocol,  will 
with  overwhelming  probability  be  able  to  obtain  at  most  m  distinct  pairs  (q,H2(q)). 

In  contrast,  as  we  show,  unless  the  encoded  protocol  has  an  error  rate  less  than  1/m,  a  malicious 
player  1  in  the  encoded  protocol  can  with  inverse  polynomial  probability  get  m  + 1  such  pairs  (and 
as  such  a  malicious  player  1  can  learn  something  new  in  Q 71  that  it  couldn’t  have  learnt  in  7 r). 
The  key  lemma  needed  to  establish  this  shows  that  the  encoded  protocol  “implicitly  executes”  the 
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original  ping-pong  protocol.  More  precisely,  the  rounds  of  the  encoded  protocol  can  be  divided  into 
“chunks” ,  where  each  chunk  in  the  encoded  protocol  corresponds  to  a  round  in  ping-pong  protocol1, 
and  additionally  by  observing  the  oracle  queries  made  by  Q,  we  can  read  out  a  polynomial  list  of 
candidates  for  the  current  transcript  of  the  ping-pong  protocol;  to  establish  this  lemma  we  rely 
on  the  “elusiveness”  property  of  the  output  of  the  hash  functions  (and  the  fact  that  Q  queries  the 
hash  functions  at  most  M(n,2mn,m)  times). 

Next,  by  an  averaging  argument,  one  of  these  chunks,  say  chunk  i,  must  be  shorter  than  a 
fraction  1  /m  of  the  total  communication  complexity  of  the  encoded  protocol.  The  idea  now  is  for 
a  malicious  player  1  to  honestly  execute  the  encoded  protocol  using  its  actual  input,  except  that 
during  the  i’th  chunk,  the  player  acts  as  if  its  input  was  a  random  hash  function  H[  consistent 
with  the  transcript  up  until  the  end  of  chunk  1  —  1;  that  is,  we  switch  the  input  only  in  chunk  i, 
but  make  sure  we  pick  an  input  that  is  consistent  with  the  transcript  so  far.  (Note  that  this  attack 
is  not  necessarily  efficient  since  picking  an  input  consistent  with  the  current  transcript  may  not 
be  compuationally  feasible.)  Now,  intuitively,  since  the  chunk  was  “small”,  by  the  error  resilience 
property  of  the  interactive  coding  scheme,  with  overwhelming  probability,  player  1  will  finally 
output  the  same  transcript  (including  m  distinct  pairs  {q,H-2{q)))  as  if  it  had  been  running  the 
protocol  honestly.  (Formalizing  this  requires  showing  that  the  attack  performed  by  player  1  can  be 
perfectly  emulated  by  the  channel). 

Additionally,  as  we  show,  by  observing  the  oracle  queries  made  by  Q\  during  the  i’th  chunk 
(which  corresponds  to  the  i’th  round  in  the  implicitely  executed  ping-pong  protocol),  player  1  may 
learn  a  new  pair  (q' ,  H2(q'))',  intuitively,  this  follows  since  player  1  is  using  a  new  input  in  round  i 
of  the  implicitely  executed  ping-pong  protocol  (but  formally  proving  this  claim  is  quite  non-trivial) . 
Thus,  in  essence,  player  1,  by  using  a  different  input  in  only  chunk  i  manages  to  “rewind”  player 
2  in  the  implict  ping-pong  protocol. 

So,  if  player  1  could  just  identify  the  f’th  chunk,  it  can  learn  m  +  1  distinct  pairs  (q,  #2(9)), 
which  was  not  possible  in  7 r;  but  it  can  simply  guess  the  starting  round  of  the  i’th  chunk  with  inverse 
polynomial  probability.  Summarizing,  in  7 r,  an  attacker  can  learn  m  +  1  distinct  pairs  (q,H2(q)) 
only  with  negligible  probability,  whereas  in  Q n  this  can  be  done  with  inverse  polynomial  probability 
(if  Qn  has  a  “non-trivial”  error  rate);  thus,  we  are  “blatantly”  violating  knowledge-preservance  of 

Q. 

The  computational  regime  We  next  turn  to  consider  computational  knowledge-preserving  in¬ 
teractive  coding ,  where  we  only  require  resilience  against  computationally  bounded  adversaries: 
we  only  require  the  error-resilience  property  to  hold  against  computationally-bounded  channel 
adversaries,  and  the  knowledge-preserving  property  to  hold  against  computationally-bounded  ad¬ 
versaries.  We  first  present  a  positive  result,  showing  that  constant-error  rate  is  possible  (albeit  at 
a  sub-constant  information  rate): 

Theorem  3.  [Informally  stated]  Assume  the  existence  of  one-way  functions.  Then,  for  every 
e  >  0,  there  exists  a  knowledge-preserving  interactive  coding  scheme  with  error  rate  (1/12)  —  e  and 
information  rate  0(l/ne)  where  n  is  the  security  parameter.  If  additionally  subexponentially-hard 
one-way  functions  exists,  the  information  rate  can  be  improved  to  0(  1/poly logn). 

The  idea  behind  this  scheme  is  simple:  The  players  start  by  exchanging  verification  keys  for 
a  signature  scheme;  the  verification  keys  are  appropriately  padded  to  become  “long”  and  then 
encoded  using  a  good  error-correcting  code.  Next,  we  run  the  original  protocol,  except  that  all 
messages  in  the  protocol  are  signed  and  additionally  encoded  using  a  good  error-correcting  code. 

1These  chunks  may  depend  on  the  inputs  of  the  players  and  the  randomness  of  Q. 
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Whenever  a  player  receives  a  message  that  does  not  have  a  valid  signature,  it  requests  to  hear  the 
message  again.  It  is  easy  to  show  that  this  coding  scheme  is  knowledge  preserving  (even  against 
unbounded  attackers);  additionally,  if  the  verification  keys  exchanged  in  the  first  round  are  long 
enough,  then  the  scheme  has  error  rate  close  to  ?7/4,  where  77  is  the  error  rate  of  the  error-correcting 
code.  Using  state  of  the  art  error-correcting  codes  this  would  yield  an  error  rate  of  1/16  —  e  (where 
e  >  0  is  an  arbitrarly  small  constant).  We  can  further  improve  the  error  rate  by  relying  on  an 
idea  from  [MPSW10]:  since  messages  are  signed  and  we  only  consider  a  computationally  bounded 
channel,  it  in  fact  suffices  to  “list-decode”  the  error-correcting  code  used  to  encode  the  messages 
in  the  protocol  (while  still  using  unique  decoding  for  error-correcting  code  used  to  encode  the 
verification  keys).2  This  allows  us  to  improve  the  error  rate  to  1/12  —  e. 

As  our  next  result  demonstrates,  one-way  functions  are  necessary  to  achieve  a  “non-trivial” 
error  rate. 

Theorem  4.  [Informally  stated]  Assume  the  existence  of  a  computational  knowledge-preserving 
interactive  coding  scheme  with  error  rate  1/m,  where  m  is  the  number  of  communication  rounds  in 
the  original  protocol.  Then  one-way  functions  exist. 

The  proof  of  Theorem  4  follows  by  carefully  showing  that  the  attack  constructed  in  the  proof  of 
Theorem  2  can  be  “approximately”  implemented  in  polynomial-time,  if  one-way  functions  do  not 
exists. 

We  finally  show  that  every  computational  knowledge-preserving  interactive  coding  scheme  with 
constant  error  rate  must  have  an  information  rate  of  o(l/  log  n). 

Theorem  5.  [Informally  stated]  Assume  the  existence  of  a  computational  knowledge-preserving 
interactive  coding  scheme  with  information  rate  R  and  error  rate  77.  Then  Rg  e  o(l/log(n)),  where 
n  is  the  security  parameter. 

Let  us  first  mention  that  a  weaker  version  of  the  above  theorem,  demonstrating  that  the  infor¬ 
mation  rate  needs  to  sub  constant  (as  opposed  to  o(l/  log  n))  can  be  obtained  by  carefully  “scaling 
down”  the  proof  of  Theorem  2  by  considering  a  constant-round  ping-pong  protocol  where  the  length 
of  each  message  is  O(logn).  To  give  the  tight  bound,  we  need  to  rely  on  an  even  more  scaled  down 
version  where  the  length  of  the  messages  in  the  ping-pong  protocol  is  just  1.  In  this  regime,  the 
previous  proof  no  longer  works:  we  can  no  longer  ensure  that  the  transcript  from  the  ping-pong 
protocol  can  be  decoded  by  observing  all  the  oracle  calls  made  by  Q.  (In  the  proof  of  Theorem 
2  this  was  proven  by  relying  on  the  elusiveness  property  of  the  image  of  the  hash  function,  but 
since  we  now  consider  the  range  {0, 1},  this  no  longer  holds.)  Rather,  we  here  provide  a  different 
information-theoretic  definition  of  chunks  and  rely  on  the  fact  that  the  protocol  is  knowledge  pre¬ 
serving  to  show  that  chunks  are  well-defined  (to  simplify  the  proof  of  this,  we  actually  rely  on  a 
simpler  variant  of  the  ping-pong  protocol).  The  idea,  which  turn  out  to  be  quite  subtle  to  formalize, 
is  that  if  a  partial  transcript  contained  information  about,  say,  player  2’s  message  in  round  j,  before 
player  l’s  message  in  round  j  has  been  fully  determined  in  the  partial  transcript,  then  intuitively, 
player  1  has  the  opportunity  to  (with  non-negligible  probability)  change  its  message  in  round  j  as 
a  function  of  player  2’s  message  in  the  same  round,  which  isn’t  possible  in  the  original  ping-pong 
protocol. 

2[MPSW10]  relies  on  this  idea  to  show  how  to  achieve  an  error-correcting  code  with  error  rate  1/2  —  e  if  assuming 
a  (noiseless)  public-key  infrastructure  and  a  computationally-bounded  channel.  In  our  context,  we  do  not  have  a 
public-key  infrastructure,  but  our  initial  exchange  of  verification  keys  using  a  uniquely  decodable  error-correcting 
code  can  be  viewed  as  a  way  to  set-up  the  appropriate  public-key  infrastructure  needed  for  their  results. 
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Non-constructive  knowledge-preserving  interactive  coding  All  the  above-mentioned  re¬ 
sults  rely  on  the  standard  notion  of  interactive  coding  where  the  algorithm  Q  =  (Qi,  Q2)  only  uses 
the  original  protocol  n  =  (A,  B)  as  a  black-box  (i.e.,  the  encoded  protocol  is  One  may 

also  consider  a  more  relaxed  notion  of  coding,  where  the  encoded  protocol  uses  the  description 
of  the  protocol  7r  in  a  non-black-box  way,  or  is  even  non-constructive.  We  note  that  the  proof 
of  Theorem  6  is  actually  stronger  than  stated;  we  actually  show  that  every  protocol  (not  just 
those  protocols  obtained  by  accessing  the  original  protocol  tt  as  a  black-box)  that  preserves  the 
knowledge  transmitted  in  the  1-bit  ping-pong  protocol  and  has  an  error  rate  of  0(1),  must  have  a 
communication  complexity  of  at  least  w(logn). 

Theorem  6.  [Informally  stated]  For  every  function  r/(n)  >  0(1/ log  n),  there  exists  a  protocol 
tt  with  communication  complexity  0(  1/17(71))  such  that  for  every  protocol  tt'  that  is  a  knowledge¬ 
preserving  variant  of  it  (even  just  w.r.t.  computationally-bounded  adversaries)  and  is  computation¬ 
ally  rj-error  resilient,  the  communication  complexity  of  tt'  is  at  least  w(logn). 

It  is  worthwhile  to  compare  Theorem  6  with  Theorem  2.  As  mentioned  above,  Theorem  6  is 
stronger  that  Theorem  2  in  that  it  rules  out  also  non-constructive  interactive  coding  schemes.  On 
the  other  hand,  it  is  weaker  is  several  other  aspects:  First,  in  Theorem  2  we  “blatantly”  violate 
knowledge  preservance:  we  exhibit  some  explicit  information  that  can  only  be  learnt  with  negligible 
probability  in  7 r,  but  can  be  learnt  with  inverse  polynomial  probability  in  the  encoded  protocol.  In 
contrast,  in  the  proof  of  Theorem  6  we  rely  on  the  knowledge-preservance  property  in  a  stronger 
way  (in  particular,  as  mentioned  above,  we  rely  the  knowledge-preservance  property  to  show  that 
the  encoded  protocol  implicitly  executed  tt,  whereas  in  Theorem  2  this  could  be  showed  uncon¬ 
ditionally).  Secondly,  the  error  rate  achieved  in  Theorem  6  is  weaker  than  the  one  rate  achieved 
in  Theorem  2.  This,  to  some  extent,  is  necessary,  since  Theorem  6  also  rules  out  computational 
knowledge-preserving  interactive  coding,  and  as  showed  in  our  positive  result  (Theorem  3),  an  error 
rate  of  0(1)  can  be  achieved  in  this  setting. 

1.2  Overview  of  the  Paper 

In  Section  2  we  provide  some  notation  and  preliminaries.  In  Section  3  we  formally  define  the  notion 
of  knowledge-preserving  interactive  coding.  Section  4  contains  our  results  for  the  information- 
theoretic  setting,  and  Section  5  contains  our  result  for  the  computational  setting;  finally,  in  Section 
6  we  present  our  impossibility  results  for  non-constructive  interactive  coding. 

2  Notation  and  Preliminaries 

2.1  Notation 

Basic  Notation  Let  N  denote  the  set  of  positive  integers,  and  [n]  denote  the  set  {1,2, . . .  ,n}. 
By  a  probabilistic  algorithm  we  mean  a  Turing  machine  that  receives  an  auxiliary  random  tape 
as  input.  If  M  is  a  probabilistic  algorithm,  then  for  any  input  x,  the  notation  “Mr(x)”  denotes 
the  output  of  the  M  on  input  x  when  M’s  random  tape  is  fixed  to  r,  while  M(x)  represents  the 
distribution  of  outputs  of  Mr(x )  when  r  is  chosen  uniformly.  We  say  that  a  function  e  :  N  — >  [0, 1] 
is  negligible  if  for  every  constant  c  G  N,  e(n)  <  n~c  for  sufficiently  large  k.  We  say  that  a  function 
/i  :  N  — >  [0, 1]  is  overwhelming  if  there  exists  a  negligible  function  e  such  that  for  all  n  £  N, 
/i(n)  >  1  —  e(n). 


Approved  for  Public  Release;  Distribution  Unlimited. 

6 

645 


Probabilistic  Notation  We  use  probabilistic  notation  from  [GMR89]:  By  x  S,  we  denote  that 
an  element  x  is  sampled  from  a  distribution  S.  If  F  is  a  finite  set,  then  x  4—  F  means  x  is  sampled 
uniformly  from  the  set  F  .  To  denote  the  ordered  sequence  in  which  the  experiments  happen  we  use 
comma,  e.g.  (x  <—  S ,  (y,  z)  <—  A{x)).  Using  this  notation  we  can  describe  probability  of  events.  For 
example,  if  p(-,  •)  denotes  a  predicate,  then  Pr[x  <—  S,  (y,  z)  <—  A{x)  :  p(y,  z)\  is  the  probability  that 
the  predicate  p(y,z )  is  true  in  the  ordered  sequence  of  experiments  (x  <—  S,  ( y,z )  <—  A(x)).  The 
notation  {(a;  <—  S,(y,z)  <—  A(x)  :  {y,z))}  denotes  the  resulting  probability  distribution  {(y,z)} 
generated  by  the  ordered  sequence  of  experiments  (x  £-  S,  (y,  z)  <—  A(x)). 

Notation  for  Interactive  protocols  An  interactive  protocol  is  a  tuple  it  =  (A,B,Xa,Xb) 
where  A  and  B  are  interactive  probabilistic  Turing  machines  and  Xa  and  Xb  specify  the  set  of 
inputs  to  A  and  B  (parametrized  by  a  security  parameter  n).  A  and  B,  on  input  x  £  Xa( ln)  and 
y  £  XB{ln)  interact  with  each  other  and  generate  some  output  at  the  end  of  the  interaction.  We 
denote  this  interaction  by  A(x)  •£)•  B(y)  (formally,  it  is  a  random  variable  over  joint  views  of  A  and 
B ,  including  the  randomness  of  both  players,  their  inputs,  and  all  the  messages  received).  Given 
an  interaction  e,  we  denote  by  out,;[e]  the  output  of  player  i  £  {1,  2},  by  out[e]  the  output  of  both 
parties,  and  by  transfe]  the  transcript  of  the  interaction. 

2.2  Statistical  Distance  and  Computational  Indistinguishability 

We  recall  the  definitions  of  statistical  distance  and  computational  indistinguishability. 

Definition  7  (Statistical  distance).  The  statistical  distance  between  two  probability  distributions 
X,Y  is  defined  by  A (X,Y)  =  (1/2)  •  \  Fr[x  X]  —  Pr[x  T]|.  X  and  Y  are  e-close  if 

A  {X,Y)<e. 

The  statistical  distance  between  two  ensembles  {Xk\^  and  {Yk}k  is  a  function  6  defined  by 
S(k)  =  A (Xk,Yk).  Two  probability  ensembles  are  said  to  be  statistically  close  if  their  statistical 
distance  is  negligible.  We  also  say  Xf.  and  Yj~  are  statistically  close  if  A  (A*.,!*,)  <  e(k)  for  some 
negligible  function  e. 

Definition  8  (Computational  Indistinguishability).  Two  ensembles  {Xk},  {Yk}  are  computationally 
indistinguishable  if  for  every  probabilistic  polynomial  time  distinguisher  D.  there  exists  a  negligible 
function  p  such  that  for  every  k  £  N, 

I  Pr[D(lfc,  Xf.)  =  1]  -Pr[D(lfc,Tfc)  =  1] |  <  p(k). 


2.3  Hash  Functions 

We  recall  the  standard  definition  of  f-wise  independent  hash  functions. 

Definition  9  (t-wise  Independent  Hash  Functions).  A  family  of  hash  functions  H  =  {h  :  S\  — >  52} 
is  t-wise  independent  if  the  following  two  conditions  hold: 

1.  \/x  £  Si,  the  random  variable  h{x)  is  uniformly  distributed  over  S2,  where  h  ■<—  H. 

2.  Vx'i  /  •  •  •  /  xt  £  Si,  the  random  variables  h(x  1), . . . ,  h(xt)  are  independent,  where  h  H . 
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2.4  One-way  Functions  and  Distributionally  One-way  Functions 

We  start  by  recalling  the  definition  of  a  one-way  function. 

Definition  10  (One-way  functions).  A  function  /  :  {0, 1}*  — >  {0, 1}*  is  one-way  if  it  is  computable 
in  polynomial  time  and  for  every  non-uniform  probabilistic  polynomial  time  machine  A,  there  exists 
a  negligible  function  /i(-)  such  that  for  every  n  G  N, 

Pr  [x  <-  {0,  1}"  :  A(f(x))  G  /_1(/0*0)]  <  n(\x\ ) 

Additionally,  if  there  exists  some  e  such  that  above  holds  for  every  poly(2n£)-sized  circuits  A,  f  is 
a  subexponentially-hard  one-way  function. 

A  distributionally  one  way  function  is  weaker  primitive:  here  it  is  only  computationally  infeasible 
to  find  a  random  pre- image  to  f(x)  (but  finding  some  pre-image  may  be  easy). 

Definition  11  ([IL89]:Distributionally  one-way  functions).  We  say  a  function  /  :  {0, 1}*  — >  {0, 1}* 
is  distributionally  one-way  if  it  is  computable  in  polynomial  time  and  there  exists  a  constant  c  >  0 
such  that  for  every  non-uniform  probabilistic  polynomial-time  algorithm  A,  for  sufficiently  large 
n  G  N,  the  statistical  distance  between  the  following  distributions  is  at  least  \\ 

•  {x  <-  {0,  l}n  :  (f(x),x)} 

•  {x  <-  {0,  l}n  :  (f(x),  A(f(xn))} 

While  distributionally  one-way  functions  are  a  weaker  primitive  than  one  way  functions,  [IL89] 
shows  that  the  existence  distributionally  one-way  functions  implies  the  existence  of  one-way  func¬ 
tions. 

Theorem  12  ( [IL89] ) .  Distributionally  one-way  functions  exist  if  and  only  if  one  way  functions 
exist. 

2.5  Signature  schemes 

We  recall  the  definition  of  an  (adaptive-secure)  signature  schemes. 

Definition  13  (Signature  scheme  [GMR89]).  A  secure  signature  scheme  with  signature-length  /(•) 
and  key-length  v(-)  is  a  triple  (Gen,  Sig,  Ver)  of  probabilistic  polynomial  time  algorithms,  such  that 

•  for  all  n  G  N,  m  G  {0, 1}*, 

Pr[(s/c,u&:)  A—  Gen(ln),  a  <—  Sigsfc(m)  :  \sigm.a\  <  l(n)  A  \vk\  <  v(n )  A  Ver.„fc(m,  a)  =  1]  =  1 

•  for  every  non-uniform  probabilistic  polynomial  time  adversary  A,  there  exists  a  negligible 
function  //(•)  such  that 

Pr [(sk,vk)  <—  Gen(ln),  (m,  a)  4-  ASlSsfc^'-*(ln)  :  Vert,/C(?n,  a)  =  1  A  m  <£  L\  <  /x(n) 

where  L  denotes  the  list  of  A’s  queries  to  its  oracle. 

The  existence  of  signatures  schemes  is  implied  by  the  existence  of  one-way  functions  [NY89, 
Rom90] : 

Theorem  14.  Assume  the  existence  of  one-way  functions  ( resp .  sub- exponentially  hard  one-way 
functions).  Then  there  exists  a  secure  signature  scheme  (resp.  a  secure  signature  scheme  with 
signature-length  and  key-length  polylogn). 
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2.6  Error-correcting  Codes 

We  recall  the  definition  of  error  correcting  codes. 

Definition  15  (Coding  function).  An  (n,£) -coding  function  C  =  (. E,D )  is  an  encoding  function 
E  :  {0,  l}n  — >  {0, 1 Y  and  a  decoding  function  D  :  {0, 1}^  — *  {0,  l}n  for  some  positive  integers  £  >  n. 
The  information  rate  of  the  scheme,  denoted  R  is  defined  as  n/£.  The  scheme  has  error  rate  (or 
decoding  distance)  r/  if,  for  all  m  G  {0,  l}n  and  all  r  G  {0,  l}m  such  that  the  codeword  E(m )  and  r 
differ  in  at  most  r/m  bits,  D(r)  =  m. 

Definition  16  (ECC).  An  family  of  coding  functions  {Cn  =  (En,  Dn)}ne^  is  an  efficient  error 
correcting  code  (ECC)  C  =  ( E,D )  with  error  rate  rj  :  N  — >  (0, 1)  and  information  rate  R  :  N  — > 
(0, 1)  if  for  every  n  G  N,  ( En,Dn )  is  a  (■ n,n/R(n ))  coding  function  with  error  rate  r ?(n),  and  {En} 
and  {Dn}  can  be  computed  by  uniform  polynomial  time  algorithms. 

As  shown  by  Justesen  in  [Jus],  ECCs  with  constant  error  and  information  rate  exist. 

Theorem  17  ([Jus]).  There  exists  an  ECC  with  error  rate  0(1)  and  information  rate  0(1). 

Justensen  codes,  however,  do  not  give  a  tight  error  rate.  The  concatenation  of  the  Reed-Solomon 
code  [RS60]  and  the  Hadamard  code,  however,  yield  an  ECC  with  error  rate  close  to  1/4  (which  is 
optimal),  but  require  a  polynomial  information  rate. 

Theorem  18  ([GSOO]).  For  every  e  >  0,  there  exists  an  ECC  with  error  rate  \  —  e  and  information 
rate  R{n)  =  0(l/n). 

When  unique  decoding  is  impossible,  it  may  be  still  possible  to  decode  to  a  short  list  of  candidate 
messages;  the  notion  of  list-decoding  captures  this. 

Definition  19.  A  (n,  £)-coding  function  is  ( e,L)-list  decodable  if  for  any  r  G  {0,1}^,  there  exists 
a  list  of  at  most  l  <  L  distinct  mi,  m2,  ...mi  such  that  E(mi)  and  r  differ  in  at  most  em  bits, 
for  all  i  G  [/].  A  family  of  coding  functions  {(En,Dn)}n6N  with  information  rate  R  :  N  -»  (0, 1) 
is  efficiently  e-list  decodable  if  for  every  n  G  N,  (. En,Dn )  is  a  (■ n,n/R(n ))  coding  function  that  is 
(e(ra),  Ln)-list  decodable  for  some  Ln  G  N,  and  there  exists  a  polynomial  time  algorithm  LD  that 
finds  this  list. 

As  shown  by  Guruswami  and  Sudan  [GSOO] ,  the  concatenation  of  the  Reed-Solomon  code  and 
Hadamard  code  is  efficiently  list  decodable  up  to  an  error  rate  close  to  1/2. 

Theorem  20.  For  every  e  >  0,  there  exists  an  ECC  with  information  rate  R(n)  =  0(l/n)  that  is 
is  efficiently  \  ~  e-list  decodable. 

3  Knowledge-Preserving  Interactive  Coding 

In  this  section  we  provide  a  formal  definition  of  knowledge-preserving  interactive  coding. 

3.1  Error  Resilience  for  Interactive  Protocols 

Let  us  start  by  defining  error  rate  for  interactive  protocols;  in  contrast  to  earlier  works  on  interactive 
coding,  we  here  consider  error-resilience  against  both  unbounded  adversarial  channels  (as  is  typically 
done  [Sch96])  and  also  error-resilience  against  computationally  bounded  channels  (as  was  done  in 
the  context  of  error  correcting  codes  in  [Lip94,  MPSW10]). 
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Towards  providing  these  definitions,  we  need  some  additional  notation.  The  communication 
complexity  of  a  protocol  n  on  security  parameter  n,  denoted  by  CCn(7r),  is  the  worst-case  total 
number  of  bits  transmitted  in  the  interaction  A(x)  -H-  B(y),  over  all  possible  input  x  G  XA(1 n),y  £ 
Xb{  1")  and  randomness  of  both  players.  The  round  complexity  m(n)  of  a  protocol  n  on  security 
parameter  n  is  the  worst-case  number  of  communication  rounds  (one  round  corresponds  to  two 
message)  in  the  interaction  A(x )  o  B(y),  over  all  possible  input  x  G  AA(ln),y  G  Xb(V1)  and 
randomness  of  both  players. 

We  consider  interactive  protocols  running  over  noisy/adversarial  channels,  which  may  flip  some 
of  the  bits  transmitted  by  both  players.  We  model  channels  as  interactive  Turing  machines  that 
relay  messages  between  the  two  players. 

Definition  21  (Channel).  A  channel  is  an  interactive  Turing  machine  C  that  on  input  a  security 
parameter  1"  interacts  with  two  interactive  machines  by  relaying  messages  for  the  machines  as 
follows:  upon  receiving  a  message  m  from  one  machine,  C  sends  a  message  m'  to  the  other  machine 
of  length  | m!\  =  \m\. 

We  denote  by  A(x)  ^c(in)  B(y)  the  interaction  between  A(x)  and  B(y)  over  the  channel 
C  given  the  security  parameter  n.  (Note  that  the  interaction  A(x)  -H-  B(y)  is  identical  to  the 
interaction  A{x)  ^c0  (1  n)B(y),  where  Co  is  the  “honest”  channel  that  simply  relays  messages 
between  A  and  B  without  flipping  any  bits.) 

Definition  22  (Communication  Complexity  over  Noisy  Channels).  Let  it  =  (A,  B,  XA,  Xb)  be  a 
protocol.  The  communication  complexity  of  n  over  noisy  channels  on  security  parameter  n,  denoted 
by  CC*  (7 r),  is  the  worst-case  number  of  bits  transmitted  in  the  interaction  A(x)  -H-  B(y),  over  all 
possible  inputs  x  G  XA(ln),y  G  A#(ln),  randomness  of  both  players,  and  the  channel  C. 

We  are  now  ready  to  define  error  resilience. 

Definition  23.  A  protocol  7r  =  (A,B,Xa,Xb)  with  round-complexity  m(-)  is  (computationally) 
rj(-,  ■) -error  resilient  if  there  exists  a  negligible  function  /j  such  that  for  every  security  parameter  n, 
inputs  x  G  XA(1  n),  y  G  Ag(ln),  and  any  (non-uniform  probabilistic  polynomial-time  in  the  security 
parameter  n)3  channel  C  that  flips  at  most  rj(n,m(n ))  •  CC*(tt)  bits,  the  following  holds: 

Pr  [out[A(x)  G-  B(y)\  =  out[A(x)  1-)  B(y)]  >  1  -  y(n). 

3.2  Knowledge  Preservance 

Let  us  move  on  to  defining  what  it  means  for  a  protocol  7 r  =  (A,  B ,  XA,  Xb)  to  be  convey  “as  much 
knowledge”  as  a  protocol  n  =  (A,  B,  XA,  Xb).  We  formalize  this  using  the  classic  “simulation- 
paradigm”  from  cryptography  [GMR89,  GMW91].  We  require  that  for  every  adversarial  strategy 
A*  for  player  1  (resp.  B*  for  player  2)  participating  in  7r,  there  exists  a  simulator  A*  such  that  the 
output  of  both  players  in  the  execution  of  (A*,B)  (resp.  (A,B*))  are  indistinguishable  from  the 
outputs  of  players  in  the  execution  of  ( A*,B )  (resp.  ( A,B *)).  That  is,  any  “harm”  A*  can  do  in 
7 f,  the  simulator  A*  could  have  also  done  in  7 r. 

Definition  24.  A  protocol  7r  =  (A,  B,  XA,  Xb)  is  a  (computationally)  knowledge-preserving  variant 
of  7T  =  (A,  B ,  XA,  Xb)  if  the  following  two  properties  hold: 

3We  could  also  have  defined  the  channel  as  a  uniform  polynomial-time  algorithm.  All  our  result  hold  for  both 
choices. 
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•  Completeness:  There  exists  a  negligible  function  y  such  that  the  following  ensembles  are 
statistically  close  as  a  function  of  n. 

-  {out[A(.x)  B(y)\\ne^'XexA(\™),y£XB{ln) 

-  {out[A(.x)  B(y)]}neN}XexA(in),yexB{in) 

•  (Computational)  Knowledge  Preservance:  For  every  (probabilistic  polynomial-time)  adver¬ 
sary  strategy  A*  for  player  1,  there  exists  a  (probabilistic  polynomial-time)  strategy  A*  such 
that  the  following  ensembles  are  statistically  close  (resp.  computationally  indistinguishable) 
as  a  function  of  n. 

-  {out [A*{x,z)  «-)•  -B(2/)]}?leN,3;gAfA(i"),yeAfs(in),2e{o,i}* 

-  {out [A*(x,z)  -B(2/)]}ngN,a:6A,A(1"),yeA,s(1n),ze{0,1}* 

We  make  the  analogous  requirement  for  every  (probabilistic  polynomial-time)  adversary  strat¬ 
egy  B*  for  player  2. 

A  Remark  on  Auxiliary  Input  Just  as  in  the  classic  definitions  of  zero-knowledge  [GMR89, 
G094]  and  secure  computation  [GMW91],  the  additional  input  z  to  A*  (and  A*)  models  any 
auxiliary  information  available  to  the  attacker.  All  our  results  hold  regardless  of  whether  we  allow 
the  attacker  to  receive  such  auxiliary  information. 

Single-session  v.s.  Multiple  session  Knowledge  Preservance  Our  notion  of  knowledge 
preservance  assumes  that  the  attacker  is  only  participating  in  a  single  execution  of  n' ,  and  stipulates 
that  this  execution  of  tt'  emulates  n.  A  stronger  notion  of  concurrent  knowledge  preservance 
(in  analogy  with  the  notion  of  concurrent  zero- knowledge  [DNS04])  would  instead  require  that 
multiple  concurrent  executions  of  7 t'  still  emulate  tt1  (in  the  sense  that  an  attacker  participating  in 
an  arbitrary  polynomial  number  of  sessions  of  tt'  can  be  emulated  by  a  simulator  participating  in 
concurrent  sessions  of  7r.)  We  omit  a  formal  definition  of  concurrent  knowledge  preservance,  and 
simply  remark  that  our  positive  results  extend  also  to  the  concurrent  multi-session  setting. 

A  Remark  on  Preserving  Cryptographic  Protocol  Security  In  this  comment  we  assume 
the  reader  is  familiar  with  classic  definitions  of  protocol  security  [GMW91];  see  [Gol04]  for  details. 
It  easily  follows  from  the  definition  of  knowledge  preservance  that  if  a  protocol  7r  is  a  “secure 
implementation”  of  some  functionality  T  (in  the  sense  of  [Gol04]),  then  any  knowledge-preserving 
variant  tt/  of  n  will  also  be  a  secure  implementation  of  T .  Indeed,  if  tt'  is  a  knowledge-preserving 
variant  of  7 r,  then  tt'  is  “as  secure  as”  7r.  (Additionally,  if  n  is  a  concurrently  secure  implementation 
of  T  and  7 r'  is  a  concurrent  knowledge  preserving  variant  of  7 r,  then  tt'  is  a  concurrently  secure 
implementation  of  J-.) 

3.3  Knowledge-Preserving  Interactive  Coding 

We  are  now  ready  to  define  knowledge-preserving  interactive  coding.  An  interactive  coding  scheme  is 
a  pair  of  oracle-aided  interactive  probabilistic  Turing  machines  Q  =  (Qi,  Q 2).  For  every  interactive 
protocol  7r  =  (A,  B,  A’a,  As),  Q  induces  an  encoded  interactive  protocol  Q7'  =  (Qf,  Qf ,  A'a,  Ab), 
defined  as  follows.  In  the  interaction  of  Q 77 ,  Q\  and  Q 2  do  not  receive  the  input  directly.  Instead,  Q\ 
and  Q2  receive  as  input  the  security  parameter  ln,  the  round  complexity  lm  and  the  communication 
complexity  \ccA'k)  Qf  ^  anc[  are  given  oracle  access  to  ATa{x)  and  BrB(y)  respectively,  where 
x  G  A4(ln),y  G  Xb{ ln)  are  the  inputs  and  vaXb  £  {0, 1}00  are  uniformly  sampled.  More  precisely, 
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Q i  (resp.,  Q 2)  gets  oracle  access  to  the  next-message  functions  of  ATa(x)  (resp.,  BrB(y)),  which  on 
input  a  partial  transcript  T  returns  the  next  message  (or  the  final  output,  in  case  T  is  a  complete 
transcript).  The  interaction  is  denoted  by  Q2^  where  the  inputs  1",  lm,  and  \pcn(ir) 

are  omitted  for  notational  simplicity.  When  we  are  explicit  about  the  randomness  used  by  Q 1  and 
Q2,  we  write  <->■  Q2(y\r2). 

Definition  25  (Knowledge-Preserving  Interactive  Coding  Schemes).  Let  r/(-,  •),  r(-,  •)  €  (0,1)  be 
functions.  A  pair  of  oracle-aided  interactive  probabilistic  Turing  machines  Q  =  (Q 1,  Q2)  is  a  (com¬ 
putational)  knowledge-preserving  interactive  coding  scheme  with  error  rate  r/(-,-)  and  information 
rate  Rf,  •)  if  for  every  interactive  protocol  7 r  =  ( A ,  B,  X4,  Xb),  the  corresponding  encoded  protocol 
Qn  satisfies  the  following  properties. 

•  Efficiency :  Q\  and  Q2  run  in  polynomial  time  in  n,  m(n)  and  CCn(7r). 

•  Information  Rate:  CC *n{Qn)  <  CCn(7r )/R(n,m(n))',  that  is  the  worst-case  “blow-up”  of  the 
encoded  protocol  is  bounded  by  1  /R(n,m(n)). 

•  Error  Resilience:  Q *  is  (computationally)  ??-error  resilient. 

•  Knowledge  Preservance:  Qn  is  a  (computationally)  knowledge-preserving  variant  of  7 r. 

Q  is  a  (computational)  knowledge-preserving  interactive  coding  scheme  with  information  rate 
R(-)  and  error  rate  ?/(•)  if  Q  is  (computational)  knowledge-preserving  interactive  coding  scheme 
with  information  rate  R'(n,m )  =  R(n)  and  error  rate  ?/(n,  m)  =  g(ri). 

4  The  Information-Theoretic  Regime 

As  we  shall  see,  achieving  knowledge-preserving  interactive  coding  is  significantly  harder  than 
“plain”  interactive  coding,  and  studying  resilience  against  only  computationally  bounded  adversaries 
(as  was  done  in  [Lip94,  MPSW10]  in  the  context  of  error  correcting  codes)  actually  is  essential  for 
acheiving  good  error  rates  in  the  context  of  knowledge-preserving  interactive  coding. 

To  put  our  result  in  context,  let  us  start  by  showing  that  the  “naive  approach”  of  separately 
encoding  each  message  in  the  protocol  with  a  good  error  correcting  code  is  a  knowledge-preserving 
interactive  coding: 

Theorem  26.  There  exists  a  knowledge-preserving  interactive  coding  scheme  Q  with  information 
rate  R(n,m )  =  0(m)  and  error  rate  rj(n,m )  =  0(l/m). 

Proof.  We  simply  pad  each  message  in  the  protocol  n  to  become  of  equal  length  (this  increases  the 
communication  complexity  by  at  most  a  factor  m)  and  next  encode  each  message  using  a  constant- 
rate  error  correcting  code  (see  Theorem  17);  let  7r  denote  the  encoded  protocol.  Clearly,  7 r  is  error 
resilient  as  long  as  we  corrupt  at  most  one  message;  thus  we  have  an  error  rate  of  0(l/m).  It  easily 
follows  that  7r  is  a  security  preserving  variant  of  7r;  the  simulator  A*  for  an  attacker  A*  for  player  1 
emulates  an  execution  of  7r  for  A*  by  simply  encoding  all  messages  in  n  (using  the  error  correcting 
code)  and  decoding  all  messages  received  by  A*  before  sending  them  to  player  2.  The  simulator  for 
player  2  is  defined  analogously.  □ 

Let  us  now  turn  to  our  main  impossibility  result  for  the  information-theoretic  setting.  We  show 
that  naive  approach  is  essentially  optimal:  namely,  any  knowledge  preserving  interactive  coding 
scheme  must  have  an  error  rate  of  at  most  1/m. 
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Theorem  27.  Let  Q  be  a  knowledge-preserving  interactive  coding  scheme  with  information  rate 
R( y)  and  error  rate  ??(•,•).  Then  for  every  polynomial  m(-),  we  have  that  for  sufficiently  large 
n,  y(n,m(n))  <  1/mfn).  (In  particidar,  there  does  not  exists  a  knowledge-preserving  interactive 
coding  scheme  with  error  rate  rj'(n)  =  l/poly(n)J 

Proof.  Consider  some  knowledge-preserving  interactive  coding  protocol  Q  =  (Q i,  Q2)  with  informa¬ 
tion  rate  R( •,  •)  and  error  rate  ??(•,  •)  and  let  M ( n ,  £,  m)  be  a  polynomial  upper  bound  on  the  number 
queries  made  by  Qi,Q2  to  its  oracles  (where  n  is  the  security  parameter,  (  is  the  communication 
complexity  of  the  protocol  it  to  be  encoded  and  m  is  the  number  of  round  in  n).  Assume  for  contra¬ 
diction  that  there  exists  a  polynomial  m(-)  such  that  for  infinitely  many  n,  r](n,  m(n))  >  l/m(n). 

We  will  construct  a  “ ping-pong ”  protocol  it  =  (A,  B,  X4,  Xb)  with  round  complexity  m(-)  such  that 
Qn  cannot  be  a  knowledge-preserving  variant  of  ir. 

The  ping-pong  protocol  7 r.  Let  t(n)  =  M ( n ,  m(n),  2m(n)n)+l,  and  PLn  =  {Hk  :  Uig{o,...i2m(n)n}{0,  1}*  — >■ 
{0,  l}n}  be  a  t- wise  independent  hash  function  family.  On  security  parameter  n,  let  Xa{ ln)  = 

Xb{ ln)  =  Rni  he.,  the  inputs  x  G  Xa( ln)  and  y  E  Xb( ln)  for  both  players  specify  hash  functions  Hx 
and  Hy  in  PLn.  n  is  a  deterministic  protocol  that  on  the  inputs  x  G  Xa{ ln)  and  y  G  Afi(ln)  proceeds 
as  follows:  First,  A  sends  a\  =  Hx(ftf)  to  B,  who  sends  back  b\  =  Hy(a\)  to  A.  Then  at  each  round 
i,  A  sends  a*  =  Hx(a\,  &i, . . . ,  aj_i,  6j_i)  to  B ,  who  sends  back  bi  =  Hy(ai,  bi, . . . ,  o^-i,  6*_i ,  aj) 
to  A;  namely,  both  parties  generates  their  next  messages  by  applying  their  hash  function  to  the 
current  transcript.  At  the  end  of  the  interaction,  both  A  and  B  output  the  whole  transcript 
(cii ,  61 , , . . ,  am ,  6m.) . 

Since  7r  is  deterministic,  the  transcript  (a\,  b\, ... ,  am,  bm)  is  determined  by  the  inputs  x  and  y. 

Let  afx.  y )  (and  bfx,  y)  resp.)  denote  the  z-th  messages  A  (and  B  resp.)  send  in  the  interaction  of 
A(x)  -H-  B(x),  and  dt(x.  y)  =  (ai,  61, . . . ,  a*_i ,  bi-i,  af)  and  bi  =  (ai,  b\, . . . ,  ai,  bi)  denote  the  partial 
transcripts  of  the  interaction  of  A(x)  -H-  B(x)  up  until  round  i;  by  definition,  bfx,  y)  =  Hy(a,i(x,  y)) 
for  i  G  \m\  and  afx^y)  =  Hx(bi-\(x,y))  for  i  G  [m],  where  bo(x,y)  is  defined  to  be  0.  Let  m! (•) 
denote  the  round  complexity  of  the  encoded  protocol  Qn . 

Privacy  of  the  Ping-pong  Protocol  Our  first  observation  is  that  in  the  ping-pong  protocol, 
by  the  unpredictability  of  the  output  of  the  hash  functions,  player  1,  even  if  maliciously  deviating 
from  the  protocol  instructions,  can  only  guess  more  than  m  distinct  pairs  (q,  Hy(q ))  with  negligible 
probability.  Let  the  predicate  PrivacyBreach(o,  y)  =  1  iff  o  contains  m  +  1  distinct  pairs  ( q,Hy(q )). 

Claim  28.  For  every  adversarial  strategy  A*  and  every  n  G  N, 

Pr  [x  <5—  AA(ln),  y  •<—  Xb{ ln)  :  PrivacyBreach(outi[A*(a:)  G)-  B(y)],y)  =  1]  <  L/ 2n, 
where  L  denotes  the  length  of  A*  ’s  output  (i.e.,  L  =  |outi[A*(x)  -H-  B(y)]|). 

Proof.  Note  that  the  interaction  with  B(y)  only  allows  A*  to  make  m  queries  to  Hy.  Thus,  for  the 
predicate  PrivacyBreach  to  output  1,  A*  needs  to  predict  one  extra  pair  (. q Hy(q'))  that  A*  does  not 
learn  from  B ;  that  is,  q'  is  different  from  any  partial  transcript  of  the  interaction.  However,  since  Hy 
is  f-wise  independent,  Hy(q')  remains  uniformly  random  for  every  such  q.  Therefore,  each  guess  of 
A*  in  its  output  can  only  be  correct  with  probability  2~n .  Since  A*  can  only  make  at  most  L  guesses 
in  its  output,  by  an  union  bound,  Pr[PrivacyBreach(outi[A*  (x)^B(y)\,y)  =  l]<L/2n.  □ 

We  shall  now  see  that  in  the  encoded  protocol  QK ,  this  “privacy-property”  no  longer  holds,  and 
as  such  Qn  cannot  be  a  knowledge  preserving  variant  of  7 r.  As  a  first  step  towards  showing  this, 
we  demonstrate  a  structural  property  of  the  encoded  protocol  Qf .  In  the  sequel  of  the  proof,  we 
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assume  without  loss  of  generality  that  Q  never  makes  the  same  query  twice  to  its  oracle  (since  the 
oracle  anyway  is  deterministic). 

Implicit  Ping-pong  Computation.  We  show  that  (with  overwhelming  probability)  the  en¬ 
coded  protocol  Qn  “implicitly  executes”  the  original  ping-pong  protocol  in  a  chronological  order. 
More  precisely,  as  formalized  below,  the  rounds  of  the  encoded  protocol  can  be  divided  into  (non¬ 
empty)  “chunks”,  where  each  chunk  in  the  encoded  protocol  corresponds  to  a  single  round  (i.e. , 
two  consecutive  messages)  in  ping-pong  protocol;  additionally  by  observing  the  oracle  queries  made 
by  Q,  we  can  read  out  a  polynomial  list  of  candidates  for  the  current  transcript  of  the  (implicitly 
executed)  ping-pong  protocol.  We  emphasize  here  that  definition  of  the  chunks  may  depend  on  the 
inputs  of  the  players  and  the  randomness  of  Q. 

Formally,  let  the  predicate  lmplicitComp(x,  y,  rq,  1^2)  =  1  iff  Q\  asks  its  oracle  (that  is,  AI(.t)) 
the  queries  bo(x ,  y)A,  b\  (x,  y ),  b  2(x,  y), . . . ,  bm-i(x,  y)  in  order  during  the  interaction  of  Q^x\ri)  -H- 
Q2^v\r  2)  and  all  m  queries  are  made  in  different  rounds.  When  lmplidtComp(x,  y,  rq,  r2)  =  1,  Qi’s 
queries  partition  the  rounds  of  the  interaction  into  non-empty  chunks  in  the  natural  way:  for  every 
i  £  [m],  the  i-th  chunk  of  the  interaction  Q^x\r  1)  -H-  <2^^(n)  starts  at  the  round  where  Q\  makes 
the  query  bj-i(x,y)  and  finishes  when  makes  Q 1  the  query  bi(x,y).5  The  following  lemma  shows 
that  with  overwhelming  probability  (over  random  inputs  x,y  and  the  execution  of  ££  Q 2^) 

ImplicitComp  holds  and  thus  chunks  are  well-defined. 

Lemma  29  (Implicit  Computation  Lemma).  There  exists  a  negligible  function  y(-)  such  that  for 
every  n  £  N, 

Pr[x  £-  XA(ln),y  £-  XB(ln),n,r2  £  {0, 1}00  :  lmplicitComp(x,  y,  rq,  r2)  =  1]  >  1  -  y(n) 

Intuitively,  the  lemma  follows  by  the  “elusiveness”  property  of  the  output  of  the  hash  function 
Hx  used  by  A:  if  Q 1  is  not  asking  its  oracle  all  the  queries  in  order  it  must  be  able  to  guess  the 
output  of  Hx  on  a  new  point  q,  which  contradicts  its  f-wise  independent  property.  Note  that  we 
here  rely  on  the  fact  that  the  output  of  the  hash  functions  are  “long”  (i.e.,  super- logarithmic) ; 
otherwise,  it  is  easy  to  guess  the  output  of  the  hash  function  with  inverse  polynomial  probability. 
We  proceed  to  a  formal  proof. 

Proof  (of  Lemma  29).  For  convenience,  we  actually  prove  a  slightly  stronger  statement:  We  show 
that  with  overwhelming  probability,  the  following  three  properties  holds  during  the  execution  of 
Qi(x\n)  ££  Q2' ^(r2):  (a)  Q 1  makes  the  queries  b0(x,y),bi(x,y),b2{x,y)  ?  •  • • ?  bm— 1  C X,y )  to  A(x ), 
(b)  Q 2  makes  the  queries  ai(x,  y),  a2(x,  y), . . . ,  am(x,  y)  to  B(y),  and  (c)  the  queries  are  made  in 
chronological  order;  that  is,  every  i  £  [to],  Q 1  make  the  query  i(.x,  y)  before  Q2  makes  the  query 
a,i(x,y )  and  Q2  make  the  query  a.j(x,y)  before  Q\  makes  the  query  bi(x,y).  It  easily  follows  that 
if  the  above  three  properties  hold  with  respect  to  (x,y,r\,r2)  then  lmplicitComp(x,  y,  r\,  r2)  =  1. 
We  now  show  that  except  with  negligible  probability  (over  x,y,r\,r2),  each  of  these  properties 
(individually)  hold;  we  can  then  conclude  by  a  union  bound  that  with  overwhelming  probability, 
all  of  them  simultaneously  hold. 

For  (a),  suppose  for  the  sake  of  contradiction  that  with  some  noticeable  probability  e(n),  Q\ 
does  not  make  the  query  bi(x,  y)  for  some  i  £  {0, . . . ,  to  —  1}.  By  completeness  of  Qn,  Q 1  outputs 
bm(x,y )  with  overwhelming  probability.  Thus,  by  an  union  bound,  with  noticeable  probability 

4Recall  that  bo(x,y)  is  defined  to  be  0. 

5 We  can  assume  without  loss  of  generality  that  Q 1  always  queries  the  full  transcript  bm(x,  y)  before  generating 
the  output  (at  the  cost  of  at  most  one  extra  query),  so  that  the  last  chunk  m  also  is  well  defined. 
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e'{n),  Qi  does  not  query  bi{x,y)  but  outputs  bm(x,y),  which  contains  at(x,y )  =  Hx(bi(x,y)).  But, 
this  can  only  happen  with  probability  at  most  2~n  since  Hx  is  t-wise  independent  and  Q\  makes  at 
most  t  —  1  queries  to  its  oracle,  none  of  which  is  h(x,  y),  and  its  oracle  is  exactly  computing  Hx{-)\ 
thus,  even  conditioned  on  Q±  view  of  the  interaction,  Hx(bi(x ,  y))  is  uniform  and  can  thus  only  be 
guessed  by  Q\  with  probability  2~n.  By  identically  the  same  argument  it  follows  that  (b)  happens 
except  with  negligible  probability. 

For  (c),  suppose  for  the  sake  of  contradiction  that  with  some  noticeable  probability  e(n),  Q2 
make  the  query  a,i(x,y)  before  Q\  makes  the  query  bi-i(x,y)  for  some  i  £  [to].  Note  that  di(x,y) 
contains  ajfx,y)  =  Hx(bi-i(x,y)).  Thus,  by  guessing  which  query  of  Q2  is  bi-i(x,y),  we  can 
construct  an  algorithm  R  that  predicts  the  value  of  Hx(bi-i(x,y ))  with  probability  e(n)/f(n), 
while  querying  Hx  on  at  most  t(n)  —  1  points,  none  of  which  is  y),  contradicting  t-wise 

independence  of  Hx.  By  identically  the  same  argument  if  follows  that  Q\  only  make  the  query 
bi(x,y )  before  Q2  makes  the  query  a,i(x,y )  for  some  i  £  [to]  with  negligible  probability.  □ 

Obtaining  a  Privacy  Breach  in  the  Encoded  Protocol  We  are  now  ready  show  how  to 
obtain  a  privacy  breach  in  the  encoded  protocol  Q71/ 

Claim  30.  There  exists  an  adversarial  strategy  A*  for  player  1  in  Q 77  such  that  for  sufficiently 
large  n  £  N,  the  output  length  of  A*  is  bounded  by  2M(n,m,2mn)m(n)n  and 

Pr[x  <—  4/4(1"),  y  <—  Xb{ ln)  :  PrivacyBreach(outi[R*(x)  ££  Q^^],y)  =  1]  >  1/4 m(n) 

Proof.  The  idea  behind  the  attacker  A*  (acting  as  player  1)  is  the  following.  By  an  averaging 
argument,  one  of  the  chunks,  say  chunk  i,  in  the  encoded  protocol  must  be  shorter  than  a  fraction 
1/to.  of  the  total  communication  complexity  of  the  encoded  protocol.  The  idea  now  is  for  A*  to 
honestly  execute  the  encoded  protocol  using  its  actual  input  x  and  randomness  rq,  except  that 
during  the  z’th  chunk,  A*  samples  a  fresh  input  x'  (and  a  fresh  randomness  r[  for  Q 1)  consistent 
with  the  transcript  up  until  (and  including)  chunk  i—  l,6  and  executes  the  chunk  using  the  input  x' 
(and  randomness  r'fj  instead  of  x.  Intuitively,  since  the  chunk  was  “small”,  by  the  error  resilience 
property  of  the  interactive  coding  scheme,  player  1  will  finally  produce  the  same  output  (including 
to  pairs  ( q,Hy(q )))  as  if  it  had  been  running  the  protocol  honestly  (that  is,  without  “deviating”  in 
chunk  i).  Formally  proving  this  requires  showing  that  the  attack  performed  by  A*  can  be  modelled 
as  channel  that  flips  a  sufficiently  small  number  of  bits;  indeed,  note  that  the  way  A*  deviates  from 
the  protocol  does  not  rely  the  original  random  coins  rq  used  by  Q 1  or  the  input  x,  and  this  property 
is  crucial  for  us  to  be  able  to  emulate  the  attacker  by  a  channel. 

Finally,  by  observing  the  oracle  queries  made  by  Q\  during  the  i’th  chunk — which  corresponds 
to  the  i’th  round  in  the  ping-pong  protocol,  by  the  “implicit  computation”  property — A*  may  learn 
an  additional  pair  (q1,  Hy(q'))\  intuitively,  the  reason  for  this  is  that,  with  overwhelming  probability, 
the  messages  in  the  i-th  round  in  “implicit  computation”  of  n  remain  uniformly  distributed,  even 
after  conditioning  on  the  first  i  —  1  rounds.  (We,  however,  warn  the  reader  that  proving  this  is 
quite  subtle;  see  Sub-claim  32).  Thus,  if  A*  could  just  identify  the  Fth  chunk,  it  can  learn  to  +  1 
pairs  ( q,Hy(q ))  of  Hy.  Towards  this,  A*  simply  guesses  the  starting  round  of  the  i’th  chunk. 

We  proceed  to  a  formal  description  of  the  attacker  A*.  (Recall  that  m! {■)  denotes  the  round 
complexity  of  QT)  On  input  x  £  4/4(1"),  and  randomness  ?q,  A*  performs  the  follow  “forking” 
attack: 

6Note  that  this  step  may  not  be  efficiently  computable  in  general,  but  this  is  not  a  problem  since  we  here  consider 
information-theoretic  security. 
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1.  A*  uniformly  picks  a  random  round  j  <—  [m'(n)\  and  honestly  executes  the  encoded  protocol 
Qi  up  to  the  end  of  (j  —  l)-th  round.  Let  T  be  the  resulting  partial  transcript. 

2.  A*  samples  a  fresh  input-randomness  pair  (x* ,  r\ )  conditioned  on  the  partial  transcript  T; 
namely,  {x'  ,r'f)  are  uniformly  random  over  all  input-randomness  pair  such  that  Q^''  ')(r^)  is 
consistent  with  T?  Then,  A*  continues  executing  Q\  but  now  with  inputs  x '  and  randomness 
r[,  for  as  many  rounds  as  possible,  subject  to  the  restriction  that  the  number  of  bits  it 
transmitted  since  round  j  does  not  exceed  rj(n,m )  •  CC n{Q™). 

3.  A*  continues  the  rest  of  the  interaction  honestly,  with  the  “true”  input  x  and  randomness  r\ 
of  Q i  pretending  that  its  own  messages  were  honestly  sent  all  along  (including  the  messages 
sent  since  round  j ),  but  may  have  been  incorrectly  received  by  player  2.  At  the  end  of  the 
interaction,  A*  outputs  (o,  L),  where  o  is  the  output  of  Q\ ,  and  L  is  the  list  of  queries  Q\ 
made  during  the  “deviation”  (using  the  new  input  x' ) . 

We  first  show  that,  with  overwhelming  probability,  A*  can  still  learn  the  “valid”  m  pairs  ( q ,  Hy(q )) 
(that  it  would  have  learn  even  if  it  didn’t  deviate). 

Sub-claim  31.  There  exist  a  negligible  function  // ( • )  such  that  for  every  n  £  N, 

Pr[x  •£-  AA(ln),y  4-  XB(ln),  ( o,L )  •(-  outi[A*(x)  ££  :  o  =  outi[A(x)  ££  B(y)}\  >  1  -  y(n). 

Proof.  Note  that  the  deviation  performed  by  A*  in  Step  2  can  be  implemented  by  a  channel  C, 
since  it  only  relies  on  knowledge  of  the  transcript  of  the  interaction  and  not  the  internal  state 
(inputs  and  randomness)  of  either  of  the  players.  Also,  by  construction  of  A*,  C  never  needs  to  flip 
more  than  g  ■  CC n(Qn)  bits.  The  claim  follows  directly  by  the  r/-error  resilience  and  completeness 
ofQ\  □ 

Note  that  o  =  outi[A(x)  -H-  B(y)\  contains  m  distinct  pairs  ( q ,  Hy(q),  namely,  (ch(x,  y ),  bi(x,  y)  = 
Hy(a  i(x,y ))  for  i  £  [m];  below  we  abuse  of  notation  and  let  o  denote  the  set  of  of  these  pairs.  We 
next  show  that  L  contains  one  additional  distinct  pair  (q' ,  Hy(q'))  with  noticeable  probability.  Re¬ 
call  that  a  query  of  Q\  is  of  the  form  (oq,  &i, . . . ,  at,  bf)\  below  we  sometimes  abuse  of  notation  and 
interpret  each  such  query  as  a  pair  (g,  v)  where  q  =  (ai,  &i, . . . ,  af)  and  v  =  bi  (that  is,  q  is  the 
vector  containing  all  but  the  last  component,  and  v  contains  only  the  last  component). 

Sub-claim  32.  For  sufficiently  large  n  £  N,  the  following  holds 

p  x  <—  XA(ln),y  •£-  XB(ln),  (o,  L)  •<-  outi[A*(x)  ££  ■  >  l/2m'(n) 

[  3(q,Hy(q))  £  L  and  (q,Hy(q))  $  outl[A(x)  O  B(y) }  \  -  7  1 

Proof.  Note  that  in  the  experiment  {x  AA(ln),2/  XB(ln)  :  outi[A*(x)  £-)•  for  every 

choice  of  j  (by  A*),  the  tuple  [x\  y,  r\ ,  rq)  is  uniformly  distributed  (since  we  can  view  the  experiment 
as  first  sampling  a  uniform  j  —  1-round  transcript  T  and  then  then  sampling  ( x ' ,  y,  r[ ,  rq )  conditioned 
on  T).  It  follows  that  the  distribution  of  (x1,  y,  r^,  rf)  is  independent  of  j. 

Additionally,  note  that  A*  could  have  picked  x' ,  r\  is  a  somewhat  more  convoluted  way,  gen¬ 
erating  exactly  the  same  distribution:  instead  of  directly  sampling  x’ .  r\  conditioned  on  T,  first 
sample  a  list  L\  of  (at  most  t(n)  —  1)  query-answer  pairs  corresponding  to  Qi’s  queries  to  its  oracle 
A(x)  up  until  round  j  —  1,  conditioned  on  the  transcript  being  T;  next,  sample  x'  conditioned  on 
L\  and  T,  and  finally  r'  conditioned  on  x\L\  and  T.  The  following  observation  will  be  useful  in 
what  follows: 

7Note  that  this  is  the  only  inefficient  step  in  the  forking  attack. 
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Sampling  x'  conditioned  on  L\  and  T  is  equivalent  to  sampling  x'  just  conditioned  on 
just  the  query-answer  pairs  L\. 

The  reason  this  holds  is  that  conditioned  on  L\,  x'  and  T  are  independent  (recall  that  T  is  deter¬ 
mined  as  a  function  of  just  L\ ,  y ,  n,  V2)- 

Now,  by  observing  the  list  of  queries  L\  (up  to  the  transcript  T)  and  the  input  y  of  player  2, 
let  us  determine  the  next  round  in  the  “implicit  computation”  of  n  (or  said  otherwise,  the  “next 
chunk”  in  the  encoded  protocol  after  the  transcript  T).  If  L\  does  not  contains  the  query  0,  let 
i  =  1  (i.e.,  the  implicit  computation  has  not  begun  yet  since  player  1  has  not  generated  its  first 
input  ai;  consequently,  the  next  round  is  1).  If  L\  contains  the  query-answer  pair  (0,oq)  (since 
Qi’s  oracle  A  is  deterministic,  there  can  be  at  most  one  such  query),  check  if  L\  contains  a  query  of 
the  form  ( b\  =  Hy(ai),  02)  (again,  there  can  be  at  most  one  such  query);  if  not  set  i  =  2,  otherwise, 
check  if  L\  contains  a  query  of  the  form  (b 2  =  Hy(a\,  61, 0,2),  (Mi),  and  so  on. 

Below  we  show  the  following  two  statements: 

1.  With  probability  at  least  1  /m!{n)  —  negl(n),  it  holds  that  i  £  [m(n)\  (i.e.,  the  implicit  com¬ 
putation  of  7 r  has  not  ended)  and  L  contains  the  query  bi(x',y )  (which  corresponds  to  the 
pair  (ai(x' ,y),bi(xl ,y)  =  Hy(di(x',  y))) 

2.  With  probability  at  most  2_n,  it  holds  that  (a* (2/,  y),  bi{x\  y))  £  outi[A(x)  £>•  B(y)}.8 
The  claim  then  follows  by  a  union  bound. 

To  prove  statement  (1),  consider  some  fixed  (x' ,y,r[,r2)  where  chunks  are  well-defined  (i.e. 
lmplicitComp(x/,  y,  r[,  r-i)  =  1).  Note  that  the  event  in  (1)  means  that  the  whole  i-th  chunk  of 
)  (7/ )  ^  Q2^v\r  2)  is  completed  during  the  deviation,  i.e.,  the  chunk  starts  at  or  after  round  j. 
and  ends  before  the  “cut-off”.  By  an  averaging  argument,  there  must  exist  some  chunk  i*  that  is 
shorter  than  (1/m)  •  CCn(Qn )  <  r/(n,  m)  ■  CCn(Q7r).  Clearly,  when  j  equals  to  the  starting  round  of 
chunk  i* ,  which  happens  with  probability  1  /m!(n)  since  j  is  uniformly  distributed  and  independent 
of  [x\  y,  r[,  r2),  chunk  i  =  i*  and  thus  chunk  i  will  be  completed  before  the  cut-off;  consequently, 
since  lmplicitComp(x/,  y,  r[,  7*2)  =  1,  L  contains  the  query  bi(x',y).  Since,  by  Lemma  29  (and 
the  observation  that  x',y,r[,r 2  are  uniformly  distributed)  lmplicitComp(x/,  y,  r[,  r2)  =  1  holds  with 
overwhelming  probability,  we  have  Pr \bi(x' ,  y)  £  L\  >  l/m'{n)  —  negl(n)  for  some  negligible  function 
negl(n). 

To  prove  statement  (2),  note  that  if  at(x,y)  /  ai(x',y),  then  (di(x\  y),  bi(x\  y))  ^  outi[J4(x)  0 
B(y)\.  Thus,  it  sufficient  to  show  that  Pr [ai(x,y)  =  ai(x',y)\  <  2~n;  that  is  Pr[Hx(bi-i(x,y))  = 
Hxt(bi-i{x\  y))]  <  2~n.  Consider  some  fixed  x,  y,  ri,  r2,  note  that  i  is  determined  as  a  function 
of  these  (recall  that  it  is  a  function  of  L\,y),  and  trivially  Hx(bi- i(x,  y)  is  determined.  Additionally, 
note  that  for  every  x'  consistent  with  Li,  \{x' ,  y)  =  Hy{di- \{x\  y)  is  determined  and  furthermore 
bi-i(x',  y )  is  not  contained  in  L\  (since  by  definition  of  i,  bi-2(x',y)  is  the  “last”  ping-pong  query 
in  L\).  Since,  as  observed  above,  x'  is  uniformly  sampled  conditioned  only  on  Li  (and  since 
L\  contains  at  most  t(n)  —  1  queries,  none  of  which  is  6,_i(.t/, y)),  it  follows  that  every  fixed 
x,y,r\,r2,L\,  Pr[Hx(bi-\(x,y)  =  Hxi(bi-i(x\y)]  <  2~n ,  and  thus  this  condition  also  holds  for 
random  x,  y,  r\.  r'2. 

□ 


By  combining  Sub-claim  31  and  32,  and  applying  the  union  bound  we  get  that 
Pr[PrivacyBreach(outi[A*(x)  £>  Q^^],y)  =  1]  >  1/2 m'{n). 
which  concludes  the  proof  of  Claim  30.  □ 

8Pedantically,  in  case  i  >  m(n),  cn  is  not  defined;  in  this  case  the  event  is  simply  defined  to  not  hold. 
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Combining  Claim  28  and  30  shows  that  Q ™  is  not  a  knowledge-preserving  variant  of  it,  which 
leads  to  a  contradiction  and  completes  the  proof  of  Theorem  27.  □ 

5  The  Computational  Regime 

We  here  turn  to  studying  knowledge-preserving  interactive  coding  in  the  presence  of  only  computationally- 
bounded  adversaries  (i.e. ,  computational  knowledge-preserving  interactive  coding). 

5.1  Positive  Results 

We  first  present  a  positive  result,  showing  that  assuming  the  existence  of  one-way  function,  compu¬ 
tational  knowledge-preserving  interactive  coding  with  constant  error  rate  (more  specifically,  close 
to  1/12)  and  sub-polynomial  (or  even  poly  logarithmic,  if  assuming  subexponentially-hard  one-way 
functions)  information  rate  is  possible. 

Theorem  33.  Assume  the  existence  of  one-way  functions.  For  every  e  >  0,  there  exists  a  com¬ 
putational  knowledge-preserving  interactive  coding  scheme  with  perfect  completeness,  error  rate 
V  =  jo  —  e  and  information  rate  R(n)  =  0{l/ne).  If  additionally  sub- exponentially  hard  one-way 
functions  exists,  the  information  rate  is  1/polylogn. 

Roughly  speaking,  the  idea  behind  the  scheme  is  the  following.  In  a  “preamble  phase”  ,  the 
players  start  by  exchanging  verification  keys  for  a  signature  scheme;  the  verification  keys  first  are 
padded  with  p  0’s  to  become  “long”  enough  (where  p  is  a  parameter  to  be  set)  and  then  encoded 
using  a  good  ECC  (Ep,Dp);  let  a{n)  denote  the  length  of  the  encoded  verification  key.  Next,  in 
the  “main  execution  phase”  we  run  the  original  protocol  ir,  except  that  each  messages  is  signed 
and  encoded  using  a  good  error  correcting  code  (Em,Dm)  (which  may  be  different  from  the  code 
(Ep,Dp)).  More  precisely,  player  1  keep  track  of  the  “current  round”  number  i\  in  the  protocol  n, 
and  encode  its  it/l-round  message  as  ct  =  Em(i,ai,ai)  where  a is  a  signature  of  (i,  Oj).  Upon 
receiving  a  message  c  while  having  the  “current  round”  number  (in  the  protocol  n)  being  i ,  player  1 
decodes  the  message  (( i',b),a )  =  Dm{c )  and  interprets  b  as  the  V th  round  message  in  ir,  as  long 
as  1)  i!  =  i  —  1,  and  2)  a  is  a  valid  signature  on  (i' ,6);  if  not,  player  1  “signals”  that  the  received 
message  was  corrupted  by  simply  resending  its  message  Cj_ i  =  Em(i  —  1,  aj_i,  af)  from  the  previous 
round.  Player  2’s  strategy  is  defined  analogously  except  that  player  2  accepts  the  received  message 
if  i'  =  i  (since  player  2  is  sending  the  second  message  in  each  round).  Finally,  we  impose  a  bound 
c  on  the  communication  complexity  of  the  protocol  (or  else  the  protocol  may  run  forever,  due  to 
“resend”  message);  both  players  simply  abort  outputting  nothing  if  the  communication  complexity 
would  exceed  c  if  they  send  their  message.  Let  /3(n)  denote  the  length  of  each  encoded  message, 
and  let  y(n,  m)  =  2a(n)  +  2mf3(n)  be  the  length  of  the  protocol  if  all  messages  get  sent  through  on 
the  first  trial,  and  there  is  no  cut-off. 

We  must  set  p  such  that  the  length  a(n)  of  the  encoded  verification  keys  is  within  a  constant 
factor  of  c  (or  else,  either  the  preamble  phase  can  be  fully  corrupted,  or  the  main  phase  can  be  fully 
corrupted).  On  the  other  hand,  c  must  be  long  enough  to  execute  the  encoded  version  of  ir  (that  is 
c  >  7 (n,  m),  and  additionally  handle  sufficiently  many  “resend”  requests,  before  the  error-quota  of 
the  adversary  runs  out.  By  appropriately  setting  p  and  c,  this  leads  to  an  error  rate  of  77/4  if  r/  is 
the  error  rate  of  both  (Ep,  Dp )  and  ( Em,  Dm);  roughly  speaking,  we  lose  a  factor  of  two  because  the 
adversary  may  choose  to  corrupt  either  the  verification  key  of  player  1  or  that  of  player  2;  we  loose 
another  (additively)  factor  of  two  due  to  the  fact  that  the  length  of  the  encoded  messages  must 
be  within  a  constant  factor  of  c,  and  the  fact  that  each  time  the  attacker  corrupts  the  message  of 
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a  single  player  in  the  main  phase  protocol  execution,  we  need  to  resend  the  whole  round  (i.e.,  2 
messages). 

We  can  further  improve  the  error  rate  by  relying  on  an  idea  from  [MPSW10]:  since  the  messages 
in  the  main  phase  are  signed  and  we  only  consider  a  computationally  bounded  channel,  it  in  fact 
suffices  to  list-decode  the  error-correcting  code  (Em,  Dm )  used  in  the  main  phase.9  It  follows  using 
the  same  argument  as  in  [MPSW10]  that  (with  overwhelming  probability)  list-decoding  can  only 
yields  at  most  a  single  valid  message  (since  all  the  messages  are  signed) ,  and  thus  using  list-decoding 
here  yields  unique  decoding. 

We  provide  a  formal  description  of  the  scheme  in  Figure  1.  We  assume  without  loss  of  generality 
that  in  the  original  protocol  n  each  player  sends  a  single  bit  at  each  round  in  the  protocol  (we  refer 
to  such  protocols  as  “bit  protocols”). 

The  following  key  lemma  shows  that  the  above-described  scheme  is  a  knowledge  preserving 
interactive  coding  schemes.  The  proof  of  Theorem  33  is  then  concluded  by  appropriately  setting  p 
and  c. 

Lemma  34.  Let  n  =  (A,  B,  A’a,  Xb)  be  a  bit  protocol  with  round  complexity  m(-) .  Let  (Gen,  Sig,  Ver) 
be  a  secure  signature  scheme  with  signature  length  fin)  and  verification-key  length  v{n),  let  (Ep,  Dp ) 
be  an  ECC  with  constant  error  rate  r)p  and  information  rate  Rp{-)  and  ( Em,Dm )  be  an  error 
correcting  codes  that  is  efficiently  pm-list-decodable  and  has  information  rates  Rp{-).  Consider 
Q,a,f3, 7  defined  in  Figure  1  w.r.t  the  functions  p(-,  •),  c(-,  •).  If  c(n,m)  >  then  Q  is  a 

computational  knowledge  preserving  interactive  coding  scheme  with  perfect  completeness,  and: 

•  information  rate  R(-)  s.t. 

R(n,m)  =  c(n,m)/2m; 


•  error  rate  ??(-,•)  s.t. 


p(n,  m)  =  min 


c(n,  m)  —  7 (n,  m) 
2 c(n,  m) 


Alp  ■ 


a{n)  \ 
c(n,  m)  ) 


Proof.  We  separately  prove  each  of  the  required  properties. 


Efficiency  and  Information  rate:  Q  is  clearly  polynomial-time  computable,  and  by  defini¬ 
tion  of  Q,  we  have  that  CC*(Q7T )  =  c(n,  m);  it  follows  that  Q  has  information  rate  R(n,m )  = 
c(n,  m)/(2m). 


Perfect  Completeness:  It  easily  follow  from  the  definition  of  Q  that  Q n  perfectly  emulates  n  if 
both  players  are  honest.  In  fact,  for  every  n,  input  pair  x  €  df4(ln),  y  £  caLY^(ln)  and  randomness 
pair  rA,rB  €  {0, 1}°°, 


Pr 


out[Q 


ArA  (x) 

1 


•f-T-  Q 


BrB  iv) 
2 


out [ArA(x)  BrB(y )] 


=  1 


We  refer  to  this  property  as  perfect  completeness ,  and  it  will  be  useful  shortly. 

9[MPSW10]  relies  on  this  idea  to  show  how  to  acheive  an  error-correcting  code  with  error  rate  1/2  —  e  if  assuming 
a  (noiseless)  public-key  infrastructure  and  a  computationally-bounded  channel.  In  our  context,  we  do  not  have  a 
public-key  infrastructure,  but  our  initial  exchange  of  verification  keys  using  a  uniquely  decodable  error-correcting 
code  can  be  viewed  as  a  way  to  set-up  the  appropriate  public-key  infrastructure  needed  for  their  results. 
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Input  protocol:  A  bit  protocol  tt  =  (A,  B1  Xa,  Xb)  with  round  complexity  m  =  m(n). 

Parameters: 

•  Let  p  =  p(n,  in)  be  a  padding  parameter. 

•  Let  c  =  c(n,  m)  be  a  cut-off  parameter. 

Primitives  used: 

•  Let  (Gen,  Sig,  Ver)  be  a  signature  scheme  with  signature  length  l  =  l(n)  and  verification  key 
length  v  =  v{n). 

•  Let  (Up,  Dp)  be  an  error  correcting  code  with  (constant)  error  rate  7/p  and  information  rate 
Rp  —  Rp(-). 

•  Let  (Em,Dm)  be  an  error  correcting  code  that  is  efficiently  r/m-list  decodable  and  has  infor¬ 
mation  rate  Rrn  =  Rm{-). 

Initialization:  On  input  a  security  parameter  1",  round  complexity  lm,  and  communication  complex¬ 
ity  l2m,  Q\  (resp.,  Qf)  initializes  a  counter  i\  =  1  (resp.,  *2  =  1). 

Preamble:  Q\  runs  (sk \,vki)  <—  Gen(ln)  and  sends  cqo  =  Ep(vki\\Op)  to  Q2-  Then  Q2  runs 
(sk2,vk2)  -S—  Gen(ln)  and  sends  C2,o  =  Ep(vk2\\0p)  to  Q±.  Both  Q i  and  Q2  decode  the 
received  message  c'20  and  c\  0  and  store  vk'2  =  Dp(c20)  and  vk\  =  Dp(c'10),  respectively. 
Let  a(n)  denote  the  length  of  each  message  cf  0,  c20  in  the  preamble  phase;  that  is  a(n)  = 
(v(n)  +  p(n))/Rp(v(n)  +  p(n )) 

Main:  We  first  define  the  strategy  of  Q-\ : 

•  First,  Qi  queries  its  oracle  A  to  obtain  the  first  message  ai,  appends  ai  to  t\,  computes 

(Ji  Sigsfe  ((ii,  ai)),  sends  Cip  =  a±,  cti))  to  Q2,  and  increases  the  counter  by  1 

(i.e.,  h  ■=  h  +  1). 

•  Upon  receiving  a  message  c'  from  Q2,  Qi  list-decodes  c,  and  verifies  that  there  exists  a 
unique  message  ( i',b',a ')  such  that  (a)  i’  =  i\  —  1  and  (b)  Ver.„fc^((z/,  b'),  a')  =  1.  If  the 
verification  rejects,  Q i  resends  its  previous  message  c-j  If  the  verification  accepts,  then 
Q i  appends  b'  to  t\  and  queries  t\  to  its  oracle  A.  If  A  returns  an  output  cq,  then  Qi 
outputs  Oi  and  terminates.  If  A  returns  a  next  message  a,;, ,  then  Qi  appends  a,,  to  t\ , 
computes  <—  Sigsfel  ((*i,  a.*1)),  sends  cpq  =  ^m((*i,fli1)o'i1))  to  Q 2,  and  increases  the 
counter  by  1  (i.e.,  i\  :=  i\  +  1). 

The  strategy  of  Q2  is  defined  analogously,  except  that  in  step  (a)  ,  Q2  verifies  that  i'  =  i2  (as 
opposed  to  i2  —  1). 

•  Upon  receiving  a  message  c'  from  Q i,  Q2  list-decodes  c,  and  verifies  that  there  exists  a 
unique  message  ( i',b',a ')  such  that  (a)  i'  =  i2  and  (b)  Ver„fc'  {{if  a'),  a')  =  1.  If  the 
verification  rejects,  Q2  resends  its  previous  message  c2^2-i-  If  the  verification  accepts,  then 
Q2  appends  a'  to  t2  and  queries  t2  to  its  oracle  B.  If  B  returns  an  output  02,  then  Q2 
outputs  02  and  terminates.  If  B  returns  a  next  message  bi2 ,  then  Q 2  appends  bi2  to  t2, 
computes  cq2  ■<—  Sigsfc2 ((*2, Oi2)),  sends  c2,i2  =  Em((i2,bi2,ai2))  to  Q 1,  and  increases  the 
counter  by  1  (i.e.,  i2  :=  i2  +  1)- 

Let  fi{n)  denote  the  length  of  each  round  in  the  main  phase.  Let  7 (n,m)  =  2 a(n)  +  2 m/3(n). 

Abort  condition:  At  any  point,  if  sending  the  next  message  causes  the  total  communication  to  exceed 
c(n,m)  bits,  the  scheme  Q  aborts  (with  the  players  outputting  _L). 


Figure  1:  Interactive  coding  scheme  Q  =  (Qi,Q2)  encoding  an  interactive  bit  protocol  7r. 
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Knowledge  Preservance:  First  note  that  if  c(n,  m)  >  7 (n,  m)  then  Q  is  complete.  Note  that 
Q  executes  ir  in  a  straight-line  fashion  (without  any  “rewindings” ) .  We  now  use  this  observation  to 
show  that  7 r  =  Q 71  is  a  knowledge  preserving  variant  of  7r.  More  precisely,  for  every  polynomial-time 
attacker  A*  for  player  1 ,  we  show  the  existence  of  a  polynomial-time  simulator  A*  such  that  for  every 
x  G  Xai  y  €  Xb  and  z  G  {0,1}*  we  have  that  out^*  [A*(x,  z)  G7  is  identically  distributed 

to  out a*[A*{x,z)  -h-  B(y)].  The  simulator  A*(x,z),  in  essence,  is  just  the  encoding  algorithm  Q 2: 
A*(x,z )  simply  emulates  an  interaction  between  A*(x,z)  and  Q2,  while  externally  forwarding  all 
the  oracle  queries  by  Q 2  and  answering  those  queries  by  forwarding  back  all  the  external  message. 
Since  Q2  never  rewinds  its  oracle,  the  view  of  A*  in  the  simulation  is  identical  to  its  view  in  the 
real  execution.  (Note  that  the  knowledge  preservance  property  holds  unconditionally.)  A  simulator 
for  an  adversarial  player  2  is  constructed  in  the  analogous  way. 


Error  resilience  We  turn  to  showing  that  Qn  is  77-error-resilient,  where 


77(71) 


min 


c(n,  min))  —  7(77,  m(m)) 
2  c(n,  m(m)) 


Vp  ■ 


a{n)  \ 
c(n,  m{m .))  J 


Consider  some  non-uniform  polynomial-time  channel  C,  security  parameter  n,  inputs  x,  y  and 

Ar  (x)  Br  (y) 

randomness  r a ■,  t'b  and  an  execution  e  G  supp{Q1rA  ‘  Q2  H  )  such  that  out(e)  / 

Ar  (x) 

out(Ar4(x)  G7  BrB[y))  (recall  that  by  perfect  completeness,  for  every  e'  G  supp(Q1rA  -H- 

Q frB  V  ),  we  have  that  out(e)  =  out (ArA(x)  G7  BrB(y)).)  For  this  to  happen,  either  of  two  things 
must  have  happened: 


1.  either  execution  gets  cut-off  (in  which  case  both  players  output  _L);  or, 

2.  either  Q 1  or  Q2  queries  its  oracle  on  a  partial  transcript  t'  that  is  not  a  partial  transcript  in 
the  execution  of  A(x)  -H-  B(y). 


We  show  that  neither  of  these  cases  can  happen  with  inverse  polynomial  probability  for  infinitely 
many  n  (and  selections  of  x,y,rA,re)  as  long  as  C  corrupts  at  most  r]{n)c{n,m(n))  bits. 

Let  us  first  prove  that  case  1  only  can  happen  with  negligible  probability.  First,  note  that  since 
c(n,m(n))  >  7(71,  m(n))  we  have  that  Qn  does  not  abort  when  run  over  a  noiseless  channel.  Next, 
note  that  since  77(77.)  <  rjpa(n)/c(n,m(n)),  the  channel  can  corrupt  at  most  rjp  ■  a{n)  bits.  It  follows 
that  each  message  in  the  preamble  phase  will  always  be  correctly  decoded,  since  (Ep,  Dp )  has  error 
rate  r/p  and  each  message  in  the  preamble  phase  is  of  length  a(n). 

Additionally,  since  77(77)  <  r/m  •  (c(n,m(n))  —  7(77,  m(n))) / (2c(n,  m(n)),  the  channel  can  corrupt 
at  most 

(c(n,  min))  —  7(77,  min))) 

??m  2 

bits.  Note  that  unless  channel  corrupts  77 m/3(n)  bits  in  a  message  in  the  main  phase,  the  message 
can  still  be  list  decoded.  Furthermore,  it  follows  (as  in  [MPSW10]),  relying  on  the  security  of  the 
signature  scheme  (against  non-uniform  polynomial-time  attackers)10  that  except  with  negligible 
probability,  the  correct  message  is  the  unique  one  that  has  an  accepting  signature  (since  the  channel 
has  seen  at  most  a  single  signed  message  of  the  form  (7,  •)  for  each  verification  key).  On  the  other 
hand,  if  the  channel  corrupts  more  than  rjm/3in)  bits  in  one  message,  list  decoding  is  no  longer 
guaranteed  to  work,  and  this  may  cause  the  players  to  resend  two  messages  (recall  that  the  player 

10Note  that  the  reason  we  require  non-uniform  security  of  the  signature  scheme  is  that  the  attacker  needs  to  get 
the  inputs  x,  y  and  the  non-uniform  advice  of  C. 
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that  notices  a  corrupted  message,  resends  its  previously  send  message,  which  forces  the  other  player 
to  resend  the  corrupted  one).  Thus,  every  time  the  channel  corrupts  ?ym/3(n)  bits,  it  may  cause 
the  interaction  to  become  2/3(n)  bits  longer.  So,  to  make  the  interaction  become  cut-off  (with 
non-negligible  probability),  we  need  j  such  corruptions  of  ijm(3(n)  bits,  where 

7(71)  +  2/3(n)j  >  c(n,  m(n)). 


In  other  words, 

c(t7,  777(77))  —  7(77, 777(77)) 

J>  md  1 

which  means  that  the  channels  needs  to  corrupt  more  than 

c(n,  777.)  —  7(77,  777 ) 

Vm  2 

bits,  which  is  a  contradiction. 

We  proceed  to  show  that  case  2  only  can  happen  with  negligible  probability.  The  key  observation 
needed  to  prove  this  is  that,  as  mentioned  above,  the  preamble  phase  is  always  uniquely  decoded 
and  thus  C  cannot  change  the  verification  keys  vk\,vk2-  Consider  the  first  time  that,  say,  Q\  queries 
its  oracle  on  a  partial  trascript  t!  that  is  not  a  partial  transcript  in  the  execution  of  A(x )  -H-  B(y). 
It  means  that  Q 1  accepts  an  incorrect  message  ( ')  such  that  b’  is  different  from  the  message 
67 _i  it  should  have  received  in  7r  in  round  i\  —  1,  it  must  be  the  case  that  a)  i!  =  i\  —  1  (or  else 
Q 1  would  reject  it),  and  b)  C  provided  a  valid  signature  (for  the  verification  key  ufo)  on  (t',6'). 
But  the  channel  has  seen  at  most  a  single  signature  (for  the  verification  key  vA^)  on  a  message 
of  the  type  ( i\  —  1,  •)  (since  Q2  will  only  send  a  single  message  of  this  type);  it  thus  follows  from 
the  non-uniform  security  of  the  signature  scheme  that  player  2  accepts  an  incorrect  message  with 
at  most  negligible  probability.  It  follows  analogously  that  C  can  only  make  player  2  accept  an 
incorrect  message  with  negligible  probability.  □ 

Equipped  with  Lemma  34,  we  now  turn  to  proving  Theorem  33. 

Proof  of  Theorem  33.  Assume  the  existence  of  one-way  functions,  fix  some  e  >  0.  By  scaling  down 
the  security  parameter  in  the  construction  from  Theorem  14,  there  exists  a  signature  scheme  with 
both  verification-key  length  and  signature  length  0(ne).  Additionally,  by  Theorem  18  and  20,  there 
exists  ECCs  (EP,D p),  ( Em,Dm )  with  information  rate  R(n)  =  0(1/77),  and  such  that  ( Ep,Dp )  has 
error-rate  1/4  —  e  and  ( Em ,  Dm )  is  1/2  —  e  efficiently  list  decodable.  By  Lemma  34,  we  get  that  the 
error  rate  77(77)  is  (approximately)  maximized11  when 

c(t7,  777)  =  7(77, 777 )  +  0(77)  =  3 0(77)  +  2 777 (77)/? (77). 

(that  is,  the  two  expressions  inside  the  min  are  the  same).  In  this  case, 

_  a(n) 

>l(n)  ,]p  '  3a(n)  +  2m(n)P(n) ' 

Note  that  we  can  set  the  padding  parameter  p(n)  to  be  a  sufficiently  big  polynomial  such  that 
e  •  a(n)  >  2m,(n)/3(n);  it  follows  that  the  error  rate  is  at  least 

Vp  =  (V4)  ~  e  >  J_  _ 

3  +  e  3  +  e  “12 

11  For  simplicity,  we  ignore  e  terms. 
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By  Lemma  34,  the  information  rate  of  Q  is  c(n,m)/2m  =  0(ne).  This  concludes  the  first  part  of 
the  theorem. 

If  additionally  assuming  the  existence  of  subexponentially-hard  one-way  functions,  it  instead 
follows  that  c(n,m)  <  0(m  ■  polylogn).  □ 

5.2  Negative  Results 

We  show  that  our  positive  result  is  optimal  in  two  ways: 

1.  The  existence  of  one-way  functions  is  necessary. 

2.  If  a  constant  error  rate  is  desired,  it  is  impossible  to  achieve  an  information  rate  of  11(1/  log  n). 

The  necessity  of  one-way  functions  We  show  that  the  existence  of  one-way  functions  is  nec¬ 
essary  to  acheive  computational  knowledge-preserving  interactive  coding  with  error  rate  1  /poly(n). 

Theorem  35.  For  every  polynomial  m(-),  the  existence  of  a  computational  knowledge-preserving 
interactive  coding  scheme  Q  with  error  rate  r}(n,m)  >  1  /m(n)  implies  the  existence  of  one-way 
functions. 

Proof.  At  a  high  level,  the  theorem  follows  by  observing  that  the  forking  attacker  A*  in  the  proof 
of  Theorem  27  can  be  approximated  efficiently  if  one-way  functions  do  not  exist,  and  so  can  the 
channel  adversary.  We  turn  to  a  formal  proof.  Assume  for  contradiction  that  one-way  functions 
do  not  exist,  we  show  that  there  does  not  exist  a  computational  knowledge-preserving  interactive 
coding  scheme  with  polynomial  error  and  information  rate. 

Consider  some  polynomial  m(-)  and  computational  knowledge-preserving  interactive  coding 
protocol  Q  =  (Q\,Q2)  with  error  rate  rj(n,m )  >  1  /m(n);  let  M(n,m,£)  be  a  polynomial  upper 
bound  on  the  number  queries  made  by  Q i,  Q2  to  its  oracles  (where  n  is  the  security  parameter,  m 
and  i  are  the  round  complexity  and  communication  complexity  of  the  protocol  n  to  be  encoded). 

Let  t  =  M(n,m,2mn)  +  1.  Let  ir  =  (A,B,Xa,Xb)  be  the  ping-pong  protocol  defined  in 
the  proof  of  Theorem  27  with  m  rounds  and  using  f-wise  independence  hash  functions  as  inputs. 
Let  m'{  )  be  the  round  complexity  of  the  encoded  protocol  Qn .  We  show  that  Q 77  cannot  be  a 
computational  knowledge-preserving  variant  of  7 r  by  obtaining  a  privacy  breach  using  the  same 
forking  attacker  A*  as  in  the  proof  of  Theorem  27,  but  relying  on  the  assumed  non-existence  of 
one-way  functions,  to  make  A*  and  the  channel  C  that  emulates  the  attacker  A *,  efficient. 

Recall  that  the  only  inefficient  step  of  A*  is  in  Step  2,  where  A*  needs  to  sample  a  fresh  input- 
randomness  pair  conditioned  on  the  first  j  —  1  rounds  partial  transcript  T  of  the  execution 

Qf^x\ri)  -H-  Let  /  denote  the  function  that  maps  (x,y,r\,r2,j)  to  T.  Clearly,  / 

is  efficient.  By  Theorem  12  and  the  assumed  non-existence  of  one-way  functions,  there  exists  a 
polynomial-time  inverter  M  such  that  (T,  M(T))  and  (T,  (x,y,ri,r2,j))  has  statistical  distance  at 
most  1/8 m'(n)  for  infinitely  many  n  £  N.  (Note  that  M  only  works  for  infinitely  many  n  £  N. 
Nevertheless,  this  is  sufficient.)  Namely,  M  can  approximately  sample  a  random  pre-image  of  a 
random  transcript  T  with  small  inverse  polynomial  error.  Relying  on  the  inverter  M,  A*  can  be 
made  efficient  straightforwardly,  with  the  following  modification;  let  us  denote  the  modified  attacker 
A* 

Wff 

•  In  the  second  step,  A*ff  applies  M  to  the  partial  transcript  T  to  obtain  a  pre-image  (x',  y'r\ ,  r^.j'). 
Then  A*ff  uses  (x',r[)  to  continue  the  attack  as  before.  Namely,  A*ff  continues  the  interac¬ 
tion,  but  with  the  input  and  randomness  to  Q 1  switched  to  x'  and  r\ ,  for  as  many  rounds 
as  possible,  subject  to  that  the  number  of  bits  it  transmits  since  round  j  does  not  exceed 
V(n)  ■  CCn(Qn). 
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By  construction,  the  attacker  A*ff  runs  in  polynomial  time;  additionally,  since  the  channel  C 
used  in  the  proof  of  Theorem  27  perfectly  mimics  the  attacker,  it  is  also  efficient. 

We  now  show  that  A*ff  approximate  A*  well  over  random  inputs,  which  implies  that  A*ff  can 
also  obtain  a  privacy  breach  with  inverse  polynomial  probablity  for  infinitely  many  n.  Specifically, 
we  show  that  the  following  two  experiments  have  a  statistical  distance  of  at  most  1/8 m'(n)  for 
infinitely  many  n  G  N. 

.  ExPl(ln)  =  [x  <-  XA(ln),y<r-  XB{ln)  :  A*(x)  O  Q^y)) 

•  Exp2(ln)  =  [x  <-  XA(1  n),y^  XB(ln)  :  A*eff(x)  Q*{y)] 

Claim  36.  For  infinitely  many  n  G  N,  the  statistical  distance  between  Exp1(ln)  and  Exp2(ln)  is 
at  most  1/8 m!(n). 

Proof.  Recall  that  both  experiments  are  determined  by  the  values  of  (x,y,ri,r2,j,x',r'1),  where 
(x,y,ri,r2,j)  are  independently  and  uniformly  sampled,  and  then  in  Exp1;  (x1,  r\ )  are  sampled 
conditioned  on  the  first  j  —  1  round  partial  transcript  T  of  the  execution  Qi^X\r\)  -H- 
and  in  Exp2,  (x',r[)  are  sampled  by  first  applying  the  efficient  inverter  to  obtain  (x',  y',  rfi  r2,  j') 
and  then  discarding  (;</,  r2,  j7). 

Fix  a  security  parameter  n  G  N  such  that  M  works;  that  is,  such  that  (T,  M(T ))  and  (T,  (x,  y,  ?’i,  r2,j)) 
have  a  statistical  distance  of  at  most  1/8 m'{n).  This  implies  that  the  distributions  of  ( T,  x7,r^ ) 
in  Exp1(ln)  and  Exp2(ln)  have  a  statistical  distance  of  at  most  1/8 m'(n),  since  projection  (i.e. , 
removing  (if ,  r'2.  j'))  cannot  increase  statistical  distance.  We  claim  that  additionally,  the  distribu¬ 
tion  of  the  whole  tuple  (x,y,ri,r2,j,x',r[)  in  Exp1(ln)  and  Exp2(ln)  have  a  statistical  distance  of 
at  most  1/8 m'(n)  as  well.  To  see  this,  as  a  thought  experiment,  we  can  view  the  experiments  as 
sampled  in  the  following  different  order:  first,  T  is  sampled,  then  ( x',r[ )  are  sampled  conditioned 
on  T,  and  finally  (x,y,ri,r2,j)  are  sampled  conditioned  on  T  (note  that  conditioned  on  T,  (x/  r\) 
and  (x,y,r\,r2,  j)  are  independent).  Note  that  in  both  experiments,  (x,  y,  ri,  7*2,  j)  are  sampled  in 
an  identical  way  after  sampling  (T,  x' ,  r\ ) ,  so  it  does  not  increase  the  statistical  distance.  Therefore, 
the  statistical  distance  between  Exp1(ln)  and  Exp2(ln)  on  this  security  parameter  n  is  at  most 
1/8  mf(n).  □ 

Now,  since  A*  obtains  a  privacy  breach  with  probability  >  l/4m/(n)  in  Exp1(l”)  for  sufficiently 
large  n  G  N,  and  Exp1(ln)  and  Exp2(ln)  have  statistical  distance  at  most  1/8 m'(n)  for  infinitely 
many  n  G  N,  it  follows  that  A*{f  can  also  obtains  a  privacy  breach  with  probability  >  1/8 m!{n) 
in  Exp2(l")  for  infinitely  many  n  G  N.  This  shows  that  Qfi  is  not  a  computationally  knowledge¬ 
preserving  variant  of  it  and  completes  the  proof.  □ 

The  necessity  of  a  communication  complexity  blow-up  We  show  that  every  computational 
knowledge-preserving  interactive  coding  scheme  with  constant  error  rate  must  have  an  information 
rate  of  o(l/logn),  showing  that  the  inverse  polylogarithmic  rate  achieved  in  Theorem  33  (assuming 
subexponentially  hard  one-way  functions)  is  essentially  optimal. 

Theorem  37.  Assume  the  existence  of  a  computational  knowledge-preserving  interactive  coding 
scheme  with  information  rate  R(n)  and  error  rate  y{n).  Then  R(n)ri(n)  G  o(l/log(n)). 

Proof.  The  theorem  is  a  direct  consequence  of  Theorem  38  proven  in  Section  6.  □ 
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6  Lower  Bound  for  Non-constructive  Schemes 


In  this  section,  we  present  an  impossibility  result  for  the  computational  setting,  which  applies 
even  to  non-constructive  interactive  coding  scheme.  In  particular,  for  every  7/(77)  >  1/logn,  we 
demonstrate  the  existence  of  protocol  n  with  communication  complexity  1/77(71)  such  that  every 
computationally  77-error  resilient,  computationally  knowledge-preserving  variant  of  7r  must  have 
communication  complexity  at  least  cu(logn).  In  particular,  for  the  case  77(77)  =  0(1),  we  get  that 
the  information  rate  also  for  non-constructive  interactive  coding  is  at  most  o(l/ log  77).  (Note  that 
this  result  is  interesting  also  in  the  information  theoretic  setting,  since  in  contrast  to  Theorem  27, 
we  here  provide  an  impossibility  result  also  for  non-constructive  interactive  coding.) 

Theorem  38.  For  every  function  ?/(•)  such  that  y{n)  >  0(1/ logro),  there  exists  a  protocol  ir  = 
(A,  B,  Xai  Xb)  with  communication  complexity  CC„(7r)  =  0(1/77(77))  such  that  for  every  protocol 
it'  =  (Qi,  Q2,  Xa-,  Xb)  that  is  a  computationally  knowledge-preserving  variant  of  n  and  is  computa¬ 
tionally  rj-error  resilient,  the  communication  complexity  of  it'  is  at  least  cu(log77). 

Proof.  We  here  consider  a  somewhat  simpler  variant  of  the  ping-pong  protocol,  which  we  refer  to 
as  the  “bit-exchange”  protocol  7r  (the  protocol  is  almost  identical  to  a  protocol  used  in  [CPU]  in 
a  quite  different  context).  We  show  that  any  protocol  tt'  with  communication  complexity  O (log 77) 
that  is  computational  77-error  resilient  cannot  be  a  computationally  knowledge  preserving  variant 

of  7T. 

Similarly  to  the  proof  of  Theorem  27,  let  us  first  formally  define  7r  and  formalize  a  security 
property  that  it  satisfies. 

The  “bit-exchange”  protocol  tt.  Let  m(-)  =  [~2/t/(-)]  [Kai-Min’s  Note:  Make  m  =  2/77 
instead  of  I/77  so  that  we  can  do  Markov  on  the  length  of  i-th  block.]  and  consider  the 
following  simple  bit-exchange  protocol  7r  =  (A,B,Xa,Xb),  where  both  players  simply  send  their 
inputs  to  each  other,  bit-by-bit.  On  security  parameter  77,  let  m  =  777(77)  and  T^(ln)  =  Tg(  1")  = 
{0, 1  }m(n).  7T  is  a  deterministic  777-round  protocol  that  on  the  inputs  x  E  {0,  l}m  and  y  E  {0,  l}m 
proceeds  as  follows:  at  each  round  i  E  [777],  A  sends  a*  =  Xi  to  B,  who  sends  back  b%  =  y%  to  A, 
where  Xi,yi  denote  the  7-th  bit  of  x,y,  respectively.  At  the  end  of  the  interaction,  both  A  and  B 
output  the  whole  transcript  (a,  b ),  where  a  =  (ai, . . . ,  am)  E  {0,  l}m  and  b  =  (&i, ... ,  bm)  E  {0,  l}m. 

“Guess-the-next-bit”  security  of  the  bit-exchange  protocol.  We  say  that  player  matches 
in  a  round  i  E  [777]  if  it  guesses  the  bit  sent  by  its  opponent  in  the  next  message.  Formally,  for 
i  E  [777],  defined  the  predicates  Matchi^a,  b)  =  1  iff  a*  =  bi ,  Match2jj(a,  b)  =  1  iff  bi  =  aj+i-  Note 
that  if  the  inputs  are  uniformly  distributed,  then  for  every  i  E  [777],  the  probability  that  each  player 
matches  in  round  i  with  probability  exactly  1/2. 

Claim  39.  For  every  adversarial  strategy  A*,  every  n  E  N  and  i  E  [777], 

Pr  [x,  y  <—  {0,  l}m  :  Matchi,j(out2[A*(x)  E7  B(y)})  =  1]  =  1/2. 

Similarly,  for  every  adversarial  strategy  B* ,  every  n  E  N  and  i  E  [777  —  1], 

Pr  [x,  y  •(—  {0,  l}m  :  Match2,i(outi[A(x)  o  B* (y)])  =  1]  =  1/2. 

Proof.  The  claim  trivially  follows  by  noting  that  for  every  A*  (resp.,  B*),  yi  (resp.,  £7+1)  remains 
uniformly  random  conditioned  on  the  view  of  A*  (resp.,  B*)  when  A*  (resp.,  B *)  needs  to  send  its 
i-th  message.  □ 
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Now,  consider  some  computationally  knowledge  preserving  variant  n'  =  (Q\,  Q2,  {0,  {0, 1  }m(n)) 

of  7r  that  has  O (log n)  communication  complexity  and  is  ry-error  resilient.  Let  c(n)  =  max{CCn(7r/),  logn}, 
and  m'  (■)  be  the  round  complexity  of  it1  .  As  in  the  proof  of  Theorem  27,  we  first  show  that  tt1 
needs  to  be  “implicitly  executing”  7r  in  a  chronological  order.  In  contrast  to  this  step  in  the  proof 
of  Theorem  27,  we  here  rely  on  the  knowledge  preservance  property  of  n1  to  demonstrate  this. 

Implicit  bit-exchange  computation.  Our  formalization  of  implicit  computation  here  is  quite 
different  from  how  it  was  formalized  in  the  proof  of  Theorem  27.  Here  we  rely  on  information- 
theoretic  definitions  of  what  it  means  to  implicitely  execute  7 r  (which  is  what  allows  us  to  provide 
an  impossibility  result  also  for  non-constructive  coding  schemes).  Towards  formalizing  it,  let  us 
first  introduce  some  additional  definitions. 

For  two  strings  T  and  T' ,  we  denote  by  T  <T'  (resp.,  T  -<  T')  that  T  is  a  prefix  (resp.,  proper 
prefix)  of  T' .  Fix  a  security  parameter  n  and  let  m  =  m(n).  If  x,y  G  {0,  l}m  and  T  is  a  partial 
transcript,  then  let  p(x,y,T )  =  Pr[T  ■<  trans[<5i(x)  GG  Q 2(2/)]];  that  is,  the  probability  that  T  is 
consistent  with  the  execution  of  Qi(x)  GG  Qziy)-  Let  A  >  e  G  (0, 1)  be  two  parameters  (to  be 
determined  later).  For  inputs  x,  y  G  {0,  l}m,  a  partial  transcript  T,  i  G  [to]  and  f3  G  {0, 1},  we  say 
that  (y,T)  (resp.,  (x,  T))  is  (5,  e)-binding  for  (i,/3)  if  the  following  two  conditions  hold: 

1.  There  exists  x'  G  {0,  l}m  with  x\  =  (3  (resp.,  y'  G  {0,  l}m  with  y'i  =  f3)  such  that  p(x' ,  y ,  T)  >  5 
(resp.,  p(x,y',T)  >  5). 

2.  For  every  x'  G  {0,  l}m  with  x\  /  (3  (resp.,  y'  G  {0,  l}m  with  y[  /  f3),  p(x',y,T)  <  e  (resp., 
p(x,y',T)  <  e). 

Intuitively,  this  means  that  ( y ,  T )  “determines”  Xi  =  (3.  Consider  an  execution  T  ■<—  trans[Qi(a:,  r\) 

<52(2/1  ^2)]  for  some  inputs  x,  y  G  {0,  l}m  and  randomness  rq,  V2  G  {0, 1}00.  Note  that  since  the  prob¬ 
ability  p(x ,  y,  T)  can  be  estimated  by  sampling,  the  above  two  conditions  can  be  checked  in  time 
poly(2c,  1/5, 1/e),  which  allows  player  1  to  “decode”  the  bit  yi  from  (x,  T)  when  (x,  T )  is  binging  for 
player  2’s  7-tli  bit  input.  Specifically,  there  is  an  algorithm  Deci  with  runtime  poly(n,  2C,  1/5,1/e) 
that  takes  ( x,T,i,5,e )  as  input  such  that  (a)  if  (x,  T)  is  (5,  e)-binding  for  (i,/3),  then  Deci  outputs 
j3  with  probability  at  least  1  —  2~n,  and  (b)  if  (x,  T)  is  not  (5/2,  2e)-binding  for  both  (i,0)  and 
(i,  1),  then  Dec  outputs  _L  with  probability  at  least  1  —  2~n.  Analogously,  there  is  an  algorithm 
Dec2  to  “decode”  player  l’s  bit  x,;  from  ( y,T ). 

Define  the  i-th  binding-point  for  player  1  (resp.,  2)  of  the  execution  (x,  y,  rq,  r2)  with  parameters 
(5,  e)  to  be  the  shortest  partial  transcript  T\  i  <  T  (resp.,  -<  T )  such  that  (i)  the  last  message  in 
T\  j  (resp.,  T2,i)  is  sent  by  player  1  (resp.  player  2),  and  (ii)  ( y,T\ tj)  (resp.,  (x,  T^))  is  (5,  e)-binding 
for  (i,Xi)  (resp.,  (i,  x/i)) ;  if  no  such  partial  transcript  exists,  define  =  _L  (resp.,  T\  i  =  T).  For 
convenient,  we  use  notation  T^i(x,  y,  r\ ,  rq;  5,  e)  to  denote  the  i-th  binding-point  for  player  d  of  the 
execution  (x,y,r\,r2)  with  parameters  (5,  e). 

Intuitively,  is  the  point  where  player  d  sends  its  i-bit  to  the  other  player  (corresponding  to 
the  i-th  message  in  the  implicit  computation  of  7r).  Formally,  let  the  predicate  lmplicitComp(x,  y,  ri,r2\  5,  e) 
1  iff  (i)  Tcii(x,y,ri,r2-,5,e)  /  _L  for  every  d  G  {1,2}  and  i  G  [to],  (ii)  T\  i  -<  T2^  for  every  i  G  [to], 
and  (iii)  T2 -<  T\^+\  for  every  i  G  [to  —  1];  that  is,  the  i-th  binding-points  for  both  players  occur  in 
a  chronological  order  corresponding  to  the  execution  of  7r  and  do  not  occur  at  the  same  time.  When 
lmplicitComp(x,  y,  rq,  r2]  5,  e)  =  1,  the  interaction  of  n1  can  be  partitioned  into  non-empty  chunks  as 
before:  for  every  i  G  [m],  the  i-th  chunk  of  the  execution  <5i(^,?q)  GG  Q-2(y,  n.)  starts  after  T2^_ \ 
and  finishes  at  the  end  of  T2X1  that  is,  the  i-th  chunk  starts  when  player  1  starts  sending  i-message 
and  finished  when  player  1  receives  the  i-th  message  from  player  2. 
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The  following  lemma  shows  that  ImplicitComp  holds  with  high  probability  for  every  input  pair 
(x,  y)  and  appropriate  (sufficiently  small)  inverse  polynomial  6  and  e. 

Lemma  40  (Implicit  Computation  Lemma).  For  every  polynomial  q{n )  >  n5  •  25("m(n)+c(n)) ;  for 
sufficiently  large  nGN, 

Pr[x,  y  G-  {0,  n,  r2  G  {0, 1}°°  :  lmplicitComp(x,  y.  r±,r2’,  l/q(n),  l/q2(n ))  =  1]  >  1  —  1  jn. 

Proof.  Let  S(n)  =  1  /q(n)  and  e(n)  =  l/q2{n).  Let  y(n)  be  a  negligible  function  such  that  it'  is  a 
computational  knowledge  preserving  variant  of  n  with  respect  to  /i(n)  (for  both  completeness  and 
computational  knowledge  preservance) .  Recall  that  the  completeness  property  says  that  for  every 
n  G  N,  every  x,  y  G  {0,  l}m(”), 

Pr[out[Qi(x)  G>  Q2 (j/)]  =  out[A(x)  G>  R(y)]  >  1  —  //(n). 

Fix  n  to  be  a  sufficiently  large  security  parameter  such  that  fi(n)  <  l/q5(n).  We  first  show  that 
for  every  x,  y  G  {0,  l}m, 

Pr [n,r2  G-  {0, 1}°°  :  Vd  G  {1,2},*  G  [m\,  Td>i{x,  y,  n,  r2;  <5,  e)  /  _L]  >  1  -  l/2n. 

Namely,  condition  (i)  of  the  predicate  ImplicitComp  is  satisfied  for  every  inputs  x,y{ 0,  l}m(n)  with 
high  probability.  Note  that  it  suffices  to  show  that  with  probability  at  least  1  —  l/2n  over  T  g- 
trans[Qi(x)  G>  Q2(y)],  for  every  i  G  [m],  (y,  T)  is  (5,  e)-binding  for  (*,  Xj)  and  (x,T)  is  (5,  e)-binding 
for  (*,  yi)\  that  is,  every  bit  of  both  players’  input  are  eventually  binding  at  the  end  of  the  execution. 
To  show  this,  it  suffices  to  show  the  following  two  statements. 

1.  For  every  x,  y  G  {0,  Pr[T  G-  trans[Qi(x)  G>  Q2(y)]  :  p(x,  y,  T)  >  <)'(n)]  >  1  —  l/2n. 

2.  For  every  x  7^  x'  G  {0,  y  f  y'  G  {0,  and  a  full  transcript  T  G  {0, 1}*, 

min{p(x,  y,  T),p(x' ,  y,  T)}  <  3 y(n)  and  min{y(x,  y,  T),p(x,  y',  T)}  <  3 y(n). 

Statement  (1)  implies  that  condition  (1)  in  the  definition  of  binding  is  satisfied  with  probability  at 
least  1  —  1/2 n,  and  when  the  event  in  statement  (1)  holds,  statement  (2)  guarantees  that  condition 
(2)  is  also  satisfied.  Now,  statement  (1)  follows  by  noting  that 

Pr[T  trans[Qi(x)  G>  Q^y)]  :  p(x,  y,  T)  <  <5(n)]  <  6(n)  ■  2c<yV2>  <  1/2 n. 

For  statement  (2),  suppose  that  there  exist  x  f  x'{0,  l}m(n),  y  G  {0,  l}m(n)  and  a  full  transcript 
T  G  {0, 1}*  such  that  both  p(x,y,T),p(x' ,y,T)  >  3 y(n).  Consider  two  executions  <2i(x)  G>-  Q2(y) 
and  Qi(x')  G>  Q2(y)-  Note  that  conditioned  on  the  full  transcript,  the  output  of  player  2  is 
independent  of  the  input  of  player  1.  Thus,  when  the  transcript  is  T,  player  2  must  generate  an 
incorrect  output  for  one  of  the  two  executions  (i.e.,  out2[Qi(x)  G>  Q2 (y)]  f  out2^4(x)  G>  B(y)\, 
which  is  simply  (x,  y)).  Since  in  both  executions,  T  occurs  with  probability  at  least  3 p(n),  it  follows 
that  player  2  produces  incorrect  output  in  one  of  the  execution  with  probability  >  3y(n)/2  >  p(n), 
violating  the  completeness  property.  This  shows  that  min {p(x,y,T),p(x' ,y,T)}  <  3 y(n)  for  every 
x/x'g  {0, 1  }m(n),  y  G  {0, 1  }m(n),  and  full  transcript  T  G  {0, 1}*.  An  analogous  argument  shows 
that  min {p(x,y,T),p(x,y' ,T)}  <  3 y(n)  for  every  x  f  x'  G  {0,  l}m(n),  y  G  {0,  l}m(n),  and  full 
transcript  T  G  {0, 1}*. 

We  proceed  to  show  that  condition  (ii)  and  (iii)  hold  with  high  probability,  relying  on  the 
following  claim. 
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Claim  41.  For  every  i  £  [m],  suppose  one  of  the  following  holds. 

•  Pr [x,y  4-  {0, 1  }m(n),n,r2  4-  {0, 1}°°  :  Xi  ^  yt  A  T2ji(x,  y,  n,  r2;  S,  e)  -4  TM(x,  y,  n,  r2;  5,  e)]  > 
l/g(n),  or 

•  Pr[x,y  4-  {0,  l}m(n),ri,r2  4-  {0, 1}°°  :  Xi  =  yt  A  T2ji(x,  y,  n,  r2;  5,  e)  -4  Tg^x,  y,  n,  r2;  5,  e)]  > 
l/g(n). 

Then  there  exists  an  adversarial  strategy  A*  for  player  1  such  that 

Pr  x,  y  4-  {0,  l}m,o  4-  out2[A*(x)  4-»  Q2(y)]  :  Matchi^o)  =  1  -1/2  >  l/8g(n). 

Similarly,  for  every  i  £  [m  —  1] ,  suppose  one  of  the  following  holds. 

•  Pr[x,y  4-  {0,  l}m(n),ri,r2  4-  {0, 1}°°  :  y*  /  xi+i  A  Tiii+i(x,  y,  n,  r2;  6,  e)  -4  T2ji(x,  y,  n,  r2;  e)]  > 

l/g(n),  or 

•  Pr[x,  y  4-  {0,  l}m(n),ri,r2  4-  {0, 1}°°  :  yl  =  xi+1  A  Tiii+i(x,  y,  n,  r2;  S,  e)  -4  T2)i(x,  y,  n,  r2;  e)]  > 

l/q(n),  or 

Then  there  exists  an  adversarial  strategy  B*  for  player  2  such  that 

Pr  x,y  4-  {0,  l}m,  o  4-  out2[Qi(x)  4A-  B*(y)\  :  Match2)i(o)  =  1  -1/2  >1/8 q(n). 

Note  that  the  conclusions  of  the  claim  contradict  to  the  knowledge  preserving  property.  Thus, 
it  follows  that  for  every  i  £  [m], 

Pr [x,y  4-  {0,  l}m(n),ri,r2  4-  {0,1}°°  :  T2)i(x,  y,  n,  r2;  S,  e)  -4  Titi(x,  y,  n,  r2;  6,  e)]  <  2 /q(n),and 

Pr[x,  y  4—  {0,  l}m(n),ri,r2  4-  {0,1}°°  :  Ti)i+i(x,  y,  n,  r2;  e)  -4  T2ji(x,  y,  n,  r2;  5,  e)]  <  2/y(n). 

It  now  follows  by  a  union  bound  that  condition  (ii)  and  (iii)  hold  with  probability  at  least  1  — 

4 m/q(n)  >1  —  1/2 n,  and  another  union  bound  concludes  that 

Pr[x,  y  4—  {0,  l}m(n),ri,  r2  £  {0, 1}°°  :  lmplicitComp(x,  y,  r\,  r2;  1  /q(n),  l/q2(n))  =  1]  >  1  —  1  /n. 

It  remains  to  prove  the  claim. 

Proof  of  Claim  fl.  We  start  by  proving  the  first  case  of  the  claim.  Namely,  we  show  that  if 
Pr [x,y  4-  {0,  l}m(n),ri,r2  4-  {0,1}°°  :  x*  /  yi  A  T2>i(x,  y,  n,  r2;  6,  e)  -4  TM(x,  y,  n,  r2;  <5,  e)]  >  l/g(n), 


then 

Pr  x,  y  4-  {0,  l}m,  o  4-  out2[A*(x)  4A  Q2(y)]  :  Matchp^o)  =  1  >  1/2  +  l/8g(n). 

At  a  high  level,  the  idea  is  simple:  whenever  yt  is  bound  at  point  T2j  before  x*  is  bound,  A*  can 
first  decode  y*  from  (x,  T2jj),  and  then  if  x*  =  yi,  A*  simply  continues  honestly,  but  if  x,  /  x*,  A* 
changes  its  input  from  x  to  some  x'  with  x'-  =  yi  (A*  can  do  so  since  Xj  is  not  bound  yet).  Formally, 
on  input  x  £  {0,  l}m,  A*  performs  the  following  strategy  to  interact  with  Q2: 

•  A*  samples  a  uniform  randomness  r\  4—  {0, 1}°°  and  starts  by  honestly  executing  the  protocol 
Qi,  but  at  the  end  of  each  round  j ,  A*  runs  Deci(x,  Tj,i,  5,  e)  where  Tj  is  the  current  partial 
transcript.  If  Deci  outputs  _L,  then  A*  simply  continues  honestly  at  round  j  +  1.  If  Deci 
outputs  /3  £  {0, 1},  let  T*  denote  the  current  transcript  and  A*  proceeds  as  follows. 
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—  If  f3  =  Xi,  then  A*  simply  continues  the  execution  honestly  throughout. 

—  If  /3  /  Xi,  then  A*  uses  rejection  sampling  to  sample  a  random  (x1 ,  r\ )  conditioned  on 
x\  =  /3  and  the  current  transcript  T* .  A*  cuts-off  the  rejection  sampling  procedure  when 
it  fails  for  more  than  M  =  0(n2m  /  5e)  samples;  in  this  case,  A*  sets  (x' ,  r\ )  =  ( x,r± ) 
(i.e.,  does  not  change  the  input-randomness  pair).  Then  A*  continues  executing  the 
protocol  Q i  with  the  alternative  input-randomness  pair  (x',r[)  throughout. 


We  proceed  to  analyze  A*.  The  following  sub-claim  says  that  Matchi^  holds  with  high  proba¬ 
bility  when  Xi  =  yi. 


Sub-claim  42.  Pr 

1/8 q(n). 


x,y  A-  {0,  l}m,o  A-  out2[y4*(rc)  aa  Q2(y)\  :  Xi  =  y*  A  MatchM(o)  =  1  >  1/2  - 


Proof.  First  note  that  by  completeness,  we  have 


Pr  [x,y  A-  {0,  1}”>  A-  out2 [Qi(x)  AA  Q2(y)\  :  x%  =  m  A  Matchpj(o)  =  1]  >  1/2  -  p{n). 

Additionally,  note  that  when  xt  =  yi  and  there  is  no  “decoding  error”  (i.e.,  during  the  execution 
Deci  does  not  return  (3  =  yt),  then  A*  simply  executes  Q\  honestly.  Thus,  to  lower  bound  the 
probability  of  the  desired  event,  it  suffices  to  upper  bound  the  probability  that  a  decoding  error 
occur  during  the  execution.  Now,  observe  that  during  the  execution,  the  property  of  Deci  ensures 
that  when  p{x,y,T)  >  2e,  Deci  (x,T,i,6,e)  outputs  incorrect  answer  (3  =  yi  with  probability  at 
most  2~n.  Noting  that  for  every  (x,y),  Pr[T  A-  trans[Qi(x)  A>  6My)]  ‘  p(x,y,T )  <  2e]  <  2c(n)  •  2e, 
and  that  A*  (x)  invokes  Deci  at  most  m'{n)  times,  the  probability  that  a  decoding  error  occur  can 
be  upper  bounded  by  m!(ri)  ■  2~n  +  2C ("1  •  2e.  A  final  union  bound  implies  that 


Pr 


x,y<r-  {0,  l}m,o^  out 2[A*(x)  Q2(j/)]  :  xt  =  yt  A  Matchp^o)  =  1 

1/2  -  pin)  -  m'{n)  ■  2~n  -  2c(n)  •  2e  >  1/2  -  1/8 q(n). 


□ 


We  next  show  that  when  X{  yi,  Matchpj  still  holds  with  noticeable  probability. 


Sub-claim  43.  Pr 


x,y  <-  {0,  l}m,o  out2 \A*(x)  o  Q2(y)]  :  /  y*  A  Matchpj(o) 


1  >  l/4g(n). 


Proof.  Let  Good  denote  the  event  that  during  the  execution,  the  tuple  ( x,y,T *)  satisfies  the  fol¬ 
lowing  three  conditions:  (i)  x\  /  yi,  (ii)  p(x,y,T*)  >  5,  (iii)  Deci (x,T* ,i,5,e)  outputs  y*  (i.e.,  Deci 
decodes  correctly),  and  (iv)  let  T~  denote  the  partial  transcript  obtained  by  removing  the  last 
message  from  T*  (thus,  the  last  message  is  from  player  1  to  player  2);  (■ y,T~ )  is  not  (6,  e)-binding 
for 

We  first  show  that  Good  happens  with  probability  at  least  1/2 q(n).  Recall  that  A*  executes  Q\ 
honestly  before  the  end  of  T* ,  and  that  in  the  execution  of  Qi(x)  -fA  Q2(y), 


Pr[x,  y  4-  {0,  l}m(n) 


n,r2  <-  {0, 1}°°  :  Xi  yi  A  T2ji(x,y,r1,r2-,S,e)  -<  Tlti(x,y,ri,r2;6,e)}  >  l/q(n). 


Now,  consider  any  tuple  (x,  y,  r\,  r2)  such  that  the  above  event  hold,  and  let  T2^  =  T2^{x,  y,  r\,  r2;  5,  e ) 
and  Tffi  be  T2  l  with  the  last  message  removed.  Note  that  Deci (x,T2^,i,  5,  e)  outputs  yi  with 
probability  at  least  1  —  2~n,  and  that  (y,  is  not  (6,  e)-binding  for  ( i,Xi ).  Therefore,  in  the 
execution  of  A*(x)  -fA  Q2(y),  conditioned  on  such  {x,y,r\,r2),  we  have  that  with  probability  at 
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least  1  —  m!{n )  •  2~n,  it  holds  that  the  above  four  conditions  hold  with  T*  A  (the  mf(n)  ■  2~n 
term  comes  from  union  bound  over  at  most  m'(n )  invocation  of  Deci;  note  that  it  is  possible  that 
T*  -<  T2,i  and  in  this  case,  the  probability  that  Deci  outputs  yi  is  also  upper  bounded  by  2~n). 
Therefore,  the  probability  that  the  Good  event  happens  is  at  least  1  / q(n)  ■  {1  —  m' (n)  -  2~n  >  1/2 q(n). 

We  next  show  that  conditioned  on  any  tuple  (. x,y,T *)  such  that  the  Good  event  holds,  with 
probability  at  least  (1  —  1/8 q(n)),  (a)  A*  can  successfully  sample  a  fresh  input-randomness  pair 
(x' .  r\ )  through  rejection  sampling,  and  (b)  Q2  outputs  (x',y)  at  the  end  of  the  execution.  For  (a), 
the  fact  that  ( y,T~ )  is  not  (6,  e)-binding  for  (i,Xi)  and  p(x,y,T~ )  >  p(x,y,T*)  >  5  implies  that 
there  exists  some  x*  such  that  x*  /  x*  and  p(x*,y,  T~)  >  e.  Now,  the  facts  that  the  last  message  of 
T*  is  sent  by  player  2  and  that  p(x,y,T*)  >  5  imply  that  p(x*  ,y,T*)  >  e5.  Therefore,  the  chance 
of  sampling  a  pair  [x' .  r\ )  that  is  consistent  with  T*  is  at  least  2~me5,  and  rejection  sampling  with 
M  =  0(n2m /5e)  samples  can  succeed  with  probability  at  least  1  —  2~n .  For  (b),  note  that  the 
execution  now  is  equivalent  to  an  honest  execution  of  Q\(x')  4—  Q2{y)  conditioned  on  transcript 
T* .  By  completeness,  Q2  outputs  (. xf,y )  with  probability  at  least  1  —  fj,(n)/p(x',y,T*).  Now,  recall 
that  there  exists  x*  with  p{x*  ,y,T*)  >  eS.  A  Markov  argument  shows  that  the  rejection  sampling 
procedure  returns  an  x'  with  p(x',y,T*)  <  e62~m /8q(n)  is  at  most  1  —  1/8 q(n).  Therefore,  when 
condition  (a)  holds,  we  have  that  condition  (b)  also  holds  with  probability  at  least  (1  —  1/8 q(n))  ■ 
(1  —  u(n)8q(n)2m /e5)  >  (1  —  1/4 q(n)).  Therefore,  the  probability  that  both  conditions  hold  is  at 
least  (1  -  2~n)  ■  (1  -  1/4 q(n))  >  1  -  l/2g(n). 

Finally,  we  can  conclude  that 


Pr 


X,y  <r-  {0,  l}m,o  out 2[A*(x)  Q2(y)\  ■  Xi  /  yi  A  Matchi.i(o)  =  1 


>  1/2 q(ri)  ■  (1  —  1/2 q(n))  >  1/4 q(n). 

□ 


Combining  the  above  two  sub-claims,  we  have  that 


Pr 


X,  y  <r-  {0,  l}m,  o  <r-  out2 [A* (x)  Q2(l/)]  :  Matchi]j(o)  =  1 


>  1/2  -  1/8 q(n)  +  1/4 q(n)  >  1/2  +  1/8 q(n). 

This  completes  the  proof  of  the  first  case  of  the  claim.  The  remaining  three  cases  of  the  claim  can 
be  proved  by  an  analogous  argument. 

□ 

□ 


Obtaining  a  match-deviation  in  7 t'  Now  that  we  have  established  that  implicit  computation 
holds  in  ir1  with  high  probability,  we  can  obtain  a  deviation  on  the  matching  probability  in  tt1 
relying  on  a  similar  forking  attack  as  in  the  proof  of  Theorem  27;  such  deviation  shows  that  n' 
cannot  be  a  knowledge-preserving  variant  of  7 r. 

Let  S(n)  =  1/n5  •  25(m(n)+c(n^  and  e(n)  =  <52(n).  For  i  €  [m]  and  e  G  {0,1},  consider  the 
following  adversarial  strategy  A*e  for  player  1.  On  input  x  €  {0,  l}m,  and  randomness  rq,  A* 
performs  the  follow  “forking”  attack: 

1.  A*e  uniformly  picks  a  random  round  j  [m'(n)\  and  honestly  executes  the  encoded  protocol 
Qi  up  to  the  end  of  ( j  —  l)-th  round.  Let  T  be  the  resulting  partial  transcript. 
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2.  A*  e  samples  a  fresh  input-randomness  pair  (x' ,  r\ )  conditioned  on  the  partial  transcript  T 
using  rejection  sampling  with  a  sufficiently  large  cuts-off  parameter  M  =  1/e5 .  Then,  A* 
continues  executing  Q\  but  now  with  inputs  x'  and  randomness  r[ ,  for  as  many  rounds  as 
possible,  subject  to  the  restriction  that  the  number  of  bits  it  transmitted  since  round  j  does 
not  exceed  77(71)  •  CCn(7r/).  Let  T'  be  the  resulting  partial  transcript. 

3.  A*e  invokes  Deci(x,  T',  i,  <5,  e),  and  proceeds  with  the  following  two  cases. 

•  If  Deci  outputs  1  or  {3  £  {0, 1}  such  that  (3  ©  x\  =  e,  then  A*e  continues  the  rest  of  the 
interaction  honestly,  with  the  “true”  input  x  and  randomness  r±  of  Qi  5  (pretending  that 
it  was  player  2  that  deviated  since  round  j,  but  its  own  messages  were  correctly  sent), 
(pretending  that  it  sent  its  own  messages  correctly  but  was  corrupted  by  the  channel). 

•  If  Deci  outputs  /3  £  {0, 1}  such  that  ©  Xi  /  e,  then  A*e  samples  another  fresh  input¬ 
randomness  pair  (x",r'{),  conditioned  on  the  partial  transcript  T  and  that  (3  ©  x"  =  e, 
using  rejection  sampling  with  a  sufficiently  large  cuts-off  parameter  M  =  1/e5;  if  the 
rejection  sampling  fails,  A*e  sets  ( x",r '/)  =  (. x,ri )  (i.e. ,  A;>e  does  not  change  the  input¬ 
randomness  pair).  Then  A*e  continues  the  rest  of  the  interaction  honestly,  with  the 
“new”  input  x"  and  randomness  r'[  of  Q\  (again,  pretending  that  it  sent  its  own  messages 
correctly  but  was  corrupted  by  the  channel). 

4.  Ai>e  produces  no  output. 

Claim  44.  For  sufficiently  large  n,  there  exists  i  £  [777(77)]  and  e  £  {0, 1}  such  that 

Pr  x,  y  •<-  {0,  l}m,o  •<-  out2[^4*e(x)  -H-  Q2(j/)]  :  Match^/o)  =  1  -1/2  >  l/32m'(n). 

Proof,  (sketch.)  The  claim  is  proved  by  combining  the  analysis  of  Sub-claim  32  in  Theorem  27  and 
the  proof  of  Claim  41  above. 

Recall  that  implicit  computation  holds  with  probability  at  least  1  — 1/n,  and  in  such  case,  chunks 
are  well-defined.  Let  i*  £  [m]  be  such  that  the  i*-th  chunk  has  shortest  expected  length  when 
chunks  are  well-defined.  By  an  averaging  argument,  the  expected  length  of  the  i*-th  chunk  is  at 
most  (I/777.)  •  CC„(7r/).  By  an  identical  argument  to  the  analysis  of  Sub-claim  32,  for  both  e  £  {0, 1}, 
in  the  experiment  {x,  y  •(—  {0,  l}m  :  A**  e(x)  <->■  Q 2(2/)},  (x\  y,  r/  rf)  is  uniformly  distributed  and 
independent  of  j.  By  a  Markov  argument,  with  probability  at  least  1/2,  the  z*-th  chunk  has  length 
at  most  (2/777)  •  CCn(7r)  <  77(77)  •  CCn(7r).  Define  Good  to  be  the  event  that  (i)  chunks  are  well- 
defined,  (ii)  the  7*-tli  chunk  has  length  at  most  (2/777.) -CCn(7r)  and  (iii)  j  equals  to  the  starting  round 
of  the  T-tlr  chunk.  Note  that  when  Good  happens,  the  7*-th  chunk  finished  before  T'  and  when 
Ai*  e  invokes  Deci,  it  returns  a  correct  bit  (3  =  yi  with  overwhelming  probability.  Additionally,  by 
definition,  ( y,T~ )  is  not  (d,  e)-binding  for  X{.  where  T~  is  obtained  by  removing  the  last  message 
from  T.  Note  that  Good  happens  with  probability  at  least  (1  —  l/n)-(l/2)-(l/m'(n))-(l  —  negl(7i))  > 
1/4777' (77). 

By  a  similar  argument  to  the  proof  of  Sub-claim  43,  when  Good  happens,  Q2  outputs  (a,  b )  with 
a,  ©  bi  =  e  with  high  probability.  Roughly,  the  reason  is  that  in  this  case,  with  high  probability  (a) 
A**  e  can  sample  a  input-randomness  pair  {x" .  r'/)  such  that  x'f  ©  y*  =  e  and  (b)  the  error-resilient 
property  implies  that  Q2  outputs  (x" .y).  Therefore,  for  either  e  =  0  or  e  =  1,  A*t  e  can  gain 
at  least  1/16777/(77)  advantage  from  the  Good  event.  On  the  other  hand,  as  argued  in  the  proof 
of  Sub-claim  42,  the  only  chance  that  A**  is  when  Deci  returns  incorrect  answer  f3  =  y*,  which 
happens  with  negligible  probability.  Therefore,  the  overall  advantage  of  A*e  is  at  last  1/32777' (77). 

□ 
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ABSTRACT 

The  simulation  paradigm,  introduced  by  Goldwasser,  Mi- 
cali  and  Rackoff,  is  of  fundamental  importance  to  modern 
cryptography.  In  a  breakthrough  work  from  2001,  Barak 
(FOCS’Ol)  introduced  a  novel  non-black-box  simulation  tech¬ 
nique.  This  technique  enabled  the  construction  of  new  cryp¬ 
tographic  primitives,  such  as  resettably-sound  zero-knowledge 
arguments,  that  cannot  be  proven  secure  using  just  black¬ 
box  simulation  techniques.  The  work  of  Barak  and  its  follow¬ 
ups,  however,  all  require  stronger  cryptographic  hardness 
assumptions  than  the  minimal  assumption  of  one-way  func¬ 
tions. 

In  this  work,  we  show  how  to  perform  non-black-box  sim¬ 
ulation  assuming  just  the  existence  of  one-way  functions. 
In  particular,  we  demonstrate  the  existence  of  a  constant- 
round  resettably-sound  zero-knowledge  argument  based  only 
on  the  existence  of  one-way  functions.  Using  this  technique, 
we  determine  necessary  and  sufficient  assumptions  for  sev¬ 
eral  other  notions  of  resettable  security  of  zero-knowledge 
proofs.  An  additional  benefit  of  our  approach  is  that  it 
seemingly  makes  practical  implementations  of  non-black-box 
zero-knowledge  viable. 
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1.  INTRODUCTION 

Zero-knowledge  (ZK)  interactive  protocols  [16]  are  para¬ 
doxical  constructs  that  allow  one  player  (called  the  Prover) 
to  convince  another  player  (called  the  Verifier)  of  the  validity 
of  a  mathematical  statement  x  €  L,  while  providing  zero  ad¬ 
ditional  knowledge  to  the  Verifier.  Beyond  being  fascinating 
in  their  own  right,  ZK  proofs  have  numerous  cryptographic 
applications  and  are  one  of  the  most  fundamental  crypto¬ 
graphic  building  blocks. 

The  zero-knowledge  property  is  formalized  using  the  so- 
called  simulation  paradigm:  for  every  malicious  verifier  V* , 
we  require  the  existence  of  a  “simulator”  S  that,  given  just 
the  input  x,  can  indistinguishably  reproduce  the  view  of  V* 
in  an  interaction  with  the  honest  prover.  (We  note  that  the 
simulation  paradigm  extends  well  beyond  the  notion  of  zero- 
knowledge,  and  is  a  crucial  component  of  modern  definitions 
of  protocol  security.)  The  most  typical  way  of  performing 
such  a  simulation  is  using  black-box  simulation  [15]:  here  we 
exhibit  a  universal  simulator  S  that,  given  only  black-box 
access  to  any  (efficient)  V* ,  can  reproduce  the  view  of  V* 
in  an  interaction  with  the  honest  prover.  Indeed  most  zero- 
knowledge  protocols  (and  more  generally  protocols  for  secure 
computation)  are  analyzed  using  black-box  simulators.  But 
several  limitations  of  black-box  simulators  are  also  known; 
see  e.g.  [13,  10,  3,  26]. 

In  a  breakthrough  result  from  2001,  Barak  [1]  demon¬ 
strated  a  new,  powerful  non-black-box  simulation  technique, 
and  used  this  technique  to  construct  a  constant-round  public- 
coin  zero-knowledge  argument;  by  the  result  of  [13]  such  pro¬ 
tocols  cannot  be  proved  zero-knowledge  using  just  black-box 
simulation.  In  the  same  year,  Barak,  Goldwasser,  Goldreich 
and  Lindell  [3]  demonstrated  that  this  non-black-box  simula¬ 
tion  technique  could  be  used  to  acheive  a  new  cryptographic 
primitive  that  cannot  be  proven  secure  using  black-box  sim¬ 
ulation,  namely  resettably-sound  zero-knowledge  protocols. 
In  a  resettably-sound  zero-knowledge  protocol,  the  sound¬ 
ness  property  is  required  to  hold  even  if  the  malicious  prover 
is  allowed  to  “reset”  and  “restart”  the  verifier.  This  model  is 
particularly  relevant  for  cryptographic  protocols  being  ex¬ 
ecuted  on  embedded  devices,  such  as  smart  cards.  (Since 
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these  devices  have  neither  a  built-in  power  supply,  nor  a  non¬ 
volatile  rewritable  memory,  they  can  be  “reset”  by  simply 
disconnecting  and  reconnecting  the  power  supply.)  Roughly 
speaking,  the  reason  why  non-black-simulation  is  cruicial  for 
resettably-sound  zero-knowledge  protocols  is  that  a  black¬ 
box  simulator  has  essentially  the  same  “powers”  as  a  ma¬ 
licious  resetting  prover  (i.e.,  it  can  only  reset  and  restart 
the  verifier);  from  this  observation  it  follows  that,  unless 
L  £  BPP,  a  “good”  simulator  can  be  as  a  successful  cheating 
prover.  Since  these  results,  non-black-box  simulation  tech¬ 
niques  have  found  applications  in  various  other  contexts  (see 
e.g.  [2,  24,  25,  11]). 

One  important  limitation  of  the  non-black-box  simulation 
technique  of  Barak  [1]  (also  present  in  its  follow-up  works)  is 
that  the  technique  requires  stronger  assumptions  than  those 
typically  needed  for  constructing  zero-knowledge  protocols. 
In  particular,  the  protocol  of  Barak  (using  the  refinement  in 
[2])  relies  on  the  existence  of  families  of  collision-resistant 
hash  functions  (CRH),  and  as  a  consequence,  such  hash 
functions  are  needed  in  the  above  applications  too.1  In  con¬ 
trast,  for  “plain”  zero-knowledge  (i.e.,  without,  for  instance, 
resettable  soundness)  one-way  functions  are  both  sufficient 
and  (essentially)  necessary  [14,  17,  23],  leaving  open  the  fol¬ 
lowing  question,  which  is  the  focus  of  this  work. 

Do  one-way  functions  suffice  for  performing  non- 
black-box  simulation  (for  primitives  that  cannot 
be  proven  secure  using  black-box  simulation  tech¬ 
niques)? 

A  very  recent  elegant  work  by  Bitansky  and  Paneth  [6]  takes 
us  a  step  closer  to  answering  this  question.  They  present  a 
resettably-sound  zero-knowledge  argument  without  relying 
on  hash  functions;  instead,  they  rely  on  the  existence  of  an 
oblivious  transfer  (OT)  protocol.  Although,  the  existence  of 
an  OT  protocol  is  seemingly  a  more  “complex”  assumption 
than  the  existence  of  CRHs,2  it  is  not  known  whether  the 
existence  of  an  OT  protocol  implies  the  existence  of  CRH  (or 
vice  versa).  More  important,  to  achieve  this  result,  Bitansky 
and  Paneth  devise  a  quite  different  method  for  performing 
non-black-box  simulation. 

l.l  Our  Result 

In  this  work,  we  answer  the  above  question  in  the  affir¬ 
mative.  We  show  that  for  the  case  of  resettably-sound  zero- 
knowledge,  the  existence  of  one-way  functions  suffices. 

Theorem  1  (Main  Theorem).  Assume  the  existence 
of  one-way  function.  Then  there  exists  a  constant-round 
resettably-sound  zero-knowledge  argument  for  all  of  NP. 

Interestingly,  our  protocol  is  quite  close  in  spirit  to  Barak’s 
original  protocol,  while  dispensing  of  the  need  for  collision- 
resistant  hash  functions. 

By  relying  on  the  above  main  theorem,  we  establish  sev¬ 
eral  other  results  on  resettable  security:  Assuming  one-way 
functions,  all  of  NP  has 

JThe  original  protocol  of  Barak  relies  on  a  very  slightly 
super-polynomially  hard  collision-resistant  hash  function; 
the  need  for  super-polynomial  hardness  was  removed  in  [2]. 
2  Most  candidate  constructions  of  OT  protocols  rely  on 
“structured”,  number-theoretic  or  lattice-based,  assump¬ 
tions.  Additionally,  all  these  assumptions  are  known  to  im¬ 
ply  also  the  existence  of  collision-resistance  hash  function 
(but  the  converse  is  not  true). 


•  a  constant-round  resettably-witness-indistinguishable 
argument  of  knowledge; 

•  a  0(logn)-round  resettable-zero-knowledge  argument 
of  knowledge. 

(Roughly  speaking,  in  a  resettably-witness  indistinguishable 
(resp.,  zero-knowledge)  argument,  the  witness  indistinguisha- 
bility  (resp.,  zero-knowledge)  property  is  required  to  hold 
also  in  the  presence  of  a  resetting  verifier.)  For  the  above- 
mentioned  primitives,  previous  results  required  additional 
cryptographic  assumptions  (the  existence  of  collision-resistant 
hash-functions  or  oblivious  transfer  protocols) .  We  addition¬ 
ally  show  how  to  eliminate  the  need  for  CRHs  in  the  con¬ 
struction  of  [11]  of  a  simultaneously  resettable  zero-knowledge 
argument  for  NP — simultaneous  resettability  here  means  that 
security  (both  zero-knowledge  and  soundness)  holds  even 
with  respect  to  resetting  attackers. 

We  emphasize  that  for  all  the  above  results,  the  use  of 
non-black-box  techniques  are  inherent.  Our  results  lead  to 
improvements  also  for  cases  when  black-box  simulation  can 
be  used:  prior  to  our  results,  resettable  zero-knowledge  argu¬ 
ments  (without  the  argument  of  knowledge  property)  were 
known  only  based  on  the  existence  of  CRHs,  but  these  pro¬ 
tocols  were  actually  proven  secure  using  black-box  simula¬ 
tion.  As  mentioned  above,  we  are  able  to  establish  even  the 
stronger  notion  of  a  resettable  zero-knowledge  argument  of 
knowledge  assuming  only  one-way  functions. 

1.2  Our  Techniques 

To  explain  our  techniques,  let  us  start  by  very  briefly  re¬ 
calling  the  idea  behind  Barak’s  constant-round  public-coin 
protocol;  we  will  then  explain  how  this  protocol  is  used  to 
get  a  resettably-sound  zero- knowledge  protocol.  The  proto¬ 
col  relies  on  the  existence  of  a  family  of  collision-resistant 
hash  function  A  :  {0, 1}*  — »{0,l}n;  note  that  any  such  fam¬ 
ily  of  collision-resistant  hash  functions  can  be  implemented 
from  a  family  of  collision-resistant  hash  functions  mapping 
n-bit  string  into  n/2-bit  strings  using  tree  hashing  [19]. 

Roughly  speaking,  on  common  input  1"  and  x  £  {0,  l}poly(n) 
the  Prover  P  and  Verifier  V,  proceed  in  two  stages.  In 
Stage  1,  V  starts  by  selecting  a  function  h  from  a  family  of 
collision-resistant  hash  function  and  sends  it  to  P;  P  next 
sends  a  commitment  c  =  Com(0n)  of  length  n,  and  finally, 

V  next  sends  a  “challenge”  r  £  {0,  l}2".  In  Stage  2,  P  shows 
(using  a  witness  indistinguishable  argument  of  knowledge) 
that  either  x  is  true,  or  that  c  is  a  commitment  to  a  “hash” 
(using  h)  of  a  program  M  (i.e.,  c  =  Com (h(M))  such  that 
M(c)  =  r. 

Roughly  speaking,  soundness  follows  from  the  fact  that 
even  if  a  malicious  prover  P *  tries  to  commit  to  (the  hash 
of)  some  program  M  (instead  of  committing  to  0”),  with 
high  probability,  the  a  string  r  sent  by  V  will  be  different 
from  M(c)  (since  r  is  chosen  independently  of  c).  To  prove 
ZK,  consider  the  non-black-box  simulator  S  that  commits 
to  a  hash  of  the  code  of  the  malicious  verifier  V*;  note  that, 
by  definition,  it  thus  holds  that  M(c)  =  r,  and  the  simulator 
can  use  c  as  a  “fake”  witness  in  the  final  proof.  To  formal¬ 
ize  this  approach,  the  witness  indistinguishable  argument  in 
Stage  2  must  actually  be  a  witness  indistinguishable  univer¬ 
sal  argument  (WIUARG)  [20,  2]  since  the  statement  that  c  is 
a  commitment  to  a  program  M  of  arbitrary  polynomial-size, 
and  that  proving  M(c)  =  r  within  some  arbitrary  polyno¬ 
mial  time,  is  not  in  NP.  WIUARG  are  known  based  on  the 
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existence  of  CRH  and  those  protocols  are  constant-round 
public-coin;  as  a  result,  the  whole  protocol  is  constant-round 
and  public-coin. 

Finally,  Barak  et  al.  [3]  show  that  any  constant-round 
public-coin  zero-knowledge  argument  of  knowledge  can  be 
transformed  into  a  resettable-sound  zero-knowledge  argu¬ 
ment,  by  simply  having  the  verifier  generate  its  (random) 
message  by  applying  a  pseudorandom  function  to  the  cur¬ 
rent  partial  transcript.3 

Why  hash  functions  are  needed  Note  that  hash  func¬ 
tions  are  needed  in  two  locations  in  Barak’s  protocol.  First, 
since  there  is  no  a-priori  polynomial  upper-bound  of  the 
length  of  the  code  of  V* ,  we  require  the  simulator  to  com¬ 
mit  to  the  hash  of  the  code  of  V*  .  Secondly,  since  there  is 
no  a-priori  polynomial  upper-bound  on  the  running-time  of 
V* ,  we  require  the  use  of  universal  arguments  (and  such  con¬ 
structions  are  only  known  based  on  the  existence  of  collision- 
resistant  hash  functions). 

Using  signature  schemes  instead  of  CRHs  Our  main 
idea  is  noticing  that  digital  signature  schemes — which  can 
be  constructed  based  on  one-way  functions — share  many  of 
the  desirable  properties  of  CRHs.  In  particular,  we  will  show 
how  to  appropriately  instantiate  (a  variant  of)  Barak’s  pro¬ 
tocol  using  signature  schemes  instead  of  using  CRHs.  Re¬ 
call  that  “fixed-length”  signature  schemes,  that  allow  signing 
messages  of  arbitrary  polynomial-length  (e.g  length  2 n)  us¬ 
ing  a  length  n  signature,  are  known  based  on  just  one-way 
functions  [27].  In  fact,  based  on  the  same  assumption,  strong 
fixed-length  signature  schemes  are  known:  in  a  strong  signa¬ 
ture  scheme  no  polynomial  time  attacker  can  obtain  a  new 
signature  even  for  messages  that  it  has  seen  a  signature  on 
[12].  We  observe  that  such  signature  scheme  share  a  lot  of 
properties  with  CRHs.  First  of  all,  they  are  compressing. 
More  importantly,  we  observe  that  by  the  unforgeability  re¬ 
quirement  of  strong  signatures,  no  attacker  can  find  a  sin¬ 
gle  valid  signature  <r  for  two  distinct  messages  m,  m' — that 
is,  signatures  satisfy  a  collision-resistance  property.  Addi¬ 
tionally,  by  using  an  appropriate  analog  of  tree  hashing,  a 
signature  tree  could  be  used  to  compress  arbitrary  length 
messages  into  a  signature  of  length  n. 

So,  can  we  just  replace  the  CRHs  in  Barak’s  protocol  with 
strong,  fixed-length,  signature  schemes?  The  problem  with 
naively  implementing  this  idea  is  that  the  collision-resistance 
property  of  strong  signature  schemes  only  holds  against  an 
attacker  that  does  not  know  the  secret  key.  On  the  other 
hand,  to  generate  signatures,  knowledge  of  the  secret  key 
is  needed.  In  our  application,  the  simulator — acting  as  a 
prover — needs  to  be  able  to  generate  signature  (in  order  to 
“hash  down”  the  program,  and  in  the  universal  argument) 
but  at  the  same  time,  we  need  to  ensure  collision-resistance 
against  cheating  provers.  So  if  we  let  the  prover  generate  the 
signature  keys,  simulation  is  easy,  but  soundness  no  longer 
holds,  whereas  if  we  let  the  verifier  generate  the  signature 
keys  and  only  sends  the  verification  key  to  the  prover,  then 
soundness  holds,  but  it  is  no  longer  clear  how  to  perform 
a  simulation.  We  resolve  this  issue  by  using  a  “hybrid  ap¬ 
proach”:  we  let  the  verifier  generate  the  signature  keys,  but 
gives  the  prover  access  to  a  single  signing  query.  More  pre- 

3  Strictly  speaking,  Barak’s  protocol  is  not  a  argument  of 
knowledge,  but  rather  a  “weak”  argument  of  knowledge  (see 
[2,  3]  for  more  details),  but  the  transformation  of  [3]  applies 
also  to  such  protocol. 


cisely,  in  an  initial  stage  of  the  protocol,  the  verifier  gener¬ 
ates  a  signature  key-pair  sk,  vk  and  send  only  the  verification 
key  vk  to  the  prover.  Next,  in  a  “signature  slot”,  the  prover 
sends  a  message  m  to  the  verifier,  and  the  verifier  computes 
and  returns  a  valid  signature  o  of  m  (using  sk).  (We  note 
that  such  a  signature  slot  previously  used  by  [18]  in  a  quite 
different  context,  but  as  we  shall  see  shortly,  some  of  their 
techniques  will  be  useful  also  to  us.)  Finally,  the  protocol 
proceeds  essentially  as  in  Barak’s  protocol,  but  where  the 
CRH  is  replaced  using  the  signature  scheme.  Implement¬ 
ing  this  is  somewhat  subtle:  First,  the  statement  proved  in 
the  WIUARG  in  Barak’s  protocol  considers  the  hash  func¬ 
tion  h  (e.g.,  prover  needs  to  prove  statements  of  the  type 
h(m)  =  q).  In  our  approach  since  “hashing”  has  been  re¬ 
placed  by  “signing”,  this  would  require  the  honest  prover  to 
prove  things  related  to  the  secret-key  (e.g.,  Signsk(m)  =  q), 
but  the  honest  prover  does  not  know  sk.  This  issue  is  easily 
resolved  by  instead  of  letting  the  prover  show  that  signatures 
used  (as  “hashes”)  verify — i.e. ,  that  Vervk(m)  =  q.  Another 
issue  is  that  in  Barak’s  protocol,  the  honest  prover  actu¬ 
ally  needs  to  perfom  hashes  to  complete  the  WIUARG.  We 
resolve  this  second  issue  by  relying  on  an  instantiation  of 
Barak’s  protocol  due  to  Pass  and  Rosen  [25],  which  relies 
on  a  special-purpose  WIUARG,  in  which  the  honest  prover 
never  needs  to  perform  any  hashing.4  Now  completeness  of 
this  protocol  follows  in  exactly  the  same  way  as  in  [1,  25]. 

For  soundness,  note  that  since  the  prover  does  not  get  to 
see  sk,  soundness  follows  in  a  similar  way  to  Barak’s  pro¬ 
tocol.  In  fact,  if  the  signature  scheme  used  satisfies  strong 
unforgeability,  then  the  signature  trees  are  collision-resistant 
with  respect  to  attackers  that  get  vk  and  have  access  to  a 
signing  oracle ,  and  collision-resistance  of  the  signature  tree 
is  the  only  property  needed  to  prove  soundness  as  in  Barak’s 
protocol.  (Note  that  we  here  only  require  collision-resistance 
with  respect  to  attackers  that  get  a  single  query  to  a  signing 
oracle,  but  the  more  general  result  will  be  useful  when  we 
consider  resettable-soundness . ) 

Let  us  turn  to  zero-knowledge.  At  first  sight,  it  seems  that 
we  still  have  an  issue.  The  prover  just  gets  a  single  signature, 
but  to  complete  the  simulation,  the  simulator  needs  an  a- 
priori  unbounded  polynomial  number  of  signatures  (to  e.g., 
“hash  down”  a  program  of  a-priori  unbounded  polynomial- 
size.5)  Note,  however,  that  the  simulator  can  always  rewind 
the  verifier  to  get  as  many  signatures  as  it  wants  and  can 
thus  complete  the  simulation  in  a  similar  way  to  the  one 
used  in  Barak’s  protocol.  This  approach  doesn’t  quite  work: 
the  malicious  verifier  V*  may  not  always  agree  to  sign  every 
message  requested  by  the  simulator;  we  deal  with  this  issue 
in  the  same  way  as  in  [18],  rather  than  having  the  simula¬ 
tor  send  the  messages  it  wants  to  be  signed  in  the  clear,  it 
simply  sends  a  commitment  to  them.  To  make  use  of  such 
a  simulator  strategy,  we  appropriately  modify  the  notion  of 
a  signature  tree  to  consist  of  signatures  of  commitments  to 
signatures  etc;  we  refer  to  this  type  of  a  signature  tree  as  a 
“sig-com”  tree. 

So,  we  now  have  a  zero-knowledge  protocol  that  is  based 
on  one-way  functions  (and  is  constant-round).  But  it  is  no 
longer  public-coin! 

Nonetheless,  let  us  still  apply  the  PRF  transformation  of 

4In  fact,  an  early  version  of  Barak’s  protocol  also  had  this 
property. 

5 Also  in  the  implementation  of  the  WIUARG,  an  a-priori 
unbounded  number  of  “hashes”  are  needed. 
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[3]  to  the  protocol  (i.e.,  we  have  the  verifier  generate  its 
random  coins  in  each  round  by  applying  a  PRF  to  the  cur¬ 
rent  partial  transcript).  Clearly,  the  protocol  is  still  zero- 
knowledge  (since  we  only  modified  the  verifier  strategy).  As 
it  turns  out,  the  resulting  protocol  is  actually  also  resettably- 
sound:  note  that,  except  for  the  signature  slot  added  in  the 
beginning  of  the  protocol,  the  protocol  still  is  public-coin, 
and  the  same  argument  as  in  [13,  3]  can  be  used  to  show  that 
in  the  public-coin  part  of  the  protocol,  rewindings  do  not 
“help”  a  resetting  cheating  prover.  So,  in  essence,  the  only 
“advantages”  a  resetting  prover  gets  is  that  it  may  rewind  the 
signature  slot,  and  thus  get  an  arbitrary  polynomial  number 
of  signatures  on  messages  of  its  choice.  But,  as  noted  above, 
signature  trees  are  collision-resistant  even  with  respect  to  an 
attacker  that  gets  an  arbitrary  polynomial  number  of  queries 
to  a  signing  oracle  and  thus  resettable-soundness  follows  in 
exactly  the  same  way  as  the  (non-resetting)  soundness  prop¬ 
erty. 

Beyond  resettably-sound  zero-knowledge  For  the  ap¬ 
plications  of  a)  a  constant-round  resettably  witness-indist¬ 
inguishable  argument  of  knowledge,  and  b)  0(logn)-round 
resettable-zero-knowledge  argument  of  knowledge  for  NP,  we 
simply  plug  in  our  resettably-sound  zero-knowledge  argu¬ 
ment  of  knowledge  into  the  protocols  of  [8,  3]  with  some 
minor  modifications. 

To  achieve  simulateously  resettable  zero-knowledge,  we  in¬ 
stead  instantiate  the  protocol  of  Deng,  Goyal  and  Sahai  [11] 
with  signature  trees,  in  exactly  the  same  way  as  Barak’s 
protocol.  Resettable-soundness  follows  exactly  as  in  [11],  re¬ 
lying  on  the  collision-resistance  property  of  signature  trees. 
Resettable-zero-knowledge  is  more  tricky  though:  [11]  pro¬ 
vides  an  intricate  simulation  strategy  that  combines  black¬ 
box  simulation,  using  rewinding,  and  non-black-box  simu¬ 
lation  (as  in  [1]).  Roughly  speaking,  the  protocol  consists 
of  polynomially  many  “rewinding  slots”  (say  2 n2),  and  for 
each  session  started  by  the  resetting  verifier,  the  simulator 
of  [11]  rewinds  a  polynomial  fraction  (say  2n)  of  them  twice. 
Their  argument  shows  that  for  each  such  slot,  the  rewinding 
“succeeds”  with  probability  close  to  1/2  and  the  slot  gets 
“solved”;  as  a  consequence,  except  with  negligible  probabil¬ 
ity,  for  each  session,  there  exists  some  slot  that  is  “solved” 
and  this  suffices  for  simulating  the  session.  In  our  instan¬ 
tiation  of  their  protocol,  rewinding  a  slot  just  once  does 
not  suffice  to  “solve”  the  session  (and  complete  the  simula¬ 
tion  of  that  session).  Rather  we  need  polynomially  many, 
say  g(n)  =  polydP*!)  where  IP*!  is  the  size  of  the  verifier 
(including  its  auxiliary  input),  successful  rewindings  (in  or¬ 
der  to  rewind  the  signature  slot  sufficiently  many  times  to 
provide  the  signature  trees).  We  deal  with  this  issue  in  a 
straight-forward  way:  we  use  exactly  the  same  rewinding 
strategy  as  in  [11]  but  instead  rewind  each  slot  (that  was 
being  rewound  once  in  [11])  3g(n)  times.  It  follows  using  a 
slight  generalization  of  the  argument  in  [11]  that  each  slot 
that  is  rewound  is  successfully  solved  with  probability  close 
to  1/2,  and  the  rest  of  the  simulation  argument  continues 
in  identically  the  same  way  as  [11].  Additionally,  rewind¬ 
ing  polynomially  many  times  (as  opposed  to  twice)  only  in¬ 
creases  the  running-time  by  a  polynomial  factor  (the  tech¬ 
nical  reason  for  this  is  that  the  [11]  simulator  only  performs 
a  constant-number  of  recursive  rewindings) . 

A  PCP-free  construction  Just  as  the  construction  of 
Barak’s  protocol,  our  constructions  rely  on  universal  ar¬ 


guments,  which  in  turn  rely  on  Probabilistically  Checkable 
Proofs  (PCPs).  Intriguingly,  the  approach  of  Bitansky  and 
Paneth  [6]  does  not  rely  on  PCPs;  on  the  other  hand,  it  re¬ 
lies  on  some  other  quite  heavy  machinery:  “unobfuscatable 
functions”  [4]  and  general  secure  two-party  computation  [14]. 

As  we  now  sketch,  our  approach  can  be  instantiated  with¬ 
out  the  use  of  PCPs,  and  without  introducing  any  other 
machinery.  (Indeed,  although  we  have  not  verified  the  de¬ 
tails,  it  would  seem  that  a  practical  implementation  of  our 
protocol  can  be  given  by  relying  on  efficient  signatures  and 
zero-knowledge  proofs  of  committed  signatures,  as  in  e.g., 
[7].)  Recall  that  in  Barak’s  protocol  the  universal  argument 
is  used  to  prove  a  statement  of  the  form  c  is  a  commitment 
to  a  hash  of  a  program  M  such  that  M(c)  =  r.  Also  recall 
that  (in  the  [25]  variant  of  [1])  the  honest  prover  never  needs 
to  engage  in  the  universal  argument,  it  is  only  the  simula¬ 
tor  that  needs  to  prove  the  above  statement.  Rather  than 
providing  a  universal  argument,  we  let  the  simulator  prove 
M (c)  =  r  in  a  piecemeal  fashion,  by  making  the  verifier  cer¬ 
tify  every  step  of  the  computation  of  M.  This  strategy  is 
very  similar  to  one  employed  in  the  “impossibility  of  instan¬ 
tiating  random  oracles”  result  of  [9] 6  (On  a  high-level,  this 
type  of  piecemeal  decomposition  is  also  somewhat  similar  to 
what  is  done  in  the  impossibility  result  of  [4[;  as  such  our 
approach  brings  out  the  connection  between  the  techniques 
from  [1]  and  [6].)  More  precisely,  in  the  actual  protocol,  the 
verifier  generates  a  key-pair  vk',sk'  for  a  signature  scheme 
and  sends  vk'  to  the  prover.  The  prover  then  provides  the 
verifier  with  a  commitment  ci  to  a  tree  hash7  of  a  current- 
configuration,  a  commitment  C2  to  a  tree-hash  of  a  next- 
configuration,  and  a  witness  indistinguishable  argument  of 
knowledge  that  either  a)  x  £  L  or  b)  next- configuration  is  a 
starting  configuration  or  c)  performing  one  step  of  computa¬ 
tion  given  current- configuration  leads  to  next- configuration, 
and  current- configuration  has  been  previously  signed.  (Note 
that  since  we  use  tree-hashing,  verification  of  condition  b) 
and  c)  can  both  be  done  in  time  polylogarithmic  in  the 
length  of  the  configurations).  If  the  argument  of  knowl¬ 
edge  is  accepting,  the  verifier  signs  C2.  Roughly  speaking, 
the  above  “slot”  makes  it  possible  for  the  simulator  to  get  a 
signature  on  (commitments  to  signature-trees  of)  so,  where 
So  is  the  initial  configuration  of  M(a)  (using  condition  b), 
and  next  by  rewinding  the  verifier  sufficiently  many  times  to 
get  signatures  on  later  configurations  St.  in  the  computation 
of  M  (a)  (using  condition  c).  Thus,  finally,  the  simulator  can 
get  a  signature  on  st  where  st  is  the  terminating  configu¬ 
ration  of  the  computation  of  M(a).  The  simulator  can  then 
use  this  signature  to  convince  the  verifier  that  M(c)  =  r 
where  M  is  the  program  committed  to  in  c.  A  complete 
formalization  appears  in  the  full  version  of  this  paper. 

1.3  Subsequent  Work 

A  very  recent  elegant  work  by  Bitansky  and  Paneth  [5] 
(developed  subsequently  to  our  results)  shows  an  alternative 
approach  for  obtaining  resettably-sound  arguments  (and  re- 

6  They  key  difference  is  that  construction  of  [9]  only  consid¬ 
ers  an  honest  “non-aborting”  verifier,  whereas  we  need  to 
deal  with  also  malicious  “aborting”  verifiers.  This  issue  is 
analogous  to  why  we  rely  on  “sig-com”  trees  (consisting  of 
signatures  of  commitments  to  signatures  etc.)  as  opposed 
to  “plain”  signature  trees. 

'We  may  also  instantiate  tree-hashing  with  signature-trees 
to  get  an  implementation  based  on  one-way  functions. 


Approved  for  Public  Release;  Distribution  Unlimited. 

676 


lated  primitives)  from  one-way  functions,  by  first  construct¬ 
ing  functions  that  are  “approximately”  unobfuscatable,  and 
relying  on  the  connection  between  resettable-soundness  and 
unobfuscatable  functions  from  [6]. 

1.4  Outline 

In  Section  3  we  provide  formal  definitions  of  signature 
trees,  and  provide  collision-resistance  properties  of  such  trees. 
To  formalize  our  construction  of  resettably-sound  zero-know¬ 
ledge  in  a  modular  way,  in  Section  4,  we  first  consider  an 
“oracle-aided”  model,  in  which  players  have  access  to  a  sign¬ 
ing  oracle.  We  first  show  that  the  universal  argument  con¬ 
struction  of  Barak  and  Goldreich  [2]  can  be  instantiated 
using  one-way  functions  in  such  an  oracle-aided  model,  by 
replacing  “hashing”  with  “signing”.  We  next  show  how  to 
instantiate  Pass  and  Rosen’s  [25]  variant  of  Barak  protocol 
in  the  same  way  (by  relying  on  the  oracle-aided  construc¬ 
tion  of  universal  arguments).  This  leads  to  a  constant-round 
oracle-aided  public-coin  zero-knowledge  argument  of  knowl¬ 
edge,  satifying  a  key  property:  the  honest  prover  never  needs 
to  access  the  oracle.  We  may  next  apply  the  transformation 
of  [3]  to  this  protocol  to  obtain  an  oracle-aided  resettably- 
sound  zero-knowledge  argument  of  knowledge  satisfying  the 
same  key  property  (the  results  of  [3]  relativize  and  thus  we 
can  directly  apply  them  also  to  oracle-aided  protocols). 

In  Section  5,  we  present  a  general  transformation,  trans¬ 
forming  any  oracle-aided  resettably-sound  zero- knowledge 
argument  (of  knowledge)  satisyfing  the  above  key  property, 
into  a  resettably-sound  zero-knowledge  argument  (of  knowl¬ 
edge)  in  the  “plain”  model  (i.e.  without  any  oracle):  the 
transformation  simply  consists  of  adding  a  signature  slot 
at  the  beginning  of  the  protocol.  Taken  together  with  our 
result  in  Section  4,  this  yields  a  constant-round  resettably- 
sound  zero-knowledge  argument  of  knowledge  for  N  P  based 
on  one-way  functions. 

Applications  (such  as  simultanously  resettable  zero-know¬ 
ledge)  are  presented  in  the  full  version  of  the  paper. 

2.  DEFINITIONS 

We  assume  familiarity  with  interactive  arguments,  argu¬ 
ments  of  knowledge  and  witness  indistinguishability;  see  the 
full  version  for  more  details. 

We  start  by  recalling  the  definition  of  zero  knowledge 
from  [16]. 

Definition  1  (Zero-knowledge  [16]).  An  interactive 
protocol  ( P ,  V)  for  language  L  is  zero-knowledge  if  for  every 
PPT  adversarial  verifier  V* ,  there  exists  a  PPT  simulator 
S  such  that  the  following  ensembles  are  computationally  in¬ 
distinguishable  over  x  £  L: 

(Viewv*  (P,V*(z))  (x)}xeL,ze{ o,i}*  «  {S'(*,«)}xeiiZe{o!i}. 
Let  us  recall  the  definition  of  resettable  soundness  due  to  [3] . 

Definition  2  (Resettably-sound  Arguments  [3]). 

A  resetting  attack  of  a  cheating  prover  P *  on  a  resettable 
verifier  V  is  defined  by  the  following  two-step  random  pro¬ 
cess,  indexed  by  a  security  parameter  n. 

1.  Uniformly  select  and  fix  t  =  poly(n)  random-tapes,  de¬ 
noted  n , ,rt,  forV,  resulting  in  deterministic  strate¬ 


gies  V^\x)  =  Vx,rj  defined  by  Vx,rj  (a)  =  V(x,rj,a),8 
where  x  £  {0, 1}"  and  j  £  [f].  Each  V^\x)  is  called 
an  incarnation  of  V  . 

2.  On  input  ln ,  machine  P*  is  allowed  to  initiate  poly (n)- 
many  interactions  with  the  V^'>  (x)  ’s.  The  activity  of 
P*  proceeds  in  rounds.  In  each  round  P*  chooses  x  £ 
{0, 1}"  and  j  £  [t],  thus  defining  V^\x),  and  conducts 
a  complete  session  with  it. 

Let  (P,V)  be  an  interactive  argument  for  a  language  L. 
We  say  that  ( P ,  V)  is  a  resettably-sound  argument  for  L  if 
the  following  condition  holds: 

•  Resettable-soundness:  For  every  polynomial-size  reset¬ 
ting  attack,  the  probability  that  in  some  session  the 
corresponding  V^\x)  has  accepted  and  x  ^  L  is  neg¬ 
ligible. 

We  will  also  consider  a  slight  weakening  of  the  notion  of 
resettable  soundness,  where  the  statement  to  be  proven  is 
fixed,  and  the  verifier  uses  a  single  random  tape  (that  is, 
the  prover  cannot  start  many  independent  instances  of  the 
verifier). 

Definition  3  (Fixed-input  r.s.  Arguments  [?]).  An 
interactive  argument  ( P ,  V )  for  a  NP  language  L  with  wit¬ 
ness  relation  Rl  is  fixed- input  resettably-sound  if  it  satisfies 
the  following  property:  For  all  non-uniform  polynomial-time 
adversarial  prover  P* ,  there  exists  a  negligible  function  /r(-) 
such  that  for  every  all  x  L, 

Pr [R  «-  {0, 1}°°;  (P*Vr ^pp),Vr)(x)  =  1]  <  M |*|) 

As  the  following  claim  (which  essentially  follows  from  tech¬ 
niques  in  [3])  shows,  any  zero-knowledge  argument  of  knowl¬ 
edge  satisfying  the  weaker  notion  can  be  transformed  into 
one  that  satisfies  the  stronger  one,  while  preserving  zero- 
knowledge  (or  any  other  secrecy  property  against  malicious 
verifiers). 

Claim  2.  Let(P,V)  be  a  fixed-input  resettably  sound  zero- 
knowledge  (resp.  witness  indistinguishable)  argument  of  knowl¬ 
edge  for  a  language  L  £  NP  .  Then  there  exists  a  pro¬ 
tocol  ( P' ,V' )  that  is  a  (full-fledged)  resettably-sound  zero- 
knowledge  (resp.  witness  indistinguishable)  argument  of  knowl¬ 
edge  for  L. 

The  proof  is  found  in  the  full  version. 

3.  SIGNATURE  TREES 

In  this  section,  we  define  an  analogue  of  Merkle-hash  trees 
using  signature  schemes.  Towards  this,  we  will  rely  on  the 
existence  of  strong,  fixed-length,  deterministic  secure  signa¬ 
ture  schemes.  Recall  that  in  a  strong  signature  scheme,  no 
polynomial-time  attacker  having  oracle  access  to  a  signing 
oracle  can  produce  a  valid  message-signature  pair,  unless  it 
has  received  this  pair  from  the  signing  oracle.  The  signature 
scheme  being  fixed-length  means  that  signatures  of  arbitrary 
(polynomial-length)  messages  are  of  some  fixed  polynomial 
length.  Deterministic  signatures  do  not  use  any  randomness 
in  the  signing  process  once  the  signing  key  has  been  chosen. 

In  particular,  once  a  signing  key  has  been  chosen,  a  message 
m  will  always  be  signed  in  the  same  way. 

sHere,  V(x,r,a)  denotes  the  message  sent  by  the  strat¬ 
egy  V  on  common  input  x,  random-tape  r,  after  seeing  the 
message-sequence  a. 
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Definition  4  (Strong  Signatures).  A  strong,  length- 
l,  signature  scheme  SIG  is  a  triple  (Gen,  Sign,  Ver)  of  PPT 
algorithms,  such  that 

1.  for  all  n  £  N, m  £  {0, 1}*, 

Pr[(sk,vk)  <—  Gen(ln),  a  <—  Signsk(m); 

Vervk(m,  a)  =  1  A  |a|  <  £(n)}  =  1 

2.  for  every  non-uniform  PPT  adversary  A,  there  exists 
a  negligible  function  p(-)  such  that 

Pr[(sk,  vk)  <r-  Gen(l"),  (to,  a)  «—  ASlgllsk^  (ln); 

Vervk(m,  a)  =  1  A  (to,  a)  L\  <  p(n), 

where  L  denotes  the  list  of  query-answer  pair  of  A’s 
query  to  its  oracle. 

Strong,  length-!!,  deterministic  signature  schemes  with  £(ri)  = 
n  are  known  based  on  the  existence  of  OWFs;  see  [22,  27,  12] 
for  further  details.  In  the  rest  of  this  paper,  whenever  we  re¬ 
fer  to  signature  schemes,  we  always  means  strong,  length-n 
deterministic  signature  schemes. 

Let  us  first  note  that  strong  signatures  satisfy  a  “collision- 
resistance”  property. 

Claim  3.  Let  SIG  =  (Gen,  Sign,  Ver)  be  a  strong  (length- 
n)  signature  scheme.  Then,  for  all  non-uniform  PPT  ad¬ 
versaries  A,  there  exists  a  negligible  function  p(-)  such  that 
for  every  n  £  N, 

Pr  [(sk,  vk)  <—  Gen(l”),  (mi,  m2,  a )  <—  ASlgnsk<d->  (ln,  vk); 

Vervk(mi,  a)  =  Vervk(m2,o-)  =  1]  <  p(n) 

Proof.  Assume  for  contradiction  that  there  exists  some 
non-uniform  polynomial-time  A  such  that  A  breaks  “collision- 
resistance”  property  of  SIG  with  probability  yyAy  for  infinitely 
many  n  £  N,  where  p  is  a  polynomial.  We  show  that  A 
can  be  used  to  break  the  strong  unforgeability  property  of 
SIG.  More  precisely,  note  that  if  A  outputs  a  valid  signa¬ 
tures  (mi,  a),  (m2,  a)  without  querying  querying  the  sign¬ 
ing  oracle  with  mi  and  m2  and  receiving  a  as  a  response 
to  both  queries,  then  A  already  breaks  the  security  of  the 
signature  scheme.  Thus  w.l.o.g.  we  may  assume  A  queries 
both  toi  and  m2  to  the  signing  oracle  and  receives  a  as  a 
response.  We  then  simulate  A,  recording  the  previous  mes¬ 
sages  queried  to  the  oracle  along  with  the  responses.  At  each 
point  during  the  execution  of  A,  before  forwarding  the  next 
query  to  to  the  oracle,  we  test  if  any  of  the  previously  re¬ 
ceived  signatures  are  valid  signatures  for  m.  If  so,  we  output 
to  together  with  such  a  signature  a.  Notice  that  if  A  always 
queries  Toi  and  to2  and  receives  a  as  a  response,  then  we  will 
intercept  whichever  of  the  two  A  queries  second.  Thus,  for 
infinitely  many  n,  with  probability  >  we  forge  a  sig¬ 

nature  a  for  some  to  before  ever  querying  the  signing  oracle 
and  receiving  a  as  a  response.  □ 

We  now  define  an  analog  of  Merkle-hash  tree  which  we  call 
signature  trees  and  show  that  they  also  satisify  a  collision- 
resistant  property.  We  index  each  node  of  a  complete  binary 
tree  T  of  depth  d  by  a  binary  string  of  length  at  most  d, 
where  the  root  is  indexed  by  the  empty  string  A,  and  each 
node  indexed  by  7  has  left  and  right  children  indexed  7O 
and  7I,  respectively 


Definition  5  (Signature  Trees).  Let  SIG  =  (Gen, 
Sign,  Ver)  be  a  strong,  length-n  signature  scheme.  Let  (sk,  vk) 
be  a  key-pair  of  SIG,  and  s  be  a  string  of  length  2d.  A  signa¬ 
ture  tree  of  the  string  s  w.r.t.  (sk,  vk)  is  a  complete  binary 
tree  of  depth  d,  defined  as  follows. 

•  A  leaf  l~i  indexed  by  7  £  {0,  l}d  is  set  as  the  bit  at 
position  7  in  s. 

•  An  internal  node  1-,  indexed  by  7  £  Ui=o  {0,  l}1  satis¬ 
fies  that  Vervk((7yo,  f7i),  £7)  =  1. 

Note  that  to  verify  whether  a  T  is  a  valid  signature-tree 
of  a  string  s  w.r.t.  the  signature  scheme  SIG  and  the  key- 
pair  (sk,  vk)  knowledge  of  the  secret  key  sk  is  not  needed. 
However,  to  create  a  signature-tree  for  a  string  s,  the  secret 
key  sk  is  needed. 

The  following  notion  of  a  signature  path  is  the  natural 
analog  of  an  authentication  path  in  a  Merkle-tree. 

Definition  6  (Signature  Path).  A  signature  path 
w.r.t.  SIG,vk  and  the  root  lx  for  the  bit  b  at  leaf  7  £  {0, 1} 
is  a  vector  p  —  ((lo,  l\  ) ,  ((^^cn  ^7<ii)>  •  •  •  (^<d- ^7<d-io)) 
such  that  for  every  i  £  {0, ... ,  d—l\,  Vervk((I7<io,  <*) 

=  1.  Let  PATHSIG(p,  b,  7,  l\,  vk)  =  1  if  p  is  a  signature  path 
w.r.t.  SIG,  vk,  lx  for  b  at  7. 

The  following  claim  states  that  signature  trees  also  satisfy 
an  appropriate  collision-resistance  property:  no  non-uniform 
PPT  attacker  having  oracle  access  to  a  signing  oracle  can 
output  a  root  and  valid  signature  paths  for  both  0  and  1  at 
some  leaf  7. 

Claim  4.  Let  SIG  =  (Gen,  Sign,  Ver)  be  a  strong,  length- 
n,  signature  scheme.  Then,  for  every  non-uniform  PPT  ad¬ 
versary  A,  there  exists  a  negligible  function  p  such  that: 

Pr[(sk,vk)  £-  Gen(l”),  (p0,Pi,T,l\)  <-  ASlgr,sk(  ) (1”,  vk); 

V6  £  {0, 1}  PATHSIG(pj,,  b,  7,  lx,  vk)  =  1]  <  p(n) 

Proof.  The  claim  directly  follows  from  Claim  3  since  any 
two  valid  signature-paths  with  the  same  root  but  different 
leaf  value  must  contain  a  collision  for  the  underlying  signa¬ 
ture  scheme.  □ 

3.1  Sig-Com  Schemes 

For  the  technical  reason  explained  in  the  introduction,  we 
will  rely  on  variant  of  signature  trees  consisting  of  alter¬ 
nating  signatures  and  commitments.  To  formalize  this,  we 
consider  the  notion  of  a  “sig-com”  scheme: 

Definition  7  (Sig-Com  Schemes).  Let  SIG  =  (Gen, 
Sign,  Ver)  be  a  strong,  length-n,  signature  scheme,  and  let 
Com  be  a  non-interactive  commitment  schemes.  Define  SIG'  = 
(Gen',  Sign',  Ver')  to  be  a  triple  of  PPT  machines  defined  as 
follows: 

•  Gen'  =  Gen. 

•  Sign(k(m)  :  compute  a  commitment  c=  Com (to;t)  us¬ 
ing  a  uniformly  selected  r,  and  let  a  =  Signsk(c);  out¬ 
put  (a,  t) 

•  Ver'k(m,  a,  t)  :  Output  1  iff  Vervk (Com (to,  t),  a)  =  1. 

We  call  SIG'  the  Sig-Com  Scheme  corresponding  to  SIG  and 

Com. 
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Note  that  the  above  definition  of  a  sig-com  scheme  assumes 
that  Com  is  a  non-interactive  commitment  scheme.  This  is 
only  for  convenience  of  notation;  the  above  definition,  as 
well  as  all  subsequent  results  directly  apply  also  to  2-round 
commitment  (i.e.,  families  of  non-interactive  commitment 
schemes),  as  in  [21],  by  simply  adding  the  first  message  q  to 
the  verfication  key  of  the  sig-com  scheme. 

Sig-com  schemes  also  satisfy  a  collision-resistant  property: 

Claim  5  (Collision  Resistance  of  Sig-Coms).  Let  SIG 
=  (Gen,  Sign,  Ver)  be  a  strong,  length-n  signature  scheme, 
Com  be  non-interactive  commitment  scheme,  and  let  SIG'  = 
(Gen',  Sign',  Ver')  be  a  sig-com  scheme  corresponding  to  SIG 
and  Com.  Then,  for  any  non-uniform  PPT  adversary  A, 
there  exists  a  negligible  function  p  such  that  for  all  n  £  N: 

Pr[(sk,  vk)  <—  Gen(l”),  (a,  mi,  m2,  it,  T2)  <—  yJSlgr'sk(':i  (ln,  vk); 

mi  =/=  m2,  Ver'k(mi,CT,  n)  =  Ver(k(m2,  a,  r2)  =  1]  <  p(n) 

Proof.  Note  that  by  the  binding  property  of  Com,  no 
non-uniform  PPT  can  output  a  valid  commitment  c  to  two 
different  messages  mi  ^  m2  except  with  negligible  proba¬ 
bility.  Thus,  except  with  negligible  probability,  a  successful 
non-uniform  PPT  attacker  must  output  a  signature  for  two 
different  commitments  ci  ^  c2,  violating  collision-resistance 
of  SIG  (i.e.,  Claim  3).  □ 

Note  that  in  Claim  5,  the  attacker  gets  oracle  access  to  a 
signature  oracle  (for  SIG)  as  opposed  to  a  sig-com  oracle. 

We  may  now  define  sig-com  trees  and  sig-com  path  in  an 
analogous  way  to  (plain)  signature  trees  and  paths. 

Definitions  (Sig-Com  Trees).  Let  SIG  =  (Gen,  Sign, 
Ver)  be  a  strong,  length-n  signature  scheme,  let  Com  be  a 
non-interactive  commitment  and  let  SIG'  =  (Gen',  Sign',  Ver') 
be  the  sig-com  scheme  corresponding  to  SIG  and  Com.  Let 
(sk,  vk)  be  a  key-pair  of  SIG',  and  s  be  a  string  of  length  2d. 

A  signature  tree  of  the  string  s  w.r.t.  (sk,vk)  is  a  complete 
binary  tree  of  depth  d,  defined  as  follows. 

•  A  leaf  Z7  indexed  by  7  £  {0,  l}d  is  set  as  the  bit  at 
position  7  in  s. 

•  An  internal  node  t7  indexed  by  7  €  U<=o  {0,  1}'  satis¬ 
fies  that  there  exists  some  r7  such  that  Ver(k((f7o,  l~/i), 
f7,  t7)  —  1. 

Definition  9  (Sig-Com  Path).  Let  SIG'  =  (Gen',  Sign', 
Ver')  be  a  sig-com  scheme.  A  sig-com  path  w.r.t.  SIG'.vk 
and  the  root  l\  for  the  bit  b  at  leafy  £  {0,  l}d  is  a  vector  p  = 

((lo,h,T\),  /-}(<■!  1,  T7<1  )>  ■  •  •  >  ^7<d-l0i  T7<d-i) 

such  that  for  every  i  £  {0,...,d—  1},  Ver'k((f7<io, Z7<ii, 
Z7<i,  r7<i))  =  1.  Let  PATHsig  (p,b,  7,  Mvk)  =  1  if  p  is  a 
signature  path  w.r.t.  SIG',  vk,  l\  for  b  at  7. 

Sig-com  trees  also  satisfy  a  collision-resistance  property: 

Claim  6.  Let  SIG  =  (Gen,  Sign,  Ver)  be  a  strong,  length-n 
signature  scheme,  let  Com  be  a  non-interactive  commitment 
and  let  SIG'  =  (Gen',  Sign',  Ver')  be  the  sig-com  scheme  cor¬ 
responding  to  SIG  and  Com.  Then,  for  every  non-uniform 
PPT  adversary  A,  there  exists  a  negligible  function  p  such 
that: 

Pr[(sk,  vk)  <-  Gen(l"),  (po, pi,1,l\)  <-  ASlg"sk(')  (ln,  vk); 

V6  £  {0, 1}  PATHsig'  (pb,  b,  7,  lx,  vk)  =  1  <  p(n) 


Proof.  As  in  Claim  4,  the  claim  follows  directly  from 
Claim  5  since  any  two  valid  sig-com  paths  with  the  same 
root  but  different  leaf  values  must  contain  a  collision  for  the 
underlying  sig-com  scheme.  □ 

Canonical  Sig-com  Schemes  Throughout  the  rest  of  the 
paper,  we  consider  sig-com  schemes  SIG'  and  sig-com  trees 
corresponding  to  a  strong,  length-n  deterministic  signature 
scheme  SIG  and  a  non-interactive  commitment  Com  that 
generates  n2  bits  long  commitments  to  2 n  bits  strings.  Thus, 
each  node  of  the  sig-com  tree  is  an  n-bit  signature  of  an  n2 
bits  commitment  of  the  two  signatures  of  the  children  nodes. 
Hereafter,  we  refer  to  such  a  SIG'  as  a  canonical  sig-com 
scheme. 

4.  ORACLE-AIDED  RS-ZK 

In  this  section  we  show  how  to  construct  a  resettably- 
sound  ZIC  argument  in  an  oracle-aided  model  where  prover 
and  verifier  additionally  have  access  to  a  public  parameter 
generated  prior  to  the  interaction  (in  our  protocol,  this  will 
be  the  verification  key  for  a  signature  scheme),  and,  further 
the  prover  has  access  to  an  oracle,  also  generated  prior  to  the 
interaction  (in  our  protocol,  this  will  be  a  signature/sig-com 
oracle) . 

More  formally,  let  O  be  a  probabilistic  algorithm  that  on 
input  a  security  parameter  n,  outputs  a  polynomial-length 
(in  n)  public-parameter  pp,  as  well  as  the  description  of 
an  oracle  O.  The  oracle-aided  execution  of  an  interactive 
protocol  with  common  input  x  between  a  prover  P  with 
auxiliary  input  y  and  a  verifier  V  consist  of  first  generating 
pp,  O  <—  0(  1^)  and  then  letting  P°(x,y,  pp)  interact  with 
V(x,  pp). 

Definition  10  (Oracle- aided  Interactive  Arg).  A 

pair  of  oracle  algorithms  ( P ,  V)  is  an  O-oracle  aided  ar¬ 
gument  for  a  NP  language  L  with  witness  relation  Rl  if  it 
satisfies  the  following  properties: 

•  Completeness:  There  exists  a  negligible  function  p(-), 
such  that  for  all  x  £  L,  if  w  £  Rl(x), 

Pr[pp,  O  <-  C>(1N);  (P°(w),  V)(x,  pp)  =  1]  =  1— MM) 

•  Soundness:  For  all  non-uniform  polynomial-time  ad¬ 
versarial  prover  P* ,  there  exists  a  negligible  function 
p(-)  such  that  for  every  all  x  £  L, 

Pr[pp,  O  <-  C>(1N);  (P*°,  V){x,  pp)  =  1]  <  MM) 

We  will  also  define  an  O-oracle  aided  version  of  arguments 
of  knowledge,  essentially  analogously  to  their  canonical  def¬ 
initions,  except  with  a  setup  phase  in  which  pp  and  O  are 
generated  and  made  available  to  the  players.  The  formal 
definitions  can  be  found  in  the  full  version  of  this  paper. 

Towards  our  goal  of  constructing  of  oracle-aided  reset- 
tably-sound  zero-knowledge,  we  now  define  and  construct 
an  oracle-aided  version  of  universal  arguments. 

4.1  Oracle-aided  Universal  Arguments 

Universal  arguments  (introduced  in  [2]  and  closely  related 
to  CS-proofs  [20])  are  used  in  order  to  provide  “efficient” 
proofs  to  statements  of  the  form  y  =  ( M,x,t ),  where  y  is 
considered  to  be  a  true  statement  if  M  is  a  non-deterministic 
machine  that  accepts  x  within  t  steps.  The  corresponding 
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language  and  witness  relation  are  denoted  Lu  and  Rz^  re¬ 
spectively,  where  the  pair  ((M,  x,  t),w)  is  in  R^  if  M  (viewed 
here  as  a  two-input  deterministic  machine)  accepts  the  pair 
( x,w )  within  t  steps.  Notice  that  every  language  in  NP  is 
linear  time  reducible  to  Lu-  Thus,  a  proof  system  for  Lu  al¬ 
lows  us  to  handle  all  N  P-statements.  In  fact,  a  proof  system 
for  Lu  enables  us  to  handle  languages  that  are  presumably 
“beyond”  NP,  as  the  language  Lu  is  NE-complete  (hence  the 
name  universal  arguments).9 

Definition  11  (Oracle-aided  Universal  argument). 
An  oracle-aided  protocol  (P,  V )  is  called  an  O- oracle- aided 
universal  argument  system  if  it  satisfies  the  following  prop¬ 
erties: 

•  Efficient  verification:  There  exists  a  polynomial  p  such 
that  for  any  y  =  ( M,x,t ),  and  for  any  pp,0  gener¬ 
ated  by  O,  the  total  time  spent  by  the  (probabilistic) 
verifier  strategy  V,  on  common  input  y,  pp.  is  at  most 
p(\y\  +  |pp|).  In  particular,  all  messages  exchanged  in 
the  protocol  have  length  smaller  than  p(\y\  +  |pp|). 

•  Completeness  by  a  relatively  efficient  oracle-aided  prover: 
For  every  (y  =  ( M,x,t),w )  in  R u, 

Pr[pp,  o  «-  0(lMy,  ( P°(w ),  V)(y,  pp)  =  1]  =  1. 

Furthermore,  there  exists  a  polynomial  q  such  that  the 
total  time  spent  by  P°(w),  on  common  input  y  = 

( M,x,t ),  pp,  is  at  most  q(TM(x,w)+ |ppj)  <  g(f+|pp|), 
where  Tm{x,w)  denotes  the  running  time  of  M  on  in¬ 
put  (x,  w). 

•  Weak  proof  of  knowledge  for  adaptively  chosen  state¬ 
ments:  For  every  polynomial  p  there  exists  a  poly¬ 
nomial  p'  and  a  probabilistic  polynomial-time  oracle 
machine  E  such  that  the  following  holds:  for  every 
non-uniform  polynomial-time  oracle  algorithm  P* ,  if 
Pr[pp,  o  <-  0(ry,  R  «-  {0, 1}°°;  y  «-  Pr°( pp)  : 
{Pr°(pp),  V(y,  pp))  =  1]  >  1  /p(n)  then 

Pr[pp,0  <-  0(1");  R,  r  <-  {0, 1  <-  Pr°  ( pp)  : 

3w  =  wi, . .  .wt  £  R u(y)  s.t.  Vi  £  [t], 


where  R u(y)  =  {w  :  ( y,w )  €  Rw}. 

Note  that  our  proof  of  knowledge  condition  is  somewhat  dif¬ 
ferent  from  the  one  used  in  [2]  in  that  we  allow  the  (cheating) 
prover  to  adaptively  choose  the  statement  to  be  proved,  af¬ 
ter  having  seen  the  public  parameter,  and  having  interacted 
with  its  oracle. 

Nevertheless,  as  we  shall  see,  the  construction  of  [2]  and 
their  analysis  will  be  useful  to  us.  Recall  that  in  the  con¬ 
struction  of  [2]  tree  hashing  is  used  to  hash  down  a  “long” 
PCP  proof  into  a  fixed-length  “tree  root”;  the  soundness 
property  relies  on  collision  resistant  of  this  tree  hashing.  Let 
SIG'  be  a  canonical  sig-com  scheme  with  SIG  =  (Gen,  Sign, 
Ver)  and  Com  being  its  underlying  signature  scheme  and 
commitment  scheme.  We  observe  that  if  we  replace  the  use 
of  tree  hashing  in  [2]  scheme  with  a  sig-com  tree  using  SIG', 
then  the  resulting  protocol  is  an  CPSIG-aided  universal  argu¬ 
ment  for  the  following  signature  oracle  OslG. 

furthermore,  every  language  in  NEXP  is  polynomial-time 
(but  not  linear-time)  reducible  to  Lu 


Definition  12  (Signature  Oracle).  A  signature  or¬ 
acle  CPSIG  is  defined  as  follows:  On  input  a  security  pa¬ 
rameter  n,  C?SIG(1")  generates  (vk,sk)  t—  Gen(ln)  and  lets 
pp  =  vk  and  0(m)  =  Signsk(m)  for  every  m  £  {0,  l}poly(-n\ 

In  fact,  the  universal  argument  has  an  even  stronger  com¬ 
pleteness  property  that  will  be  useful  for  us:  completeness 
hold  even  if  the  prover  only  gets  access  to  a  sig-com  oracle 
(instead  of  a  signature  oracle),  and  even  if  this  is  an  ar¬ 
bitrary  (not  necessarily  using  the  honest  sign  and  commit 
algorithms)  sig-com  oracle,  as  long  as  the  oracle  outputs 
valid  sig-com’s  (for  messages  of  a  certain  fixed  length)  with 
overwhelming  probability.  More  formally, 

Definition  13  (Valid  Sig-com  Oracle).  An  oracle  O' 
is  a  valid  (SIG',1?)  oracle  if  there  is  a  negligible  /r(-)  such 
that  for  every  n  £  N,  the  following  holds  with  probability 
1  —  /r(n)  over  pp ,0  <—  0'(  1"):  for  every  m  £  {0,  l}£t">, 
0(m)  returns  (ct,t)  such  that  Ver'k(m,  a,  t)  =  1  with  proba¬ 
bility  at  least  1  —  p(n). 

We  note  that  oracles  that  use  arbitrarily  biased  random¬ 
ness  for  commitment  are  also  considered  valid  sig-com  or¬ 
acles.  (These  are  precisely  the  kind  of  oracles  we  will  be 
forced  to  use  later  on). 

Definition  14.  An  OSIG -aided  universal  argument  (P,V) 
has  (SIG '  ,1)- completeness  if  there  exists  a  prover  P'  such 
that  the  completeness  condition  holds  for  ( P',V )  when  the 
oracle  CPSIG  is  replaced  by  any  valid  (SIG',f?)  oracle  O' . 

We  now  have  the  following  theorem. 

Theorem  7.  Let  SIG'  be  a  canonical  sig-com  scheme  with 
SIG  and  Com  being  its  underlying  signature  scheme  and  com¬ 
mitment  scheme.  Then  there  exists  a  polynomial  l  and  a 
(SIG ' ,1)- complete  OSIG -aided  universal  argument  II. 

The  proof  of  the  theorem  identically  follows  that  of  Barak 
and  Goldreich  [2],  with  a  minor  modification  to  deal  with 
adaptively  chosen  statements.  The  proof  is  found  in  the  full 
version. 

4.2  Oracle-aided  Zero-Knowledge  Protocols 

We  now  turn  to  constructing  oracle-aided  resettably-sound 
zero-knowledge  protocols.  We  start  by  defining  a  strong  no¬ 
tion  of  an  CP-oracle-aided  version  of  ZK.  First  of  all,  we  re¬ 
strict  to  protocols  where  the  honest  prover  does  not  accesses 
the  oracle.  Secondly,  we  require  that  simulation  can  be  per¬ 
formed  given  oracle  access  to  any  valid  SIG'  oracle.  These 
two  restrictions  will  be  important  when  we  later  instantiate 
the  oracle-aided  protocol  in  the  plain  model. 

Definition  15  (Oracle- aided  Zero-Knowledge).  A 
pair  of  algorithms  (P,V)  is  (SIG', f?)-oracle  aided  zero- 
knowledge  for  a  NP  language  L  with  witness  relation  Rl 
if  for  every  non-uniform  adversarial  verifier  V* ,  there  exists 
a  simulator  S,  such  that  for  every  valid  (SIG',£)  oracle  O' , 
the  following  ensembles  are  indistinguishable  over  x  £  L, 

{PP,  O  <-  C>'(1N);  Viewv,.(P(w),  V*(z))(x,  pp)}*,™,* 

«  {pp,  O  <r-  0'( l1*1);  S°( X,  z,  pp)}*,™,* 
where  the  ensembles  are  over  x  £  L,w  £  Rl(x),z  £  {0, 1}*. 
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We  now  turn  to  the  question  of  constructing  a  protocol  that 
satisfies  the  above  requirements.  Note  that,  as  a  first  at¬ 
tempt,  we  could  try  constructing  a  constant-round  public- 
coin  ZK  protocol  by  replacing  the  tree  hashing  in  Barak’s 
protocol  [1]  with  sig-com  trees,  and  then  apply  the  PRF 
transformation  of  [3]  to  achieve  resettable  soundness.  While 
this  indeed  could  be  used  to  get  a  resettably-sound  ZK  pro¬ 
tocol  in  the  oracle-aided  model,  the  resulting  protocol  would 
require  the  honest  prover  to  make  polynomially  many  queries 
to  the  oracle  (to  complete  the  WIUARG).  To  get  around 
this,  we  instead  rely  on  a  variant  of  Barak’s  protocol  used 
in  Pass  and  Rosen  [25],  which  provides  a  “special-purpose” 
implementation  of  the  WIUARG  used  in  Barak’s  protocol 
in  which  the  honest  prover  does  not  need  to  perform  any 
“hashing”.10 

More  precisely,  our  protocol  proceeds  as  follows.  In  Stage 
1,  sends  a  commitment  c  =  Com(0"),  and  then  Vzk 
sends  back  a  challenge  r  €  {0,  l}2n  as  in  Barak’s  protocol. 

In  Stage  2,  P ^  and  Vzk  first  execute  an  “encrypted”  univer¬ 
sal  argument  (P(j Vua)  of  the  statement  that  “c  is  a  com¬ 
mitment  to  a  sig-com  tree  root  of  a  program  M  and  there  is  a 
short  string  y  £  {0,  l}n  such  that  M(y)  =  r,”  where  instead 
of  sending  the  message  in  the  clear,  the  prover  sends  com¬ 
mitments  to  the  messages.  The  honest  prover  simply  sends 
commitments  to  0  (and  thus  will  fail  in  this  encrypted  uni¬ 
versal  argument).  Finally,  P®K  and  Vzk  execute  a  witness- 
indistinguishable  argument  of  knowledge  of  the  statement 
that  “x  £  L  OR  Vua  accepts  in  the  encrypted  universal  ar¬ 
gument”. 

A  formal  description  of  the  protocol  can  be  found  in  Fig.  1 
and  Fig.  2.  Note  that,  in  this  construction,  the  honest  prover 
Pzk  can  convince  the  verifier  by  proving  x  £  L  in  the  final 
witness  indistinguishable  argument  without  making  any  or¬ 
acle  queries. 

Theorem  8.  Let  SIG'  be  a  canonical  sig-com  scheme  with 
SIG  and  Com  being  its  underlying  signature  scheme  and  com¬ 
mitment  scheme.  Then  there  exists  an  OslG -oracle  aided  ar¬ 
gument  of  knowledge  {P,V)  for  NP ;  additionally, 

1.  ( P ,  V)  is  constant-round  and  public-coin; 

2.  P  does  not  make  any  queries  to  its  oracle; 

3.  ( P ,  V)  is  (SIG',  (.)- oracle- aided  zero-knowledge  for  some 
polynomial  i. 

The  proof  of  Theorem  8  is  found  in  the  full  version.  The 
proof  closely  follows  [1,  25]  but  the  proof  of  the  “argument 
of  knowledge”  property  requires  special  care  to  deal  with 
the  fact  that  a  cheating  prover  may  adaptively  choose  the 
statements  to  be  proved  in  the  encrypted  universal  argument 
(after  having  interacted  with  its  oracle).11 

Finally,  we  apply  the  PRF  transformation  of  [3]  to  (Pzk,  Vzk) 
to  achieve  resettable  soundness.  More  precisely,  we  modify 
the  public-coin  verifier  Vzk  to  a  “PRF- verifier”  Vzk  that  sam¬ 
ples  a  seed  s  for  a  PRF  fs  at  beginning  and  then  generates 
each  verifier  message  by  applying  fs  to  the  current  tran¬ 
script.  The  proof  in  [3]  relativizes  and  as  a  consequence  we 
have  the  following  theorem: 

10In  fact,  early  versions  of  Barak’s  protocol  also  relied  on 
such  a  special-purpose  implementation  of  WIUARG. 
nIn  [1,  25]  these  issue  does  not  arise  since  different,  inde¬ 
pendently  chosen  hash-functions  are  used  in  Stage  1  and  in 
Stage  2. 


Common  Input:  An  instance  £  of  a  language  L  £  NP  with 
witness  relation  Rl. 

Auxiliary  input  to  P:  A  witness  w  such  that  ( x,w )  £  Rj,. 

Primitives  Used:  A  canonical  sig-com  scheme  SIG'  with  SIG 
and  Com  as  the  underlying  signature  and  commitment 
schemes,  <PSIG  defined  relative  to  SIG,  and  a  C9SIG-aided 
universal  argument  ( P\j,\.  Vua)  defined  in  Sec.  4.1. 

Set  Up:  Run  (pp,0)  <—  CPIG(  1").  add  pp  to  common  input 
for  P  and  V .  Further,  allow  P  oracle  access  to  O. 

Stage  One  (Trapdoor): 

Pi:  Send  co  =  Com(02n,ro)  to  V  with  uniform  to 
Vi:  Send  r  A{0, 1}"  to  P 
Stage  Two  (Encrypted  OA-UA): 

P2:  Send  ci  =  Com(02n,ri)  for  uniformly  selected  t\ 
V3:  Send  r\  uniformly  chosen  random  tape  for 

VoA-XJA 

P3:  Send  C2  =  Com(0fc,T2)  for  uniformly  selected  T2, 
where  k  is  the  length  of  Poa—ua’s  second  message. 

Stage  Three  (Main  Proof): 

P  <^>  V:  A  WI-AOK  (Pwb  Vwi)  proving  the  OR  of  the 
following  statements: 

1.  3  w  £  (0,  l}poly(|:c|)  s.t.  (®, w)  £Rl. 

2.  3  (pi,P2,ri,T2)  s.t. 

((co,r,ci,C2,r',pp),(pi,p2,Ti,75))  S  Ri2 

(defined  in  Fig.  2). 

Figure  1:  OSIG-aided  ZK  argument  of  knowledge. 


Relation  1:  Let  SIG/  a  sig-com  scheme,  with  underlying  sig¬ 
nature  scheme  SIG  and  commitment  scheme  Com.  Let 
ECC  be  a  strong  error-correcting  code.  We  say  that 
(co,r,  pp)  G  Li  if  3 (to,  d,  l\,  C,  {pi}ie[2d])  such  that 

•  co  =  Com((d,  1\),tq) 

•  (d,  l\)  are  the  depth  and  root  of  a  sig-com  tree  for 
C  w.r.t.  pp 

•  Each  is  a  valid  sig-com  path  for  leaf  i  of  this  sig- 

com  tree.  That  is,  PATHSIG  pp)  =  1 

for  each  i. 

•  C  =  ECC(Il)  for  some  circuit  II 

•  ri(co)  =  r. 

We  let  R l1  be  the  witness  relation  corresponding  to  Li. 

Relation  2:  Let  Li  be  described  as  above,  with  respect  to 
schemes  SIG/  and  ECC.  Let  (Pjja^ua)  be  the  OSIG- 
aided  universal  argument  constructed  in  Sec.  4.1.  We 
say  that  (co,  r,  ci,  C2,  r',  pp)  G  L2  if  3(pi,p2,  n,  t2) 
such  that 

•  ci  =  Com  (pi,  n),  c2  =  Com(p2,T2) 

•  (Phr'iP2)  constitutes  an  accepting  {PjjAi  Vua) 
transcript  for  (co,?")  E  L\. 

We  let  R l2  be  the  witness  relation  corresponding  to  L2. 

Figure  2:  Relations  used  in  (9SIG-aided  ZK  protocol. 
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Theorem  9.  Let  SIG'  be  a  canonical  sig-com  scheme  with 
SIG  and  Com  being  its  underlying  signature  scheme  and  com¬ 
mitment  scheme.  Then  there  exists  an  OSIG -aided  constant- 
round  resettably-sound  argument  of  knowledge  ( P ,  V)  for  NP; 
additionally, 

1.  P  does  not  make  any  queries  to  its  oracle; 

2.  (P,V)  is  (SIG' ,1)- oracle- aided  zero-knowledge  for  some 
polynomial  i. 

5.  RS-ZK  IN  THE  PLAIN  MODEL 

Let  SIG'  be  a  canonical  sig-com  scheme  with  SIG  and 
Com  being  its  underlying  signature  scheme  and  commitment 
scheme.  Let  ( P ,  V )  be  a  CPSIG-aided  resettably  sound  argu¬ 
ment  of  knowledge  for  the  language  L  with  witness  rela¬ 
tion  Rl,  where  P  does  not  make  any  queries  to  its  oracle. 
Consider  the  protocol  (P,  V )  that  on  common  input  x,  and 
auxiliary  prover  input  w  proceeds  as  follows. 

1.  Init:  V  runs  (sk,  vk)  «—  Gen(l”)  and  sends  vk  to  P. 

2.  Signing  Slot: 

•  P  generates  c  =  Com(02n;r),  where  r  is  uni¬ 
formly  sampled,  and  sends  c  to  V. 

•  V  replies  with  a  =  Signsk(c). 

•  P  aborts  if  a  is  not  a  valid  signature  of  c. 

3.  Body:  Invoke  (P(w),  V)(x ,  pp)  with  pp  =  vk. 

Lemma  10.  If(P,V)is( S\G' ,2n)~ oracle- aided  zero-know¬ 
ledge  for  L  with  witness  relation  Rl,  then  ( P ,  V )  is  a  single¬ 
instance  resettably-sound  zero-knowledge  argument  of  knowl¬ 
edge  for  L  with  witness  relation  Rl  ■ 

Note  that  here  we  only  obtain  a  single-instance  resettably 
sound  argument  of  knowledge  (defined  in  Defn.  3),  but  this 
can  be  transformed  into  a  ’’full-fledged”  resettably  sound  one 
by  using  the  transformation  in  Claim  2,  which  thus  estab¬ 
lishes  our  main  Theorem  1.  The  proof  of  Lemma  10  is  found 
in  the  full  version.  We  provide  a  very  brief  sketch  below. 

Proof,  (sketch)  Completeness  of  (P,  V)  follows  directly 
from  the  completeness  of  (P,V)  since  by  assumption,  P 
never  makes  any  oracle  queries.  Resettable-soundness  and 
the  argument  of  knowledge  property,  roughly  speaking,  fol¬ 
low  by  emulating  all  signature  slot  messages  using  the  oracle; 
note  that  we  here  rely  on  the  fact  that  the  signature  scheme 
is  deterministic  to  ensure  that  “rewindings”  of  the  signature 
slot  can  be  emulated  as  oracle  queries.  The  zero-knowledge 
simulator  proceeds  by  first  honestly  emulating  the  signature 
slot  for  the  malicious  verifier  V* ,  and  if  V*  provides  an  ac¬ 
cepting  signature,  we  next  run  the  oracle-aided  simulator, 
and  appropriately  rewinding  the  malicious  verifier  during 
the  signature  slot  to  appropriately  implement  some  valid 
sig-com  oracle.  The  verifier  may  not  always  answer,  but  we 
can  “keep  rewinding”  him,  sending  fresh  commitments  until 
he  does.  Roughly  speaking,  the  key  point  is  that  if  V *  did 
provide  a  valid  signature  during  the  first  pass,  then  in  expec¬ 
tation,  by  the  hiding  property  of  the  commitment  scheme, 
we  only  need  a  polynomial  number  of  rewindings.  This  “al¬ 
most”  works:  just  as  in  [13],  we  need  to  take  special  care  to 
deal  with  verifier’s  that  only  provide  valid  signatures  with 
very  small  probability.  □ 
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Fast  Two-Party  Secure  Computation  with 
Minimal  Assumptions 


ABSTRACT 

Almost  all  existing  protocols  for  secure  two-party  computa¬ 
tion  require  a  specific  hardness  assumption  such  as  decisional 
Deffie-Hellman,  discrete  logarithm,  or  a  random  oracle  even 
after  assuming  oracle  access  to  the  oblivious  transfer  func¬ 
tionality  for  their  correctness  and/or  efficiency.  We  propose 
and  implement  a  Yao-based  protocol  that  is  secure  against 
malicious  adversaries  and  enjoys  the  following  benefits: 

1.  it  requires  the  minimal  hardness  assumption,  i.e. ,  OTs; 

2.  it  uses  10  rounds  of  communication  plus  OT  rounds; 

3.  it  has  the  optimal  overhead  complexity  (for  an  approach 
that  uses  the  circuit-level  cut-and-choose  technique);  and 

4.  it  is  embarrassingly  parallelizable  in  the  sense  that  each 
circuit  can  be  processed  in  a  pipelined  manner,  and  all  cir¬ 
cuits  can  be  processed  in  parallel. 

To  achieve  these  properties,  we  solve  the  three  main  is¬ 
sues  for  achieving  malicious  security  in  a  novel  and  effi¬ 
cient  manner.  In  particular,  we  propose  an  efficient  witness- 
indistinguishable  proof  for  the  generator’s  output  authentic¬ 
ity,  we  suggest  the  use  of  an  auxiliary  circuit  that  computes 
a  hash  to  ensure  the  generator’s  input  consistency,  and  we 
advance  the  performance  of  the  state-of-the-art  approach 
defending  the  selective  failure  attack. 

Not  only  does  our  protocol  require  weaker  cryptographic 
assumptions,  but  our  implementation  of  this  protocol  also 
demonstrates  a  several  factor  improvement  over  the  best 
prior  work,  which  relies  on  specific  number-theoretic  as¬ 
sumptions.  Thus,  we  show  that  performance  does  not  rely 
on  specific  assumptions. 

‘This  work  is  supported  by  Defense  Advanced  Research 
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ernment. 
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1.  INTRODUCTION 

Secure  two-party  computation  research  aims  to  allow  two 
parties  to  collaborate  in  a  way  that  achieves  maximal  pri¬ 
vacy  of  their  inputs  with  simultaneous  guarantees  of  correct¬ 
ness  of  outputs.  The  correctness  property  guarantees  that 
when  both  parties  follow  the  protocol  honestly,  the  proto¬ 
col  output  is  indeed  the  output  of  the  objective  function. 
The  privacy  property  ensures  that  during  the  protocol  ex¬ 
ecution,  neither  party  can  learn  more  than  that  derivable 
from  her  own  input  and  output.  A  trivial  solution  is  have 
both  parties  hand  their  private  inputs  to  this  third  party 
who  performs  the  work  and  later  distributes  the  computa¬ 
tion  result.  However,  the  solution  that  cryptographers  desire 
achieves  the  effect  of  a  trusted  party  without  one. 

The  first  generic  solution  for  secure  two-party  computa¬ 
tion  in  the  honest-but- curious  model  was  proposed  by  Yao  [24] 
In  this  protocol,  both  parties  agree  on  an  objective  function 
and  its  boolean  circuit  format  (called  the  objective  circuit ) 
in  advance1.  One  party  (called  the  generator )  constructs  a 
garbled  version  of  this  objective  circuit,  and  the  other  party 
(called  the  evaluator )  then  obliviously  evaluates  this  gar¬ 
bled  circuit  and  gets  the  output.  By  oblivious  evaluation 
we  mean  that  the  evaluator  does  not  learn  any  intermediate 
value  of  the  computation.  This  protocol  satisfies  the  two 
security  properties  if  both  participants  follow  the  protocol 
instructions  honestly. 

This  basic  protocol  must  be  hardened  to  handle  the  sit¬ 
uation  in  which  either  party  arbitrarily  deviates  from  the 
protocol.  A  simply  cheat  is  for  a  malicious  generator  to  con¬ 
struct  a  faulty  circuit  that  breaks  the  security  properties,  for 
example,  one  that  purposely  reveals  the  evaluator’s  private 
input.  Since  the  circuit  is  garbled,  the  evaluator  could  not 
tell  whether  the  circuit  is  faulty  or  not. 

The  cut-and-choose  technique  is  one  of  the  most  efficient 
methods  that  enforce  honest  circuit  garbling  [9,13,14,17,21]. 
At  a  high  level,  this  technique  instructs  the  generator  to 
prepare  multiple  copies  of  the  garbled  circuit,  each  with  in¬ 
dependent  randomness,  and  instructs  the  evaluator  then  to 
randomly  pick  a  fraction  of  the  circuits  whose  randomness  is 
later  revealed.  If  any  of  the  chosen  circuits  (called  the  check 
circuits )  is  not  consistent  with  the  revealed  randomness,  the 
evaluator  aborts  and  the  generator  is  caught  cheating;  other- 

1The  equivalence  between  the  objective  function  and  the 
objective  circuit  is  out  of  the  scope  of  this  paper. 
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wise,  the  evaluator  starts  to  evaluate  the  remaining  circuits 
(called  the  evaluation  circuits)  as  instructed  in  the  Yao  pro¬ 
tocol.  Finally,  the  evaluator  takes  the  majority  of  the  eval¬ 
uation  outputs  as  the  final  output.  As  a  result,  a  malicious 
generator  constructs  either  too  many  faulty  circuits  and  gets 
caught,  or  only  a  few  and  does  not  influence  the  final  output 
at  all. 

Besides  the  threat  of  faulty  circuits,  there  remain  three 
other  subtle  but  equally  critical  security  issues  that  need  to 
be  addressed  when  dealing  with  malicious  adversaries.  The 
first  two  in  fact  result  from  the  use  of  multiple  garbled  cir¬ 
cuits  (as  instructed  by  the  cut-and-choose  technique):  two- 
output  function  handling  and  the  generator’s  input  consis¬ 
tency.  The  third  issue  is  also  known  as  the  selective  failure 
attack.  Prior  work  in  this  area  that  addresses  these  three 
concerns  either  requires  specific  hardness  assumptions,  or 
introduces  large  overheads  in  communication  and  computa¬ 
tion. 

1.1  Contributions 

The  main  contribution  of  this  work  is  to  construct  an  op¬ 
timal  protocol  in  the  circuit-level  cut-and-choose-based  cat¬ 
egory  that  (1)  it  requires  minimal  hardness  assumptions, 
namely,  an  oblivious  transfer  (OT)  protocol  secure  in  the 
presence  of  malicious  adversaries;  (2)  it  introduces  little 
computational  and  communicational  overhead  to  solve  the 
above  three  problems.  In  particular,  its  complexity  is  lin¬ 
ear  (in  terms  of  the  security  parameter)  to  the  original  Yao 
protocol’s,  which  is  the  best  a  circuit-level  cut-and-choose- 
based  solution  could  ever  achieve.  In  other  words,  we  show 
that  malicious  security  comes  almost  for  free  both  in  terms 
of  required  hardness  assumptions  and  various  protocol  per¬ 
formance  metrics.  Let  n  denote  the  input  and  output  size, 
k  denote  the  security  parameter,  a  denote  the  number  of 
garbled  circuits  needed  (typically,  cr  =  0{k)).  The  contri¬ 
butions  of  this  work  are  as  follows: 

1.  We  propose  a  novel  witness-indistinguishable  proof  to  en¬ 
sure  the  generator’s  output  authenticity  that  requires  only 
standard  primitives  (any  symmetric  encryption  scheme  and 
commitment  scheme  to  be  precise)  and  incurs  about  the 
same  amount  of  overhead  as  garbling  and  evaluating  the  gen¬ 
erator’s  output  gates.  In  other  words,  it  requires  only  O(an) 
symmetric  cryptographic  operations;  prior  approaches  re¬ 
quire  0(a2n)  symmetric  operations  [13,20]  or  O(cm)  sym¬ 
metric  operations  plus  O(a)  algebraic  operations  [9]. 

2.  We  suggest  the  use  of  an  auxiliary  circuit  to  achieve  the 
generator’s  input  consistency.  This  auxiliary  circuit  only 
needs  to  compute  the  (universal)  hash  of  the  generator’s  in¬ 
put.  By  utilizing  an  XOR-homomorphic  hash,  we  are  able 
to  evaluate  the  auxiliary  circuit  almost  for  free.  Our  solu¬ 
tion  is  much  more  efficient  than  the  prior  works  which  need 
0(a2n)  symmetric  operations  [13,16]  or  O(ern)  algebraic  op¬ 
erations  [21]. 

3.  Most  importantly,  the  above  two  techniques  allow  us  to 
handle  issues  of  two-output  functions  and  the  generator’s  in¬ 
put  consistency  while  avoiding  algebraic  operations  entirely. 
Lindell  and  Pinkas’  [13]  and  Woodruff’s  [23]  approaches  are 
the  only  prior  works,  to  the  best  of  our  knowledge,  that 
do  not  rely  on  any  number-theoretic  assumptions.  Never¬ 
theless,  our  approach  works  in  a  more  efficient  manner  as 
shown  in  Table  1. 


4.  Lindell  and  Pinkas  suggested  the  use  of  a  fc-probe-resistant 
matrix  (cf.  Definition  5)  to  defend  against  the  selective  fail¬ 
ure  attack  [13].  This  solution  has  little  overhead  while  com¬ 
bining  with  the  free-XOR  technique.  However,  it  increases 
the  number  of  OTs  needed  at  the  same  time.  While  XOR 
gates  can  be  computed  almost  for  free,  the  OTs  can  not. 
While  there  exist  extension  techniques  for  OTs,  not  all  vari¬ 
ants  of  OTs  can  be  efficiently  extended.  We  therefore  design 
a  probabilistic  algorithm  based  on  Reed-Solomon  code  such 
that  the  number  of  OTs  needed  can  be  as  low  as  25%  of  that 
in  the  original  Lindell  and  Pinkas’  solution. 

5.  We  propose  an  optimization  technique  that  can  save  com¬ 
munication  overhead  by  up  to  60%  (when  60%  of  all  the 
garbled  circuits  are  check  circuits)  with  the  price  of  a  slight 
increase  of  computation  overhead.  We  stress  that  our  tech¬ 
nique  compares  favorably  with  the  Random  Seed  Checking 
technique  [12].  In  particular,  our  approach  is  compatible 
with  the  pipelining  technique  [6]. 

6.  Based  on  an  open-source  system  [12],  we  experimentally 
verify  our  theories  by  developing  some  of  the  above  tech¬ 
niques.  The  integrated  system  can  process  650,000+  gates 
per  second  on  Stampede  [22].  This  is  the  fastest  maliciously 
secure  two-party  system  reported. 

1.2  Related  Work 

While  substantial  efforts  have  been  spent  on  converting 
the  Yao  protocol  based  on  the  cut-and-choose  technique  [9, 
12-14, 16,  20,  21,  23]  into  maliciously  secure  protocols,  sev¬ 
eral  completely  different  approaches  have  been  reported. 
Jarecki  and  Shmatikov  suggested  an  approach  that  needs 
only  a  single  copy  of  the  garbled  circuit,  but  this  approach 
requires  expensive  zero-knowledge  proof  of  correctness  for 
every  single  gate  [8]  that  also  rely  on  specific  RSA-based 
hardness  assumptions.  Nielson  et  al.  reported  a  solution 
that  uses  efficient  OTs  to  generate  a  pool  of  authenticated 
primitives  [19].  With  these  primitives,  both  parties  are  able 
to  securely  evaluate  a  boolean  circuit  based  on  the  generic 
Goldreich,  Micali,  and  Wigderson  protocol  [3].  However, 
this  protocol  requires  interactive  communication  for  every 
AND  gate,  and  therefore  the  number  of  rounds  of  commu¬ 
nication  depends  on  the  circuit.  While  suitable  for  small 
circuits,  large  complicated  circuits  will  require  thousands  of 
back-and-forth  messages.  Damgard  et  al.  proposed  a  solu¬ 
tion  that  uses  somewhat  homomorphic  encryption  to  pre¬ 
compute  a  bunch  of  triples  that  are  later  used  to  securely 
compute  an  arithmetic  circuit  [1]. 

Our  approach  outperforms  other  approaches  in  the  cut- 
and-choose-based  category  in  terms  of  the  number  of  sym¬ 
metric  or  algebraic  operations  needed,  as  shown  in  Table  1. 
Note  that  by  “in  the  cut-and-choose-based  category,”  we 
mean  that  the  number  of  the  garbled  circuits  needed  is  lin¬ 
ear  to  the  security  parameter.  So  there  is  a  hidden  cost  of 
O(fcC)  of  symmetric  cryptographic  operations  in  all  these 
approaches,  where  C  is  circuit  size.  More  details  about  Ta¬ 
ble  1  will  be  given  in  Section  3. 

Our  approach  is  also  as  competitive  as  any  other  in  terms 
of  computation  complexity,  round  complexity,  and  the  com¬ 
putation  assumptions  needed,  as  shown  in  Table  2.  While 
Jarecki  and  Shmatikov’s  approach  requires  hundreds  of  ex¬ 
pensive  algebraic  operations  per  gate,  ours  does  not  need 
any  (given  oracle  access  to  OTs)  [8].  Although  Neilson  et 
al.’s  approach  favorably  compares  to  our  approach  in  terms 
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Gen.  Input  Consist. 
Symm.  Op.  1  Alge.  Op. 

Gen.  Output  Auth. 
Symm.  Op.  |  Alge.  Op. 

Assumptions 
(besides  OT) 

[13] 

0{k2n ) 

0{k2n ) 

Standard  (OWF) 

[9] 

0(k2n ) 

O(kn) 

0{k) 

Discrete  Log. 

[14] 

O(kn) 

0(kn) 

not  mentioned 

Decisional  Diffie-Hellman 

[21] 

0(kn ) 

0(kn) 

O(fcn) 

0(kn) 

Discrete  Log. 

[12] 

O(fcn) 

O(kn) 

O(fcn) 

0(k) 

Discrete  Log. 

This  Work 

O(fcn) 

O(fcn) 

Standard  (OWF) 

Table  1:  Complexity  of  various  circuit-level  cut-and-choose-based  approaches  in  terms  of  symmetric  (or  algebraic)  operations. 


of  computation  complexity,  ours  requires  constant  communi¬ 
cation  rounds  while  theirs  needs  rounds  linear  to  the  circuit 
depth  [19].  At  last,  since  Damgard  et  al.’s  approach  works 
with  arithmetic  circuits,  it  is  incomparable  to  our  work  and 
thus  omitted  in  the  table  [1] 


1 

Symm.  Op. 

Alge.  Op. 

Rounds 

1  Assumptions 

[8]  | 

0(C) 

0(C) 

0(1) 

|  DCR  +  RSA 

[18]  | 

°(l JCC) 

0(1) 

Discrete  Log 

[19]  | 

°(ikbc) 

O(D) 

Random  Oracle 

This  | 

O(fcC) 

0(1) 

|  Standard  (OWF) 

Table  2:  Overall  complexity  comparison  with  prior  works,  where 
C  is  the  circuit  size  and  Df  is  the  circuit  depth. 

We  recently  noticed  an  independent  work  by  Mohassel 
and  Riva  that  also  proposes  an  optimal  Yao-based  proto¬ 
col  [17].  Their  protocol  indeed  shares  the  same  asymptotic 
complexity  as  ours  and  also  relies  on  minimal  assumptions. 
However,  our  approach  favorably  compares  to  theirs  for  two 
reasons: 

1.  The  protocols  for  ensuring  the  generator’s  output  au¬ 
thenticity  in  both  works  are  essentially  the  same.  Both  pro¬ 
tocols  capture  the  idea  that  the  evaluator  provides  a  unique 
random  key  corresponding  to  each  of  the  generator’s  out¬ 
put  wires  as  the  proof  of  authenticity.  The  only  difference 
is  that  for  each  of  the  generator’s  output  wires  in  each  of 
the  garbled  circuits,  Mahassel  and  Riva’s  protocol  requires 
two  possible  random  keys,  which  correspond  to  0  or  1,  to  be 
encrypted  and  exchanged,  whereas  our  protocol  only  needs 
the  one  that  corresponds  to  the  generator’s  output  value  to 
be  encrypted  and  exchanged.  In  other  words,  although  both 
solutions  need  O(cro)  symmetric  cryptographic  operations, 
ours  has  a  smaller  constant  factor. 

2.  Their  approach  for  checking  Gen’s  input  consistency  uses 
a  different  instance  of  circuit  garbling,  in  which  Gen’s  and 
Eval’s  roles  are  reversed.  In  other  words,  while  their  so¬ 
lution  introduces  0{n )  instances  of  OTs,  which  is  arguably 
the  most  expensive  component  of  the  Yao  protocol,  ours  in¬ 
troduces  only  cryptographic  symmetric  operations. 

Paper  Organization:  We  first  give  background  and  no¬ 
tations  in  Section  2.  We  then  show  how  the  three  attacks 
are  handled  by  cryptographic  primitives  in  Section  3.  A  de¬ 
tailed  description  of  our  main  protocol  and  the  argument  of 
its  security  is  presented  in  Section  4.  The  optimization  tech¬ 
nique  that  saves  the  communication  overhead  by  at  much  as 


60%  is  reported  in  Section  5.  Finally,  experimental  results 
are  reported  in  Section  6. 

2.  PRELIMINARIES 

Since  our  solution  is  based  on  the  Yao  protocol,  the  two 
parties  are  referred  to  as  Gen  and  Eval  for  the  rest  of 
this  paper.  We  denote  by  f{x,y)  eA  (fi{x,  y),  f2(x,  y))  a 
two-output  objective  function,  where  Gen  with  input  x  gets 
output  fi(x,y)  and  Eval  with  input  y  gets  output  f2(x,y). 
For  simplicity,  fi(x,y)  and  fz(x,y)  are  often  noted  as  /i 
and  /2,  respectively.  We  use  /i  =  1  or  /2  =  1  to  indi¬ 
cate  that  either  Gen  or  Eval  gets  no  output.  We  denote  by 
com(a;;  r)  the  commitment  to  message  x  with  randomness  r. 
The  randomness  may  be  omitted  for  simplicity.  We  denote 
by  ence(a:)  the  encryption  of  message  x  under  encryption 
key  e  and  by  decd(c)  the  decryption  of  ciphertext  c  under 
decryption  key  d.  Additionally,  we  denote  by  x\\y  or  some¬ 
times  (x,  y)  the  concatenation  of  x  and  y,  and  by  [n]  the  set 
{1,  2, . . . ,  n}  for  some  n  G  N.  We  also  adopt  the  notation 
that  x^'s  superscript  implies  that  this  variable  is  related  to 
the  j- th  garbled  circuit. 

Furthermore,  for  the  rest  of  this  paper,  we  denote  by  k 
the  security  parameter,  by  a  the  number  of  copies  of  the 
garbled  circuit  needed  (also  known  as  the  statistical  security 
parameter),  and  by  n  the  size  of  a  participant’s  input  and 
output.. 

3.  MALICIOUS  SECURITY 

Our  protocols  achieve  security  against  malicious  adver¬ 
saries  according  to  the  standard  ideal-real  paradigm  for  defin¬ 
ing  security.  In  the  full  version  of  this  paper,  we  present  the 
standard  definition  of  ideal-real  security  and  prove  that  our 
protocols  achieve  this  notion.  Since  the  proof  techniques  al¬ 
ready  highlighted  in  [13]  and  [21]  suffice  for  our  proof,  in 
this  short  abstract,  we  omit  the  full  proofs  and  focus  on  dis¬ 
cussing  our  important  contributions — namely,  how  we  solve 
the  three  security  issues  faced  by  the  protocol  that  trans¬ 
forms  the  Yao  protocol  into  one  that  is  secure  in  the  mali¬ 
cious  model  via  the  cut-and-choose  technique. 

3.1  Two-Output  Function  Handling 

For  many  real-world  applications,  both  parties  want  to 
learn  an  output  from  the  secure  computation.  Since  Eval 
always  learns  her  output,  the  challenge  is  for  Gen  to  learn 
hers  securely.  In  particular,  a  solution  needs  to  achieve 
Gen’s  output  privacy  and  output  authenticity.  The  former 
requires  that  Eval  does  not  learn  Gen’s  output,  and  the 
latter  requires  that  Gen  gets  either  an  authentic  output  or 
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no  output  at  all,  in  which  case  Eval  is  caught  cheating.  We 
stress  that  the  two-output  protocols  we  consider  are  not  fair, 
that  is,  Eval  may  learn  her  own  output  but  refuse  to  send 
Gen’s  back — but  if  so,  Eval  is  caught  cheating. 

Goldreich  suggested  the  use  of  an  auxiliary  circuit  that 
encrypts  Gen’s  output  and  computes  the  digital  signature 
of  the  resulting  ciphertext  so  that  a  malicious  Eval  could 
neither  learn  Gen’s  output  from  the  ciphertext  nor  forge 
an  arbitrary  signature  [2].  Later,  Lindcll  and  Pinkas  pro¬ 
posed  an  approach  that  uses  one-time-pad  encryption  and 
one-time  MAC  circuits  instead,  which  incurs  O(kn)  extra 
gates  per  circuit  [13].  Kiraz  presented  a  two-party  protocol 
in  which  a  zero- knowledge  proof  of  size  0(a)  is  executed  at 
the  end  [9] .  shelat  and  Shen  reported  a  signature-based  solu¬ 
tion  that  adds  0(n)  gates  to  each  circuit,  and  requires  a  WI 
proof  of  size  0(a  +  n)  [21]  that  requires  specific  complexity 
assumptions. 

Our  approach  solves  Gen’s  output  privacy  problem  with 
a  one-time-pad  encryption  circuit,  which  requires  only  0{n) 
extra  XOR-gates  per  circuit.  The  novel  part  of  our  ap¬ 
proach  is  that  we  tackle  the  output  authenticity  problem 
in  a  way  that  needs  no  algebraic  operations  at  all  (hence  no 
number-theoretic  intractability  assumption  is  needed).  Our 
idea  comes  from  the  following  three  observations. 

We  first  observe  that  the  random  keys  retrieved  from  eval¬ 
uating  Gen’s  output  gates  can  in  fact  serve  as  “message  au¬ 
thentication  codes”  sufficient  for  Eval  to  prove  Gen’s  out¬ 
put  authenticity.  Recall  that  the  Yao  protocol  ensures  that 
Eval  learns  exactly  one  of  the  two  random  keys  assigned  to 
each  wire.  So  the  knowledge  of  the  retrieved  random  key 
corresponding  to  Gen’s  output  wire  is  more  than  enough 
for  Eval  to  show  the  output  authenticity.  What  remains 
is  how  Eval  demonstrates  this  knowledge  without  revealing 
the  index  of  the  garbled  circuit  from  which  Eval  retrieves 
the  random  key.  This  index  has  been  shown  to  be  exploitable 
in  breaching  Eval’s  input  privacy  [9]. 

The  second  observation  we  have,  which  is  also  pointed  out 
in  shelat  and  Shell’s  work  [21],  is  that  a  WI  proof  suffices  the 
purposes  here.  Let  us  consider  the  case  in  which  Gen  (plays 
as  the  verifier)  has  private  input  U  =  (u^\  . . . , u^) 

for  some  s  G  N,  and  Eval  (plays  as  the  prover)  knows  u <'m') 
for  some  m  £  [s] .  In  the  honest-but-curious  model,  a  simple 
WI  proof  of  Eval’s  knowledge  can  be  done  as  follows: 

1.  Gen  picks  random  nonce  r,  and  sends  Eval 

(enc„(i)  (r),  encu(2)  (r), . . . ,  encttW  (r)). 

2.  Eval  receives  C  =  ,cf2' , . . . ,  c(-3'>)  and  returns  decuo)  (c^ 

3.  Gen  receives  r'  and  accepts  if  r'  —  r ,  or  aborts  other¬ 
wise. 

This  proof  is  sound  because  an  Eval  with  no  knowledge  of 
any  u ^  £  U  can  only  guess  r  with  negligible  probability. 
However,  this  proof  is  not  WI  in  the  malicious  model.  In 
fact,  a  malicious  Gen  may  pick  distinct  r^'s  and  send  Eval 

(encu(i)  (r(1)),  encu(2)  (r(2)), . . . ,  encu(s)  (r(s))) 

so  that  u (rn'>  can  later  be  deduced  by  locating  r’  in  (r*-1-1 ,  r . . . ,  r ^ 

To  force  Gen  to  behave  honestly  in  Step  1,  we  suggest  that 
Gen  discloses  (U,  r)  after  receiving  r1  so  that  Eval  could 
check  if  C  is  constructed  correctly.  Our  third  observation  is 
that  this  disclosure  does  not  compromise  Gen’s  input  pri¬ 
vacy.  Indeed,  Eval  should  have  already  learned  the  majority 


of  U  from  the  circuit  evaluation,  and  r  is  a  random  nonce 
that  has  no  information  about  Gen’s  input  at  all.  So  Gen’s 
input  is  not  leaked  through  (17,  r).  Moreover,  this  disclosure 
does  not  compromise  the  soundness  of  the  protocol  since  af¬ 
ter  Gen  receives  r' ,  Eval  has  already  delivered  her  proof 
of  authenticity  so  that  learning  ( U ,  r)  afterwards  will  not 
change  the  proof  retroactively.  Nonetheless,  we  stress  that 
Gen  should  not  learn  r'  before  Eval  finishes  the  check,  and 
nor  should  Eval  be  able  to  change  r'  after  the  check.  This 
property  suggests  the  use  of  a  commitment  scheme.  Our 
idea  is  that  Eval  commits  to  decu(m)  {cP1')  instead  of  giv¬ 
ing  it  away  in  clear.  After  Gen  reveals  (17,  r),  Eval  checks 
if  C  is  indeed  correctly  generated.  If  the  check  fails,  Eval 
aborts;  otherwise,  Eval  decommits  to  r' .  Then  Gen  checks 
if  r'  =  r  and  responds  as  in  the  honest-but-curious  protocol. 

One  more  issue  is  that  a  malicious  Gen  could  learn  Eval’s 
private  input  u('7n'1  with  non-negligible  probability  by  faking 
her  private  inputs  from  the  beginning.  More  specifically, 
a  malicious  Gen  could  guess  u ^  with  probability  1/s  and 
then  pretend  that  her  private  input  is  17  =  (w^ ,  ...,u(rn~1\u 
instead  of  17,  where  vS^  is  randomly  picked.  With  this  at¬ 
tack,  a  malicious  Gen  is  capable  of  providing  checkable  ci¬ 
phertexts  C  when  Eval’s  private  input  is  indeed  u^m\  Be¬ 
sides,  the  fact  that  Eval  can  provide  the  correct  nonce  r 
confirms  that  her  private  input  is  u<'rn'> .  A  straightforward 
way  to  get  around  this  issue  is  for  the  two  parties  to  share 
the  commitments  to  Gen’s  private  inputs  in  the  first  place. 
By  the  binding  property  of  the  commitment  scheme,  a  ma¬ 
licious  Gen  cannot  change  her  private  inputs  at  will.  The 
correctness  of  these  commitments  will  be  guaranteed  by  the 
circuit-level  cut-and-choose  technique. 

The  complete  description  of  our  Gen’s  output  authentic¬ 
ity  protocol  is  presented  in  Figure  1,  and  the  security  of  this 
protocol  is  stated  in  Lemma  1. 


Common  Input:  security  parameter  lfe,  statisti¬ 
cal  security  parameter  Is,  Gen’s  output  bit 
b,  and  commitments  to  Gen’s  private  input 

{(com(43)),com(43)))}j£[s]. 

Private  Input:  Gen  has  {(uqJ\ anc^  Eval  has 
random  key  v  corresponding  to  Gen’s  output  wire  of 
value  b  in  the  m-th  garbled  circuit  for  some  m  E  [s]. 

1.  Gen  picks  a  random  nonce  r  E  {0,  l}fc  and  sends  Eval 

(enc  (i)  (r),  enc  (2)  (r),  •  •  •  ,  enc  (s)  (r)). 

ub  Ub  Ub 

2.  After  receiving  C  =  (c^1),  c^2\  •  •  •  ,  c(s)),  Eval  sends 
com  (dec i>(c(m)))  back  to  Gen. 

3.  After  receiving  com(r,/),  Gen  decommits  to  {u^}je[s]- 

4.  Eval  checks  the  decommitted  values  that 

(a) if  com(u[^)  is  correctly  opened  to  u U)  for  all  j? 

(b) if  decu(i)(cW)  =  decuij)  (c^))  for  all  i,j? 

Eval  aborts  if  any  of  the  checks  fails;  otherwise,  she  decom¬ 
mits  to  r' . 

5.  Gen  accepts  the  proof  if  com(r/)  is  correctly  opened  and 
r'  =  r;  otherwise,  she  rejects. 


Figure  1:  A  WI  proof  for  Gen’s  output  authenticity  with  mali¬ 
cious  security  (where  Eval  plays  the  role  of  the  prover) 


Approved  for  Public  Release;  Distribution  Unlimited. 


Lemma  1.  Let  {(com(uQ^),  co/n(uj^))}jg[s]  and  bit  b  be 
common  inputs.  Suppose  Gen  has  private  input  {(wq3^,  )}je[s], 

where  Uq\uP  £  {0,  l}fc.  The  protocol  presented  in  Figure  1 
satisfies  the  following  properties: 

1.  (Completeness)  If  Eval  knows  up1  for  some  j  £  [s], 

Gen  always  accepts. 

2.  (Soundness)  If  Eval  does  not  know  any  ofu^s,  Gen 
rejects  with  probability  at  least  1  —  2~k . 

3.  (Witness-indistinguishability)  Let  us  denote  by  VIEW„ 

the  view  of  Gen  from  running  the  protocol  with  Eval  using 
input  v .  If  Eval  knows  the  majority  V  of  ,  lip'1 , ... ,  ) , 

then  for  any  vi,i>2  £  V,  {VIEWujJ-fcgN  and  {VIEW„2}fceN 
are  computationally  indistinguishable. 

3.2  Generator’s  Input  Consistency 

In  the  cut-and-choose  technique,  multiple  copies  of  the 
garbled  circuit  are  constructed  and  then  either  checked  or 
evaluated.  It  is  conceivable  that  a  malicious  Gen  may  pro¬ 
vide  inconsistent  inputs  to  different  evaluation  circuits.  Lin- 
dell  and  Pinkas  showed  that  for  some  functions,  it  is  not 
difficult  for  a  malicious  Gen  to  use  inconsistent  inputs  to 
extract  information  of  Eval’s  input  [13].  For  instance,  sup¬ 
pose  both  parties  agree  upon  the  objective  function 

/((ai,  a2,  03),  (61 , 62,  63))  (0161  ©  a2&2  ©  a3b3,  -L), 

where  ai  and  &;  is  Gen’s  and  Eval’s  z-th  input  bit,  re¬ 
spectively.  Instead  of  providing  (ai,  a2, 03)  consistently,  a 
malicious  Gen  may  send  (1,0,0),  (0,1,0),  and  (0,0,1)  to 
different  evaluation  circuits.  In  the  end,  Gen  learns  the  ma¬ 
jority  bit  of  Eval’s  input,  which  is  the  extra  information 
that  Eval  did  not  agree  to  reveal. 

Several  approaches  have  been  proposed  to  defend  this  at¬ 
tack.  Mohassel  and  Franklin  proposed  the  equality-checker 
technique,  which  requires  O(o2n)  commitments  to  be  com¬ 
puted  and  exchanged  [16].  Lindell  and  Pinkas  developed 
an  approach  that  also  requires  0(a2n)  commitments  [13]. 
Later,  they  realized  that  O(o2n)  commitments  are  too  much 
of  the  communication  overhead,  and  then  further  suggested 
a  pseudo-random  synthesizer  that  relies  on  efficient  zero- 
knowledge  proofs  under  specific  hardness  assumptions  and 
requires  O(an)  algebraic  operations  [14].  shelat  and  Shen 
proposed  the  use  of  malleable  claw-free  collections,  which 
also  uses  0(an )  algebraic  operations,  but  they  showed  that 
the  witness-indistinguishability  is  sufficient  [21].  Our  ap¬ 
proach  gets  the  best  of  the  both  worlds,  i.e.,  it  requires  only 
0(an)  symmetric  cryptographic  operations. 

We  suggest  to  tackle  this  issue  with  an  auxiliary  circuit,  in 
addition  to  the  objective  circuit,  that  computes  a  function 
of  Gen’s  input.  At  a  high  level,  the  circuit-level  cut-and- 
choose  technique  ensures  the  correctness  of  this  auxiliary 
circuit,  and  its  output  is  used  to  ensure  Gen’s  input  consis¬ 
tency.  In  particular,  for  this  idea  to  work,  we  need  to  endow 
the  output  of  this  auxiliary  circuit  with  collision-free  and 
hiding  properties.  The  former  ensures  that  the  consistency 
of  the  auxiliary  outputs  implies  the  consistency  of  Gen’s  in¬ 
puts,  and  the  latter  ensures  that  the  auxiliary  outputs  do 
not  reveal  any  information  of  Gen’s  inputs. 

A  natural  candidate  for  this  auxiliary  circuit  is  a  commit¬ 
ment  circuit.  The  binding  and  hiding  properties  of  a  com¬ 
mitment  scheme  satisfy  the  two  security  properties  needed 


here.  This  is  a  conceptually  much  simpler  solution.  We, 
however,  failed  to  find  a  commitment  circuit  that  intro¬ 
duces  less  overhead  than  the  previous  state-of-the-art  so¬ 
lution  does.  Fortunately,  we  figured  that  a  universal  hash 
circuit  is  a  sufficient  and  much  more  efficient  alternative. 
We  next  give  the  definition  of  universal  hash  functions,  and 
then  we  discuss  how  we  achieve  both  collision-free  and  hiding 
properties  with  a  universal  hash  circuit.  Finally,  we  present 
an  efficient  instantiation  with  proper  parameters. 

Definition  2  (Universal  Hash).  A  collection  of  hash 
functions  H  =  {h\h  :  A  —>  B }  is  called  universal  if  for  any 
distinct  x,y  £  A,  the  probability  that  a  uniformly  chosen 
h  £  TL  satisfies  that  h(x)  =  h(y)  is  at  most  1/|B|. 

3.2.1  Collision-Free  Property 

This  property  comes  naturally  with  universal  hash  func¬ 
tions.  Indeed,  Definition  2  shows  that  for  any  distinct  x,  y, 
if  they  are  fixed  before  h  is  uniformly  chosen,  their  hashes 
are  unlikely  to  collide.  This  suggests  that  the  collision- 
free  property  can  be  achieved  by  letting  Gen  commit  to 
(fix)  her  inputs  before  a  hash  function  is  jointly  (uniformly) 
picked.  Later,  the  consistency  of  Gen’s  inputs  can  be  ver¬ 
ified  by  checking  the  consistency  of  the  auxiliary  outputs 
(the  hashes).  Since  both  the  objective  circuit  and  the  aux¬ 
iliary  circuit  share  the  same  input  from  Gen,  Gen’s  input 
consistency  to  the  auxiliary  circuits  implies  the  same  to  the 
objective  circuits.  Our  protocol  is  outlined  as  follows: 

1.  Gen  commits  to  her  inputs  a;^,  x'2\  . . . ,  x^\  where  x^'1 
denotes  her  input  to  the  j- th  garbled  circuit. 

2.  Gen  and  Eval  jointly  and  uniformly  pick  h  £  Tl. 

3.  Gen  constructs  a  copies  of  the  garbled  circuit.  Each  cir¬ 
cuit  contains  two  parts:  the  objective  circuit  and  the  aux¬ 
iliary  circuit.  While  the  first  part  computes  the  objective 
function,  the  j'-th  auxiliary  circuit  uses  the  input  wires  of 
the  objective  circuit  to  compute  h(x^p. 

4.  Eval  asks  to  check  the  correctness  of  a  random  fraction 
of  the  garbled  circuits.  If  the  check  fails,  Eval  aborts;  oth¬ 
erwise,  Eval  asks  Gen  to  decommit  to  her  inputs  for  the 
remaining  (unchecked)  circuits. 

5.  Eval  first  evaluates  the  remaining  auxiliary  circuits.  If 
the  evaluation  outputs  (the  hashes)  are  not  consistent,  Eval 
aborts;  otherwise,  Eval  proceeds  to  evaluating  the  remain¬ 
ing  objective  circuits. 

Since  the  cut-and-choose  technique  instructs  a  majority 
operation  at  the  end,  the  final  evaluation  output  will  not 
be  influenced  by  a  few  inconsistent  inputs  introduced  by  a 
malicious  Gen.  We  next  argue,  at  a  high  level,  that  with 
high  probability,  this  protocol  enjoys  the  desired  security 
property  that  Gen ’s  inputs  to  the  majority  of  the  remaining 
circuits  are  consistent.  Indeed,  if  a  malicious  Gen  is  able 
to  pass  the  hash  consistency  check  and  provide  inconsistent 
inputs  to  the  majority  of  the  remaining  objective  circuits, 
there  are  only  three  possibilities:  (1)  The  (auxiliary)  circuits 
are  faulty:  The  cut-and-choose  technique  ensures  that  with 
high  probability,  this  only  happens  to  a  minority  of  the  re¬ 
maining  circuits.  (2)  Gen  is  really  lucky  to  have  found  a 
collision:  By  Definition  2,  this  happens  with  probability  at 
most  1/|B|,  which  becomes  negligible  if  B  is  properly  chosen. 
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(3)  Gen  is  able  to  break  the  binding  property  of  the  commit¬ 
ments:  Note  that  since  universal  hash  functions  do  not  even 
provide  pre-image  resistance,  given  h  and  h[x ^),  it  can  be 
easy  to  find  such  that  h(x^)  =  h(x .  Thus,  if  Gen 
is  able  to  open  the  commitment  from  Step  1  to  some  value 
computed  after  h  is  chosen  in  Step  2,  she  breaks  the  desired 
security  property.  However,  this  would  imply  that  Gen  is 
able  to  break  the  commitment  scheme’s  binding  property. 
This  happens  with  negligible  probability  too. 

Remark  3.1.  Since  the  above  protocol  is  not  the  final  ver¬ 
sion  of  our  solution,  we  only  provide  the  intuitions  for  now. 
A  simpler  and  more  elaborate  protocol  will  be  given  in  Fig¬ 
ure  2,  but  the  same  outline  and  security  argument  will  apply. 

3.2.2  Hiding  Property 

A  deterministic  universal  hash  h  :  A  — >•  B  provides  the 
collision-free  property  we  need,  yet  it  is  insufficient  for  the 
purposes  here  due  to  the  lack  of  the  hiding  property.  Indeed, 
if  the  size  of  A  is  small,  Eval  could  exhaustively  compute  the 
hash  of  all  possibilities  in  A  and  then  deduce  x^')  G  A  from 
h( x™').  As  a  result,  the  hash  function  has  to  be  randomized. 
If  the  hashes  are  pseudo-random,  they  reveal  little  informa¬ 
tion  about  the  input,  which  is  the  hiding  property  we  desire. 
In  particular,  the  celebrated  left-over-hash  lemma  [7]  (LHL 
for  short,  omitted  here  for  space)  states  that  the  output 
of  a  uniformly  picked  universal  hash  function  h  is  pseudo¬ 
random  (even  if  h  is  made  public)  as  long  as  the  input  has 
enough  (min-)entropy.  As  a  consequence,  all  we  need  to  do 
is  introduce  entropy  to  the  input  of  the  auxiliary  circuit. 
We  suggest  that  objective  function  f(x,  y )  eA  (/i,  ff)  is  con¬ 
verted  to  g(x\\r,y)  i-A  (/i,  h(x\\r)\\f2),  where  r  is  a  proper 
randomness  picked  by  Gen  at  the  beginning  and  h  is  a  uni¬ 
versal  hash  function  uniformly  picked  after  Gen  commits  to 
her  new  input  x\\r. 

We  argue  that  the  introduction  of  random  input  r  does 
provide  the  hiding  property  even  when  h  is  public.  Indeed, 
given  h(x\\r)  and  h,  as  long  as  r  is  long  enough  (has  enough 
entropy),  for  any  x' ,  there  must  exist  r'  such  that  h(x\\r)  = 
h(x'\\r').  This  shows  that  fixing  h{x\\r)  does  not  rule  out 
any  possibilities  of  x. 

Efficient  Instantiation. 

We  suggest  the  use  of  the  matrix  universal  hash  family 

Mk,m  =  {hM |  Lm(x )  =  M  ■  x  for  some  M  G  {0,  l}fcXm}, 

for  some  m  G  N.  A  nice  property  of  this  hash  family  is  that 
it  is  ©-homomorphic,  that  is,  for  any  x,y  G  {0,  l}m  and 
hM  G  Mk,m,  it  holds  that  hM{x®y)  =  hM(x)®hM(y).  This 
homomorphism  allows  a  very  efficient  instantiation  of  the 
protocol  outline  presented  in  Section  3.2.1  with  the  following 
twists: 

1.  Gen  commits  not  to  directly  but  to  x^’  ©  and 
7r^  instead,  where  tv^'1  is  uniformly  picked  from  {0,  l}m. 

2.  Gen  provides  not  a  garbled  circuit  that  lets  Eval  com¬ 
pute  h(x^')  obliviously  but  rather  h{ n^'1)  that  Gen  com¬ 
putes  locally. 

3.  Let  S  be  the  indices  of  the  evaluation  circuits. 

•For  j  G  [sj/S1,  Eval  checks  not  the  correctness  of  the 
j- th  garbled  circuit  but  the  correctness  of  h( tt^')  (by 
asking  Gen  to  decommit  to  7 first). 


•For  j  G  S,  Eval  learns  h(x'^)  not  via  evaluating  the 
j-th  garbled  circuit  but  via  asking  Gen  to  decommit  to 
yU)  —  XU)  07J-O)  ancj  then  computing  h{y^)®h(ix^). 

The  main  goal  of  the  above  twist  is  to  replace  the  garbled 
circuit  that  computes  h(x^)  with  h(n^'>)  that  is  locally 
computed  while  maintaining  the  main  structure  of  the  pro¬ 
tocol,  that  is,  letting  Gen  commit  to  her  inputs  before  h 
is  jointly  picked  and  letting  Eval  learn  the  hash  of  the  in¬ 
put  to  the  evaluation  circuits.  The  complete  protocol  of  our 
Gen’s  input  consistency  check  is  presented  in  Figure  2,  and 
its  security  is  stated  in  Lemma  3. 


Common  Input:  security  parameter  1 k ,  statistical  secu¬ 
rity  parameter  1 a ,  and  matrix  hash  function  family 
Affc  m  f°r  some  m  G  N. 

Private  Input:  Gen  has  private  inputs 

xf1) ;  x(2 3) ;  •  •  • ,  x(CT)  G  {0,  l}m,  and  Eval  has 
private  input  S  C  [tr], 

1.  Gen  randomly  picks  ttI1!,  7rl2l, ...,  7rlCT)  G  (0,  l}m. 

2.  For  all  j  G  [tr] ,  Gen  commits  to  y'D  =  X^  ©7tU3  and 
it  A)  by  sending  comfyAr))  and  com  (7 to  Eval. 

3.  Gen  and  Eval  jointly  pick  a  random  h  E  A4k  m- 

4.  Gen  sends  h(7r^),  h( tt^),  . . . ,  to  Eval. 

5.  Eval  receives  hf£\  h^\  . . . ,  and  asks  Gen  to 
open 

•  com  (71^  )  if  j  E  [s]  VS'.  Let  7 fit)  be  the  opened 
value.  Eval  checks  if  h  f }  =  /i(7rD); 

•  com(x'D)  if  j  G  S.  Let  x'(j)  be  the  opened 
value.  Eval  computes  h ^  =  h(x'(i))  0  h!f\ 

Eval  rejects  if  any  of  the  commitments  fail  to  open, 
any  of  the  checks  fails,  or  for  any  distinct  i,j  G  S , 
hff  A  b-'fi :  otherwise,  Eval  accepts. 


Figure  2:  A  proof  for  Gen’s  input  consistency 

Lemma  3  (Gen’s  Input  Consistency  Check).  Letk,o  g 
N  be  common  inputs.  Gen  has  input 

and  Eval  has  input  S  C  [tr].  If  \S\  =  c  ■  a  for  some 
1  >  c  >  0  and  Eval  accepts  the  proof  presented  in  Fig¬ 
ure  2,  the  probability  that  no  x ^  appears  more  than  |<S'|/2 
times  in  {x^LeS  at  most  2~°P+a\ 

Remark  3.2.  fc  in  Lemma  3  is  the  security  parameter  for 
the  commitment  scheme  used  in  the  protocol  presented  in 
Figure  2. 

Remark  3.3.  We  chose  to  let  Eval  have  a  total  control 
over  S,  the  set  of  circuits  to  evaluate.  This  saves  the  effort 
of  jointly  picking  S,  but  still  guarantees  that  whatever  S  that 
Eval  picks  will  not  compromise  Gen ’s  privacy.  Lemma  3 
holds  as  long  as  S  is  a  constant  fraction  of  [a] .  However, 
Eval  is  motivated  to  use  the  optimal  c  =  2/5  as  suggested 
by  shelat  and  Shen  [21]. 

Finally,  we  suggest  the  parameters  for  security  level  2~k . 

By  Definition  2,  Gen  cannot  find  a  collision  with  probability 
better  than  1/|B|.  So  |B|  needs  to  be  at  least  2k .  As  to  the 
size  of  random  input  r,  the  LHL  lemma  shows  that  if  the 
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min-entropy  of  x\\r  is  at  least  k  +  2k  =  3fc  and  the  output 
hash  is  fc-bits  long,  then  the  output  is  indistinguishable  from 
a  truly  random  fe-bit  string  with  probability  at  least  1  —  2~k . 
Since  we  make  no  assumptions  about  the  input  distribution 
of  a;,  a  simple  approach  is  to  uniformly  pick  r  such  that 
|r|  =  3 k.  We  can  do  better  by  exploiting  specific  properties 
of  Mk,m  and  reach  the  same  goal  with  |r|  =  2 k  +  lg(fc)  as 
shown  in  Lemma  4. 

Lemma  4.  Let  Xn  denote  {0,  l}n  for  some  n  £  N  and 
Mk,m  be  defined  as  above.  For  any  x  £  Xn  and  any  t  > 
2fc  +  lg(fc),  distributions  {(h,  h(x\\r))}  and  {(h,y)}  are  sta¬ 
tistically  indistinguishable  with  probability  at  least  1  —  2~k , 
where  h,r,  and  y  are  uniformly  chosen  from  Mk,n+t,  Xt, 
and  Xk,  respectively. 

Proof  omitted  for  space. 

3.3  Selective  Failure  Attack 

A  subtle  selective  failure  attack  possible  in  the  presence  of 
malicious  adversaries  has  been  pointed  out  by  Mohassel  and 
Franklin  [16]  and  independently  by  Kiraz  and  Schoenmak- 
ers  [10].  This  attack  occurs  when  a  malicious  Gen  assigns 
(7\o,  Ki)  to  an  Eval’s  input  wire  in  the  garbled  circuit  while 
using  (Kq,  K i  K i)  instead  in  the  corresponding  OT.  Con¬ 
sequently,  if  Eval’s  input  is  1,  she  learns  K*,  gets  stuck 
during  the  evaluation,  and  so  Gen  eventually  learns  that 
Eval’s  input  is  1. 

Lindell  and  Pinkas  [13]  suggested  that  Eval  picks  M  £ 
{0,  l}nxm  for  some  m  £  N  and  computes  her  new  input 
y  £  {0,  l}m  such  that  M  ■  y  =  y.  An  auxiliary  circuit  will 
later  convert  y  back  to  y  to  use  as  input  to  the  original 
circuit.  The  insight  is  that  selective  failures  allow  Gen  to 
probe  some  partial  information  of  y.  For  this  approach  to 
work,  the  security  property  needed  here  is  given  as  follows: 

Definition  5.  For  some  m,n,k  £  N,  M  £  {0, 1  }’lXm  is 
called  fc-probe-resistant  if  for  any  non-empty  L  C  [n],  the 
Hamming  distance  o/®;gi  Mi  is  at  least  k,  where  Mi  is  the 
i-th  row  of  M . 

As  long  as  M  is  fc-probe-resistant,  a  malicious  Gen  will  have 
to  successfully  probe  k  bits  of  y  in  order  to  gain  any  partial 
information  of  y,  the  probability  of  which  is  negligible.  [13] 
shows  that  when  M  is  uniformly  chosen  from  {0,  l}”xm 
where  m  =  max(4n,  8fc),  the  probability  that  M  fails  to  be 
fc-probe-resistant  will  be  negligible.  We  stress  that  matrix  M 
can  even  be  made  public  so  that  the  auxiliary  circuit  could 
consist  of  only  XOR-gates,  which  requires  no  communication 
overhead  and  can  be  computed  efficiently  when  combining 
with  the  free-XOR  trick  [11].  In  short,  not  only  does  this 
approach  elegantly  reduce  the  selective  failure  attack  prob¬ 
lem  to  the  classic  error  correcting  code  construction,  it  also 
has  the  potential  to  incur  only  little  overhead. 

Our  idea  to  construct  a  fc-probe-resistant  matrix  is  to  use 
a  maximum  distance  separable  code  such  as  Reed-Solomon 
codes.”  We  will  work  on  the  Reed-Solomon  code  over  F 2t 
for  some  t  £  N  with  codeword  size  N  and  message  size  K. 

2We  acknowledge  that  this  direction  has  indeed  been  men¬ 
tioned  in  the  original  work  by  Lindell  and  Pinkas:  “an  ex¬ 
plicit  construction  can  be  achieved  using  any  explicit  lin¬ 
ear  code.  [13]”  However,  we  believe  an  explicit  solution  that 
enjoys  the  optimal  performance — optimal  asymptotic  com¬ 
plexity  with  a  constant  factor  of  one — is  worth-reporting. 


By  optimizing  parameters,  we  prove  the  following  in  the 
full  version  of  this  paper: 

Lemma  6.  Suppose  K  >  (\g(n)+n+k)/t.  Let  Pi,  P2,  ■  ■  . ,  Pn 
be  distinct,  non-zero  polynomials  with  degree  at  least  K  —  1 
uniformly  picked  from  F2t  \x\ .  The  probability  that  there  exist 
some  i  £  [n]  and  some  L  C  [n]\{i}  such  that  Pi  =  Pj 

is  at  most  2~k . 

Finally,  we  describe  and  implement  an  algorithm  to  find 
a  fc-probe-resistant  M  with  high  probability  and  prove  the 
correctness  of  this  algorithm  as  follows: 

Theorem  7.  With  probability  at  least  1  —  2~k ,  the  al¬ 
gorithm  presented  in  Figure  5  outputs  a  k-probe-resistant 
M  £  {0,  l}™xm  such  that  m  £  N  and  m  <  lg(n)  +  n  +  k  + 
k  •  max(lg(4n), lg(4fc)). 

Proof  omitted. 

4.  THE  MAIN  PROTOCOL 

Our  presentation  uses  the  permuted  garbled  truth  table 
technique  [15]  (also  known  as  the  point- and-permute  tech¬ 
nique  in  literature).  Briefly,  this  technique  suggests  to  as¬ 
sign  each  wire  Wi  an  extra  random  permutation  bit  7r,.  The 
circuit  garbling  and  evaluating  is  then  slightly  modified:  for 
Gen,  each  garbled  truth  table  is  constructed  in  the  way  that 
its  entries  are  permuted  according  to  its  input  wires’  permu¬ 
tation  bits;  and  for  Eval,  each  random  key  now  comes  with 
a  locator  that  helps  Eval  identify  the  right  entry  in  the 
garbled  truth  table  while  evaluating  it. 

For  each  wire,  Eval  learns  exactly  one  key-locator  pair 
out  of  the  two  assigned  to  that  wire  from  the  circuit  evalua¬ 
tion,  and  the  learned  locator  is  in  fact  the  evaluation  result 
of  that  wire  one-time  padded  with  the  permutation  bit.  This 
property  ensures  that  Eval  is  oblivious  to  the  intermediate 
result  of  the  circuit  evaluation  and  allows  Eval  to  learn  the 
output  by  revealing  the  permutation  bits  assigned  to  circuit- 
output  wires. 

Common  Input:  security  parameter  1  ,  statistical  secu¬ 
rity  parameter  1CT,  symmetric  cipher  (enc,  dec)  with  se¬ 
mantic  security,  (perfectly-hiding)  commitment  scheme 
com,  and  objective  function  /  :  (x,y)  eA  (fa,  fa). 

Private  Input:  Gen  has  input  x  and  Eval  has  input  y. 

Private  Output:  Gen  receives  /1  and  Eval  receives  fa. 

1.  (New  Inputs)  Gen  uniformly  picks  e  £  {0, 1}^  (as 
the  one-time  pad  for  fa)  and  r  £  {0,  i)2k+1s(k)  (as  her 
random  input  for  computing  the  universal  hash) .  Eval 
samples  a  fc-probe-resistant  matrix  M  and  computes  y 
such  that  M  ■  y  =  y.  From  now  on,  Gen’s  input  refers 
to  x  =  x||e||r  =  x\X2  ■  ■  .  a:mi  and  Eval’s  input  refers 
to  y  =  j/ij/2  •  •  •  ym2-  Let  Xi  and  yi  denote  the  i-th  bit 
of  x  and  y,  respectively. 

Remark  4.1.  By  definition,  k-probe-resistant  ma¬ 
trix  M  has  to  have  full  (row)  rank.  So  for  any  y,  there 
must  exist  some  y  such  that  M  ■  y  =  y.  Moreover, 
given  y  and  M,  y  can  be  efficiently  computed  by  Gaus¬ 
sian  elimination. 

2.  (Pick  the  randomness)  For  all  j  £  [cr],  Gen  picks 
randomness  pU'  for  the  j- th  garbled  circuit. 
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Remark  4.2.  Randomness  p(j  can  be  considered  as 
either  a  pool  of  truly  random  bits  or  a  truly  random 
seed  to  a  pseudo-random  number  generator.  It  has  in¬ 
ternal  states  that  keep  track  of  used  and  fresh  random 
bits,  and  it  always  returns  fresh  random  bits  when  it  is 
used.  We  stress  that  when  later  requested,  Gen  needs 
to  reveal  pU)  ’s  initial  state  so  that  Eval  will  be  able  to 
regenerate  the  random  bits  that  Gen  used  to  construct 
the  j-th  garbled  circuit. 


3.  (Fix  Gen’s  input)  For  all  j  G  [a]  and  i  G  [mi],  Gen 
uses  to  compute  (K^q,K^, ir^)  G  {0,  l}2k+1 . 
Let  denote  the  key-locator  pair  (K^ ,  b  ©  n^). 

is  called  the  label  corresponding  to  wire  Wi  of 
value  b  in  the  j-th  garbled  circuit  hereafter.  Gen  com¬ 
mits  to  her  input  by  sending  {r^}.jerCT]  to  Eval,  where 
pO)  —  (com Moreover,  Gen  uses 
pU)  to  commit  to  both  labels  assigned  to  {uh}igrmi] 
by  sending  {0^},je[(r]  to  Eval,  where 


QU)  =  {com(IF(j)  ( ., ;  flf0),  com (Wu)  u) ;  6\j))} 


i,  0©7T 


Remark  4.3.  It  is  crucial  that  commitments 
cannot  use  the  randomness  from  p^l  like  commitments 
0^'  do.  If  they  do,  Eval  will  learn  Gen’s  inputs  to 
all  check  circuits. 


4.  (Determine  the  objective  circuit)  Eval  first  re¬ 

veals  M,  and  then  both  parties  jointly  run  a  coin  flip¬ 
ping  protocol  to  uniformly  pick  H  G  {0,  .  Both 

parties  now  have  determined  the  objective  circuit  C 
that  computes  g  :  (x,y)  n-  ( .].,  (c.  gj)).  where  x  = 
x\\e\\r,  y  =  M  ■  y,  gx  m,  fi{x,y),  c  =  gi  ®  e,  and 
ff2  =  f2(x,y). 

5.  (Commit  to  input/output  label  pairs)  Let  {wi}ieimi] 
be  the  wires  corresponding  to  Gen’s  input,  {wmi+;}ie[m2 ] 
be  those  corresponding  to  Eval’s  input,  and  {wijigOi 

be  those  corresponding  to  the  first  part  of  Eval’s  out¬ 
put  (output  c  in  particular).  Gen  uses  randomness 
pU)  to 


Moreover,  the  commitment  pairs  corresponding  to  Gen ’s 
input  wires  need  to  be  randomly  swapped  so  that  each 
label’s  semantics  is  independent  of  its  location.  In 
other  words,  the  location  of  a  successfully  decommit¬ 
ted  label  will  not  disclose  Gen’s  input  to  Eval.  This 
random  swap  is  done  by  reusing  the  permutation  bit 
-k\^  that  is  assigned  to  each  wire  and  used  to  permute 
entries  in  garbled  truth  tables.  In  contrast,  the  commit¬ 
ment  pairs  corresponding  to  Eval ’s  input  wires,  need 
to  follow  a  known  order  so  that  Eval  can  know  the 
semantics  of  her  input  labels  and  can  verify  that  the 
successfully  decommitted  labels  actually  match  her  in¬ 
put.  As  a  result,  the  commitment  pairs  in  are 
randomly  swapped  so  that  the  commitment  to  b-label 
of  the  i-th  wire  is  the  (2  •  i  +  6©  it\^)-th  entry,  whereas 
in  the  commitment  to  b-label  of  the  i-th  wire  is 
the  (2  ■  i  +  b)-th. 

The  order  of  commitments  in  simply  follows  Gen ’s 
output  authenticity  proof  presented  in  Figure  1 . 

6.  Both  parties  jointly  execute  (m2  +  a)  instances  of  (J)- 
OTs.  In  particular, 


(a)  (Eval’s  Input  OTs)  For  each  i  G  [m2],  both 
parties  run  a  Q-OT  in  which  Gen’s  input  equals 


(« 


and  Eval’s  input  equals  yt.  Let  Y^'  denote  the 
set  of  decommitments  Eval  received  for  the  j-th 
garbled  circuit,  that  is,  Yu)  =  uj\j))}ie[rn2]. 

(b)  (Circuit  OTs)  Eval  randomly  picks  S  C  [cr] 
such  that  |S|  =  2cr/5.  Let  s  G  {0,  l}a  such  that 
Sj  =  1  if  j  G  S;  or  Sj  =  0  otherwise.  If  Sj  =  0, 

Eval  will  learn  the  randomness  and  check  the 
j-th  circuit;  otherwise,  Eval  will  retrieve  Gen’s 
input  labels  and  evaluate  the  j-th  circuit.  More 
specifically,  for  each  j  G  [a],  both  parties  run 
a  (3)-OT  in  which  Eval’s  input  equals  Sj  and 
Gen’s  input  equals  (p^\  (Ap\  X^\  hij))),  where 


X[j)  =  7®)}> 


e[rai],.Y«={(lLL, 


rU) 


6  [mi 


and  hn'1  =  H  ■  (7r^||7r. 


O')  I 
2 


.0) 


{)■ 


(a)  compute  (A|Jq  ,  K^,  G  (0, 1}2,S+1  for  all  wires 
but  those  corresponding  to  Gen’s  input'5  and 

(b)  commit  to  the  label  pairs  assigned  to  {R’i}i6[m2]uOi 
by  sending  {fi^,  $^}jg[CT]  to  Eval,  where 

Q(j)  =  {com(W^l)+i0;4J)),com(W^1)+i;1;a;^))}i6[m2], 
$U)  =  {com(W/i(-70)),com(VK1(:i))}ieOi- 

Remark  4.4.  Gen  commits  to  the  label  pairs  as¬ 
signed  to  Gen’s  input  wires  (in  Step  3)  and  Eval’s 
input  wires  so  that  when  Eval  later  receives  proper 
decommitments,  she  will  know  that  the  decommitted 
labels  are  valid.  Gen  also  commits  to  the  label  pairs  as¬ 
signed  to  Gen ’s  output  wires,  and  these  commitments 
are  for  Gen ’s  output  authenticity  proof. 

3  The  random  keys  assigned  to  the  wires  corresponding  to 
Gen’s  input  were  already  computed  in  Step  3. 


Either  party  aborts  if  any  (2)-OT  fails. 

Remark  4.5.  The  above  (f)-OTs  could  run  in  par¬ 
allel  if  they  provide  security  for  parallel  execution. 

Remark  4.6.  We  chose  to  let  Eval  have  a  total 
control  over  S,  the  set  of  circuits  to  evaluate.  On  one 
hand,  both  parties  save  the  efforts  to  jointly  pick  S.  On 
the  other  hand,  our  solution  has  the  property  that  what¬ 
ever  S  that  Eval  picks  will  not  compromise  Gen ’s 
privacy. 

Remark  4.7.  Decommitments  x[^  are  for  Eval 
to  retrieve  Gen’s  input  labels  from  commitments 
which  Eval  received  in  Step  3;  decommitments 
are  for  Eval  to  retrieve  Gen ’s  input  labels  from  com¬ 
mitments  Q^\  which  Eval  received  in  Step  3;  and 
decommitments  Y ^  are  for  Eval  to  retrieve  Eval  ’s 
input  labels  from  commitments  which  Eval  re¬ 

ceived  in  Step  5b. 
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7.  (Circuit  Garbling)  For  each  gate  g  :  {0, 1}  x  {0, 1}  i — ► 
{0, 1}  with  input  wires  wa  and  Wb  and  output  wire  wc, 
Gen  computes  its  garbled  truth  table 

G(g)U)  K(^V£©>,<^©,1©^©>, 

(1  ©  TT*©^©),  (1  ©  *a\  1  © 
where  (&i,fe2)  =  encK0)  (enc^y,  (W^(biM)). 

a,i>  i  b,b  2 

Remark  4.8.  Note  that  once  (R'|©  ,  A'|© ,  7r©)  are 
chosen  for  every  wire  Wi,  no  more  randomness  is  needed 
for  generating  the  j-th  garbled  circuit.  So  p ©  is  not 
used  here. 

8.  (Circuit  Checking)  Let  {wi}i^o  be  the  circuit-output 
wires.  Gen  then  sends  {G(G)(©}.,g[CT]  to  Eval,  where 

G(C)«*  ({G(S)W}96C,KW}.eo). 

•  (Check  Circuits)  For  each  j  £  [(t]\>S',  Eval 
checks: 

(a)  if  p *©  received  in  Step  6b  can  regenerate  com¬ 
mitments  {  ©  ©  ^ ,  r2  ©© ,  <J>  G ) }  received  in  Step  5b 
and  reconstruct  garbled  circuit  G(C)©? 

(b)  if  hi ©  indeed  equals  H ■  (7r{©  1 1 7roJ ^  1 1  ■  ■  •  |  |7r© )? 

•  (Evaluation  Circuits)  For  each  j  £  S,  Eval 
checks: 

(a)  if  x\'!>  and  X©  both  received  in  Step  6b  suc¬ 
cessfully  opens  r©  and  half  of  0*©  both  re¬ 
ceived  in  Step  3,  respectively?  and  if  the  de¬ 
committed  labels  match?  In  particular, 

i.  if  the  i-th  entry  of  X©  successfully  opens 
the  i-th  entry  of  r©? 

ii.  if  the  j-th  entry  of  X©  successfully  opens 
the  (2  •  j  +  Xi  ©  7r©)-th  entry  of  0©? 

iii.  if  the  i-th  decommitted  labels  from  the 
above  two  steps  coincide? 

(b)  if  Y©  received  in  Step  6a  successfully  opens 
half  of  the  commitments  in  fi©?  In  particu¬ 
lar,  if  the  i-th  entry  of  Y©  successfully  opens 
the  (2  •  i  +  i/i)-th  entry  of  A©? 

Eval  aborts  immediately  as  long  as  a  failure  occurs. 

Remark  4.9.  For  evaluation  circuits,  the  fact  that 
decommitments  X©  (resp.  Y© )  successfully  open  0© 
(resp.  A©)  shows  that  the  decommitted  labels  corre¬ 
sponding  to  Gen’s  (resp.  Eval’s)  input  to  the  j-the 
garbled  circuit  are  valid.  Furthermore ,  the  fact  that  the 
decommitted  labels  from  F©  coincide  with  those  from 
0©  shows  that  Gen  indeed  commits  to  her  inputs  be¬ 
fore  H  is  chosen,  which  is  the  necessary  condition  for 
our  2-universal  hash  idea  to  work. 

9.  (Circuit  Evaluating)  Eval  has  now  obtained  gar¬ 
bled  circuit  G(G)©  and  (mi  ©m2)  labels  correspond¬ 
ing  to  the  circuit-input  wires  of  G.  Eval  then  evalu¬ 
ates  the  circuit: 


(a)  For  each  gate  g  with  retrieved  input  labels  wi©  = 
(X©,  <5£©)  and  W©  =  (X©,  5(bj)),  Eval  picks  the  (2- 
5©  +<5^)-th  entry  E  in  G(g )©  and  computes  output 
label  Wi©  =  (xi©,<5£©)  =  dec^y) (dec^yj (E)). 

(b)  For  each  circuit-output  wire  Wi  with  correspond¬ 
ing  label  W ©  =  (X©,^©),  Eval  computes  the  wire 
value  6©  =  6©  ©  7r©. 

Eval  interprets  {&©}  as  (c©,p©).  Let  Z©  denote 
the  labels  that  came  with  c©. 

10.  (Gen’s  Input  Consistency  Check)  Let  {u>i}ig[mi] 
be  the  wires  corresponding  to  Gen’s  input  and  W-  = 
(<£©,  X©)  be  the  decommitted  label  corresponding  to 
Wi  in  the  j-th  garbled  circuit.  Eval  computes  the  hash 
of  Gen’s  input 

=h^®H-(8[j)\\5ij)\\---\\5iil). 

Eval  verifies  Gen’s  input  consistency  by  checking  if 
for  any  i,  j  £  S,  /i©  =  hi?  .  Eval  aborts  if  any  of  the 
checks  fails. 

Remark  4.10.  The  proof  for  Gen’s  input  consis¬ 
tency  presented  in  Figure  2  is  in  fact  embedded  in  our 
main  protocol.  In  particular,  Step  3,  Step  4,  Step  6b, 
Step  8,  and  this  step  constitute  that  proof.  It  is  worth- 
mentioning  that  r(©  and  0©  here  are  equivalent  to 
the  commitments  to  x©  ©  7r©  and  ^ r©,  respectively, 
in  the  protocol  presented  in  Figure  2. 

11.  (Majority  Operation)  Let  (c,  <?2)  be  the  most  com¬ 
mon  tuple  in  II  =  {(c©,  <72©)};jes-  Eval  aborts  if 
(c,  g2)  is  not  the  majority  in  II,  that  is,  (c,  gr2)  does 
not  appear  more  than  ^  =  f  times  in  II;  otherwise, 
Eval  outputs  <?2. 

12.  (Gen’s  Output  Authenticity  Proof)  The  two  par¬ 
ties  conduct  the  protocol  presented  in  Figure  1.  In  par¬ 
ticular,  the  common  inputs  include  security  parameter 
lfe,  statistical  security  parameter  1© ,  commitments  to 
label  pairs  assigned  to  Gen’s  output  wires  {^©jygs, 
and  Gen’s  alleged  output  c.  Also,  Gen’s  input  equals 
{W^o,  W©  jigoyeS  and  Eval’s  input  equals  X©  for 
some  j  £  S  such  that  c!'3 '  =  c.  If  the  proof  fails,  Gen 
aborts;  otherwise,  Gen  outputs  c  ©  e. 

Remark  4.11.  Due  to  the  well-known  selective  decom¬ 
mitment  attack,  the  commitment  scheme  needs  to  be  perfectly- 
hiding  so  that  the  unopened  commitments  remain  hiding  [5]. 

Theorem  8.  Assume  that  the  (ff)-OT  protocol  is  secure 
in  the  presence  of  malicious  adversaries,  and  there  exist 
a  perfectly-hidng  commitment  scheme,  a  family  of  pseudo¬ 
random  functions,  the  main  protocol  (Gen,  Eval)  presented 
above  securely  computes  f  :  (x,  y )  (jj,  /2)  in  the  presence 
of  malicious  adversaries. 

The  proof  sketch  is  provided  in  Appendix  B. 
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5.  REDUCING  COMMUNICATION  COST 

In  this  section,  we  provide  an  effective  technique  that  re¬ 
duces  the  communication  overhead  of  the  cut-and-choose- 
based  protocol  by  up  to  60%.  We  stress  that  this  is  not  the 
first  technique  that  enjoys  such  an  improvement  [4, 12] ,  but 
this  is  the  first  one  that  is  compatible  with  the  pipeline  tech¬ 
nique  that  vastly  increases  the  scalability  of  secure  two-party 
computation  [6]. 

Our  trick  starts  from  the  idea  of  random  seed  checking  [12]. 
This  idea  suggests  that  Gen  sends  not  the  whole  check  cir¬ 
cuit  but  its  hash  to  Eval.  Since  Eval  will  learn  each  check 
circuit’s  randomness,  she  can  regenerate  the  circuit  and  ver¬ 
ify  its  correctness  by  comparing  its  hash  with  the  one  re¬ 
ceived  from  Gen.  As  a  consequence,  only  a  fixed  amount  of 
data  needs  to  be  exchanged  for  a  check  circuit  regardless  of 
the  circuit  size. 

Another  useful  technique  is  the  pipeline  technique.  This 
technique  suggests  that  circuit  garbling  and  evaluating  is 
done  in  a  pipeline  manner.  The  garbled  circuits  are  sent  in 
batches  of  gates.  The  i-th  batch  consists  the  i-th  garbled 
gate  from  all  circuits.  Gen  sends  out  the  current  batch 
immediately  after  it  is  generated.  While  Eval  is  working 
with  the  current  batch,  Gen  could  start  generating  the  next. 
The  advantages  include  that  the  idle  time  is  greatly  reduce 
and  that  minimal  memory  is  needed  (since  at  any  moment, 
only  a  batch  of  gates  reside  in  memory). 

Our  technique  nicely  combines  the  advantages  of  the  above 
two  techniques,  that  is,  each  check  circuit  incurs  only  a  small 
amount  of  communication  overhead,  while  at  the  same  time, 
circuit  garbling  and  evaluating  can  be  pipelined.  The  chal¬ 
lenge  is  that  the  random  seed  checking  technique  requires 
Gen  to  handle  a  check  circuit  and  an  evaluation  circuit  dif¬ 
ferently,  while  at  the  same  time,  she  does  not  get  to  know  if 
a  circuit  is  checked  or  evaluated.  The  problem  can  thus  be 
formulated  as  follows: 

Gen  wants  to  send  a  numbers  ,  g ^ , . . . ,  } 

to  Eval,  while  Eval  actually  knows  g  of  them. 

How  do  they  reduce  the  communication  overhead 
while  Gen  remains  oblivious  to  which  numbers 
Eval  knows? 

An  interesting  trick  is  that  they  could  treat  {p^}  as  co¬ 
efficients  of  a  polynomial,  that  is,  P(x)  =  p(1)  +  g^x  + 
•  •  •  g<'rT^xa~1.  Although  Gen  does  not  know  which  g  num¬ 
bers  out  of  {pi-7-1}  that  Eval  knows,  she  does  know  that  Eval 
only  needs  (a—g)  points  to  fully  recover  the  polynomial.  We 
therefore  suggest  that  Gen  sends  -P(l),  P( 2), . . . ,  P(a  —  g) 
to  Eval.  With  the  g  coefficients  she  already  knew  and  the 
(a  —  g)  points  from  Gen,  Eval  can  efficiently  recover  all 
{g^P}  with  simple  polynomial  interpolation. 

Since  our  protocol  suggests  60%-40%  check  circuit  and 
evaluation  circuit  ratio,  with  a  slight  increase  of  the  compu¬ 
tation  overhead  due  to  the  polynomial  interpolations,  this 
trick  reduces  the  communication  overhead  by  60%,  and  more 
importantly,  this  trick  is  compatible  with  the  pipeline  tech¬ 
nique. 


6.  EXPERIMENTAU  RESULTS 

In  this  section,  we  report  empirical  evidence  of  our  per¬ 
formance  advantages  over  prior  work.  We  implemented  our 
work  on  top  of  the  open-source  project-  KSS  [12].  We  ran 
our  experiments  on  the  grid  Stampede  hosted  in  Texas  Ad¬ 


vanced  Computing  Center.  Each  instance  of  the  experiments 
invokes  32  computing  nodes;  each  node  has  32GB  memory 
and  two  2  Intel  Xeon  E5-2680  2.7G  processors;  and  each 
processor  has  8  cores. 

Performance  of  our  Proposed  Technique:. 

We  show  the  performance  of  our  Gen’s  input  consistency 
check  and  fc-probe-resistant  matrix  generating  algorithm  com¬ 
pared  with  the  prior  state-of-the-art  in  Figure  3. 

We  first  compare  the  performance  of  the  KSS  system  with 
that  of  the  KSS  system  integrated  with  our  Gen’s  input  con¬ 
sistency  check.  This  experiment  is  conducted  by  using  both 
systems  to  evaluate  circuits  of  various  input  sizes.  These 
circuits  compute  2n  blocks  of  AES128  encryption,  where 
n  =  1,  2, . . . ,  10  in  which  Gen  provides  inputs  for  2n  blocks 
of  AES128  (and  thus  has  a  2n+'-bit  input),  Eval  provides 
a  128-bit  encryption  key,  and  Eval  receives  the  2n+7-bit 
ciphertext.  Figure  3a  shows  that  when  the  input  size  in¬ 
creases  only  to  a  moderate  level  (217),  the  performance  gap 
due  to  Gen’s  input  consistency  check  has  almost  dominated 
the  whole  protocol  execution.  Specifically,  the  wall-clock 
running  of  the  improved  protocol  is  48.8  seconds  versus  92.1 
seconds  for  KSS  (which  was  the  fastest  published  protocol 
whose  results  we  could  replicate  on  our  setup). 

Next,  we  show  in  Figure  3b  that  as  Gen’s  input  size  in¬ 
creases,  the  ratio  between  the  width  and  height  of  the  k- 
probe-resistant  matrices  generated  by  our  algorithm  indeed 
approximates  1,  while  the  ratio  of  those  generated  by  Lindell 
and  Pinkas’s  approach  remains  constant  4.  This  compari¬ 
son  suggests  that  for  a  circuit  that  has  OTs  as  the  dominant 
component,  the  overall  protocol  execution  time  could  be  re¬ 
duced  to  25%  simply  by  replacing  the  fc-probe-resistant  ma¬ 
trix  generated  by  the  original  work  with  the  one  generated 
by  our  algorithm. 


(a) 


(b) 


Figure  3:  Performance  comparison  with  prior  works 


Performance  of  the  Main  Protocol:. 

We  show  in  Figure  4  the  overall  execution  time  of  our 
system  securely  evaluating  circuits  EDT-40954 * *,  RSA-256  ’, 
and  1024-AES128.  Overall,  our  system  is  able  to  handle 
650,  000+  (or  ~  200,  000  non-XOR)  gates  per  second.  We 
also  observe  that  for  all  three  circuits  that  we  evaluated, 
more  than  60%  of  the  execution  time  is  spent  on  commu¬ 
nicating  the  huge  amount  of  data,  the  garbled  circuits.  If 
we  consider  only  the  circuit  garbling,  the  rate  that  our  sys¬ 
tem  actually  achieves  could  be  as  high  as  1,600,000+  (or 
500,000+  non-XOR)  gates  per  second,  with  the  help  of  var- 

4This  circuit  computes  the  edit  distance  of  two  4,095-bit 

inputs. 

‘’This  circuit  computes  a  256-bit  modular  exponentiation. 
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Gen 

Eval 

Comm 

(sec) 

(sec) 

(MB) 

OT 

comp 

0.4±0.09% 

- 

6 

comm 

0.1± 

1% 

0.3±0.6% 

cut-& 

comp 

- 

- 

9 

chk 

comm 

- 

- 

Inp. 

comp 

0.8± 

1% 

0.3±0.2% 

2,008 

Chk 

comm 

0.3± 

1% 

0.9±  1% 

Evl. 

comp 

comm 

11. 4± 
9.2± 

0.6% 

1% 

28.0±0.4% 

30.3±0.8% 

72,271 

Total 

comp 

comm 

12. 6± 
9.6± 

0.3% 

1% 

28.0±0.2% 

31.5±0.4% 

74,294 

Table  3:  The  95%  two-sided  confidence  intervals  of  the  com¬ 
putation  andcommunication  time  for  each  stage  in  the  1024- 
AES128  experiment  (x,y)  (_L,  1024-AES128y(a;)). 


ious  optimization  techniques,  including  SSE2  and  AESNI 
instruction  sets,  and  the  free-XOR  technique. 


circuit 

gates 

(non-XOR) 

time  (sec) 

comm. 

EDT-4095 

5.9B 

(2.4B) 

9,042 

18  TB 

RSA-256 

0.93B 

(0.33B) 

1,437 

3  TB 

1024-AES128 

32M 

(9.3M) 

49 

74  GB 

Figure  4:  The  performance  of  our  main  protocol  with  k  =  80  and 
a  =  256.  All  numbers  in  “time”  column  come  from  an  average  of 
30  data  points  and  have  the  95%  confidence  interval  <  1%. 

It  is  also  worth-mentioning  that  our  system  has  not  reached 
its  full  potential  yet.  The  communication  overhead  is  ex¬ 
pected  to  drop  to  40%  of  the  reported  once  the  technique 
presented  in  Section  5  is  integrated.  An  interesting  future 
task  is  to  explore  the  computational  price  paid,  due  to  the 
polynomial  interpolation,  for  those  60%  savings. 
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APPENDIX 

A.  ALGORITHMS  AND  PROTOCOLS 


Input:  Eval’s  input  size  n  and  a  security  parameter  lk 
Output:  A  k-  probe-resist  ant  M  E  {0,  l}nXm  for  some  m  E 
N 

1  begin 

2  t  <—  |"max(lg(4n),  lg(4fc))l 

3  while  2t— 1  >  k  +  (lg(n)  +  n  +  k)/{t  —  1)  do 

4  |  t  <—  t  —  1; 

5  end 

6  K  E-  |"(lg(n)  +  n  +  k)/t\- 

7  TV  E-  K  +  k  —  1; 

8  for  i  4 —  1  to  n  do 

9  Pick  P{x)  =  aix% ■>  where  a i  E-  r  F2t; 

10  Mi^[P(l)2\\P{^2\\...\\P(N)2} 

]  i  end 

]  2  return  M;  //  M  E  {0,  l}nXm,  where  m  =  Nt 
]  3  end 

Remark  A.l.  Line  2-5  is  to  find  the  minimum  t  such 
that  2l  >  k  +  (lg(n)  +  n  +  k)/t,  and  P(i) 2  denotes  a  t  x  1 
row  vector  over  {0, 1}. 


Figure  5:  A  probabilistic  algorithm  to  generate  a  fc-probe- 
resistant  matrix  M  E  {0,  l}nXm  for  some  m  E  N. 
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committing  to  the  corresponding  labels.  The  commitments 
are  denoted  by  -6rCTi.  In  the  step  of  OTs,  S2  invokes 

OT’s  simulator  S^  (whose  existence  is  guaranteed  by  OT’s 
security)  to  extract  P/’s  input  to  OTs,  that  is,  her  private 
input  y'  to  Eval’s  input  OTs  and  the  choice  string  s'  to  the 
circuit  OTs.  Recall  that  s'  determines  the  check  circuits  and 
evaluation  circuits.  Next,  S2  externally  invokes  the  trusted 
third  party  with  input  y'  =  M  ■  y'  and  gets  f2(x,y')  in 
return.  Note  that  M  is  the  fc-probe-resistant  matrix  received 
from  P/  before  OTs.  After  this,  if  s'j  =  0,  the  j-th  garbled 
circuit  is  a  check  circuit  and  needs  to  be  honestly  constructed 
according  to  objective  circuit  C;  otherwise,  the  j- th  garbled 
circuit  is  an  evaluation  circuit  and  is  constructed  in  a  way 
that  it  always  outputs  (h' ,c' ,  f2(x,y')),  where  h’  and  d  are 
randomly  picked  by  5,2-  From  now  on,  S2  follows  the  Main 
protocol  faithfully.  Finally,  if  S2  accepts  in  the  step  of  Gen’s 
Output  Authenticity  Proof,  it  sends  1  to  the  external  oracle 
so  that  Si  gets  fi(x,  y');  otherwise,  S2  sends  0  to  the  external 
oracle  so  that  Si  gets  X. 

Here  we  argue  at  a  high  level  that  P/  cannot  distinguish 
S2  using  fake  input  x!  in  the  ideal  model  versus  Pi  using 
real  input  x  in  the  real  model. 

For  check  circuits,  the  only  difference  between  S2  in  the 
ideal  model  and  Pi  in  the  real  model  is  the  committed 
message  in  T®.  Note  that  this  commitment  is  never 
opened  for  check  circuits.  Therefore,  if  Pi  is  able  to 
distinguish  S2  committing  to  fake  input  x!  from  Pi 
committing  to  real  input  x  in  any  check  circuit,  P* 
is  able  to  break  the  hiding  property  of  the  commitment 
scheme. 

For  evaluation  circuits,  the  information  Pi  learned  re¬ 
lated  the  other  party’s  input  is  the  location  of  the  de¬ 
committed  labels  within  each  pair  of  commitments  and 
the  evaluation  output: 


B.  MAIN  THEOREM  PROOF  SKETCH 
B.l  Malicious  Generator  p/ 

Si  first  randomly  picks  a  fc-probe-resistant  M  and  a  fake 
input  y' .  Then  Si  finds  a  pre-image  y'  such  that  M  -y'  =  y' . 
This  y'  is  used  as  input  to  Eval’s  input  OTs.  The  OT’s 
receiver  security  ensures  that  P*  (as  the  OT  sender)  cannot 
distinguish  the  OT  receiver’s  input  being  y'  provided  by  Si 
in  the  ideal  model  from  being  y  provided  by  P2  in  the  real 
model. 

Next,  for  the  circuit  OTs,  Si  invokes  the  OT’s  simula¬ 
tor  (the  existence  of  which  is  guaranteed  by  OT’s  security) 
to  extract  both  inputs  from  P* ,  including  randomness  p1'1'1 , 
decommitments  (X^,  X^)  to  Gen’s  input  keys,  and  hash 
h\ P .  A  garbled  circuit  is  bad  if  the  retrieved  randomness 
cannot  be  used  to  regenerate  the  provided  commitments  and 
garbled  circuit.  Si  aborts  if  more  than  a/5  of  the  garbled 
circuits  are  bad.  This  step  is  indistinguishable  from  the  real 
model  due  to  the  cut-and-choose  technique.  In  particular,  if 
more  than  a/5  circuits  are  bad,  P2  in  the  real  model  would 
abort  with  high  probability  too  since  the  probability  that 
none  of  the  bad  circuits  is  checked  is  negligible. 

If  Si  does  not  abort,  it  learns  the  randomness  of  at  least 
4cr/5  good  garbled  circuits.  Note  that  after  P/  passes  the 
circuit  checking,  Si  also  learns  the  decommitments  X<J'1  of 
the  2a/ 5  evaluation  circuits.  In  other  words,  Si  learns  the 
randomness  of  at  least  a/5  evaluation  circuits,  which  are 
good  circuits  too.  The  binding  property  of  the  commitments 
ensures  that  Si  learns  the  private  inputs  that  P '/  provided 
to  those  good  evaluation  circuits.  Si  aborts  if  these  pri¬ 
vate  inputs  are  inconsistent.  This  step  is  indistinguishable 
from  the  real  model  due  to  Gen’s  input  consistency  check. 

In  particular,  the  input  consistency  check  ensures  that  the 
probability  of  good  evaluation  circuits  having  inconsistent 
inputs  is  negligible. 

Let  P/’s  private  input  extracted  from  above  be  x!  =  x'\ \r'\ \e! . 
Si  sends  x'  to  the  external  trusted  party  and  gets  fi(x',y) 
in  return,  where  y  =  M-y.  If  Si  in  the  ideal  model  (resp.  P2 
in  the  real  model)  has  come  to  this  far,  with  high  probabil¬ 
ity,  P*  must  have  provided  majority  good  evaluation  circuits 
with  valid  input  labels  corresponding  to  P/’s  input  x!  and 
SVs  input  y'  (resp.  Pi’s  input  y).  So  the  majority  of  P2’s 
evaluation  outputs  are  exactly  fi(x',y)  ©  e' .  This  implies 
that  P/  cannot  distinguish  Si  on  input  y'  but  providing 
fi(x',y)  ©  e!  (from  the  external  party)  versus  Pi  on  input 
y  and  provding  the  evaluation  output  fi{x',y)  ©  e! .  More¬ 
over,  the  fc-probe-resistant  matrix  also  helps  to  support  the 
indistinguishability  between  Si  on  protocol  input  y'  and  Pi 
on  protocol  input  y.  In  particular,  the  fc-probe-resistant  ma¬ 
trix  ensures  that  the  difference  between  the  probability  that 
Si  on  fake  input  y'  aborts  (due  to  selective  failure)  and  the 
probability  that  P2  on  real  input  y  aborts  is  negligible. 

Finally,  since  Si  knows  the  randomness  of  many  circuits,  it 
also  knows  the  random  keys  corresponding  to  P*  ’s  encrypted 
output  fi(x',  j/)©e\  Si  is  able  to  complete  the  Gen’s  output 
authenticity  proof  as  Pi  does. 

B.2  Malicious  Evaluator  P/ 

Simulator  S2  honestly  follows  the  main  protocol  all  the 
way  until  the  step  of  OTs  except  that  S2  picks  a  random 
x'  £  {0,  l}mi  at  the  beginning  and  uses  this  fake  input  as 
input.  In  particular,  S2  commits  to  fake  input  x'  in  Step  3  by 


1.  Recall  that  the  pairs  of  commitments  to  the  la¬ 
bels  assigned  to  Gen’s  input  wires  are  randomly 
swapped  by  permutation  bits  {7T^J') }ie[mi] e[cr] -  This 
random  swapping  implies  that  the  location  learned 

in  the  ideal  model  is  where  =  7r,iJ' Htt'^  ||  . . .  Htt'^ 

while  that  learned  in  the  real  model  is  x  ©  7r^, 
where  |  ||  . . .  71-^1 .  Since  and 

7r^  are  independently  chosen  from  the  uniform  dis¬ 
tribution,  the  location  information  is  statistically 
indistinguishable. 

2.  The  other  message  that  might  give  S2  away  is  the 
evaluation  output.  First,  we  claim  that  P/  always 
gets  consistent  output  among  different  garbled  cir¬ 
cuits.  Indeed,  in  the  real  model,  since  Pi  is  as¬ 
sumed  to  be  honest,  the  outputs  from  the  evalua¬ 
tion  circuits  are  identical,  and  similarly,  in  the  ideal 
model,  S2  also  generates  evaluation  circuits  that 
have  a  fixed  output.  So  it  remains  to  argue  that 
( h ,  c,  /2)  in  the  real  model  is  indistinguishable  from 
(h' ,c' ,f 2)  in  the  ideal  model.  Intuitively,  h  and  h' 
are  indistinguishable  due  to  the  hiding  property  of 
our  2-universal  hash  scheme,  c  and  c!  are  indistin¬ 
guishable  due  to  the  perfect  secrecy  of  the  one-time 
pad  encryption,  and  /2  and  /o  are  indistinguishable 
due  to  the  simulation  security  of  OTs. 
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Common  Input:  security  parameter  lk ,  symmetric  en¬ 
cryption  scheme  (enc,  dec)  with  semantic  security,  and 
boolean  circuit  C  that  computes  f(x,y). 

Private  Input:  Gen  has  private  input  x  =  x\X2’’’Xm1 
and  Eval  has  private  input  y  =  yiy2  •  •  •  2/m2>  where 
Xi  and  yi  denote  the  i-th  bit  of  x  and  y ,  respectively. 

Output:  Both  Gen  and  Eval  receive  f(x,y)  at  the  end. 

1.  (Circuit  Garbling)  Gen  garbles  C  as  follows: 

(a)  Gen  picks  fti)  E  {0,  l}2fc+1  at  random 

for  each  wire  Wi.  Let  Wi  b  denote  the  key-locator 
pair  ( Ki  &,6®  7 r^).  Wi  b  is  called  the  label  corre¬ 
sponding  to  wire  Wi  of  value  b  hereafter. 

(b)  For  each  gate  g  :  {0, 1}  X  {0, 1}  — >  {0, 1}  with 
input  wires  wa  and  Wb  and  output  wire  wc ,  Gen 
computes  its  garbled  truth  table 

G{g)  =((na,nb),  (7 ra,  1  ©  nb), 

(1  ©  7 Ta,TTb),  (1  ©  7Ta.  1  ©  7 Tb)), 

where  (61,62}  =  encKabl  (en cKbth2(Wc^g(blM))). 

Let  {wi}i£o  be  the  circuit-output  wires.  Gen  sends 
G(C)  =  ({G(g)}geC,Ui}ieo)  to  Eval. 

2.  (Input  Labels  Retrieving)  Let  {tUi}ie[mii  be 
the  wires  corresponding  to  Gen’s  input,  and  let 

be  those  corresponding  to  Eval’s  in¬ 
put. 

(a)  (Gen’s  Input  Labels)  Gen  sends  Eval  the  la¬ 
bels  corresponding  to  her  input  {Wi,Xi  }j^[mi]  • 

(b)  (Eval’s  Input  Labels)  For  each  i  E  [m2],  Gen 
and  Eval  execute  a  (^)-OT  in  which  Gen’s  in¬ 
put  equals  (Wrni-\-ijo,  Wmi+i  1)  and  Eval’s  input 
equals  y j. 

The  above  (^)-OTs  could  all  be  run  in  parallel. 

3.  (Circuit  Evaluating)  Eval  has  now  obtained  gar¬ 
bled  circuit  G(C)  and  (mi  +m2)  labels  corresponding 
to  the  (mi  m2)  circuit-input  wires.  Eval  evaluates 
the  circuit  as  follows: 

(a)  For  each  gate  g  with  retrieved  input  labels  Wa  = 
(KaiSa)  and  Wb  =  ( Kb,  5b ),  Eval  picks  the  (2  • 
5a  +  5b)-th  entry  E  in  G(g)  and  computes  the 
output  label  Wc  =  (KC,5C)  =  dec^b(d ecxa(E)). 

(b)  For  each  circuit-output  wire  wi  with  correspond¬ 
ing  label  Wi  =  ( Ki,5i ),  Eval  computes  the  wire 
value  bi  =  5i  ®  7r i.  Recall  that  7 for  wire  Wi 
comes  with  G(C). 

Finally,  Eval  interprets  {bi}  as  f(x,y)  and  sends 
f(x,y)  to  Gen.  Both  parties  output  f(x,y). 


Figure  6:  The  Yao  protocol  using  the  point-and-permute  trick. 
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Abstract 

In  this  work,  we  explore  building  constructions  with  full  domain  hash  structure,  but  with 
standard  model  proofs  that  do  not  employ  the  random  oracle  heuristic.  The  launching  point  for 
our  results  will  be  the  utilization  of  a  “leveled”  multilinear  map  setting  for  which  Garg,  Gentry, 
and  Halevi  (GGH)  recently  gave  an  approximate  candidate.  Our  first  step  is  the  creation  of  a 
standard  model  signature  scheme  that  exhibits  the  structure  of  the  Boneh,  Lynn  and  Shacham 
signatures.  In  particular,  this  gives  us  a  signature  that  admits  unrestricted  aggregation. 

We  build  on  this  result  to  offer  the  first  identity-based,  aggregate  signature  scheme  that 
admits  unrestricted  aggregation.  In  our  construction,  an  arbitrary-sized  set  of  signatures  on 
identity/message  pairs  can  be  aggregated  into  a  single  group  element,  which  authenticates  the 
entire  set.  The  identity-based  setting  has  important  advantages  over  regular  aggregate  signatures 
in  that  it  eliminates  the  considerable  burden  of  having  to  store,  retrieve  or  verify  a  set  of 
verification  keys,  and  minimizes  the  total  cryptographic  overhead  that  must  be  attached  to  a  set 
of  signer/message  pairs.  While  identity-based  signatures  are  trivial  to  achieve,  their  aggregate 
counterparts  are  not.  To  the  best  of  our  knowledge,  no  prior  candidate  for  realizing  unrestricted 
identity-based  aggregate  signatures  exists  in  either  the  standard  or  random  oracle  models. 

A  key  technical  idea  underlying  these  results  is  the  realization  of  a  hash  function  with  a 
Naor-Reingold-type  structure  that  is  publicly  computable  using  repeated  application  of  the 
multilinear  map.  We  present  our  results  in  a  generic  “leveled”  multilinear  map  setting  and  then 
show  how  they  can  be  translated  to  the  GGH  graded  algebras  analogue  of  multilinear  maps. 
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1  Introduction 


Applying  a  full  domain  hash  is  a  common  technique  in  cryptography  where  a  hash  function,  modeled 
as  a  random  oracle,  is  used  to  hash  a  string  into  a  set.  Originally,  the  concept  referred  to  a  signature 
scheme  where  one  hashed  into  the  range  of  a  trapdoor  permutation  [4],  Subsequently,  full  domain 
hash  has  been  treated  as  a  more  general  concept  and  applied  in  bilinear  map  cryptography  where 
typically  a  hash  function  if  :  {0, 1}*  — >  G  is  used  to  hash  a  string  into  a  bilinear  group.  (We  note 
that  multiple  early  works  [11,  13,  12]  employ  this  terminology.)  Pairing-based  applications  of  Full 
Domain  Hash  include:  the  original  Boneh-Franklin  [11],  short  and  aggregate  signatures  [13,  12], 
Hierarchical  Identity-Based  Encryption  [25],  and  decentralized  Attribute-Based  Encryption  [30]. 
Typically,  proofs  of  such  schemes  will  use  the  random  oracle  heuristic  to  “program”  the  output  of 
the  hash  function  in  a  certain  way  for  which  there  is  no  known  standard  model  equivalent  (see  [28]). 

Given  that  there  are  well-known  issues  with  random  oracle  instantiability  in  general  [16]  and 
problems  with  Full  Domain  Hash  in  particular  [20,  19],  there  has  been  a  push  to  find  standard  model 
realizations  of  these  applications.  These  endeavors  have  been  successful  in  several  applications  such 
as  signatures  [9,  40]  and  (Hierarchical)  Identity-Based  Encryption  [17,  7,  8,  40,  23,  41],  Despite 
this  progress,  the  current  state  is  not  entirely  satisfactory  on  two  fronts.  First,  each  of  the  standard 
model  examples  given  above  created  new  cryptographic  constructions  with  fundamentally  different 
structure  than  the  original  Full  Domain  Hash  construction.  While  creating  a  new  structure  is 
a  completely  valid  and  novel  approach,  that  path  does  not  necessarily  lend  insight  or  further 
understanding  of  the  original  constructions. 

Second,  there  are  important  applications  of  the  Full  Domain  Hash  method  where  implementing 
such  a  hash  using  a  random  oracle  introduces  significant  limitations  in  the  applicability  of  the 
Full  Domain  Hash  method.  A  prominent  example  concerns  aggregate  signature  schemes  and  their 
identity-based  counterparts: 

An  aggregate  signature  system  is  one  in  which  a  signature  a'  on  verification  key/message  pair 
(VK',  M')  can  be  combined  with  a  signature  a  on  (VK,  M )  producing  a  new  signature  a  on  the  set 
S  =  {(VK',  M'),  (VK,  M )}.  This  process  can  be  repeated  indefinitely  to  aggregrate  an  arbitrary 
number  of  signatures  together.  Crucially,  the  size  of  a  should  be  independent  of  the  number  of 
signatures  aggregated,  although  the  description  of  the  set  S  will  grow.  The  ultimate  goal,  however, 
is  to  minimize  the  entire  transmission  size  [35]. 

The  need  for  a  public- key  infrastructure  for  verification  keys  is  a  major  drawback  of  traditional 
public- key  cryptography,  and  for  this  reason  identity-based  cryptography  has  flourished  [39,  11]: 
In  an  identity-based  aggregate  signature  scheme,  verification  keys  like  VK  would  be  replaced  with 
simple  identity  strings  like  X  =  “harrypotter@hogwarts.edu”.  This  offers  a  very  meaningful  savings 
for  protocols  such  as  BGPsec,  which  require  routers  to  store,  retrieve  and  verify  certificates  for 
over  36,000  public  keys  [18,  15].  We  note  that  while  identity-based  signatures  follow  trivially  from 
standard  signatures,  identity-based  aggregate  signatures  are  nontrivial  (more  on  this  below). 

A  decade  ago,  the  Boneh,  Gentry,  Lynn  and  Shacham  (BGLS)  [12]  aggregate  signature  scheme 
was  built  using  the  Full  Domain  Hash  methodology.  In  the  original  vision  of  BGLS,  aggregation 
could  be  performed  by  any  third  party  on  any  number  of  signatures.  The  authors  showed  how 
the  Boneh,  Lynn  and  Shacham  (BLS)  [13]  signatures  (which  are  in  turn  comprised  of  Boneh- 
Franklin  [11]  private  IBE  keys)  can  be  aggregated  in  this  manner.  The  BLS  construction  uses  a  full 
domain  hash  and  its  security  proof  is  in  the  random  oracle  model.  However,  even  though  the  BGLS 
scheme  was  built  upon  the  key  mechanism  for  Boneh-Franklin  Identity-Based  Encryption,  BGLS 
does  not  support  identity-based  aggregation.  The  Full  Domain  Hash  in  BGLS  is  realized  using 
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a  random  oracle,  which  destroys  the  structure  that  would  be  needed  for  identity-based  aggregate 
signatures.  To  the  best  of  our  knowledge,  no  prior  solution  to  identity-based  aggregate  signatures 
in  either  the  standard  or  random  oracle  models  exists.  Prior  work  considered  ID-based  aggregates 
restricted  to  a  common  nonce  [24]  (e.g.,  where  signatures  can  only  be  aggregated  if  they  were 
created  with  the  same  nonce  or  time  period)  or  sequential  additions  [6]  (e.g.,  where  a  group  of 
signers  sequentially  form  an  aggregate  by  each  adding  their  own  signature  to  the  aggregate-so-far) . 

Our  results  in  a  nutshell.  In  this  work,  we  give  a  new  method  for  implementing  the  Full 
Domain  Hash  method  using  leveled  multilinear  maps,  including  the  ones  recently  proposed  by 
Garg,  Gentry,  and  Halevi  (GGH)  [21].  We  show  how  to  use  this  method  to  implement  aggregate 
signatures  in  the  standard  model  in  a  way  that  naturally  extends  to  give  the  first  full  solution  to 
the  problem  of  identity-based  aggregate  signatures  (also  in  the  standard  model). 

Prior  work  on  standard  model  aggregate  signatures.  All  previous  work  on  achieving  stan¬ 
dard  model  aggregate  signatures  did  so  by  departing  fundamentally  from  the  Full  Domain  Hash 
methodology. 

Subsequently  to  BGLS  [12],  different  standard  model  solutions  were  proposed,  but  with  differ¬ 
ent  restrictions  on  aggregation.  These  include:  constructions  [31]  where  the  signatures  must  be 
sequentially  added  in  by  the  signers,  multisignatures  [31]  where  aggregation  can  occur  only  for  the 
same  message  M ,  or  where  aggregation  is  limited  to  signatures  associated  with  the  same  nonce  or 
time  period  [l].1  These  restrictions  limit  their  practical  applicability. 

In  2009,  Rrickert  and  Schroder  [38]  gave  an  intriguing  vision  on  how  multilinear  maps  might 
enable  standard  model  constructions  of  aggregate  signatures,  also  departing  from  the  Full  Domain 
Hash  methodology.  They  did  not  discuss  or  achieve  identity-based  aggregate  signatures.  Their 
proposal  came  before  the  Garg,  Gentry  and  Halevi  [21]  candidate  and  used  the  earlier  Boneh- 
Silverberg  [14]  view  of  multilinear  maps,  where  a  fc-linear  map  would  allow  the  simultaneous  multi¬ 
plication  of  k  source  group  elements  into  one  target  group  element.  The  GGH  candidate  in  contrast 
allows  for  encodings  to  exist  on  multiple  levels  and  a  pairing  between  an  encoding  on  level  i  and 
one  on  level  j  gives  an  encoding  on  level  i  +  j  as  long  as  i  +  j  is  less  than  or  equal  to  some  k.  One 
drawback  of  the  Riickert  and  Schroder  construction  is  that  the  security  proof  requires  access  to  an 
interactive  (or  oracle-type)  assumption  in  order  to  answer  the  signature  queries  where  the  structure 
of  the  oracle  output  is  essentially  identical  to  the  signatures  required.  This  property  seems  to  be 
tightly  coupled  with  the  modeling  of  a  multilinear  map  as  a  one  time  multiplication.  In  contrast,  we 
will  exploit  the  leveling  of  the  GGH  abstraction  to  actually  replace  the  hash  function  in  a  BLS-type 
structure  and  obtain  proofs  from  non-interactive  assumptions. 

1.1  Overview  of  our  Aggregate  Signature  Constructions 

We  now  overview  the  constructions  and  their  security  claims.  To  simplify  the  description  of  the 
main  ideas,  we  describe  the  constructions  here  in  terms  of  leveled  multilinear  maps.  Later  on,  we 
explicitly  give  translations  of  both  constructions  to  the  GGH  framework. 

1We  remark  that  these  restrictions  were  considered  in  other  works  such  as  [37,  36,  33,  5,  32]  prior  to  the  standard 
model  constructions  cited  above. 
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The  Base  Construction.  A  trusted  setup  algorithm  will  take  as  input  security  parameter  A 
and  message  bit-length  £  and  run  a  group  generator  Q(lx,k  =  t  +  1)  and  outputs  a  sequence  of 
groups  G  =  (Gi, . . .  ,Gfc)  of  prime  order  p?  The  group  sequence  will  have  canonical  generators 
g  =  <7i,g2,  ■  ■  -,9k  along  with  a  pairing  operation  that  computes  e(g°',g1-)  =  gf^  for  any  a,b  £  Zp 
and  i  +  j  <  k.  The  setup  algorithm  will  also  choose  A  =  (A^o  =  gaifi ,  A\t i  =  g0,1'1),  .  .  . ,  (A^0  = 

gae’°,  A^i  =  g01’1)  G  Gf.  We  define  H  :  {0, 1}£  — »•  Gfc_i  as  H(M )  =  l'm\  where  m;  are  the 

bits  of  message  M.  The  hash  function  hashes  a  message  into  the  group  Gk-i-  It  exhibits  a  Naor- 
Reingold  [34]-type  structure  and  is  publicly  computable  using  repeated  application  of  a  multilinear 
map.  Since  a  group  element  in  Gfc_i  has  one  pairing  left,  it  intuitively  reflects  the  bilinear  map 
setting.  In  our  scheme  a  private  key  contains  a  random  exponent  a  G  Zp  and  the  corresponding 
verification  key  VK  contains  ga.  A  signature  on  a  message  M  is  computed  as  <r  =  H(M)a  and 
verified  by  testing  e(a,g)  =  e(H(M),ga). 

Stepping  back,  the  structure  of  our  scheme  very  closely  resembles  BLS  signatures.  For  this 
reason  it  is  possible  to  aggregate  them  in  the  BGLS  fashion  by  simply  multiplying  two  together.  The 
size  of  an  aggregate  signature  depends  on  the  security  parameter  plus  message  length  £  (assuming 
the  group  representation  size  increases  with  k  =  £  +  1),  but  is  independent  of  the  number  of  times 
aggregation  is  applied.  Aggregation  is  unrestricted  and  can  be  done  by  any  third  party. 

The  Riickert  and  Schroder  construction  [38]  also  insightfully  uses  a  Naor- Reingold  type  function 
for  aggregation.  A  key  distinction  is  that  in  the  RS  method  there  is  a  unique  NR  function  for  each 
signer  and  it  is  privately  computed  by  each  signer  per  each  message/input.  In  our  construction  the 
Naor-Reingold  function  is  computed  as  a  public  hash  using  the  levels  of  the  multilinear  map.  A 
signer  simply  multiplies  in  his  secret  exponent  after  computing  the  hash.  Thus,  this  mimicks  the 
BLS  structure  much  more  closely.  One  advantage  of  our  structure  is  that  the  hash  function  can  be 
derived  from  a  single  common  reference  string  and  then  public  keys  are  just  a  single  group  element. 
In  addition,  we  will  see  that  our  structure  is  amenable  to  proofs  under  non-interactive  assumptions 
and  allow  us  to  extend  to  the  identity-based  setting.  In  the  aggregation  setting,  where  bandwidth 
is  at  a  premium,  our  smaller  public  keys  and  the  ability  to  go  identity-based  is  important. 

Proofs  of  Security.  We  view  our  aggregate  signatures  as  signatures  on  a  multiset  of  mes¬ 
sage/verification  key  pairs  for  full  generality.  We  prove  security  in  a  modular  way  as  a  two  step 
process.  First,  we  define  a  weaker  “distinct  message”  variant  of  security  that  only  considers  an 
attacker  successful  if  the  aggregate  forgery  no  two  signers  sign  the  same  message.  We  then  show 
how  to  transform  any  distinct  message  secure  scheme  into  one  with  standard  security.  The  trans¬ 
formation  captures  the  BGLS  idea  (formalized  by  Bellare,  Namprempre  and  Neven  [2])  of  hashing 
the  public  key  plus  message  together.  Using  the  transformation  we  can  focus  on  designing  proofs 
in  the  distinct  message  game.  We  first  prove  selective  security  under  a  natural  analog  of  the  CDH 
assumption  we  call  the  ^-Multilinear  Computational  Diffie-Hellman  (/c-MCDH)  assumption.  We 
next  show  full  (a.k.a.,  adaptive)  security  using  a  subexponentially  secure  version  of  the  assumption. 
Finally,  we  show  full  security  with  only  polynomial  factors  in  the  reduction  using  a  non- interactive, 
but  parameterized  assumption. 

Realizing  Identity-Based  Aggregation.  The  authority  will  run  a  setup  algorithm  that  takes 
the  message  bit-length  £  and  identity  bit-length  n.  It  runs  a  group  generator  Q(lx,k  =  £  +  n) 

2In  practice  one  will  perform  a  CRHF  of  an  arbitrary  length  message  to  l  bits. 
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and  outputs  a  sequence  of  groups  G  =  (Gi, . . . ,  G &)  of  prime  order  p.  It  creates  the  parameters  A 
as  in  the  prior  scheme  and  B  =  (-Bgo  =  <7bl’°,-Bi,i  =  9b1,1),  ■  ■  ■  >  (-Bn,o  =  gbn,0,Bn^ i  =  E  Gf. 


We  define  H  :  {0, l}n  x  {0,  l}e  ->  Gfc_i  as  H(I,M)  =  where  m.  are 

the  bits  of  message  M  and  id*  the  bits  of  I.  The  hash  function  is  publicly  computable  from  the 

multilinear  map.  A  secret  key  for  identity  X  is  computed  as  SKj  =  *'ld'  E  Gn- ±.  This 


can  be  used  to  produce  a  signature  on  message  M  by  computing 


& i,m £  ) 


? 

using  the  multilinear  map.  Finally,  a  signature  can  be  verified  by  checking  e(a,g)  =  H(1 ,  A/).  The 
signatures  will  aggregate  in  the  same  manner  by  multiplying  together. 

The  distinct  message  translation  is  not  required  in  the  identity-based  setting,  because  there  is 
no  rogue  key  problem.  We  first  prove  selective  security  under  the  fe-MCDH  assumption,  and  then 
show  full  security  using  a  subexponentially  secure  version  of  the  assumption.  We  provide  these 
proofs  in  both  the  generic  multilinear  and  the  GGH  framework. 


Further  Applications.  Taken  altogether  we  show  that  multilinear  forms  provide  an  opportu¬ 
nity  for  revisiting  cryptographic  structures  that  were  strongly  associated  with  the  random  oracle 
heuristic.  It  remains  to  be  seen  how  widely  this  direction  will  apply.  One  interesting  example  of 
an  application  that  currently  requires  the  full  domain  hash  is  the  decentralized  Attribute-Based 
Encryption  system  of  Lewko  and  Waters  [30].  There  is  no  standard  model  candidate  that  has  com¬ 
parable  expressiveness.  Here  performing  an  analogous  transformation  to  our  aggregate  signatures 
hash  function  gives  a  candidate  construction  that  we  do  not  immediately  see  how  to  break.  However, 
it  is  less  easy  to  see  how  our  proof  techniques  would  extend  to  the  variant  of  the  Lewko- Waters  [30] 
decentralized  ABE  scheme. 


2  Leveled  Multilinear  Maps  and  the  GGH  Graded  Encoding 


We  give  a  description  of  generic,  leveled  multilinear  maps.  The  assumptions  used  in  this  setting 
are  defined  inline  with  their  respective  security  proofs.  More  details  of  the  GGH  graded  algebras 
analogue  of  mulitlinear  maps  are  included  in  Appendix  A,  and  for  further  details,  please  refer 
to  [21], 

For  generic,  leveled  multilinear  maps,  we  assume  the  existence  of  a  group  generator  Q,  which 
takes  as  input  a  security  parameter  1A  and  a  positive  integer  k  to  indicate  the  number  of  allowed 
pairing  operations.  Q(lx,k)  outputs  a  sequence  of  groups  G  =  (Gi, . . .  ,  G&)  each  of  large  prime 
order  p  >  2X.  In  addition,  we  let  gi  be  a  canonical  generator  of  Gj  (and  is  known  from  the  group’s 
description) .  We  let  g  =  g\. 

We  assume  the  existence  of  a  set  of  bilinear  maps  {e*j  :  Gi  x  Gj  — »  Gi+J  \  i,  j  >  1;  i  +  j  <  k}. 
The  map  e*j  satisfies  the  following  relation: 


gt,gbj)  =g?+j 


Va,  fee  Zr 


We  observe  that  one  consequence  of  this  is  that  ei,j{gi,gj)  =  g%+j  for  each  valid  i,j. 

When  the  context  is  obvious,  we  will  sometimes  abuse  notation  and  drop  the  subscripts  i,j, 
For  example,  we  may  simply  write  e 


9? -,9, 


<• 
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Algorithmic  components  of  GGH  encodings.  While  we  assume  familiarity  with  the  basics  of 
GGH  encodings  [21],  we  now  review  the  algorithmic  components  of  the  GGH  encodings  that  we  will 
use  in  our  constructions  and  proofs.  The  setup  algorithm  lnstGen(lA,  lfc)  takes  as  input  a  security 
parameter  1A  and  the  level  of  multilinearity  lfc,  and  outputs  the  public  parameters  para  ms  needed 
for  using  the  remaining  GGH  algorithms,  along  with  a  special  parameter  p zt  to  be  used  for  zero 
testing.  The  sampling  algorithm  samp  (para  ms)  outputs  a  level-0  encoding  of  a  randomly  chosen 
element.  The  canonicalizing  encoding  cence(params,  i,  a)  algorithm  takes  as  input  an  encoding  a 
of  some  element  a,  and  outputs  a  level-i  encoding  of  a,  with  re-randomization  parameter  e.  This 
canonicalizing  encoding  algorithm  can  re-randomize  an  encoding  for  a  fixed  constant  number  of 
re-randomization  parameters  e.  Finally,  the  zero-testing  algorithm  isZero(p zt,cr)  takes  as  input 
a  level- A;  encoding  a,  and  accepts  iff  a  is  an  encoding  of  0.  A  more  elaborate  review  of  these 
algorithms  can  be  found  in  Appendix  A. 

3  Definitions  for  Aggregate  and  ID-based  Aggregate  Signatures 

We  now  give  our  definitions  for  aggregate  signatures.  In  our  setting,  each  aggregate  signature  is 
associated  with  a  multiset  S  over  verification  key/message  pairs  (or  identity/message  pairs  in  the 
ID-based  setting).  A  set  S  is  of  the  form  {(VKi,  Mi), . . . ,  (VK|gi,  Migi)}.  Since  S'  is  a  multiset  it  is 
possible  to  have  (VKj,  Mt)  =  (VKj,  Mj)  for  i  /  j.  All  signatures,  including  those  that  come  out  of 
the  sign  algorithm,  are  considered  to  be  aggregate  signatures.  The  aggregation  algorithm  is  general 
in  that  it  can  take  any  two  aggregate  signatures  and  combine  them  into  a  new  aggregate  signature. 

Our  definition  allows  for  an  initial  trusted  setup  that  will  generate  a  set  of  common  public 
parameters  PP.  This  will  define  a  bit  length  of  all  messages  (and  identities).  In  practice  one  could 
set  these  fixed  lengths  to  be  the  output  length  i  of  a  collision  resistant  hash  function  and  allow 
arbitrary-length  messages/identities  by  first  hashing  them  down  to  t  bits.  In  the  ID-based  setting, 
the  authority  also  produces  a  master  secret  key  used  later  to  run  the  key  generation  algorithm. 

We  emphasize  a  few  features  of  our  setting.  First,  aggregation  is  very  general  in  that  it  allows  for 
the  combination  of  any  two  aggregate  signatures  into  a  single  one.  Some  prior  definitions  required 
an  aggregate  signature  to  be  combined  with  a  single  message  signature.  This  is  a  limitation  for 
applications  where  an  aggregator  comes  across  two  aggregate  signatures  that  is  wishes  to  combine. 
The  aggregation  operation  does  not  require  any  secret  keys.  The  multiset  structure  allows  one  to 
combine  two  aggregate  signatures  which  both  include  the  same  message  from  the  same  signer. 

We  begin  formally  with  the  ID-based  definition,  because  it  is  novel  to  this  work,  and  then 
discuss  its  simpler  counterpart. 

Authority-Setup(l'\  £,  n)  The  trusted  setup  algorithm  takes  as  input  the  security  parameter 
as  well  the  bit-length  i  of  messages  and  bit-length  n  of  the  identities.  It  outputs  a  common  set  of 
public  parameters  PP  and  master  secret  key  MSK. 

KeyGen(MSK,X  G  {0,1}")  The  key  generation  algorithm  is  run  by  the  authority.  It  takes  as 
input  the  system  master  secret  key  and  an  identity  X,  and  outputs  a  secret  signing  key  SKj. 

Sign(PP,  SKx,X  G  {0,1}",  M  G  {0,1}^)  The  signing  algorithm  takes  as  input  a  secret  signing 
key  and  corresponding  identity  X  G  {0, 1}",  the  common  public  parameters  as  well  as  a  message 
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M  E  {0, 1  }  .  It  outputs  a  signature  a  for  identity  X.  We  emphasize  that  a  single  signature  that  is 
output  by  this  algorithm  is  considered  to  also  be  an  aggregate  signature. 

Aggregate(PP,  S,  S' ,  a,  a').  The  aggregation  algorithm  takes  as  input  two  multisets  S  and  S'  and 
purported  signatures  a  and  a' .  The  elements  of  S  consist  of  identity /message  pairs  {(Xi,  Mi), . . . , 
(X|£|,  M|g|)}  and  the  elements  of  S'  consist  of  {(X{,  M[), . . . ,  (X'^,, | ,  M^s, |)}.  The  process  produces  a 

signature  cr  on  the  multiset  S  =  S  U  S',  where  U  is  a  multiset  union. 

Verify  (PP,  S',  <t).  The  verification  algorithm  takes  as  input  the  public  parameters,  a  multiset  S 
of  identity  and  message  pairs  and  an  aggregate  signature  a.  It  outputs  true  or  false  to  indicate 
whether  verification  succeeded. 

Correctness  The  correctness  property  states  that  all  valid  aggregate  signatures  will  pass  the 
verification  algorithm,  where  a  valid  aggregate  is  defined  recursively  as  an  aggregate  signature 
derived  by  an  application  of  the  aggregation  algorithm  on  two  valid  inputs  or  the  signing  algorithm. 
More  formally,  for  all  integers  A ,£,n,k  >  1,  all  PP  E  Authority-Setup(lA,  £,  n),  all  X] , . . . ,  If.  E 
{0,  l}n,  all  SKx(  E  KeyGen(PP,Xj),  Verify(PP,  S,  a)  =  1,  if  a  is  a  valid  aggregate  for  multiset  S 
under  PP.  We  say  that  an  aggregate  signature  a  is  valid  for  multiset  S  if:  (1)  S  =  {(X;,M)} 
for  some  i  E  [1,  fc] ,  M  E  {0, 1}(  and  cr  E  Sign(PP,  SKx^Xj,  M);  or  (2)  there  exists  multisets 
S'S  where  S  =  S'  U  S  and  valid  aggregate  signatures  o',  a  on  them  respectively  such  that  a  E 
Aggregate  (PP ,  S,  S' ,a,a'). 

Security  Model  for  Aggregate  Signatures.  Adapting  aggregation  [12,  2]  to  the  identity- 
based  setting  takes  some  care  in  considering  how  keys  are  handled  and  which  query  requests  the 
adversary  should  be  allowed  to  make.  Informally,  in  the  unforgeability  game,  it  should  be  computa¬ 
tionally  infeasible  for  any  adversary  to  produce  a  forgery  implicating  an  honest  identity,  even  when 
the  adversary  can  control  all  other  identities  involved  in  the  aggregate  and  can  mount  a  chosen- 
message  attack  on  the  honest  identity.  This  is  defined  using  a  game  between  a  challenger  and  an 
adversary  A  with  respect  to  scheme  II  =  (Authority-Setup,  KeyGen,  Sign,  Aggregate,  Verify). 

-  ID-Unforg(II,  A,  A,  £,  n ): 

Setup.  The  challenger  runs  Authority-Setup(lA,  £,  n)  to  obtain  PP.  It  sends  PP  to  A. 

Queries.  Proceeding  adaptively,  A  can  make  three  types  of  requests: 

1.  Create  New  Key:  The  challenger  begins  with  an  index  i  =  1  and  an  empty  sequence  of 
index/identity/private  key  triples  T.  On  input  an  identity  X  E  {0,  l}n,  the  challenger 
runs  KeyGenfMSK,  X)  to  obtain  SKj.  It  adds  the  triple  (i,X,  SKj)  to  T  and  then 
increments  i  for  the  next  call.  Nothing  is  returned  to  the  adversary.  We  note  that  the 
adversary  can  query  this  oracle  multiple  times  for  the  same  identity.  This  will  capture 
security  for  applications  that  might  release  more  than  one  secret  key  per  identity. 

2.  Corrupt  User:  On  input  an  index  i  E  [1,  |T|],  the  challenger  returns  to  the  adversary  the 
triple  (?’,Xj,  SKjJ  E  T.  It  returns  an  error  if  T  is  empty  or  i  is  out  of  range. 

3.  Sign:  On  input  an  index  i  E  [1,  |T|]  and  a  message  M  E  {0, 1}^,  the  challenger  obtains  the 
triple  (i,X,;,  SKjJ  E  T  (returning  an  error  if  it  does  not  exist)  and  returns  the  signature 
resulting  from  Sign(PP,  SKj^Xj,  M)  to  A. 
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Response.  Finally,  A  outputs  a  multiset  S*  of  identity/message  pairs  and  a  purported  aggregate 
signature  a*. 

We  say  the  adversary  “wins”  or  that  the  output  of  this  experiment  is  1  if:  (1)  Verify(PP,  S* ,  a*)  =  1 
and  (2)  there  exists  an  element  (Z*,  M*)  £  S*  such  that  M*  was  not  queried  for  a  signature  by  the 
adversary  on  any  index  corresponding  to  X*;  i.e. ,  any  index  i  such  that  ( i,X *,■)  £  T.  Otherwise, 
the  output  is  0.  Define  ID-Forg^  as  the  probability  that  Unforg(II,  A,  A,  I,  n)  =  1,  where  the 
probability  is  over  the  coin  tosses  of  the  Authority-Setup,  KeyGen,  and  Sign  algorithms  and  of  A. 

Definition  3.1  (Adaptive  Unforgeability)  An  ID-based  aggregate  signature  scheme  II  is  exis¬ 
tentially  unforgeable  with  respect  to  adaptive  chosen-message  attacks  if  for  all  probabilistic  polynomial¬ 
time  adversaries  A,  the  function  ID-Forg \  is  negligible  in  A. 

Selective  Security.  We  consider  a  selective  variant  to  ID-Unforg  (selective  in  both  the  identity 
and  the  message)  where  there  is  an  Init  phase  before  the  Setup  phase,  wherein  A  gives  to  the 
challenger  a  forgery  identity/message  pair  (X*  £  {0,  l}n,M*  £  {0,  1}j.  The  adversary  cannot 
request  a  signing  key  for  X*.  (It  may  request  that  the  challenger  create  one  or  more  keys  for  this 
identity,  but  it  cannot  corrupt  any  user  index  i  associated  with  X*.)  Moreover,  the  adversary  only 
“wins”  causing  the  experiment  output  to  be  1  if  the  normal  checks  hold  (i.e.,  its  signature  verifies 
and  it  did  not  request  that  X*  sign  M*)  and  additionally  (X*,  M*)  appears  in  S*. 

Non-ID-Based  Aggregates  and  the  Distinct  Message  Variant.  We  provide  security  defi¬ 
nitions  for  the  non- ID-based  setting  in  Appendix  B  that  follow  from  [12,  2].  We  provide  adaptive 
and  selective  variants.  We  also  identify  a  weaker  “distinct  message”  security  game  that  is  easier 
to  work  with.  In  Appendix  C,  we  describe  and  prove  secure  a  simple  transformation  from  distinct 
message  security  to  standard  aggregate  signature  security.  The  transformation  captures  the  idea 
of  hashing  the  public  key  and  message  together  [12,  2]  in  a  modular  way.  Focusing  on  distinct 
message  security  allows  one  to  avoid  the  “rogue  key”  attack  (see  Section  4.3).  We  do  not  consider 
distinct  message  security  in  the  ID-based  setting,  because  there  are  no  verification  keys. 

4  Our  Base  Aggregate  Signature  Construction 

4.1  Generic  Multlinear  Construction 

Setup(l^,f)  The  trusted  setup  algorithm  takes  as  input  the  security  parameter  as  well  as  the 
length  I  of  messages.  It  first  runs  1A,  k  =  £+1)  and  outputs  a  sequence  of  groups  G  =  (Gi, . . . ,  G&) 
of  prime  order  p,  with  canonical  generators  gi, ...  ,gk,  where  we  let  g  =  g\. 

Next,  it  outputs  random  group  elements  (Ai;o,  A^i), . . . ,  (A^0)  A^)  £  Gf.  These  will  be 
used  to  compute  a  function  H(M)  :  {0,1}^  — >  Gfc_i,  which  serves  as  the  analog  of  the  full  do¬ 
main  hash  function  of  the  BGLS  [12]  construction.  Let  mi, . . .  ,m,£  be  the  bits  of  message  M. 

It  is  computed  iteratively  as  H\(M)  =  Apmi  and  for  i  £  [2, X] ,  Hi{M )  =  e(Rj_i(M), 

We  define  H(M)  =  H((M).  The  public  parameters,  PP,  consist  of  the  group  descriptions  plus 
(A,o>  4iy), . . . ,  (A^q,  Ay). 


KeyGen(PP)  The  key  generation  algorithm  first  chooses  random  a  £  Zp.  It  outputs  the  public 
verification  key  as  VK  =  ga.  The  secret  key  SK  is  a  £  Zp. 
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Sign(PP,  SK,  M  E  {0,  l}f)  The  signing  algorithm  computes  the  signature  as  a  =  H(M)a  E  Gj~- i- 
This  serves  as  an  aggregate  signature  for  the  (single  element)  multiset  S  =  (VK,  M). 

Aggregate(PP,  S,  S' ,  a,  a').  The  aggregation  algorithm  simply  computes  the  output  signature  a 
as  a  =  a  ■  a’ .  The  serves  as  a  signature  on  the  multiset  S  =  S  U  S' ,  where  U  is  a  multiset  union. 

Verify(PP,  S ,  cr).  The  verification  algorithm  parses  S  as  {(VKi,  Afi), . . . ,  (VK|s|,  It  then 

checks  that  e(a,g)  =  n?:=i  |S|  e(M(Mj),  VKj)  and  accepts  if  and  only  if  it  holds. 

Correctness  To  see  correctness,  an  aggregate  u  on  S'  =  {(VKi,  Mi), . . . ,  (VK|g|,  M|g|}  will  be  the 

I  Cl 

product  of  individual  signatures;  i.e. ,  a  =  W=iH{Mi)ai  where  VK*  =  gai ,  and  thus  will  pass  the 
verification  equation  as  e(a,  g)  =  e(Jl[=i  H (M,)01* ,  g)  =  Yl\=i  e(H (Mi)ai ,  g)  =  Yl\=i  e(H (M,) ,  g)ai  = 
nHi  e(H(Mi),g°«)  =  nSr  e(H(M^  VK,). 

Efficiency  and  TradeofTs  An  aggregate  signature  is  one  group  element  in  Gk-i  independent  of 
the  number  of  messages  aggregated.  In  a  multilinear  setting,  the  space  to  represent  a  group  element 
might  grow  with  k  (which  is  £+1).  Indeed,  this  happens  in  the  GGH  [21]  graded  algebra  translation. 
One  way  to  mitigate  this  is  to  differ  the  message  alphabet  size  in  a  tradeoff  of  computation  versus 
storage.  The  above  construction  uses  a  binary  message  alphabet.  If  it  used  an  alphabet  of  2d 
symbols,  then  the  aggregate  signature  could  resident  in  the  group  Gp/d  with  i/d  —  1  pairings 
required  to  compute  it,  at  the  cost  of  the  public  parameters  requiring  2d£  group  elements  in  G. 

4.2  Construction  in  the  GGH  Framework 

We  give  a  translation  of  the  above  construction  to  the  GGH  [21]  framework  in  Appendix  E. 

4.3  Security  Analysis 

Assumption  4.1  (Multilinear  Computational  Diffie-Hellman:  fc-MCDH)  The  k- Multilinear 
Computational  Diffie-Hellman  (k-MCDH)  problem  states  the  following:  A  challenger  runs  Q(  1A,  k ) 
to  generate  groups  and  generators  of  order  p.  Then  it  picks  random  c±, ...  ,Ck  E  T,p.  The  assump¬ 
tion  then  states  that  given  g  =  gi,  gci , . . . ,  gCk  it  is  hard  for  any  poly-time  algorithm  to  compute 

^  3  better  than  negligible  advantage  (in  security  parameter  X). 

We  say  that  the  A:-MCDH  assumption  holds  against  subexponential  advantage  if  there  exists  a 
universal  constant  eo  >  0  such  that  no  polynomial-time  algorithm  can  succeed  in  the  experiment 
above  with  probability  greater  than  2_Aq) .  In  Section  5.3,  we  will  give  a  variant  of  the  £;-MCDH 
assumption  in  the  approximate  multilinear  maps  setting  of  GGH  [21]  that  we  will  call  the  GGH 
fc-MCDH  assumption.  We  note  that  the  best  cryptanalysis  available  of  the  GGH  framework  [21] 
suggests  that  the  GGH  fc-MCDH  assumption  holds  against  subexponential  advantage. 

In  Appendix  D,  we  show  that  the  basic  aggregate  signature  scheme  for  message  length  i  in  the 
distinct  message  unforgeability  game  is: 

•  (Theorem  D.l)  selectively  secure  under  the  (f?  +  1)-Multilinear  Computational  Diffie-Hellman 
(MCDH)  assumption. 
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•  (Corollary  D.2)  fully  secure  under  the  (£  +  1)-MCDH  assumption  against  subexponential 
advantage. 

•  (Theorem  D.4)  fully  secure  under  a  non- interactive,  parameterized  assumption  which  depends 
on  £,  the  number  of  adversarial  signing  queries  and  the  number  of  messages  in  the  adversary’s 
forgery. 

By  applying  the  simple  transformation  of  Appendix  C,  the  distinct  message  requirement  can  be 
removed.  Without  this  transformation,  there  is  a  simple  attack  where  the  attacker  sets  some  VK7  = 
VK-1  and  submits  the  identity  element  in  Gfc_i  as  an  aggregate  forgery  for  S  =  {(VK,  M),  (VK7,  M)} 
for  any  message  M  of  its  choosing. 

5  Our  ID-Based  Aggregate  Signature  Construction 

5.1  Generic  Multilinear  Construction 

Authority-Setup(lA,  £,  n)  The  trusted  setup  algorithm  is  run  by  the  master  authority  of  the 
ID-based  system.  It  takes  as  input  the  security  parameter  as  well  the  bit-length  l  of  messages 
and  bit-length  n  of  identities.  It  first  runs  Q(lx,k  =  l  +  n)  and  outputs  a  sequence  of  groups 
G  =  (Gi, . . . ,  Gfc)  of  prime  order  p,  with  canonical  generators  gi, .  .  .  ,gk,  where  we  let  g  =  g\ . 

Next,  it  chooses  random  group  elements  (Aqo  =  gai’0,Ai,\  =  g,ai-1), . . . ,  (A^o  =  fjae’°i  Aq  = 
g^'1)  £  G2.  It  also  chooses  random  exponents  (&i,o,  6i,i), . . . ,  (bn, o,  6n,i)  £  Zp2  and  sets  Bt  p  =  gb%^ 
for  i  £  [l,n]  and  f3  £  {0, 1}. 

These  will  be  used  to  define  a  function  H(Z,M)  :  {0,  l}n  x  {0, 1 Y  Gfc.  Let  m i, . . . ,  mi  be 
the  bits  of  message  M  and  idi, . . . ,  idn  as  the  bits  of  X.  It  is  computed  iteratively  as 

Hx{X,  M )  =  B1)idl  for  i  £  [2,  n]  H%{T,  M)  =  e(^_i(X,  M),  BiMi) 

for  i  £  [n  +  1,  n  +  £  =  k]  Hi(Z,  M )  =  e(Hj_i(X,  M), 

We  define  H{X,  M)  =  Hk=i+n(I,  M). 

The  public  parameters,  PP,  consist  of  the  group  sequence  description  plus: 

(A,o>  Al.i),  •  •  • ,  (A^0,  (Sii0,  ■  ■  ■ ,  (Bn! o,  Bn> i) 

The  master  secret  key  MSK  includes  PP  together  with  the  values  (6i,o,  61,1), . . . ,  (bn,o,  bn, i). 

KeyGen(MSK,X  £  {0,  l}n)  The  signing  key  for  identity  X  is  SKx  =  ',ldl  £  Gn-\. 

Sign(PP,  SKj,X  £  {0,  l}n,M  £  {0,1}^)  The  signing  algorithm  lets  temporary  variable  Do  = 
SKj.  Then  for  i  =  1  to  £  it  computes  Di  =  e(Z?j_i,  Aj>mi)  £  Gn-\+i.  The  output  signature  is 

a  =  De  =  (^_1)(nie[i,„]L,idi)(nie[M]ai,^). 

This  serves  as  an  ID-based  aggregate  signature  for  the  (single  element)  multiset  S  =  (X,  M). 

Aggregate(PP,  S,  S' ,  a,  a').  The  aggregation  algorithm  simply  computes  the  output  signature  a 
as  a  =  a  ■  a' .  The  serves  as  a  signature  on  the  multiset  S  =  S  U  S' ,  where  U  is  a  multiset  union. 
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Verify(PP,  S,  a).  It  parses  S  as  {(Zi,  Mi), . . . ,  (Z|s|,  M|5|)}.  It  then  accepts  if  and  only  if 

e(<r,g)=  I] 

i=l,...,\S\ 

Correctness  and  Security  To  see  correctness,  an  aggregate  a  on  5  =  {(Zi,  Mi), . . . ,  (Z|gi,  M|gi) 
will  be  the  product  of  individual  signatures;  i.e.,  at  where  e(ai,g )  =  77(Zj,Mj),  and  thus  we  have 
ni=i  e(<Tj,  g)  =  e(ni=i  d)  =  e(cr,  t/)  =  We  show  that  this  scheme  is  selectively 

secure  under  the  fc-MCDH  assumption  in  Appendix  F,  where  the  proof  is  very  similar  to  that  of 
the  GGH  translation  which  we  provide  shortly  in  Section  5.3. 

5.2  ID-Based  Construction  in  the  GGH  Framework 

We  show  how  to  modify  our  ID-based  construction  to  use  the  GGH  [21]  graded  algebras  analogue 
of  multilinear  maps.  Please  note  that  we  use  the  same  notation  developed  in  [21],  with  some  minor 
changes:  Firstly,  we  use  the  canonical  encoding  function  cenc  provided  by  the  GGH  framework 
more  than  once  at  each  level  of  the  encoding,  but  only  a  globally  fixed  constant  number  of  times 
per  level.  This  is  compatible  with  the  GGH  encoding  [21],  and  allows  for  a  simpler  exposition  of 
our  scheme  and  proof.  Also,  for  ease  of  notation  on  the  reader,  we  suppress  repeated 
para  ms  arguments  that  are  provided  to  every  algorithm.  Thus,  for  instance,  we  will  write 
a  •(—  samp()  instead  of  a  f-  samp(params).  Note  that  in  our  scheme,  there  will  only  ever  be  a 
single  uniquely  chosen  value  for  para  ms  throughout  the  scheme,  so  there  is  no  cause  for  confusion. 
Finally,  we  use  the  variant  of  the  GGH  framework  with  “strong”  zero-testing,  where  the  zero  test 
statistically  guarantees  that  a  vector  is  a  valid  encoding  of  zero  if  it  passes  the  zero  test.  For  further 
details  on  the  GGH  framework,  please  refer  to  [21].  See  also  the  summary  of  [22]  as  included  in 
Appendix  A. 

Authority-Setup(l'\  £,  n)  The  trusted  setup  algorithm  is  run  by  the  master  authority  of  the 
ID-based  system.  It  takes  as  input  the  security  parameter  as  well  the  bit-length  £  of  messages  and 
bit-length  n  of  identities.  It  then  runs  (params,  p zt)  lnstGen(lA,  \k=?+ny  Recall  that  params  will 
be  implicitly  given  as  input  to  all  GGH-related  algorithms  below. 

Next,  it  chooses  random  encodings  =  samp()  for  i  G  [l,f]  and  f5  G  {0,1};  and  random 
encodings  btjj  =  samp()  for  i  G  [l,n]  and  j3  G  {0,1}.  Then  it  assigns  =  cenci(l, a^p)  for 
i  G  [l,f]  and  (3  G  {0, 1};  and  it  assigns  Br  p  =  cenci(l,  6jj(g)  for  i  G  [1  ,n]  and  /3  G  {0, 1}. 

These  will  be  used  to  compute  a  function  H  mapping  £  +  n  bit  strings  to  level  k  —  1  encodings. 
Let  mi, . . .  ,rri£  be  the  bits  of  M  and  idi, . . . , idn  be  the  bits  of  Z.  It  is  computed  iteratively  as 

H\  (Z,  M)  =  £1)idl  for  i  G  [2,  n]  Ht  (Z,  M)  =  Mj_1(Z,  M)  •  BlMi 

for  i  G  [n  +  l,n  +  £  =  k }  Mj(Z,  M)  =  ifi_1(Z, M)  • 

We  define  H(I,  M)  =  cenc2(A:,  Hk=i+n(l,  M)). 

The  public  parameters,  PP,  consist  of  the  params,  pzt  plus: 

(^4-1,0,  ^4i,i),  •  •  • ,  {Att o,  A^ i),  (Hpo,  Hiy), . . . ,  (Bn,: o,  Bn> i) 

Note  that  params  includes  a  level  1  encoding  of  1,  which  we  denote  as  g. 

The  master  secret  key  MSK  includes  PP  together  with  the  encodings  (&i,o,  &i,i), . . . ,  (bn, o,  6re,i)- 
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KeyGen(MSK,X  G  {0,  l}n)  The  signing  key  for  identity  X  is  SKx  =  cenc2(n  —  1,  n,:G[i  n]  &i,id<)- 

Sign(PP,  SKj,X  G  {0,  l}n,M  G  {0, 1  }^)  The  signing  algorithm  lets  temporary  variable  Do  = 
SKj.  Then  for  i  =  1  to  i  it  computes  Di  =  Dj_i  •  At.mi .  The  output  signature  is 

cr  =  cenc3(&:  —  1,  Df). 

This  serves  as  an  ID-based  aggregate  signature  for  the  (single  element)  multiset  S  =  (X.  M). 

Aggregate(PP,  S,  S' ,  a,  a').  The  aggregation  algorithm  simply  computes  the  output  signature  a 
as  a  =  a  +  a'.  The  serves  as  a  signature  on  the  multiset  S  =  S  U  S',  where  U  is  a  multiset  union. 

Verify(PP,  S,  a).  The  verification  algorithm  parses  S  as  {(X\,  Mi), . . . ,  {X\s\ :  M|5|)}.  It  rejects  if 
the  multiplicity  of  any  identity/message  pair  is  greater  than  2A. 

The  algorithm  then  proceeds  to  check  the  signature  by  setting  r  =  cenc2(l,fll),  and  testing:  : 

isZero  I  Pzt,  t  ■  a  —  ^  H(X,  ,  Mi) 

\  i=l,...,|S| 

and  accepts  if  and  only  if  the  zero  testing  procedure  outputs  true.  Recall  that  g  above  is  a  canonical 
level  1  encoding  of  1  that  is  included  in  para  ms,  part  of  the  public  parameters. 


Correctness.  Correctness  follows  from  the  same  argument  as  for  the  ID-based  aggregate  signa¬ 
ture  scheme  in  the  generic  multilinear  setting. 


5.3  Proof  of  Security  for  ID-based  Aggregate  Signatures  in  the  GGH  framework 

We  now  describe  how  to  modify  our  proof  of  security  for  our  ID-based  construction  to  use  the 
GGH  [21]  graded  algebras  analogue  of  multilinear  maps.  As  before,  for  ease  of  notation  on  the 
reader,  we  suppress  repeated  para  ms  arguments  that  are  provided  to  every  algorithm.  For  further 
details  on  the  GGH  framework,  please  refer  to  Appendix  A  or  [21]. 

We  begin  by  describing  the  GGH  analogue  of  the  /c-MCDH  assumption  that  we  will  employ: 

Assumption  5.1  (GGH  analogue  of  fc-MCDH:  GGH  fc-MCDH)  The  GGH  k -Multilinear 
Computational  Diffie- Heilman  ( GGH  k-MCDH)  problem  states  the  following:  A  challenger  runs 
lnstGen(lA,  lk)  to  obtain  (params,  pzt).  Note  that  params  includes  a  level  1  encoding  of  1,  which  we 
denote  as  g.  Then  it  picks  random  ci, . . . ,  c\~  each  equal  to  the  result  of  a  fresh  call  to  samp(). 

The  assumption  then  states  that  given  params,  pzt,  cenci(l,  ci), . . . ,  cenci(l,  c^)  it  is  hard  for  any 
poly-time  algorithm  to  compute  an  integer  t  G  [1, 2A]  and  an  encoding  z  such  that 


outputs  true. 


zTst  pzt,cenc2(l,fif) 


z  —  cenci (k, t  ■  n 
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We  say  the  GGH  fc-MCDH  assumption  holds  against  subexponential  advantage  if  there  exists 
a  universal  constant  eo  >  0  such  that  no  polynomial-time  algorithm  can  succeed  in  the  experiment 
above  with  probability  greater  than  2Aqi .  The  best  cryptanalysis  available  of  the  GGH  frame¬ 
work  [21]  suggests  that  the  GGH  /c-MCDH  assumption  holds  against  subexponential  advantage. 

We  establish  full  security  of  our  ID-based  aggregate  signature  scheme  conditioned  on  the  k- 
MCDH  assumption  holding  against  subexponential  advantage.  This  follows  immediately  from  the 
following  theorem  and  a  standard  complexity  leveraging  argument: 

Theorem  5.2  (Selective  Security  of  GGH  ID-Based  Construction)  The  ID-based  aggregate 
signature  scheme  for  message  length  I  and  identity  length  n  in  Section  5.2  is  selectively  secure  in 
the  un forgeability  game  in  Section  3  under  the  GGH  (£  +  n)-MCDH  assumption. 

Corollary  5.3  The  ID-based  aggregate  signature  scheme  for  message  length  £  in  Section  5.2  is 
fully  secure  in  the  distinct  message  unforgeability  game  under  the  GGH  (£  +  n)-MCDH  assumption 
against  subexponential  advantage. 

Proof.  This  follows  immediately  from  a  complexity  leveraging  argument:  the  security  parameter 
A  is  chosen  to  ensure  that  2^°  »  2  ,  where  2_Aq>  is  the  maximum  probability  of  success  allowed 
in  the  /c-MCDH  assumption  against  subexponential  advantage.  Now,  to  establish  full  security,  the 
simulator  performs  exactly  as  in  the  selective  security  proof,  but  first  it  simply  guesses  the  message 
that  will  be  forged  (instead  of  expecting  the  adversary  to  produce  this  message).  Because  this 
guess  will  be  correct  with  probability  at  least  2  ,  and  the  security  parameter  A  is  chosen  carefully, 

full  security  with  polynomial  advantage  (or  even  appropriately  defined  subexponential  advantage) 
implies  an  attacker  on  the  GGH  /r-MCDH  assumption  with  subexponential  advantage.  □ 

Proof.  (of  Theorem  5.2)  We  show  that  if  there  exists  a  PPT  adversary  A  that  can  break 
the  selective  security  of  the  ID-based  aggregate  signature  scheme  in  the  unforgettability  game 
with  probability  e  for  message  length  £,  identity  length  n  and  security  parameter  A,  then  there 
exists  a  PPT  simulator  that  can  break  the  GGH  {£  +  n)-MCDH  assumption  for  security  parameter 
A  with  probability  e.  The  simulator  takes  as  input  a  GGH  MCDH  instance  params,  pz^,  C\  = 
cenci(l,  ci), . . . ,  Cf  =  cenci(l,  cyf)  where  k  =  £  +  n.  Let  m;  denote  the  ith  bit  of  M  and  idj  denote 
the  ith  bit  of  T.  The  simulator  plays  the  role  of  the  challenger  in  the  game  as  follows. 

Init.  Let  Z*  G  {0,  l}n  and  M*  G  {0, 1 Y  be  the  forgery  identity /message  pair  output  by  A. 

Setup.  The  simulator  chooses  random  xi, . . . ,  xg,  yi, . . . ,  yn  with  fresh  calls  to  samp().  For  i  =  1 
to  £,  let  Aim*  =  Ci+n  and  A-  -*  =  cenci(l, xf).  For  i  =  1  to  n,  let  Biid*  =  Ci  and 
Biid*  =  cenci(l,r/j).  We  remark  that  the  parameters  are  distributed  independently  and 
uniformly  at  random  as  in  the  real  scheme. 

Queries.  Conceptually,  the  simulator  will  be  able  to  create  keys  or  signatures  for  the  adversary, 
because  his  requests  will  differ  from  the  challenge  identity  or  message  in  at  least  one  bit. 
More  specifically, 

1.  Create  New  Key:  The  simulator  begins  with  an  index  i  =  1  and  an  empty  sequence  of 
index/identity/private  key  triples  T .  On  input  an  identity  Z  G  {0,  l}n,  if  Z  =  Z* ,  the 
simulator  records  (i,Z*,l.)  in  T.  Otherwise,  the  simulator  computes  the  secret  key  as 
follows.  Let  [3  be  the  first  index  such  that  id,;  /  id*.  Compute  s  =  n,:=i  nAi^/3  ^*4d,  - 
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Then  compute  SKj  =  cenc2 (to  —  l,s  ■  yp).  Record  (i,Z,  SKj)  in  T.  Secret  keys  are 
well-formed  and,  due  to  the  rerandomization  in  the  cenc2  algorithm,  are  distributed  in 
a  manner  statistically  exponentially  close  to  the  keys  generated  in  the  real  game. 

Corrupt  User:  On  input  an  index  i  £  [1,  |T|],  the  simulator  returns  to  the  adversary  the 
triple  (i.  X,,  SKjJ  £  T.  It  returns  an  error  if  T  is  empty  or  i  is  out  of  range.  Recall  that 
i  cannot  be  associated  with  Z*  in  this  game. 

Sign:  On  input  an  index  i  £  [1,  |T|]  and  a  message  M  £  {0, 1}^,  the  simulator  obtains 
the  triple  (i,Z,;,  SKjJ  £  T  or  returns  an  error  if  it  does  not  exist.  If  Zj  A  Z* ,  then  the 
simulator  signs  M  with  SKx;  in  the  usual  way. 

If  Zi  =  Z* ,  then  we  know  M  A  M* .  Let  f3  be  the  first  index  such  that  mp  A  m*p. 
First  compute  o'  =  R=1  iM^p  Next,  compute  o"  =  o'  •  x*.  Also  compute  7  = 

FU  „  Ri,idj-  Finally,  compute  o  =  cenc3(&;  —  1,7  •  o")  Return  o  to  A.  Signatures  are 
are  well-formed  and,  due  to  the  rerandomization  in  the  cenc3  algorithm,  are  distributed 
in  a  manner  statistically  exponentially  close  to  the  keys  generated  in  the  real  game. 

Response.  Eventually,  A  outputs  an  aggregate  signature  o*  on  multiset  S*  where  ( Z*,M *)  £ 
S* .  The  simulator  will  extract  from  this  a  solution  to  the  MCDH  problem.  This  works 
by  iteratively  computing  all  the  other  signatures  in  S*  and  then  subtracting  them  out  of 
the  aggregate  until  only  one  or  more  signatures  on  (Z* .  M*)  remain.  That  is,  the  simulator 
takes  an  aggregate  for  S*  and  computes  an  aggregate  signature  for  S'  where  S'  has  one  less 
verification  key/message  pair  than  S  at  each  step.  These  signatures  will  be  computed  as  in 
the  query  phase. 

Eventually,  we  have  an  aggregate  a'  on  t  >  1  instances  of  ( Z*,M *).  However  recall  that 
H (Z* ,  M* )  is  a  level  k  encoding  of  dlieRn]  bMd*)(ri;e[i/]  a*,m *)  =  ]lie[fc]  c*-  Thus  verification 
of  the  signature  o'  implies  that  ( t ,  o')  is  a  solution  to  the  GGH  fe-MCDH  problem,  and  so  the 
simulator  returns  (t,  o')  to  break  the  GGH  /c-MCDH  assumption. 

As  remarked  above,  the  responses  of  the  challenger  are  distributed  statistically  exponentially 
closely  to  the  real  unforgeability  game.  The  simulator  succeeds  whenever  A  does.  □ 


2. 


3. 
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A  Background  on  GGH 

In  this  section,  we  provide  some  background  on  the  GGH  framework.  We  use  the  GGH  framework 
in  a  manner  very  similar  to  the  way  it  was  used  in  the  recent  work  of  Garg,  Gentry,  Halevi,  Sahai, 
and  Waters  on  constructing  Attribute-Based  Encryption  for  Circuits  [22],  For  consistency,  the 
following  text  is  taken  verbatim  from  [22]: 

A.l  Graded  Encoding  Systems:  Definition 

Garg,  Gentry  and  Halevi  (GGH)  [21]  defined  an  “approximate”  version  of  a  multilinear  group  family, 
which  they  call  a  graded  encoding  system.  As  a  starting  point,  they  view  gf  in  a  multilinear  group 
family  as  simply  an  encoding  of  a  at  “level-?”.  This  encoding  permits  basic  functionalities,  such  as 
equality  testing  (it  is  easy  to  check  that  two  level-?'  encodings  encode  the  same  exponent),  additive 
homomorphism  (via  the  group  operation  in  G i),  and  bounded  multiplicative  homomorphism  (via 
the  multilinear  map  e).  They  retain  the  notion  of  a  somewhat  homomorphic  encoding  with  equality 
testing,  but  they  use  probabilistic  encodings,  and  replace  the  multilinear  group  family  with  “less 
structured”  sets  of  encodings  related  to  lattices. 

Abstractly,  their  ??-graded  encoding  system  for  a  ring  R  includes  a  system  of  sets  S  =  { S C 
{0, 1}*  :  i  G  [0,n],a  G  R}  such  that,  for  every  fixed  i  G  [0,n],  the  sets  (Sj-T  :  a  G  R}  are  disjoint 
(and  thus  form  a  partition  of  S)  :=  (JQ  The  set  sja^  consists  of  the  “level-?  encodings  of  a”. 

Moreover,  the  system  comes  equipped  with  efficient  procedures,  as  follows:3 

Instance  Generation.  The  randomized  lnstGen(l'\  1”)  takes  as  input  the  security  parameter  A 
and  integer  n.  The  procedure  outputs  (params,  pzt),  where  params  is  a  description  of  an 
n-graded  encoding  system  as  above,  and  p zt  is  a  level-n  “zero-test  parameter”. 

Ring  Sampler.  The  randomized  samp(params)  outputs  a  “level-zero  encoding”  a  G  Sq,  such  that 
the  induced  distribution  on  a  such  that  a  G  S’g0'*  is  statistically  uniform. 

Encoding.  The  (possibly  randomized)  enc(params,  i,  a)  takes  i  G  [n]  and  a  level-zero  encoding 
a  G  for  some  a  G  R,  and  outputs  a  level-?  encoding  u  G  for  the  same  a. 

Re-Randomization.  The  randomized  reRand(params,  ?,  ??)  re-randomizes  encodings  to  the  same 
level,  as  long  as  the  initial  encoding  is  under  a  given  noise  bound.  Specifically,  for  a  level 
?  G  [n]  and  encoding  u  G  s!-a\  it  outputs  another  encoding  v!  G  s\a\  Moreover  for  any  two 

3Since  GGH’s  realization  of  a  graded  encoding  system  uses  “noisy”  encodings  over  ideal  lattices,  the  procedures 
incorporate  information  about  the  magnitude  of  the  noise. 
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encodings  u\ .  u-i  £  sja^  whose  noise  bound  is  at  most  some  b,  the  output  distributions  of 
reRand(params,  i,  u\)  and  reRand(params,  i,  112)  are  statistically  the  same. 

Addition  and  negation.  Given  para  ms  and  two  encodings  at  the  same  level,  u  \  £  S and 
U2  £  s\a2\  we  have  add(params,  u\,  U2)  G  s\a'+°'2\  and  neg(params,  ui)  G  s\~ai\  subject  to 
bounds  on  the  noise. 

Multiplication.  For  u\  G  112  G  S^2> .  we  have  mult(params, u\,  112)  G  S^'®2\ 

Zero-test.  The  procedure  isZero(params,  pzt,  u)  outputs  1  if  u  £  Sn^  and  0  otherwise.  Note  that 
in  conjunction  with  the  procedure  for  subtracting  encodings,  this  gives  us  an  equality  test. 

Extraction.  This  procedure  extracts  a  “canonical”  and  “random”  representation  of  ring  elements 
from  their  level-n  encoding.  Namely  ext(params,  pzt,  u)  outputs  (say)  K  G  {0,1}A,  such  that: 

(a)  With  overwhelming  probability  over  the  choice  of  a  G  R,  for  any  two  u\ ,  112  G  S^\ 
ext(params,  pzt,ui)  =  ext(params,  pzt,  tt2), 

(b)  The  distribution  {ext(params,  pzt,  u)  :  a  €  R,u  G  S^}  is  statistically  uniform  over 
{0,1}A. 

We  can  extend  add  and  mult  to  handle  more  than  two  encodings  as  inputs,  by  applying  the 
binary  versions  of  add  and  mult  iteratively.  Also,  it  is  convenient  to  define  a  canonicalized  encoding 
algorithm  cenc^params,  i,  a)  which  takes  as  input  encoding  of  a  and  generates  another  encoding 
according  to  a  “nice”  distribution.  The  parameter  t  denotes  that  the  noise  introduced  with  l 
successive  invocations  of  the  re  Rand  operation.  This  parameter  was  implicit  in  [21]  encoding  scheme 
and  we  make  it  explicit.  This  parameter  essentially  captures  the  noise  present  in  the  encodings. 
In  our  scheme  we  will  need  to  re-randomize  at  most  a  constant  number  of  times  and  hence  the 
maximum  value  £  takes  will  be  a  small  constant. 

A. 2  Graded  Encoding  Systems:  Realization 

Concretely,  GGH’s  n-graded  encoding  system  works  as  follows.  (This  is  a  whirlwind  overview;  see 
[21]  for  details.)  The  system  uses  three  rings.  First,  it  uses  the  ring  of  integers  O  of  the  m-th 
cyclotomic  held.  This  ring  is  typically  represented  as  the  ring  of  polynomials  O  =  Z[x]/($m(a;)), 
where  <&m{x)  is  the  m-th  cyclotomic  polynomial,  which  has  degree  N  =  <j>(m).  Second,  for  some 
suitable  integer  modulus  q.  it  uses  the  quotient  ring  0/(q)  =  Zg[.x]/(<hm(x)),  similar  to  the  NTRU 
encryption  scheme  [26].  The  encodings  live  in  0/(q).  Finally,  it  uses  the  quotient  ring  R  =  O /T. 
where  Z  =  ( g )  is  a  principal  ideal  of  O  that  is  generated  by  g  and  where  \0/X\  is  a  large  prime. 
This  is  the  ring  “i?”  referred  to  above;  elements  of  R  are  what  is  encoded. 

What  does  a  GGH  encoding  look  like?  For  a  fixed  random  z  G  0/(q ),  an  element  of  -  that 
is,  a  level- i  encoding  of  a  G  R  -  has  the  form  e/ z1  G  0/(q),  where  e  £  0  is  a  “small”  representative 
of  the  coset  a  +  Z  (it  has  coefficients  that  are  very  small  compared  to  q).  To  add  encodings 
e\ / z1  G  s\ai'>  and  e.2 1 z1  £  s\a2\  just  add  them  in  Of(q)  to  obtain  {e\  +e2 )/V,  which  is  in  s\ai+a2^ 
if  e\  +  &2  is  “small”.  To  mult  encodings  e\ / z11  G  and  e2 / z12  G  S^2\  just  multiply  them  in 

0/(q )  to  obtain  ei  •  e2 / zil+i2 ,  which  is  in  if  e\  -e2  is  “small” .  This  smallness  condition  limits 

the  GGH  encoding  system  to  degree  polynomial  in  the  security  parameter.  Intuitively,  dividing 
encodings  does  not  “work” ,  since  the  resulting  denominator  has  a  nontrivial  term  that  is  not  z. 
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The  GGH  params  allow  everyone  to  generate  encodings  of  random  (known)  values.  The  params 
include  a  level-1  encoding  of  1  (from  which  one  can  generate  encodings  of  1  at  other  levels),  and 
(for  each  i  E  [n])  a  sufficient  number  of  level-?'  encodings  of  0  to  enable  re-randomization.  To  encode 
(say  at  level-1),  run  samp(params)  to  sample  a  small  element  a  from  O,  e.g.  according  to  a  discrete 
Gaussian  distribution.  For  a  Gaussian  with  appropriate  deviation,  this  will  induce  a  statistically 
uniform  distribution  over  the  cosets  of  X.  Then,  multiply  a  with  the  level- 1  encoding  of  1  to  get 
a  level-1  encoding  u  of  a  E  R.  Finally,  run  reRand(params,  1 ,  it),  which  involves  adding  a  random 
Gaussian  linear  combination  of  the  level-1  encodings  of  0,  whose  noisiness  (i.e.,  numerator  size) 
“drowns  out”  the  initial  encoding.  The  parameters  for  the  GGH  scheme  can  be  instantiated  such 
that  the  re-randomization  procedure  can  be  used  for  any  pre-specified  polynomial  number  of  times. 

To  permit  testing  of  whether  a  level-n  encoding  u  =  e/ zn  E  Sn  encodes  0,  GGH  publishes  a 
level- n  zero-test  parameter  pzt  =  hz11  / g ,  where  h  is  “somewhat  small”4  and  g  is  the  generator  of  X. 
The  procedure  isZero(params,  pzt,  u)  simply  computes  p z*  •  u  and  tests  whether  its  coefficients  are 
small  modulo  q.  If  u  encodes  0,  then  e  E  X  and  equals  g  ■  c  for  some  (small)  c,  and  thus  pzj  -u  =  h-c 
has  no  denominator  and  is  small  modulo  q.  If  u  encodes  something  nonzero,  pzt  •  u  has  g  in  the 
denominator  and  is  not  small  modulo  q.  The  ext(params,  pzt,  u)  procedure  works  by  applying  a 
strong  extractor  to  the  most  significant  bits  of  pzt  ■  u.  For  any  two  u\,  U2  E  sia\  we  have  (subject 
to  noise  issues)  ui  —  U2  E  Sn  \  which  implies  pzt(ui  —  U2 )  is  small,  and  hence  pz*  •  u\  and  pzj  •  U2 
have  the  same  most  significant  bits  (for  an  overwhelming  fraction  of  a’s). 

Garg  et  al.  provide  an  extensive  cryptanalysis  of  the  encoding  system,  which  we  will  not 
review  here.  We  remark  that  the  underlying  assumptions  are  stronger,  but  related  to,  the  hardness 
assumption  underlying  the  NTRU  encryption  scheme:  that  it  is  hard  to  distinguish  a  uniformly 
random  element  from  0/(q )  from  a  ratio  of  “small”  elements  -  i.e.,  an  element  u/v  E  Of(q )  where 
u,v  E  Of(q)  both  have  coefficients  that  are  on  the  order  of  (say)  q€  for  small  constant  e. 

B  Definitions  for  Aggregate  Signatures 

We  introduced  our  general  definitional  setting  in  Section  3.  Now,  for  our  regular  aggregate  security 
definition,  we  define  adaptive  and  selective  variants.  We  also  identify  a  slightly  weaker  “distinct 
message”  security  game  that  is  easier  to  work  with.  In  Appendix  C,  we  describe  and  prove  secure 
a  simple  transformation  from  distinct  message  security  to  standard  aggregate  signature  security. 
The  transformation  captures  the  idea  of  hashing  the  public  key  and  message  together  [12,  2]  in  a 
modular  way. 

An  aggregate  signature  scheme  is  comprised  of  the  following  algorithms: 

Setup(lA,f)  The  trusted  setup  algorithm  takes  as  input  the  security  parameter  as  well  the  bit- 
length  l  of  messages.  It  outputs  a  common  set  of  public  parameters  PP. 

KeyGen(PP)  The  key  generation  algorithm  takes  as  input  the  system  public  parameters  and 
outputs  a  signature  verification  key  and  secret  key  pair  (VK,  SK). 

4Its  coefficients  are  on  the  order  of  (say)  q2^3,  while  other  terms  -  such  as  a  numerator  e  or  the  principal  ideal 
generator  g  -  are  much,  much  smaller. 
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Sign(PP,  SK,  M  £  {0,  l}f )  The  signing  algorithm  takes  as  input  a  secret  signing  key,  the  common 
public  parameters  as  well  as  a  message  M  £  {0, 1}(.  It  outputs  a  signature  a.  We  emphasize  that 
a  single  signature  that  is  output  by  this  algorithm  is  considered  to  also  be  an  aggregate  signature. 

Aggregate(PP,  S,  S',  a,  a').  The  aggregation  algorithm  takes  as  input  two  multisets  S  and  S', 
two  purported  signatures  on  these  multisets  and  the  public  parameters.  The  elements  of  S  consist 
of  verification  key/message  pairs  {(VKi,  Mi),  ■ .  ■ ,  (VK|<j|,  M§ |)}  and  the  elements  of  S  consist  of 

{(VK/, ,  M[), . . . ,  (VKj5,|,  The  process  produces  a  signature  a  on  the  multiset  S  =  S  Li  S', 

where  U  is  a  multiset  union. 

Verify  (PP,  S,  cr).  The  verification  algorithm  takes  a  input  the  public  parameters,  a  multiset  S  of 
verification  key/message  pairs  and  a  purported  aggregate  signature  a.  It  outputs  true  or  false  to 
indicate  whether  verification  succeeded. 

Correctness  The  correctness  property  states  that  all  valid  aggregate  signatures  will  pass  the 
verification  algorithm,  where  a  valid  aggregate  is  defined  recursively  as  an  aggregate  signature 
derived  by  an  application  of  the  aggregation  algorithm  on  two  valid  inputs  or  the  signing  algorithm. 
More  formally,  for  all  integers  A ,£,k  >  1,  all  PP  £  Setup(lA,Q,  all  (VKj,SKj)  £  KeyGen(PP)  for 
i  =  1  to  k,  Verify(PP,  S ,  cr)  =  1,  if  a  is  a  valid  aggregate  for  multiset  S  under  PP.  We  say  that  an 
aggregate  signature  a  is  valid  for  multiset  S  if:  (1)  S  =  {(VK*,  M)}  for  some  i  £  [1,  k],  M  £  {0, 1 Y 
and  a  £  Sign(PP,  SK,;,  M);  or  (2)  there  exists  multisets  S',  S  where  S  =  S'  U  S  and  valid  aggregate 
signatures  a' ,  a  on  them  respectively  such  that  cr  £  Aggregate(PP,  S,  S' ,  a,  a'). 

B.l  Security  Model  for  Aggregate  Signatures 

We  define  the  adaptive  security  game  as  in  [12,  2],  Informally,  it  should  be  computationally 
infeasible  for  any  adversary  to  produce  a  forgery  implicating  an  honest  signer,  even  when  the 
adversary  can  control  all  other  keys  involved  in  the  aggregate  and  can  mount  a  chosen-message 
attack  on  the  honest  signer.  This  is  defined  using  a  game  between  a  challenger  and  an  adversary 
A  with  respect  to  scheme  II  =  (Setup,  KeyGen,  Sign,  Aggregate,  Verify). 

Unforg(II,  A,  A,  £): 

Setup.  The  challenger  runs  Setup(lA,t)  to  obtain  PP  and  KeyGen(PP)  to  obtain  (VK,  SK).  It 
sends  (PP,  VK)  to  A. 

Queries.  Proceeding  adaptively,  A  requests  signatures  under  VK  on  f-bit  messages  of  his  choice. 
Response.  Finally,  A  outputs  a  multiset  S*  of  verification  key/message  pairs  and  a  purported 
aggregate  signature  cr*. 

We  say  the  adversary  “wins”  or  that  the  output  of  this  experiment  is  1  if:  (1)  Verify(PP,  S* ,  a*)  =  1 
and  (2)  there  exists  an  element  (VK,  M*)  £  S*  such  that  M*  was  not  queried  for  a  signature  by  the 
adversary.  Otherwise,  the  output  is  0.  Define  Forg^  as  the  probability  that  Unforg(II,  A,  \,£)  =  1, 
where  the  probability  is  over  the  coin  tosses  of  the  Setup,  KeyGen,  and  Sign  algorithms  and  of  A. 

Definition  B.l  (Adaptive  Unforgeability)  An  aggregate  signature  scheme  II  is  existentially 
unforgeable  with  respect  to  adaptive  chosen-message  attacks  if  for  all  probabilistic  polynomial-time 
adversaries  A,  the  function  ForgA  is  negligible  in  A. 
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Selective  Security.  We  consider  a  selective  variant  to  Unforg  where  there  is  an  Init  phase 
before  the  Setup  phase,  wherein  A  gives  to  the  challenger  the  forgery  message  M*  £  {0, 1}  .  This 
message  M*  cannot  be  queried  for  a  signature  and  yet  (VK,  M*)  must  appear  in  S* . 

Distinct  Message  Security.  We  consider  a  distinct  message  variant  to  Unforg,  where  the 
game  is  the  same  as  above,  but  we  change  how  we  define  the  experiment  output.  The  output  of  the 
experiment  is  1  if  and  only  if:  (1)  it  was  1  in  the  Unforg  game,  and  (2)  the  message  M*  was  not 
associated  with  any  other  signer.  That  is,  for  all  (VKj,  Afj)  £  S*,  if  VKj  A  VK,  then  Mj  A  M*. 
(The  forgery  message  M*  could  be  associated  with  the  key  VK  multiple  times.  This  is  allowed.) 

C  Transforming  Distinct  Message  Security  into  Standard  Security 

In  this  section,  we  show  how  to  transform  any  aggregate  signature  scheme  proved  in  the  distinct 
message  security  game  into  one  which  is  secure  in  the  standard  security  game.  This  will  apply  to 
both  the  selective  and  full  security  games.  We  remind  the  reader  that  distinct  message  security  is 
not  used  in  the  ID-based  setting,  so  we  consider  only  regular  signatures  here. 

The  transformation  essentially  captures  and  modularizes  idea  of  Boneh,  Gentry,  Lynn  and 
Shacham  [12],  which  was  formally  captured  by  Bellare,  Namprempre,  and  Neven  [2],  of  hashing  the 
public  key  and  message  to  get  an  output  that  is  plugged  in  as  the  message  for  the  core  scheme. 
To  execute  this  transformation  the  message  length,  £,  of  the  core  scheme  must  be  as  large  as  the 
output  of  a  collision-resistant  hash  function.  We  give  the  construction. 

Let  II  =(Setup,  KeyGen,  Sign,  Aggregate,  Verify)  be  an  aggregate  signature  scheme  for  message 
length  £.  Let  H  :  {0, 1}*  — >  {0, 1}(  be  a  collision  resistant  hash  function.  We  build  a  second 
aggregate  signature  scheme  II7  derived  from  II  as  follows.  The  public  parameters  now  include  the 
description  of  H .  Keys  are  generated  as  before.  To  sign  a  message  M  £  {0, 1}*  for  the  user 
associated  with  verification  key  VK,  first  compute  M'  =  H(VK,M )  and  then  run  the  regular 
signing  algorithm  on  M' .  Aggregation  works  the  same  as  before.  The  verification  algorithm  re¬ 
computes  Mj  =  H(VKi,  Mf)  for  each  (VKj,  Mj)  £  S  and  treats  these  as  the  messages  in  the  regular 
verification  algorithm. 

Lemma  C.l  (Distinct  Message  to  Standard  Transformation)  If  II  is  an  adaptively  (resp., 
selectively) ,  distinct  message  secure  aggregate  signature  scheme  for  message  length  i  and  H  : 
{0, 1}*  — >  {0, 1 Y  is  a  collision-resistant  hash  function,  then  II'  as  defined  above  is  an  adaptively 
(reps.,  selectively)  secure  aggregate  signature  scheme. 

Proof.  We  argue  that  any  PPT  adversary  A'  against  II'  can  be  turned  into  a  PPT  adversary  A 
that  breaks  either  II  in  the  distinct  message  game  or  finds  a  collision  in  H.  Let  a*  be  the  forgery 
on  S*  submitted  by  the  adversary  at  the  end  of  the  standard  security  game.  Let  M{, . . . ,  be 
derived  as  Mj  =  H (VKj,  Mj)  for  each  entry  (VKj,  Mi)  in  S* .  We  consider  two  cases. 

First,  suppose  there  exists  some  Mj ,  Mj  such  that  Mj  =  Mj  and  yet  (VKj,  Mi)  A  (VKj,  Mj). 
Then,  the  simulator  can  use  the  adversary  to  find  a  collision  in  the  hash  function  since  H (VKj,  Mj)  = 
H(VKj,  Mj)  and  the  inputs  are  not  equal. 

Otherwise,  it  must  be  the  case  that  if  Mj  =  Mj,  then  (VK j,Mj)  =  (VKj,  Mj).  Thus,  the 
adversary  is  not  violating  the  distinct  message  property  since  there  cannot  be  VKj  A  VKj  where 
Mj  =  M'y  The  simulator  can  reduce  to  the  security  of  the  underlying  distinct  message  secure 
scheme.  □ 
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There  are  alternatives  to  proving  security  in  the  distinct  message  setting  and  then  applying  the 
above  transformation,  which  have  been  explored  in  prior  works.  One  possibility  is  to  require  public 
keys  to  be  registered  with  some  authority,  where  registration  is  contingent  upon  proving  knowledge 
of  the  secret  key  to  the  authority.  Verification  only  proceeds  if  the  public  key  includes  a  registration 
certificate  from  the  authority.  Alternatively,  one  could  include  a  non-interactive  zero  knowledge 
proof  of  knowledge  of  the  private  key  as  part  of  the  private  key.  Verification  only  proceeds  after 
the  verifier  checks  the  NIZKs.  While  we  choose  the  distinct  message  plus  transformation  route,  we 
expect  these  other  alternatives  would  be  viable  with  only  minor  technical  modifications. 

D  Security  of  the  Base  Construction 

We  provide  three  claims  on  the  security  of  the  generic,  base  construction  from  Section  4.1.  The 
proofs  for  the  translation  to  the  GGH  framework  follow  along  the  same  lines  from  these  and  the 
proof  of  the  ID-Based  construction  in  the  GGH  framework. 

D.l  Security  against  Selective  or  Subexponential  Advantage  Attacks 

The  fe-Multilinear  Computational  Diffie-Hellman  (/r-MDDH)  assumption  was  defined  in  Section  4.3. 
We  establish  full  security  of  our  basic  aggregate  signature  scheme  conditioned  on  the  /r-MCDH 
assumption  holding  against  subexponential  advantage.  This  follows  immediately  from  the  following 
theorem  and  a  standard  complexity  leveraging  argument: 

Theorem  D.l  (Selective  Security  of  Base  Construction)  The  aggregate  signature  scheme  for 
message  length  l  in  Section  4-1  is  selectively  secure  in  the  distinct  message  unforgeability  game  un¬ 
der  the  (£  +  1  )-MCDH  assumption. 

Corollary  D.2  The  aggregate  signature  scheme  for  message  length  l  in  Section  4-1  is  fully  secure 
in  the  distinct  message  unforgeability  game  under  the  (f  +  1  )-MCDH  assumption  against  subexpo¬ 
nential  advantage. 

Proof.  This  follows  immediately  from  a  complexity  leveraging  argument:  the  security  parameter 
A  is  chosen  to  ensure  that  2^°  »  2  ,  where  2~^‘°  is  the  maximum  probability  of  success  allowed 
in  the  /c-MCDH  assumption  against  subexponential  advantage.  Now,  to  establish  full  security,  the 
simulator  performs  exactly  as  in  the  selective  security  proof,  but  first  it  simply  guesses  the  message 
that  will  be  forged  (instead  of  expecting  the  adversary  to  produce  this  message).  Because  this 
guess  will  be  correct  with  probability  at  least  2  ,  and  the  security  parameter  A  is  chosen  carefully, 

full  security  with  polynomial  advantage  (or  even  appropriately  defined  subexponential  advantage) 
implies  an  attacker  on  the  fc-MCDH  assumption  with  subexponential  advantage.  □ 

Proof.  (of  Theorem  D.l)  We  show  that  if  there  exists  a  PPT  adversary  A  that  can  break  the 
selective  security  of  the  aggregate  signature  scheme  in  the  distinct  message  unforgeability  game  with 
probability  e  for  message  length  t  and  security  parameter  A,  then  there  exists  a  PPT  simulator 
that  can  break  the  (f  +  1)-MCDH  assumption  for  security  parameter  A  with  probability  e.  The 
simulator  takes  as  input  a  MCDH  instance  (g,gCl,  ■  ■  ■  ,gCk)  together  with  the  group  descriptions 
where  k  =  i  +  1.  The  simulator  plays  the  role  of  the  challenger  in  the  game  as  follows. 

Init.  Let  M*  e  {0, 1}^  be  the  forgery  message  output  by  A. 
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Setup.  The  simulator  chooses  random  G  Zp.  Let  Ajm*  =  gCi  and  Ai  =  gXi .  Set 

x  5  i 

the  challenge  verification  key  as  VK*  =  gCk .  We  remark  that  the  parameters  are  distributed 
independently  and  uniformly  at  random  as  in  the  real  scheme. 


Queries.  The  simulator  can  sign  any  of  A’s  message  requests  using  the  multilinear  map.  Let 
M  G  {0, 1 Y  be  the  request.  The  key  point  is  that  since  M  ^  AI*  there  will  be  at  least  one  i 
where  xt  is  used  (and  Xi  is  known  to  the  simulator).  So  at  most  I  of  the  k  =  1+  1  parameters 
associated  with  ct  will  need  to  be  accumulated  to  make  a  which  is  doable.  That  is,  letting  (3 
be  the  first  index  such  that  mp  /  rrip,  compute  the  pairing  of  all  l  —  1  elements  A^mi  where 
i  ^  j3  together  with  VK*  and  denote  this  o' .  This  requires  t  —  1  pairings  resulting  in  an 
element  in  G^-i-  Next  compute  a  =  o'xP  and  return  a.  Signatures  are  unique  and  perfectly 
distributed  as  in  the  real  game. 


Response.  Eventually,  A  outputs  an  aggregate  signature  a*  on  multiset  S*  where  (VK *,M*)  G 
S* .  The  simulator  will  extract  from  this  a  solution  to  the  MCDH  problem.  This  works 
by  iteratively  computing  all  the  other  signatures  in  S*  and  then  dividing  them  out  of  the 
aggregate  until  only  one  or  more  signatures  on  (VK *,M*)  remain.  That  is,  the  simulator 
takes  an  aggregate  for  S*  and  computes  an  aggregate  signature  for  S'  where  S'  has  one  less 
verification  key/message  pair  than  S  at  each  step.  These  signatures  will  be  peeled  off  in  one 
of  two  ways.  If  the  signature  is  under  key  VK*,  then  it  can  be  computed  as  in  the  query 
phase.  If  the  signature  is  under  key  VK  /  VK*,  then  due  to  the  distinct  message  restriction, 
we  know  M  ^  AI* .  Thus,  there  is  some  (3  where  mp  ^  ml  The  signature  can  be  computed 
similarly  to  the  query  phase  by  pairing  VK  with  all  Aj  mi  where  if -  (3  and  then  raising  the 
result  to  xp.  To  help  see  why  this  works,  recall  that  these  signatures  are  unique. 


Eventually,  we  have  an  aggregate  a'  on  t  >  1  instances  of  (VK*,  AI*).  We  have  that  e(a' ,  g)  = 
e(H(AI*),VK*)t  =  g^'1=1  c‘  and  thus  a'  =  The  simulator  computes  anA  (recall 


that  t  is  not  0  mod  p)  which  gives  glk_\ 
problem. 


and  this  is  given  as  the  solution  to  the  MCDH 


As  remarked  in  the  Setup  and  Query  phase,  the  responses  of  the  challenger  are  distributed 
identically  to  the  real  unforgeability  game.  The  simulator  succeeds  whenever  A  does.  □ 


D.2  Security  against  Adaptive  Attacks 

We  now  give  an  adaptive  proof  of  security  under  a  polynomial  assumption  (as  opposed  to  the 
subexponential  advantage  assumption  necessary  to  achieve  full  security  given  previously).  We 
will  employ  a  parameterized  assumption  family,  where  the  choice  of  assumption  depends  on  the 
adversary’s  behavior.  It  can  be  viewed  as  a  modification/adaptation  of  the  computation  Bilinear- 
Diffie  Heilman  Assumption  (introduced  by  Boneh,  Boyen,  and  Goh  [10])  to  the  multilinear  map 
setting. 

Assumption  D.3  ((n,  fc)-Modified  Multilinear  Computational  Diffie-Hellman  Exponent) 

The  (n,k)- Modified  Multilinear  Computational  Diffie-Hellman  Exponent  (( n,k)-MMCDHE )  prob¬ 
lem  states  the  following:  A  challenger  runs  Q(lx,k)  to  generate  groups  and  generators  of  order  p. 
Then  it  picks  random  a,b,c  G  Zp. 
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The  assumption  then  states  that  given 

g  =  gi,g\  Vi  €  [l  ,n]  /c,  Vi  +  n  g  [1,2  n] 

it  is  hard  to  compute  ( gk-i )aUck  lf>  with  better  than  negligible  advantage  (in  security  parameter  X). 

The  above  assumption  is  only  defined  for  k  >  3  due  to  the  reference  of  the  gk-2  generator. 
Intuitively,  our  proof  will  follow  in  the  Waters  [40]  framework.  Waters  gave  a  technique  for 
partitioning  approximately  a  (hidden)  1/Q  fraction  of  messages  to  be  useful  as  challenge  forgeries 
and  the  other  1  —  1/Q  to  be  messages  a  reduction  algorithm  could  create  signatures  on.  5  Typically, 
one  sets  Q  to  be  the  maximum  number  of  queries  made  by  the  adversary,  although  in  this  case,  we 
must  also  add  in  the  messages  involved  in  the  adversary’s  forgery  aggregate  signature.  We  will  use 
a  multiplicative  analog  of  the  technique  which  is  closer  to  the  VRF  analysis  of  Hohenberger  and 
Waters  [29]. 

Theorem  D.4  (Adaptive  Security  of  Base  Construction)  The  aggregate  signature  scheme  for 
message  length  t  in  Section  4-1  is  adaptively  secure  in  the  distinct  message  unforgeability  game  un¬ 
der  the  (4 Q(£  +  2),£  +  1  )-MMCDHE  assumption,  where  Q  is  the  number  of  signing  queries  made 
by  the  adversary  plus  one  minus  the  number  of  distinct  messages  in  the  forgery  aggregate. 


Proof.  We  show  that  if  there  exists  a  PPT  adversary  A  that  can  break  the  adaptive  security  of 
the  aggregate  signature  scheme  in  the  distinct  message  unforgeability  game  with  probability  e  for 
message  length  £,  security  parameter  A,  making  at  most  Q  signing  queries  and  Q'  distinct  messages 
in  the  forgery  aggregate,  then  there  exists  a  PPT  simulator  that  can  break  the  (n,  fc)-MMCDHE 
assumption  for  security  parameter  A  with  probability  >  64 Q(t+i)  ■ 

The  simulator  takes  as  input  an  MMCDHE  instance 


(g,gb,  Vi  E  [1,  n]  «fv,  Vi  +  n  G  [1,2 n\  (gk.2fc  “  ) 


together  with  the  group  descriptions  where  n  =  AQ{£  +  2)  and  k  =  £  +  1.  The  simulator’s  challenge 
is  to  compute  (gk- i)a"c(fc  1)6  =  (gk~  1)a"ceb.  The  simulator  plays  the  role  of  the  challenger  in  the 
game  as  follows. 


Setup.  The  simulator  first  sets  an  integer  z  =  4 Q  and  chooses  an  integer  t  uniformly  at  random 
between  0  and  £.  Recall  that  Q  is  the  number  of  queries  made  by  the  adversary  plus  one 
minus  the  number  of  distinct  messages  in  S*  that  forms  the  forgery  aggregate  and  £  is  the 
message  bit-length.  It  then  chooses  random  integers  rqcprpi,  •  •  •  Al,Qirt,ur>  between  0  and 
z  —  1.  Additionally,  the  simulator  chooses  random  values  spo,  spi, . . . ,  spo>  se, l  €  Zp*.  These 
values  are  all  kept  internal  to  the  simulator.  Intuitively,  the  r  values  will  be  used  to  embed  the 
challenge,  while  the  s  values  will  be  used  as  blinding  factors  to  present  the  proper  distribution 
to  the  adversary. 

Let  mi  denote  the  zth  bit  of  M.  For  M  E  {0, 1}^,  define  the  functions: 

l  t 

C(M)  =  zt  +  r'  +  '^2  E,m,:  ,  J (M)  =  si)ini 

i= 1  i= 1 

5There  exists  some  variants  of  this  technique  [3,  28,  27]  with  different  loss  tradeoffs.  We  believe  these  tradeoffs 
are  applicable  to  our  setting,  but  we  choose  to  stick  closest  to  the  original  analysis. 
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For  M  £  {0, 1}^,  define  the  binary  function: 


K(M) 


0  if  r'  +  J2i=i  ri^i  =  0  mod  z; 
1  otherwise. 


If  the  function  K  outputs  1  on  a  given  message,  then  we  know  that  the  simulator  will  be 
able  to  correctly  produce  a  signature  on  this  message.  If  the  function  outputs  0,  then  the 
simulator  may  or  may  not  be  able  to  do  it.  This  function  will  be  used  in  later  analysis. 


q)  (  2 £  — T'  ^  ~ j-  7*  "j^  ^ 

The  simulator  sets  the  public  parameters  as  Ago  =  {ga  '  c)Sl’° ,  A\^\  =  (ga  '  c)Sl’1, 

and  Aito  =  ( ga  ,,0c)Si’ 0  and  A,-Lg  =  (ga  !,lc)si.i  for  i  =  2  to  £.  The  simulator  can  compute 
these  values  from  the  challenge  input  since  all  powers  of  a  in  the  exponent  are  at  most 
zt  +  2 (z  —  1)  =  4Q(£  +  2)  —  2  <  n  for  any  possible  choice  of  r',ri,t.  It  sets  the  challenge 
verification  key  as  VK*  =  gb.  It  passes  the  public  information  to  the  adversary.  We  remark 
that  the  parameters  are  distributed  independently  and  uniformly  at  random  as  in  the  real 
scheme. 


Queries.  The  adversary  will  ask  for  signatures  under  the  challenge  verification  key.  On  message 
input  M,  the  simulator  first  checks  if  C{M)  =  n  and  aborts  if  this  is  true.  Otherwise,  it 
outputs  the  signature  as 


Given  the  above  settings,  we  can  verify  that  for  any  value  of  M  £  {0,1}^,  the  maximum  value 
of  C(M)  is  zi  +  (£  +  1  )(z  —  1)  <  2 z{£  +  1)  =  2 n.  Thus,  if  C(M )  /  n,  then  the  simulator  can 
correctly  compute  the  signature. 

Response.  Eventually,  the  adversary  will  output  a  multiset  S*  of  verification  key/message  pairs 
and  a  purported  aggregate  signature  a*  such  that: 

1.  Verify(PP,  S*,  a*)  =  1,  and 

2.  there  exists  an  element  (VK,  M*)  £  S*  such  that  M*  was  not  one  of  the  adversary’s 
signature  query  inputs,  and 

3.  the  message  M*  is  not  signed  by  any  other  signer.  (This  is  the  distinct  message  require¬ 
ment.) 


If  C(M*)  ^  n,  then  the  simulator  will  abort.  The  goal  is  that  the  forgery  message  will  fall 
into  the  “hole”  of  the  assumption  and  that  all  other  messages  with  not. 

If  C(M*)  =  n,  then  the  simulator  will  now  work  to  extract  a  forgery  on  M*  from  the  aggregate 
by  calculating  the  other  signatures  and  then  removing  them  from  the  aggregate.  These  can 
come  both  from  the  challenge  signer  and  other  signers.  The  simulator  does  this  as  follows: 

Signatures  from  other  signers.  For  (VK /,M)  where  VK7  =  gb'  ^  VK,  if  C(M)  =  n,  then  the 
simulator  aborts.  Otherwise,  it  computes  the  signature  as 


<7  = 


e(VK  \g% 


C(M)ck- 1 
-2 


y(M) 


b'acl~M'lceJ(M) 

9  k- 1 
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Signatures  from  challenge  signer.  For  (VK,  M)  where  M  fi  M* ,  if  C{M)  =  n,  then  the 
simulator  aborts.  Otherwise,  it  computes  the  signature  as 


c t  = 


bacl~M'>ceJ(M) 

9k- 1 


Extracting  the  response.  Once  these  signatures  are  calculated  they  can  be  removed  from  the 
aggregate  by  division,  resulting  in  an  aggregate  on  to  >  1  (non-multiple  of  p )  signatures  by 
the  challenge  signer  on  M* .  The  uniqueness  of  this  scheme  dictates  that  this  aggregate  is: 

_  Ugfc  -Abo,c(M*)c?\J(M*)w  _  ((gi-  i 

and  raising  a’  to  1  /  (J  (M*)w)  results  in  {gk- i)6a"cfe  1,  the  solution  to  the  MMCDHE  instance. 
Recall  that  w  is  not  a  multiple  of  the  group  order  p.  J(M*)  is  a  product  of  elements  from 
Z p*  where  p  is  prime  and  therefore  will  also  have  an  inverse  modulo  p. 


A  Series  of  Games  Analysis.  We  now  argue  that  any  successful  adversary  A  against  our  scheme 
will  have  success  in  the  game  presented  by  the  simulator.  To  do  this,  we  first  define  a  sequence  of 
games,  where  the  first  game  models  the  real  security  game  and  the  final  game  is  exactly  the  view 
of  the  adversary  when  interacting  with  the  simulator.  We  then  show  via  a  series  of  claims  that  if 
A  is  successful  in  Game  j,  then  it  will  also  be  successful  in  Game  j  +  1. 


Game  1:  This  game  is  defined  to  be  the  same  as  the  distinct  message  unforgeability  game. 


Game  2:  The  same  as  Game  1,  with  the  exception  that  we  keep  a  record  of  each  signing  query 
made  by  A  concatenated  together  with  each  distinct  message  in  the  forgery  multiset  S*  minus 
M* .  We’ll  denote  M  =  (Mq,  Mi,  M2,  ....,Mq).  Without  loss  of  generality,  let  Mo  =  M*.  At 
the  end  of  the  game,  we  set  z  =  4 Q  and  choose  random  integers  r  =  (rqo,  rgi, . . . ,  mg,  r^i,r') 
between  0  and  z  —  1  and  a  random  integer  t  between  0  and  l.  We  define  the  regular  abort 
function: 


regabort(M,  r,  t) 


1  if  C(M*)  A  n  V?=  1  K(Mi)  =  0; 

0  otherwise. 


This  function  evaluates  to  0  if  the  queries  and  forgery  messages  will  not  cause  a  regular 
abort  by  the  simulator  for  the  given  choice  of  simulation  values.  Consider  the  probabil¬ 
ity  over  all  simulation  values  for  the  given  set  of  queries  and  forgery  messages  as  £(M)  = 
Prj?t[regabort  (M,f,t)  =  0]. 

As  in  [40],  the  simulator  estimates  C [(M )  as  by  evaluating  r(M,f,t )  with  fresh  random 
f,t  values  a  total  of  0(e-2  ln(£“^))  times,  where  £min  =  8q^+1)  •  This  does  not 

require  running  the  adversary  again. 

The  adversary’s  success  in  the  game  is  determined  as  follows: 

1.  Regular  Abort.  If  regabort (M,r,t)  =  1,  then  the  adversary  wins. 

2.  Balancing  (Artificial)  Abort.  Let  Cmin  =  8Q(g+i)  as  derived  from  Claim  D.5.  If  ('  >  Cmim 

the  simulator  will  abort  with  probability  -  (not  abort  with  probability  ^T).  If  it 
aborts,  then  the  adversary  wins. 
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3.  Otherwise,  the  adversary  wins  if  and  only  if  it  outputs  a  valid  forgery. 

Game  3:  The  same  as  Game  2,  with  the  exception  that  the  simulator  tests  if  any  abort  conditions 
are  satisfied,  with  each  new  query  or  response  from  the  adversary,  and  if  so,  follows  the  abort 
procedure  immediately  instead  of  waiting  until  the  end. 

Game  3  is  exactly  the  view  of  the  adversary  when  interacting  with  the  simulator.  We  will 
shortly  prove  that  if  A  succeeds  in  Game  1  with  probability  e,  then  it  succeeds  in  Game  3  with 
probability  >  64Q^+1)- 

Claims  Regarding  the  Probability  of  Aborting.  We  now  establish  one  claim  which  was 
referenced  above  and  two  claims  which  will  be  needed  shortly.  Our  first  claim  helps  us  establish  a 
minimum  probability  that  a  given  set  of  queries/forgery  sets  do  not  cause  a  regular  abort.  We  use 
this  minimum  during  our  balancing  abort  in  Game  2,  to  “even  out”  the  probability  of  an  abort  over 
all  possible  queries/forgery  sets.  In  the  next  two  claims,  we  employ  Chernoff  Bounds  to  establish 
upper  and  lower  bounds  for  any  abort  (regular  or  balancing)  for  any  adversary  behavior.  The  latter 
two  claims  will  be  used  in  the  analysis  of  the  adversary’s  probability  of  success  in  Game  2. 

Proofs  of  these  claims  are  similar  to  related  arguments  in  [40,  29],  but  we  include  them  here  for 
completeness. 

Claim  D.5  Let  £min  =  8q(£+1)  •  For  any  vector  M ,  ( )(M )  >  Cmin- 

Proof.  In  other  words,  the  probability  of  the  simulation  not  triggering  a  general  abort  is  at  least 
Cmin-  This  analysis  follows  that  of  [40],  which  we  reproduce  here  for  completeness.  Without  loss 
of  generality,  we  can  assume  the  adversary  always  makes  the  maximum  Q  queries  and  number  of 
distinct  messages  in  the  output  forgery  set  (since  the  probability  of  not  aborting  increases  with 
fewer  queries/smaller  output  set  size).  Fix  an  arbitrary  M  =  (M* ,  M\, . . . ,  Mq)  G  {0, 1}(<3+1)X^. 


27 

Approved  for  Public  Release;  Distribution  Unlimited. 

723 


Then,  with  the  probability  over  the  choice  of  r.  t,  we  have  that  Pr[abort  on  M]  is 


Q 


Pr[/\  K(Mi)  =  1  A  C(M*)  =  n)\ 


2= 1 

Q  i  Q 

=  (1  -  Pr[\/  K(Mf)  =  0])  Pr \{zt  +  r'  +  ri>m.  =  n)|  [\  K(Mi)  =  1] 

2= 1  2—1  2=1 

Q  IQ 

>  0--J2  Pr [K(Mi)  =  0])  Pr[(zt  +  r'  +  ri>m.  =  n)|  /\  K{Mf)  =  1] 

2=1 

t  Q 


2=1 


2=1 


(1  -  •  Pr[(zi  +  r'  +  ^  rijm.  =  n)  |  f\  K(Mi)  =  1] 


2=1 


2=1 


Q 


1  ■  (1  -  9.)  •  Pr  [JL(M*)  =  0  |  /\  K{Mi)  =  1] 

2=1 


’+1 

1 


_  q  gr \mn  =  o]  •  jMAgg  m)  - 1]  i  mn  =  q] 

+  1  *  Pv[/\f=1K(Mi)  =  l}} 


> 


i 


{i  +  l)z 

1 


{!--)■  Pr[/\  K(Mi)  =  1]  |  K{M*)  =  0] 


Q 


2=1 


•  (1  -  |)  •  (1  -  Pr[\/  K(Mj)  =  0]  |  K(M*)  =  0]) 
'  '  2=1 


Q 


> 


•  (!  -  f )  •  (!  -  E  Pr[^(M*)  =  °]  I  K(M*)  =  0]) 
V  '  2=1 


Q 


> 


_ 1 _ (l-^)2 

(l  +  \)z  1 

(^  +  l)z  1  z  ; 

1 


8Q(£  +  1) 


(1) 

(2) 

(3) 

(4) 

(5) 

(6) 

(7) 

(8) 

(9) 

(10) 

(11) 

(12) 


Equations  4  and  7  derive  from  Pr [K(M)  =  0]  =  1  for  any  query  M.  Equation  5  gets  a  factor  of 
j-  from  the  simulator  taking  a  guess  of  t.  Equation  6  follows  from  Bayes’  Theorem.  Equation  10 
follows  from  the  pairwise  independence  of  the  probabilities  that  K(M)  =  0 =  0  for  any 
pair  of  queries  M  M1,  since  they  will  differ  in  at  least  one  random  rj  value.  Equation  12  follows 
from  our  setting  of  z  =  4 Q.  □ 

Claim  D.6  For  any  vector  M ,  the  probability  that  there  is  an  abort  (i.e.,  regular  or  balancing)  is 
^1  Cmin  aCmin^- 


Proof.  Let  Qx  =  £(M)  be  the  probability  that  the  set  of  queries/forgery  messages  M  do  not  cause 
a  regular  abort.  In  Game  2,  T  =  0(e~ 2  ln(e-1)£~ji  ln(Cmin))  samples  are  taken  to  approximate  this 
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value  as  Q'x.  By  Chernoff  Bounds,  we  have  that  for  all  M , 

pr [T('x  <  T(x(  1  -  -)]  <  e^128£-2  , 

8 

which  reduces  to 

PrKi<Cr(l-|)]<Cmin|. 

The  probability  of  not  aborting  is  equal  to  the  probability  of  not  regular  aborting  (RA)  times  the 
probability  of  not  artificial  aborting  (AA).  Recall  that  for  a  measured  an  artificial  abort  will  not 
happen  with  probability  Cm i n / -  The  probability  of  aborting  is  therefore 


Prfabort]  =  1  —  Pr  [abort]  =  1  —  Pr[RA]  Pr[AA]  =  1  —  (x  Pr[AA] 


C  1  Ca:(Cmin  0  T 


Cmir 


8  Ca:(l  —  e/8) ' 

>  l  -  (C  ■  -  +  <*min  ) 

Umm8  +  i-e/8) 

>  i-(^  +  Wi  +  |)) 

>  1  -  c  -  c  — 

_  J-  Smin  Smin  0 


□ 


Claim  D.7  For  any  vector  M ,  the  probability  that  there  is  no  abort  (i.e.,  regular  or  balancing)  is 
—  Cmin  jCmirR- 

Proof.  Let  (x  =  £(M)  be  the  probability  that  the  set  of  queries/forgery  messages  M  do  not  cause 
a  regular  abort.  In  Game  2,  T  =  0(e~2  hi(e_1)Cmi1n  ln(Cmin))  samples  are  taken  to  approximate  this 
value  as  Cfx.  By  Chernoff  Bounds,  we  have  that  for  all  M, 

Pl[T('x  >  T(x(  1  +  -)]  <  e-[256e“2ln((e/8)-1)C“iJ11n(C“iJ1)](Cmin)(e/8)2/4]^ 

8 

which  reduces  to 

Pr[<i>C*(l  +  |)]  <Cmin|. 

Recall  that  for  a  measured  Qx  an  artificial  abort  (A A)  will  not  happen  with  probability  Cmin/Cx- 
Therefore,  for  any  M,  the  Pr[AA]  >  (1  —  •  It  follows  that 

Pr  [abort]  >  Cr(l  -  ^  )^q^78)  “  Cmin(1  “  8)2  “  Cmin(1  - 

□ 
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Analyzing  A’s  Probability  of  Winning  in  Each  Game.  Define  A’s  probability  of  success  in 
Game  x  as  Adv_4[Ganre  x\.  We  reason  about  the  probability  of  A’s  success  in  the  series  of  games 
as  follows. 


Lemma  D.8  If  Adv_4[Ganre  1]  =  e,  then  Adv_4[Game  2]  >  64q3(|+1)  ■ 


Proof.  We  begin  by  observing  that  Adv_4[Game  2]  is 


> 

> 


Adv_4[Ganre  2 1 a bort]  •  Prfabort]  +  Adv_4[Game  2|abort]  •  Pr[abort] 
Pr[abort]  +  Adv^fGame  2|  a  bort]  •  Pr[abort] 

Pr[abort]  +  Pr[A  forges  |  a  bort]  •  Prfabort] 

Prfabort]  +  Pr[A  forges]  •  Pr[abort|A  forges] 

Pr[abort]  +  e  •  Pr[abort|  A  forges] 

(1-C  min  Cmin  g  :)  +  MC  min  Cmin^) 

3  •  e  •  Cmin 


3  •  e 

64  Q(£  +  1) 


(13) 

(14) 

(15) 

(16) 

(17) 

(18) 

(19) 

(20) 


Equation  14  follows  from  the  fact  that,  in  the  case  of  abort,  A  always  wins.  It  would  be  very 
convenient  if  we  could  claim  that  Adv_4[Ganre  2  |  abort]  =  Adv_4[Game  1],  but  unfortunately,  this 
is  false.  The  event  that  A  wins  Game  2  and  the  event  of  an  abort  are  not  independent;  however, 
we  have  inserted  the  balancing  abort  condition  in  the  attempt  to  lessen  the  dependence  between 
these  events.  Equation  15  simply  states  that,  when  there  is  no  abort,  A  wins  if  and  only  if  it  forges 
correctly.  Equation  16  follows  from  Bayes’  Theorem.  In  Equation  17,  we  observe  that  Pr[A  forges] 
is  exactly  A’s  success  in  Game  1. 

Now,  the  purpose  of  our  balancing  abort  is  to  even  the  probability  of  aborting,  for  all  queries 
and  outputs  of  A,  to  be  roughly  Cmin-  This  will  also  get  rid  of  the  conditional  dependence  on  A 
forging.  There  will  be  a  small  error,  which  must  be  taken  into  account.  We  set  Cmin  =  8Q(i+i)  ^roin 
Claim  D.5.  We  know,  for  all  queries/outputs,  that  Prfabort]  >  1  —  Cmin  —  §Cmin£  from  Claim  D.6 
and  that  Pr[abort]  >  Cmin  —  jCminf  from  Claim  D.7.  Plugging  these  values  into  Equations  18  and 
20  establishes  the  lemma.  □ 


Lemma  D.9  Ad  [Game  3]  =  Ad  [Game  2]. 

Proof.  We  make  the  explicit  observation  that  these  games  are  equivalent  by  observing  that  their 
only  difference  is  the  time  at  which  the  regular  aborts  occur.  The  artificial  abort  stage  is  identical. 
All  public  parameters  and  signatures  provided  by  the  simulator  have  the  same  distribution.  □ 

□ 


E  The  Base  Aggregate  Construction  in  the  GGH  framework 

We  now  describe  how  to  modify  the  construction  of  Section  4.1  to  use  the  GGH  [21]  graded  algebras 
analogue  of  multilinear  maps.  The  translation  of  our  scheme  above  is  straightforward  to  the  GGH 
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setting.  Please  note  that  we  use  the  same  notation  developed  in  [21],  with  some  minor  changes: 
Firstly,  we  use  the  canonical  encoding  function  cenc  provided  by  the  GGH  framework  more  than 
once  at  each  level  of  the  encoding,  but  only  a  globally  fixed  constant  number  of  times  per  level.  This 
is  compatible  with  the  GGH  encoding  [21],  and  allows  for  a  simpler  exposition  of  our  scheme  and 
proof.  Also,  for  ease  of  notation  on  the  reader,  we  suppress  repeated  para  ms  arguments 
that  are  provided  to  every  algorithm..  Thus,  for  instance,  we  will  write  a.  samp()  instead  of 
a  <r-  samp(params).  Note  that  in  our  scheme,  there  will  only  ever  be  a  single  uniquely  chosen  value 
for  params  throughout  the  scheme,  so  there  is  no  cause  for  confusion.  Finally,  we  use  the  variant 
of  the  GGH  framework  with  “strong”  zero-testing,  where  the  zero  test  statistically  guarantees  that 
a  vector  is  a  valid  encoding  of  zero  if  it  passes  the  zero  test.  For  further  details  on  the  GGH 
framework,  please  refer  to  [21]. 

Setup(lA,f?)  The  trusted  setup  algorithm  takes  as  input  the  security  parameter  as  well  as  the 
length  (.  of  messages.  It  then  runs  (params,  pzt)  lnstGen(lA,  1A:=£+1).  Recall  that  params  will  be 
implicitly  given  as  input  to  all  GGH-related  algorithms  below. 

Next,  it  generates  elements  (Aqo,  Aqi), . . . ,  A^i),  each  equal  to  a  fresh  invocation  of 

cenci(l,  samp()). 

These  will  be  used  to  compute  a  function  H  mapping  l  bit  messages  to  level  k  —  1  encodings. 
This  function  serves  as  the  analog  of  the  full  domain  hash  function  of  the  BGLS  [12]  construction. 
Let  mi, . . . ,  rri£  be  the  bits  of  message  M.  It  is  computed  iteratively  as 

HX{M)  =  Ahmi  for  i  g  [2, l\  Ht(M )  =  H*_i(M)  ■  A^M. 

We  define  H{M )  =  cenc2(fc  —  1  ,H((M)). 

The  public  parameters,  PP,  consist  of  the  params,  pzt  plus: 


0^1, 0)  Aqi), . . . ,  {A^ o,  A^i) 


Note  that  params  includes  a  level  1  encoding  of  1,  which  we  denote  as  g. 

KeyGen(PP)  The  key  generation  algorithm  first  chooses  random  a  =  samp().  It  outputs  the 
public  verification  key  as 

VK  =  cenc2(l,  a). 

The  secret  key  SK  is  a. 

Sign(PP,  SK,  M  G  {0, 1}^)  The  signing  algorithm  computes  the  signature  as 

a  =  cenc3 (k  —  1  ,H(M)  ■  a). 

This  serves  as  an  aggregate  signature  for  the  (single  element)  multiset  S  =  {(VK,  M)}. 

Aggregate(PP,  S,  S' ,  <x,  a').  The  aggregation  algorithm  simply  computes  the  output  signature  a 
as  a  =  a  +  a'.  The  serves  as  a  signature  on  the  multiset  S  =  S  U  S' ,  where  U  is  a  multiset  union. 
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Verify (PP,  S,  cr).  The  verification  algorithm  parses  S  as  {(VKi,  Mi), . . . ,  (VK|g|,  M|5|)}.  It  re¬ 
jects  if  the  multiplicity  of  any  public  key,  message  pair  is  greater  than  2A.  We  don’t  expect  this  to 
naturally  occur  much  in  practice. 

The  algorithm  then  proceeds  to  check  the  signature  by  setting  r  =  cenc2(l,gi),  and  testing: 

isZero  |  pzt,  r  •  a  -  ^  H(Mi )  •  VIC,;  J 

and  accepts  if  and  only  if  the  zero  testing  procedure  outputs  true.  Recall  that  g  above  is  a  canonical 
level  1  encoding  of  1  that  is  included  in  para  ms,  part  of  the  public  parameters. 

Correctness.  Correctness  follows  from  the  same  argument  as  for  the  “basic”  aggregate  signature 
scheme  in  the  generic  multilinear  setting. 

Proof  of  Security.  In  Section  5.2,  we  generalize  this  construction  to  provide  ID-based  aggregate 
signatures  in  the  GGH  framework.  We  provide  a  proof  of  selective  security  for  the  ID-based  version 
of  this  scheme  in  the  GGH  framework,  based  on  a  variant  of  the  MCDH  assumption.  Since  our  main 
focus  is  the  ID-based  aggregate  signature  scheme,  we  omit  the  formal  proof  of  selective  security  for 
this  scheme,  but  we  note  that  it  would  be  essentially  identical  to  the  proof  of  the  ID-based  scheme 
that  we  give  in  Section  5.3. 

Efficiency  and  Tradeoffs.  An  aggregate  signature  is  one  level  k  —  1  encoding,  independent  of  the 
number  of  messages  aggregated.  In  a  multilinear  setting,  the  space  to  represent  an  encoding  might 
grow  with  k  (which  is  i  +  1).  Indeed,  this  happens  in  the  GGH  [21]  graded  algebra  translation. 
One  way  to  mitigate  this  is  to  differ  the  message  alphabet  size  in  a  tradeoff  of  computation  versus 
storage.  The  above  construction  uses  a  binary  message  alphabet.  If  it  used  an  alphabet  of  2d 
symbols,  then  the  aggregate  signature  could  be  an  i/d  level  encoding,  with  i/d  —  1  multiplications 
required  to  compute  it,  at  the  cost  of  the  public  parameters  requiring  2 di  encodings  in  order  to 
define  the  hash  function  H. 

F  Proof  of  Security  for  the  Generic  ID-Based  Construction 

The  fc-MCDH  assumption  is  defined  in  Appendix  D.l. 

Theorem  F.l  (Selective  Security  of  ID-Based  Construction)  The  ID-based  aggregate  sig¬ 
nature  scheme  for  message  length  I  and  identity  length  n  in  Section  5.1  is  selectively  secure  in  the 
unforgeability  game  in  Section  3  under  the  ( i  +  n)-MCDH  assumption. 

Proof.  We  show  that  if  there  exists  a  PPT  adversary  A  that  can  break  the  selective  security 
of  the  ID-based  aggregate  signature  scheme  in  the  unforgettability  game  with  probability  e  for 
message  length  £,  identity  length  n  and  security  parameter  A,  then  there  exists  a  PPT  simulator 
that  can  break  the  (I  +  ?r)-MCDH  assumption  for  security  parameter  A  with  probability  e.  The 
simulator  takes  as  input  a  MCDH  instance  (g,  gCl , . . . ,  gCk)  together  with  the  group  descriptions 
where  k  =  I  +  n.  Let  m;  denote  the  ith  bit  of  M  and  idj  denote  the  ith  bit  of  X.  The  simulator 
plays  the  role  of  the  challenger  in  the  game  as  follows. 
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Init.  Let  X*  G  {0,  l}n  and  M*  G  {0,  l}e  be  the  forgery  identity /message  pair  output  by  A. 

Setup.  The  simulator  chooses  random  x\, . . . ,  xg,  yi, . . . ,  yn  G  Zp.  For  i  =  1  to  £,  let  Ahm*  =  gCi+n 
and  =  gXi .  For  i  =  1  to  n,  iet  B.g icj*  =  gCi  and  B-  i(j*  =  .  We  remark  that  the 

parameters  are  distributed  independently  and  uniformly  at  random  as  in  the  real  scheme. 

Queries.  Conceptually,  the  simulator  will  be  able  to  create  keys  or  signatures  for  the  adversary, 
because  his  requests  will  differ  from  the  challenge  identity  or  message  in  at  least  one  bit. 
More  specifically, 


1.  Create  New  Key:  The  simulator  begins  with  an  index  i  =  1  and  an  empty  sequence  of 
index/identity /private  key  triples  T .  On  input  an  identity  X  G  {0,  l}n,  if  X  =  X*,  the 
simulator  records  (i,X*,X)  in  T.  Otherwise,  the  simulator  computes  the  secret  key  as 
follows.  Let  fi  be  the  first  index  such  that  idj  /  id*.  Use  n— 2  pairings  on  the  Bj^  values 
to  compute  s  =  (^n_1)ni=i....,nAi^/3  L,id.;  _  Then  compute  SKj  =  syP  =  {gn-  1)^=1,.. 

Record  (i,X,  SKx)  in  T.  Secret  keys  are  unique  and  perfectly  distributed  as  in  the  real 
game. 

2.  Corrupt  User:  On  input  an  index  i  G  [1,  |T|],  the  simulator  returns  to  the  adversary  the 
triple  (LX,,  SKjJ  G  T.  It  returns  an  error  if  T  is  empty  or  i  is  out  of  range.  Recall  that 
i  cannot  be  associated  with  X*  in  this  game. 

3.  Sign:  On  input  an  index  i  G  [1,  |X|]  and  a  message  M  G  {0,1}^,  the  simulator  obtains 
the  triple  (LX,,  SKx()  G  T  or  returns  an  error  if  it  does  not  exist.  If  X,-  7^  X*,  then  the 
simulator  signs  M  with  SKj,  in  the  usual  way. 

If  Zi  =  X*,  then  we  know  M  /  M*.  Let  j3  be  the  first  index  such  that  mg  /  m*g.  Use 
£  —  2  pairings  on  the  values  to  compute  a'  =  (g^-1)^i=i’-’Mi^ai’m*.  Next,  compute 
<j"  =  (j’Xi  =  (g£_ _  pjge  n  _  ]_  pairings  on  the  Bi  i(ji  values  to  compute 
7  =  (5r).)^i=1"  bi,ldi  ■  Finally,  compute  a  =  e(q,  a")  =  (yfc_1)^<6[i,n]  b<.idi)(nie[i,^] 
Return  a  to  A.  Signatures  are  unique  and  perfectly  distributed  as  in  the  real  game. 


Response.  Eventually,  A  outputs  an  aggregate  signature  a*  on  multiset  S*  where  (X*,M*)  G 
S* .  The  simulator  will  extract  from  this  a  solution  to  the  MCDH  problem.  This  works 
by  iteratively  computing  all  the  other  signatures  in  S*  and  then  dividing  them  out  of  the 
aggregate  until  only  one  or  more  signatures  on  (X*,AL*)  remain.  That  is,  the  simulator 
takes  an  aggregate  for  S*  and  computes  an  aggregate  signature  for  S'  where  S'  has  one  less 
verification  key/message  pair  than  S  at  each  step.  These  signatures  will  be  computed  as  in 
the  query  phase. 


Eventually,  we  have  an  aggregate  a'  on  t  >  1  instances  of  (X*,M*).  We  have  that  e(a',g)  = 

h(z* , m*y  =  (5fc)^ni6[i,n] Uid*)(ni6[i, =  (gkynLi*  and  thus  a’  =  (c/fc_i)fnti^.  The 

simulator  computes  a’1/'  (recall  that  t  is  not  0  mod  p)  which  gives  (<7fc_i)n»=i  °i  and  this  is 
given  as  the  solution  to  the  MCDH  problem. 


As  remarked  in  the  Setup  and  Query  phase,  the  responses  of  the  challenger  are 
identically  to  the  real  unforgeability  game.  The  simulator  succeeds  whenever  A  does. 


distributed 

□ 
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Abstract — Bitcoin  is  the  first  e-cash  system  to  see  widespread 
adoption.  While  Bitcoin  offers  the  potential  for  new  types  of 
financial  interaction,  it  has  significant  limitations  regarding 
privacy.  Specifically,  because  the  Bitcoin  transaction  log  is 
completely  public,  users’  privacy  is  protected  only  through  the 
use  of  pseudonyms.  In  this  paper  we  propose  Zerocoin,  a  crypto¬ 
graphic  extension  to  Bitcoin  that  augments  the  protocol  to  allow 
for  fully  anonymous  currency  transactions.  Our  system  uses 
standard  cryptographic  assumptions  and  does  not  introduce 
new  trusted  parties  or  otherwise  change  the  security  model  of 
Bitcoin.  We  detail  Zerocoin’s  cryptographic  construction,  its 
integration  into  Bitcoin,  and  examine  its  performance  both  in 
terms  of  computation  and  impact  on  the  Bitcoin  protocol. 

I.  Introduction 

Digital  currencies  have  a  long  academic  pedigree.  As  of 
yet,  however,  no  system  from  the  academic  literature  has 
seen  widespread  use.  Bitcoin,  on  the  other  hand,  is  a  viable 
digital  currency  with  a  market  capitalization  valued  at  more 
than  $100  million  [1]  and  between  $2  and  $5  million  USD 
in  transactions  a  day  [2].  Unlike  many  proposed  digital 
currencies,  Bitcoin  is  fully  decentralized  and  requires  no 
central  bank  or  authority.  Instead,  its  security  depends  on  a 
distributed  architecture  and  two  assumptions:  that  a  majority 
of  its  nodes  are  honest  and  that  a  substantive  proof-of- 
work  can  deter  Sybil  attacks.  As  a  consequence,  Bitcoin 
requires  neither  legal  mechanisms  to  detect  and  punish  double 
spending  nor  trusted  parties  to  be  chosen,  monitored,  or 
policed.  This  decentralized  design  is  likely  responsible  for 
Bitcoin’s  success,  but  it  comes  at  a  price:  all  transactions 
are  public  and  conducted  between  cryptographically  binding 
pseudonyms. 

While  relatively  few  academic  works  have  considered  the 
privacy  implications  of  Bitcoin’s  design  [2, 3],  the  preliminary 
results  are  not  encouraging.  In  one  example,  researchers 
were  able  to  trace  the  spending  of  25,000  bitcoins  that  were 
allegedly  stolen  in  201 1  [3, 4],  Although  tracking  stolen  coins 
may  seem  harmless,  we  note  that  similar  techniques  could 
also  be  applied  to  trace  sensitive  transactions,  thus  violating 
users’  privacy.  Moreover,  there  is  reason  to  believe  that 
sophisticated  results  from  other  domains  (e.g.,  efforts  to  de¬ 
anonymize  social  network  data  using  network  topology  [5]) 
will  soon  be  applied  to  the  Bitcoin  transaction  graph. 

Since  all  Bitcoin  transactions  are  public,  anonymous 
transactions  are  necessary  to  avoid  tracking  by  third  parties 
even  if  we  do  not  wish  to  provide  the  absolute  anonymity 


typically  associated  with  e-cash  schemes.  On  top  of  such 
transactions,  one  could  build  mechanisms  to  partially  or 
explicitly  identify  participants  to  authorized  parties  (e.g., 
law  enforcement).  However,  to  limit  this  information  to 
authorized  parties,  we  must  first  anonymize  the  underlying 
public  transactions. 

The  Bitcoin  community  generally  acknowledges  the 
privacy  weaknesses  of  the  currency.  Unfortunately,  the 
available  mitigations  are  quite  limited.  The  most  common 
recommendation  is  to  employ  a  laundry  service  which 
exchanges  different  users’  bitcoins.  Several  of  these  are  in 
commercial  operation  today  [6,7].  These  services,  however, 
have  severe  limitations:  operators  can  steal  funds,  track  coins, 
or  simply  go  out  of  business,  taking  users’  funds  with  them. 
Perhaps  in  recognition  of  these  risks,  many  services  offer 
short  laundering  periods,  which  lead  to  minimal  transaction 
volumes  and  hence  to  limited  anonymity. 

Our  contribution.  In  this  paper  we  describe  Zerocoin.  a 
distributed  e-cash  system  that  uses  cryptographic  techniques 
to  break  the  link  between  individual  Bitcoin  transactions 
without  adding  trusted  parties.  To  do  this,  we  first  define 
the  abstract  functionality  and  security  requirements  of  a  new 
primitive  that  we  call  a  decentralized  e-cash  scheme.  We  next 
propose  a  concrete  instantiation  and  prove  it  secure  under 
standard  cryptographic  assumptions.  Finally,  we  describe 
the  specific  extensions  required  to  integrate  our  protocol 
into  the  Bitcoin  system  and  evaluate  the  performance  of  a 
prototype  implementation  derived  from  the  original  open- 
source  bitcoind  client. 

We  are  not  the  first  to  propose  e-cash  techniques  for 
solving  Bitcoin’s  privacy  problems.  However,  a  common 
problem  with  many  e-cash  protocols  is  that  they  rely 
fundamentally  on  a  trusted  currency  issuer  or  “bank,”  who 
creates  electronic  “coins”  using  a  blind  signature  scheme. 
One  solution  (attempted  unsuccessfully  with  Bitcoin  [8]) 
is  to  simply  appoint  such  a  party.  Alternatively,  one  can 
distribute  the  responsibility  among  a  quorum  of  nodes  using 
threshold  cryptography.  Unfortunately,  both  of  these  solutions 
introduce  points  of  failure  and  seem  inconsistent  with  the 
Bitcoin  network  model,  which  consists  of  many  untrusted 
nodes  that  routinely  enter  and  exit  the  network.  Moreover,  the 
problem  of  choosing  long-term  trusted  parties,  especially  in 
the  legal  and  regulatory  grey  area  Bitcoin  operates  in,  seems 
like  a  major  impediment  to  adoption.  Zerocoin  eliminates 
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Figure  1:  Two  example  block  chains.  Chain  (a)  illustrates  a  normal  Bitcoin  transaction  history,  with  each  transaction  linked 
to  a  preceding  transaction.  Chain  (b)  illustrates  a  Zerocoin  chain.  The  linkage  between  mint  and  spend  (dotted  line)  cannot 
be  determined  from  the  block  chain  data. 


the  need  for  such  coin  issuers  by  allowing  individual  Bitcoin 
clients  to  generate  their  own  coins  —  provided  that  they 
have  sufficient  classical  bitcoins  to  do  so. 

Intuition  behind  our  construction.  To  understand  the  intuition 
behind  Zerocoin,  consider  the  following  “pencil  and  paper” 
protocol  example.  Imagine  that  all  users  share  access  to 
a  physical  bulletin  board.  To  mint  a  zerocoin  of  fixed 
denomination  $1,  a  user  Alice  first  generates  a  random  coin 
serial  number  S,  then  commits  to  S  using  a  secure  digital 
commitment  scheme.  The  resulting  commitment  is  a  coin, 
denoted  C,  which  can  only  be  opened  by  a  random  number 
r  to  reveal  the  serial  number  S.  Alice  pins  C  to  the  public 
bulletin  board,  along  with  $1  of  physical  currency.  All  users 
will  accept  C  provided  it  is  correctly  structured  and  carries 
the  correct  sum  of  currency. 

To  redeem  her  coin  C,  Alice  first  scans  the  bulletin  board 
to  obtain  the  set  of  valid  commitments  (C i, . . . ,  Cjv)  that 
have  thus  far  been  posted  by  all  users  in  the  system.  She  next 
produces  a  non-interactive  zero-knowledge  proof  n  for  the 
following  two  statements:  (1)  she  knows  a  C  £  (Ci, . . . ,  Cn ) 
and  (2)  she  knows  a  hidden  value  r  such  that  the  commitment 
C  opens  to  S.  In  full  view  of  the  others,  Alice,  using  a 
disguise  to  hide  her  identity,1  posts  a  “spend”  transaction 
containing  (S,  n).  The  remaining  users  verify  the  proof  7 r 
and  check  that  S  has  not  previously  appeared  in  any  other 
spend  transaction.  If  these  conditions  are  met,  the  users  allow 

*Of  course,  in  the  real  protocol  Alice  will  emulate  this  by  using  an 
anonymity  network  such  as  Tor  [9]. 


Alice  to  collect  $1  from  any  location  on  the  bulletin  board; 
otherwise  they  reject  her  transaction  and  prevent  her  from 
collecting  the  currency. 

This  simple  protocol  achieves  some  important  aims.  First, 
Alice’s  minted  coin  cannot  be  linked  to  her  retrieved  funds: 
in  order  to  link  the  coin  C  to  the  the  serial  number  S  used 
in  her  withdrawal,  one  must  either  know  r  or  directly  know 
which  coin  Alice  proved  knowledge  of,  neither  of  which  are 
revealed  by  the  proof.  Thus,  even  if  the  original  dollar  bill 
is  recognizably  tainted  (e.g.,  it  was  used  in  a  controversial 
transaction),  it  cannot  be  linked  to  Alice’s  new  dollar  bill. 
At  the  same  time,  if  the  commitment  and  zero-knowledge 
proof  are  secure,  then  Alice  cannot  double-spend  any  coin 
without  re-using  the  serial  number  S  and  thus  being  detected 
by  the  network  participants. 

Of  course,  the  above  protocol  is  not  workable:  bulletin 
boards  are  a  poor  place  to  store  money  and  critical  informa¬ 
tion.  Currency  might  be  stolen  or  serial  numbers  removed 
to  allow  double  spends.  More  importantly,  to  conduct  this 
protocol  over  a  network,  Alice  requires  a  distributed  digital 
backing  currency.2 

The  first  and  most  basic  contribution  of  our  work  is 
to  recognize  that  Bitcoin  answers  all  of  these  concerns, 
providing  us  with  a  backing  currency,  a  bulletin  board,  and 
a  conditional  currency  redemption  mechanism.  Indeed,  the 
core  of  the  Bitcoin  protocol  is  the  decentralized  calculation 

-One  could  easily  imagine  a  solution  based  on  existing  payment  networks, 
e.g.,  Visa  or  Paypal.  However,  this  would  introduce  the  need  for  trusted 
parties  or  exchanges. 
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of  a  block  chain  which  acts  as  a  trusted,  append-only 
bulletin  board  that  can  both  store  information  and  process 
financial  transactions.  Alice  can  add  her  commitments  and 
escrow  funds  by  placing  them  in  the  block  chain  while 
being  assured  that  strict  protocol  conditions  (and  not  her 
colleagues’  scruples)  determine  when  her  committed  funds 
may  be  accessed. 

Of  course,  even  when  integrated  with  the  Bitcoin  block 
chain,  the  protocol  above  has  another  practical  challenge. 
Specifically,  it  is  difficult  to  efficiently  prove  that  a  commit¬ 
ment  C  is  in  the  set  (Ci, . . . ,  Cn)-  The  naive  solution  is  to 
prove  the  disjunction  (C  =  C\)  V  (C  =  Cf)  V  ...  V  (C  = 
Cn)-  Unfortunately  such  “OR  proofs”  have  size  0(N ), 
which  renders  them  impractical  for  all  but  small  values  of 
N. 

Our  second  contribution  is  to  solve  this  problem,  producing 
a  new  construction  with  proofs  that  do  not  grow  linearly  as 
N  increases.  Rather  than  specifying  an  expensive  OR  proof, 
we  employ  a  “public”  one-way  accumulator  to  reduce  the 
size  of  this  proof.  One-way  accumulators  [10, 11, 12, 13, 14], 
first  proposed  by  Benaloh  and  de  Mare  [10],  allow  parties  to 
combine  many  elements  into  a  constant-sized  data  structure, 
while  efficiently  proving  that  one  specific  value  is  contained 
within  the  set.  In  our  construction,  the  Bitcoin  network  com¬ 
putes  an  accumulator  A  over  the  commitments  (Ci, . . . ,  Cn), 
along  with  the  appropriate  membership  witnesses  for  each 
item  in  the  set.  The  spender  need  only  prove  knowledge  of 
one  such  witness.  In  practice,  this  can  reduce  the  cost  of  the 
spender’s  proof  to  0(log  N)  or  even  constant  size. 

Our  application  requires  specific  properties  from  the 
accumulator.  With  no  trusted  parties,  the  accumulator  and 
its  associated  witnesses  must  be  publicly  computable  and 
verifiable  (though  we  are  willing  to  relax  this  requirement 
to  include  a  single,  trusted  setup  phase  in  which  parameters 
are  generated).  Moreover,  the  accumulator  must  bind  even 
the  computing  party  to  the  values  in  the  set.  Lastly,  the 
accumulator  must  support  an  efficient  non-interactive  witness- 
indistinguishable  or  zero-knowledge  proof  of  set  membership. 
Fortunately  such  accumulators  do  exist.  In  our  concrete 
proposal  of  Section  IV  we  use  a  construction  based  on  the 
Strong  RSA  accumulator  of  Camenisch  and  Lysyanskaya  [12], 
which  is  in  turn  based  on  an  accumulator  of  Baric  and 
Phtzmann  [11]  and  Benaloh  and  de  Mare  [10]. 

Outline  of  this  work.  The  rest  of  this  paper  proceeds  as 
follows.  In  Section  II  we  provide  a  brief  technical  overview 
of  the  Bitcoin  protocol.  In  Section  III  we  formally  define 
the  notion  of  decentralized  e-cash  and  provide  correctness 
and  security  requirements  for  such  a  system.  In  Section  IV 
we  give  a  concrete  realization  of  our  scheme  based  on 
standard  cryptographic  hardness  assumptions  including  the 
Discrete  Logarithm  problem  and  Strong  RSA.  Finally,  in 
Sections  V,  VI,  and  VII,  we  describe  how  we  integrate  our 
e-cash  construction  into  the  Bitcoin  protocol,  discuss  the 


security  and  anonymity  provided,  and  detail  experimental 
results  showing  that  our  solution  is  practical. 

II.  Overview  of  Bitcoin 

In  this  section  we  provide  a  short  overview  of  the  Bitcoin 
protocol.  For  a  more  detailed  explanation,  we  refer  the  reader 
to  the  original  specification  of  Nakamoto  [15]  or  to  the 
summary  of  Barber  et  al.  [2], 

The  Bitcoin  network.  Bitcoin  is  a  peer-to-peer  network  of 
nodes  that  distribute  and  record  transactions,  and  clients  used 
to  interact  with  the  network.  The  heart  of  Bitcoin  is  the 
block  chain ,  which  serves  as  an  append-only  bulletin  board 
maintained  in  a  distributed  fashion  by  the  Bitcoin  peers. 
The  block  chain  consists  of  a  series  of  blocks  connected  in 
a  hash  chain.3  Every  Bitcoin  block  memorializes  a  set  of 
transactions  that  are  collected  from  the  Bitcoin  broadcast 
network. 

Bitcoin  peers  compete  to  determine  which  node  will 
generate  the  next  canonical  block.  This  competition  requires 
each  node  to  solve  a  proof  of  work  based  on  identifying 
specific  SFIA-256  preimages,  specifically  a  block  B  such 
that  SHA256(SHA256(B))  =  (0£||{0,  l}256"1).4  The  value 
£  is  selected  by  a  periodic  network  vote  to  ensure  that  on 
average  a  block  is  created  every  10  minutes.  When  a  peer 
generates  a  valid  solution,  a  process  known  as  mining,  it 
broadcasts  the  new  block  to  all  nodes  in  the  system.  If  the 
block  is  valid  (i.e.,  all  transactions  validate  and  a  valid  proof 
of  work  links  the  block  to  the  chain  thus  far),  then  the  new 
block  is  accepted  as  the  head  of  the  block  chain.  The  process 
then  repeats. 

Bitcoin  provides  two  separate  incentives  to  peers  that  mine 
new  blocks.  First,  successfully  mining  a  new  block  (which 
requires  a  non-trivial  computational  investment)  entitles  the 
creator  to  a  reward,  currently  set  at  25  BTC.5  Second,  nodes 
who  mine  blocks  are  entitled  to  collect  transaction  fees  from 
every  transaction  they  include.  The  fee  paid  by  a  given 
transaction  is  determined  by  its  author  (though  miners  may 
exclude  transactions  with  insufficient  fees  or  prioritize  high 
fee  transactions). 

Bitcoin  transactions.  A  Bitcoin  transaction  consists  of  a  set 
of  outputs  and  inputs.  Each  output  is  described  by  the  tuple 
(a,  V)  where  a  is  the  amount,  denominated  in  Satoshi  (one 
bitcoin  =  10°  Satoshi),  and  V  is  a  specification  of  who  is 
authorized  to  spend  that  output.  This  specification,  denoted 
SCriptPubKey,  is  given  in  Bitcoin  script,  a  stack-based  non- 
Turing-complete  language  similar  to  Forth.  Transaction  inputs 

3  For  efficiency  reasons,  this  chain  is  actually  constructed  using  a  hash 
tree,  but  we  use  the  simpler  description  for  this  overview. 

4Each  block  includes  a  counter  value  that  may  be  incremented  until  the 
hash  satisfies  these  requirements. 

3  The  Bitcoin  specification  holds  that  this  reward  should  be  reduced  every 
few  years,  eventually  being  eliminated  altogether. 
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Input : 

Previous  tx:  030b5937d9f 4aaala3133b. . . 

Index:  0 

scriptSig:  0dcd253cdf 8eallcdc710e5e92af 7647 . . . 

Output : 

Value:  5000000000 

scriptPubKey :  OP_DUP  OP_HASH160 

a45f 2757f 94fd2337ebf 7ddd018clla2 Ifb6c283 

OP_EQUAL VERIFY  OP_CHECKSIG 

Figure  2:  Example  Bitcoin  transaction.  The  output  script 
specifies  that  the  redeeming  party  provide  a  public  key  that 
hashes  to  the  given  value  and  that  the  transaction  be  signed 
with  the  corresponding  private  key. 

are  simply  a  reference  to  a  previous  transaction  output,6 
as  well  as  a  second  script.  scriptSig.  with  code  and  data 
that  when  combined  with  scriptPubKey  evaluates  to  true. 
Coinbase  transactions,  which  start  off  every  block  and  pay 
its  creator,  do  not  include  a  transaction  input. 

To  send  d  bitcoins  to  Bob,  Alice  embeds  the  hash7  of 
Bob’s  ECDSA  public  key  pkb,  the  amount  d,  and  some  script 
instructions  in  scriptPubKey  as  one  output  of  a  transaction 
whose  referenced  inputs  total  at  least  d  bitcoins  (see  Figure  2). 
Since  any  excess  input  is  paid  as  a  transaction  fee  to  the  node 
who  includes  it  in  a  block,  Alice  typically  adds  a  second 
output  paying  the  surplus  change  back  to  herself.  Once  the 
transaction  is  broadcasted  to  the  network  and  included  in 
a  block,  the  bitcoins  belong  to  Bob.  Flowever,  Bob  should 
only  consider  the  coins  his  once  at  least  five  subsequent 
blocks  reference  this  block.8  Bob  can  spend  these  coins  in 
a  transaction  by  referencing  it  as  an  input  and  including  in 
scriptSig  a  signature  on  the  claiming  transaction  under  skb 
and  the  public  key  pkb. 

Anonymity.  Anonymity  was  not  one  of  the  design  goals 
of  Bitcoin  [3, 15, 17].  Bitcoin  provides  only  pseudonymity 
through  the  use  of  Bitcoin  identities  (public  keys  or  their 
hashes),  of  which  a  Bitcoin  user  can  generate  an  unlimited 
number.  Indeed,  many  Bitcoin  clients  routinely  generate  new 
identities  in  an  effort  to  preserve  the  user’s  privacy. 

Regardless  of  Bitcoin  design  goals,  Bitcoin’s  user  base 
seems  willing  to  go  through  considerable  effort  to  maintain 
their  anonymity  —  including  risking  their  money  and  paying 
transaction  fees.  One  illustration  of  this  is  the  existence  of 
laundries  that  (for  a  fee)  will  mix  together  different  users’ 
funds  in  the  hopes  that  shuffling  makes  them  difficult  to 
trace  [2,6,7].  Because  such  systems  require  the  users  to  trust 
the  laundry  to  both  (a)  not  record  how  the  mixing  is  done 

6This  reference  consists  of  a  transaction  hash  identifier  as  well  as  an 
index  into  the  transaction’s  output  list. 

7A  34  character  hash  that  contains  the  double  SHA-256  hash  of  the  key 
and  some  checksum  data. 

individual  recipients  are  free  to  disregard  this  advice.  However,  this 
could  make  them  vulnerable  to  double-spending  attacks  as  described  by 
Karame  et  al.  [16]. 


and  (6)  give  the  users  back  the  money  they  put  in  to  the  pot, 
use  of  these  systems  involves  a  fair  amount  of  risk. 

III.  Decentralized  E-Cash 

Our  approach  to  anonymizing  the  Bitcoin  network  uses  a 
form  of  cryptographic  e-cash.  Since  our  construction  does  not 
require  a  central  coin  issuer,  we  refer  to  it  as  a  decentralized 
e-cash  scheme.  In  this  section  we  define  the  algorithms 
that  make  up  a  decentralized  e-cash  scheme  and  describe 
the  correctness  and  security  properties  required  of  such  a 
system. 

Notation.  Let  A  represent  an  adjustable  security  parameter, 
let  poly(-)  represent  some  polynomial  function,  and  let  v{-) 
represent  a  negligible  function.  We  use  C  to  indicate  the  set 
of  allowable  coin  values. 

Definition  3.1  ( Decentralized  E-Cash  Scheme):  A  decen¬ 
tralized  e-cash  scheme  consists  of  a  tuple  of  possibly 
randomized  algorithms  (Setup,  Mint,  Spend,  Verify). 

•  Setup(lA)  — ►  params.  On  input  a  security  parameter, 
output  a  set  of  global  public  parameters  params  and  a 
description  of  the  set  C. 

•  Mint  (params)  -4  ( c,skc ).  On  input  parameters 

params,  output  a  coin  c  £  C,  as  well  as  a  trapdoor 
skc. 

•  Spend(params,c,skc,R,C)  — >  (7 r,  5).  Given 

params,  a  coin  c,  its  trapdoor  skc,  some  transaction 
string  R  £  {0, 1}*,  and  an  arbitrary  set  of  coins  C, 
output  a  coin  spend  transaction  consisting  of  a  proof  ir 
and  serial  number  S  if  c  £  C  C  C.  Otherwise  output 
_L. 

«  Verify(params,  7r,  S,  R,  C)  — t  {0,1}.  Given  params, 
a  proof  7T,  a  serial  number  S,  transaction  information  II, 
and  a  set  of  coins  C,  output  1  if  C  C  C  and  (7r,  S,  R) 
is  valid.  Otherwise  output  0. 

We  note  that  the  Setup  routine  may  be  executed  by  a 
trusted  party.  Since  this  setup  occurs  only  once  and  does  not 
produce  any  corresponding  secret  values,  we  believe  that  this 
relaxation  is  acceptable  for  real-world  applications.  Some 
concrete  instantiations  may  use  different  assumptions. 

Each  coin  is  generated  using  a  randomized  minting 
algorithm.  The  serial  number  S'  is  a  unique  value  released 
during  the  spending  of  a  coin  and  is  designed  to  prevent 
any  user  from  spending  the  same  coin  twice.  We  will 
now  formalize  the  correctness  and  security  properties  of 
a  decentralized  e-cash  scheme.  Each  call  to  the  Spend 
algorithm  can  include  an  arbitrary  string  R,  which  is  intended 
to  store  transaction-specific  information  (e.g.,  the  identity  of 
a  transaction  recipient). 

Correctness.  Every  decentralized  e-cash  scheme  must  satisfy 
the  following  correctness  requirement.  Let  params  ■£- 
Setup(lA)  and  (c,  skc)  ■£-  Mint(params).  Let  C  C  C 
be  any  valid  set  of  coins,  where  |C|  <  poly  (A),  and 
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assign  (n,S)  £-  Spend(params,c,skc,R,C).  The  scheme 
is  correct  if,  over  all  C,  R,  and  random  coins  used  in 
the  above  algorithms,  the  following  equality  holds  with 
probability  1  —  v(X)\ 

Verify (params,  ir,  S,  R,  C  U  {c})  =  1 

Security.  The  security  of  a  decentralized  e-cash  system  is 
defined  by  the  following  two  games:  Anonymity  and  Balance. 
We  first  describe  the  Anonymity  experiment,  which  ensures 
that  the  adversary  cannot  link  a  given  coin  spend  transaction 
(n,  S)  to  the  coin  associated  with  it,  even  when  the  attacker 
provides  many  of  the  coins  used  in  generating  the  spend 
transaction. 

Definition  3.2  (Anonymity):  A  decentralized  e-cash 
scheme  II  =  (Setup,  Mint,  Spend,  Verify)  satisfies  the 
Anonymity  requirement  if  every  probabilistic  polynomial¬ 
time  (p.p.t.)  adversary  A  =  (Vli,^)  has  negligible 

advantage  in  the  following  experiment. 

Anonymity(II,  A.  A) 
params  <-  Setup(lA) 

For  i  £  {0, 1}:  ( Ci,skCi )  A-  Mint(params) 

(C,  R,  z)  ■£-  A\(params ,  Cq ,  Ci);  b  ■£-  {0, 1} 

(7 r,  S )  -s—  Spend(pararas,  Cb,  skcb ,  R,  C  U  {co,  ci}) 
Output:  b' t—  .42(2, 7 r,  S) 

We  define  Vi’s  advantage  in  the  above  game  as 
|Pr  [b  =  b']  —  1/2|. 

The  Balance  property  requires  more  consideration.  Intu¬ 
itively,  we  wish  to  ensure  that  an  attacker  cannot  spend  more 
coins  than  she  mints,  even  when  she  has  access  to  coins  and 
spend  transactions  produced  by  honest  parties.  Note  that  to 
strengthen  our  definition,  we  also  capture  the  property  that 
an  attacker  might  alter  valid  coins,  e.g.,  by  modifying  their 
transaction  information  string  R. 

Our  definition  is  reminiscent  of  the  “one-more  forgery” 
definition  commonly  used  for  blind  signatures.  We  provide 
the  attacker  with  a  collection  of  valid  coins  and  an  oracle 
Ospend  that  she  may  use  to  spend  any  of  them.9  Ultimately 
A  must  produce  to  coins  and  m  +  1  valid  spend  transactions 
such  that  no  transaction  duplicates  a  serial  number  or  modifies 
a  transaction  produced  by  the  honest  oracle. 

Definition  3.3  (Balance):  A  decentralized  e-cash  scheme 
II  =  (Setup,  Mint,  Spend.  Verify)  satisfies  the  Balance 
property  if  \/N  <  poly(A)  every  p.p.t.  adversary  A  has 
negligible  advantage  in  the  following  experiment. 

Balance(II,  A.  N,  A) 
params  ■£-  Setup(lA) 

For  i  =  1  to  N:  ( Ci,skci )  <-  Mint  (params) 
Output.  (d\  , .  •  • ,  cm ,  , . . . ,  Sm ,  ) 

£-  A°3pe,id^''’^  (params,  c\, . . . ,  cn) 

9We  provide  this  functionality  as  an  oracle  to  capture  the  possibility  that 
the  attacker  can  specify  arbitrary  input  for  the  value  C. 


The  oracle  Ospend  operates  as  follows:  on  the  jth 
query  03pend(cj,Cj,  Rj),  the  oracle  outputs  _L  if 
Cj  (f  {ci, . . Cjv}.  Otherwise  it  returns  (iTj,Sj)  ■£- 
Spend(params, Cj,skCj,Rj,Cj )  to  A  and  records  ( Sj,Rj ) 
in  the  set  T. 

We  say  that  A  wins  (i.e.,  she  produces  more  spends 
than  minted  coins)  if  Vs  £  {<Si, . . .  ,<STO,<STO+i}  where 
s  =  (n',  S',  R',  C'): 

•  Verify  (params,  7 V,  S' ,  R' ,  C')  =  1. 

•  C  £  {ci , . . . ,  Cjv ,  Ci , ... ,  c'mJ. 

.  (S',R!)<fT. 

•  S'  appears  in  only  one  tuple  from  {5i , . . . ,  Sm,  <Sm+i}. 

We  define  Vi’s  advantage  as  the  probability  that  Vl  wins 

the  above  game. 

IV.  Decentralized  E-Cash  from  Strong  RSA 

In  this  section  we  describe  a  concrete  instantiation  of  a 
decentralized  e-cash  scheme.  We  first  define  the  necessary 
cryptographic  ingredients. 

A.  Cryptographic  Building  Blocks 

Zero-knowledge  proofs  and  signatures  of  knowledge.  Our 
protocols  use  zero-knowledge  proofs  that  can  be  instantiated 
using  the  technique  of  Schnorr  [18],  with  extensions  due  to 
e.g.,  [19,20,21.22].  We  convert  these  into  non-interactive 
proofs  by  applying  the  Fiat-Shamir  heuristic  [23].  In  the 
latter  case,  we  refer  to  the  resulting  non-interactive  proofs 
as  signatures  of  knowledge  as  defined  in  [24]. 

When  referring  to  these  proofs  we  will  use  the  notation  of 
Camenisch  and  Stadler  [25].  For  instance,  NIZKPoK{(a:,  y)  : 
h  =  gx  A  c  =  gy}  denotes  a  non-interactive  zero-knowledge 
proof  of  knowledge  of  the  elements  x  and  y  that  satisfy  both 
h  =  gx  and  c  =  gv.  All  values  not  enclosed  in  ()’s  are 
assumed  to  be  known  to  the  verifier.  Similarly,  the  extension 
ZKSoK[?n]{(a:,  y)  :  h  =  gx  A  c  =  gv}  indicates  a  signature 
of  knowledge  on  message  m. 

Accumulators.  Our  construction  uses  an  accumulator  based 
on  the  Strong  RSA  assumption.  The  accumulator  we  use 
was  first  proposed  by  Benaloh  and  de  Mare  [10]  and  later 
improved  by  Baric  and  Pfitzmann  [11]  and  Camenisch  and 
Lysyanskaya  [12].  We  describe  the  accumulator  using  the 
following  algorithms: 

•  AccumSetup(A)  — >■  params.  On  input  a  security  param¬ 
eter,  sample  primes  p,  q  (with  polynomial  dependence  on 
the  security  parameter),  compute  N  =  pq ,  and  sample  a 
seed  value  u  £  QRn,  m/1.  Output  (N,  u)  as  params. 

•  Accumu\ate(params,C)  — ►  A.  On  input  params 
(N,  u)  and  a  set  of  prime  numbers  C  = 
{ci, . . .  ,Ci  |  c  £  [A,  $]},10  compute  the  accumulator  Vl 
as  uClC2"'Cn  mod  N. 

10See  Appendix  A  for  a  more  precise  description. 
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•  Gen\N\tness(params,  v,  C)  — »  w.  On  input  params 
( N,u ),  a  set  of  prime  numbers  C  as  described  above, 
and  a  value  v  £  C,  the  witness  w  is  the  accumu¬ 
lation  of  all  the  values  in  C  besides  v,  i.e.,  w  = 
Accumulate(params,  C  \  {r;}). 

•  AccVerify (params,  A,  v,cu)  -A  {0,1}.  On  input 
params  ( N,u ),  an  element  v,  and  witness  w,  compute 
A!  =  oov  mod  N  and  output  1  if  and  only  if  A'  =  A, 
v  is  prime,  and  v  £  [A.  rB\  as  defined  previously. 

For  simplicity,  the  description  above  uses  the  full  calculation 
of  A.  Camenisch  and  Lysyanskaya  [12]  observe  that  the 
accumulator  may  also  be  incrementally  updated,  i.e.,  given 
an  existing  accumulator  An  it  is  possible  to  add  an  element 
x  and  produce  a  new  accumulator  value  An+ 1  by  computing 
An+i  =  A *  mod  N.  We  make  extensive  use  of  this 
optimization  in  our  practical  implementation. 

Camenisch  and  Lysyanskaya  [12]  show  that  the  accumu¬ 
lator  satisfies  a  strong  collision-resistance  property  if  the 
Strong  RSA  assumption  is  hard.  Informally,  this  ensures 
that  no  p.p.t.  adversary  can  produce  a  pair  (v.  u)  such  that 
v  C  and  yet  AccVerify  is  satisfied.  Additionally,  they 
describe  an  efficient  zero-knowledge  proof  of  knowledge  that 
a  committed  value  is  in  an  accumulator.  We  convert  this  into 
a  non-interactive  proof  using  the  Fiat-Shamir  transform  and 
refer  to  the  resulting  proof  using  the  following  notation: 

NIZKPoK{(u,  w)  :  AccVerify  ((TV,  u),  A,  v,  w)  =  1}. 

B.  Our  Construction 

We  now  describe  a  concrete  decentralized  e-cash  scheme. 
Our  scheme  is  secure  assuming  the  hardness  of  the  Strong 
RSA  and  Discrete  Logarithm  assumptions,  and  the  existence 
of  a  zero-knowledge  proof  system. 

We  now  describe  the  algorithms: 

•  Setup(lA)  — >■  params.  On  input  a  security  parameter, 
run  AccumSetup(lA)  to  obtain  the  values  ( N,u ).  Next 
generate  primes  p,  q  such  that  p  =  2wq  +  1  for  w  >  1. 
Select  random  generators  g.  h  such  that  G  =  (g) 

(h)  and  G  is  a  subgroup  of  Z*.  Output  params  = 
(N,u,p,q,g,h). 

«  Mint  (params)  — »  ( c,skc ).  Select  S,  r  <—  Z*  and 
compute  c  4—  gshr  rnodp  such  that  {c  prime  |  c  £ 
[A,  $]}.u  Set  skc  =  (/S',  r)  and  output  ( c,skc ). 

•  Spend(params,c,  skc,  R,C)  -A  (7 r,  S').  If  c  ^  C 
output  _L.  Compute  A  4—  Accumulate((./V,  u),  C)  and 
u>  4—  GenWitness((./V,  u),  c,  C).  Output  (it,  S)  where  tt 
comprises  the  following  signature  of  knowledge:12 

7 r  =  ZKSoK[T?]{(c,  w,  r)  : 

AccVerify((7V,  u),  A,  c,  w)  =  1  A  c  =  gshr} 

•  \/erify(params,  it,  S,  R,  C)  — ►  {0, 1}.  Given  a  proof  n. 
a  serial  number  S,  and  a  set  of  coins  C,  first  compute 

11  See  Appendix  A  for  a  more  precise  description. 

12See  Appendix  B  for  the  construction  of  the  ZKSoK. 


A  4—  Accumulate((7V,  u),  C).  Next  verify  that  7r  is  the 
aforementioned  signature  of  knowledge  on  R  using  the 
known  public  values.  If  the  proof  verifies  successfully, 
output  1,  otherwise  output  0. 

Our  protocol  assumes  a  trusted  setup  process  for  generating 
the  parameters.  We  stress  that  the  accumulator  trapdoor 
(p,q)  is  not  used  subsequent  to  the  Setup  procedure  and 
can  therefore  be  destroyed  immediately  after  the  parameters 
are  generated.  Alternatively,  implementers  can  use  the 
technique  of  Sander  for  generating  so-called  RSA  UFOs 
for  accumulator  parameters  without  a  trapdoor  [26]. 

C.  Security  Analysis 

We  now  consider  the  security  of  our  construction. 

Theorem  4.1:  If  the  zero-knowledge  signature  of  knowl¬ 
edge  is  computationally  zero-knowledge  in  the  random  oracle 
model,  then  II  =  (Setup,  Mint,  Spend,  Verify)  satisfies  the 
Anonymity  property. 

We  provide  a  proof  sketch  for  Theorem  4. 1  in  Appendix  A. 
Intuitively,  the  security  of  our  construction  stems  from  the  fact 
that  the  coin  commitment  C  is  a  perfectly-hiding  commitment 
and  the  signature  proof  7r  is  at  least  computationally  zero- 
knowledge.  These  two  facts  ensure  that  the  adversary  has  at 
most  negligible  advantage  in  guessing  which  coin  was  spent. 

Theorem  4.2:  If  the  signature  proof  7r  is  sound  in  the 
random  oracle  model,  the  Strong  RSA  problem  is  hard,  and 
the  Discrete  Logarithm  problem  is  hard  in  G,  then  II  = 
(Setup,  Mint,  Spend,  Verify)  satisfies  the  Balance  property. 

A  proof  of  Theorem  4.1  is  included  in  Appendix  A. 
Briefly,  this  proof  relies  on  the  binding  properties  of  the  coin 
commitment,  as  well  as  the  soundness  and  unforgeability 
of  the  ZKSoK  and  collision-resistance  of  the  accumulator. 
We  show  that  an  adversary  who  wins  the  Balance  game 
with  non-negligible  advantage  can  be  used  to  either  find  a 
collision  in  the  commitment  scheme  (allowing  us  to  solve 
the  Discrete  Logarithm  problem)  or  find  a  collision  in  the 
accumulator  (which  leads  to  a  solution  for  Strong  RSA). 

V.  Integrating  with  Bitcoin 

While  the  construction  of  the  previous  section  gives  an 
overview  of  our  approach,  we  have  yet  to  describe  how  our 
techniques  integrate  with  Bitcoin.  In  this  section  we  address 
the  specific  challenges  that  come  up  when  we  combine  a 
decentralized  e-cash  scheme  with  the  Bitcoin  protocol. 

The  general  overview  of  our  approach  is  straightfor¬ 
ward.  To  mint  a  zerocoin  c  of  denomination  d,  Alice  runs 
Mint(pararas)  -A  ( c,skc )  and  stores  skc  securely.13  She 
then  embeds  c  in  the  output  of  a  Bitcoin  transaction  that 
spends  d  +  fees  classical  bitcoins.  Once  a  mint  transaction 
has  been  accepted  into  the  block  chain,  c  is  included  in  the 

13In  our  implementation  all  bitcoins  have  a  single  fixed  value.  However, 
we  can  support  multiple  values  by  running  distinct  Zerocoin  instantiations 
simultaneously,  all  sharing  the  same  set  of  public  parameters. 
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global  accumulator  A,  and  the  currency  cannot  be  accessed 
except  through  a  Zerocoin  spend,  i.e.,  it  is  essentially  placed 
into  escrow. 

To  spend  c  with  Bob,  Alice  first  constructs  a  partial 
transaction  ptx  that  references  an  unclaimed  mint  transaction 
as  input  and  includes  Bob’s  public  key  as  output.  She 
then  traverses  all  valid  mint  transactions  in  the  block 
chain,  assembles  the  set  of  minted  coins  C,  and  runs 
Sper\d(params,  c,  skc,  hash(ptx),  C)  (7 r,  S').  Finally, 

she  completes  the  transaction  by  embedding  (77,  S)  in  the 
SCriptSig  of  the  input  of  ptx.  The  output  of  this  transaction 
could  also  be  a  further  Zerocoin  mint  transaction  —  a 
feature  that  may  be  useful  to  transfer  value  between  multiple 
Zerocoin  instances  (i.e.,  of  different  denomination)  running 
in  the  same  block  chain. 

When  this  transaction  appears  on  the  network,  nodes  check 
that  Verify  (params,  7 r,  S,  hash(j>tx),  C)  =  1  and  check  that 
S  does  not  appear  in  any  previous  transaction.  If  these 
condition  hold  and  the  referenced  mint  transaction  is  not 
claimed  as  an  input  into  a  different  transaction,  the  network 
accepts  the  spend  as  valid  and  allows  Alice  to  redeem  d 
bitcoins. 

Computing  the  accumulator.  A  naive  implementation  of 
the  construction  in  Section  IV  requires  that  the  verifier  re¬ 
compute  the  accumulator  A  with  each  call  to  Verify(. . .).  In 
practice,  the  cost  can  be  substantially  reduced. 

First,  recall  that  the  accumulator  in  our  construction  can 
be  computed  incrementally,  hence  nodes  can  add  new  coins 
to  the  accumulation  when  they  arrive.  To  exploit  this,  we 
require  any  node  mining  a  new  block  to  add  the  zerocoins  in 
that  block  to  the  previous  block’s  accumulator  and  store  the 
resulting  new  accumulator  value  in  the  coinbase  transaction 
at  the  start  of  the  new  block.14  We  call  this  an  accumulator 
checkpoint.  Peer  nodes  validate  this  computation  before 
accepting  the  new  block  into  the  blockchain.  Provided  that 
this  verification  occurs  routinely  when  blocks  are  added  to 
the  chain,  some  clients  may  choose  to  trust  the  accumulator 
in  older  (confirmed)  blocks  rather  than  re-compute  it  from 
scratch. 

With  this  optimization,  Alice  need  no  longer  compute  the 
accumulator  A  and  the  full  witness  w  for  c.  Instead  she  can 
merely  reference  the  current  block’s  accumulator  checkpoint 
and  compute  the  witness  starting  from  the  checkpoint 
preceding  her  mint  (instead  of  starting  at  T0),  since  computing 
the  witness  is  equivalent  to  accumulating  C  \  {c}. 

New  transaction  types.  Bitcoin  transactions  use  a  flexible 
scripting  language  to  determine  the  validity  of  each  transac¬ 
tion.  Unfortunately,  Bitcoin  script  is  (by  design)  not  Turing- 
complete.  Moreover,  large  segments  of  the  already-limited 

14The  coinbase  transaction  format  already  allows  for  the  inclusion  of 
arbitrary  data,  so  this  requires  no  fundamental  changes  to  the  Bitcoin 
protocol. 


script  functionality  have  been  disabled  in  the  Bitcoin  produc¬ 
tion  network  due  to  security  concerns.  Hence,  the  existing 
script  language  cannot  be  used  for  sophisticated  calculations 
such  as  verifying  zero-knowledge  proofs.  Fortunately  for 
our  purposes,  the  Bitcoin  designers  chose  to  reserve  several 
script  operations  for  future  expansion. 

We  extend  Bitcoin  by  adding  a  new  instruction:  ZERO- 
COIN_MINT.  Minting  a  zerocoin  constructs  a  transaction 
with  an  output  whose  SCriptPubKey  contains  this  instruction 
and  a  coin  c.  Nodes  who  receive  this  transaction  should 
validate  that  c  is  a  well-formed  coin.  To  spend  a  zerocoin, 
Alice  constructs  a  new  transaction  that  claims  as  input 
some  Zerocoin  mint  transaction  and  has  a  SCriptSig  field 
containing  (tt,  S )  and  a  reference  to  the  block  containing  the 
accumulator  used  in  7t.  A  verifier  extracts  the  accumulator 
from  the  referenced  block  and,  using  it,  validates  the  spend 
as  described  earlier. 

Finally,  we  note  that  transactions  must  be  signed  to  prevent 
an  attacker  from  simply  changing  who  the  transaction  is 
payed  to.  Normal  Bitcoin  transactions  include  an  ECDSA 
signature  by  the  key  specified  in  the  SCriptPubKey  of  the 
referenced  input.  However,  for  a  spend  transaction  on  an 
arbitrary  zerocoin,  there  is  no  ECDSA  public  key.  Instead,  we 
use  the  ZKSoK  tt  to  sign  the  transaction  hash  that  normally 
would  be  signed  using  ECDSA.15 

Statekeeping  and  side  effects.  Validating  a  zerocoin  changes 
Bitcoin’s  semantics:  currently,  Bitcoin’s  persistent  state 
is  defined  solely  in  terms  of  transactions  and  blocks  of 
transactions.  Furthermore,  access  to  this  state  is  done  via 
explicit  reference  by  hash.  Zerocoin.  on  the  other  hand, 
because  of  its  strong  anonymity  requirement,  deals  with 
existentials:  the  coin  is  in  the  set  of  thus-far-minted  coins 
and  its  serial  number  is  not  yet  in  the  set  of  spent  serial 
numbers.  To  enable  these  type  of  qualifiers,  we  introduce 
side  effects  into  Bitcoin  transaction  handling.  Processing  a 
mint  transaction  causes  a  coin  to  be  accumulated  as  a  side 
effect.  Processing  a  spend  transaction  causes  the  coin  serial 
number  to  be  added  to  a  list  of  spent  serial  numbers  held  by 
the  client. 

For  coin  serial  numbers,  we  have  little  choice  but  to  keep 
a  full  list  of  them  per  client  and  incur  the  (small)  overhead 
of  storing  that  list  and  the  larger  engineering  overhead  of 
handling  all  possible  ways  a  transaction  can  enter  a  client. 
The  accumulator  state  is  maintained  within  the  accumulator 
checkpoints,  which  the  client  verifies  for  each  received  block. 

Proof  optimizations.  For  reasonable  parameter  sizes,  the 
proofs  produced  by  Spend(...)  exceed  Bitcoin’s  10KB 
transaction  size  limits.  Although  we  can  simply  increase  this 
limit,  doing  so  has  two  drawbacks:  (1)  it  drastically  increases 
the  storage  requirements  for  Bitcoin  since  current  transactions 

15In  practice,  this  modification  simply  requires  us  to  include  the  transaction 
digest  in  the  hash  computation  of  the  challenge  for  the  Fiat-Shamir  proofs. 
See  Appendix  A  for  details. 
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are  between  1  and  2  KB  and  (2)  it  may  increase  memory 
pressure  on  clients  that  store  transactions  in  memory.16 

In  our  prototype  implementation  we  store  our  proofs  in 
a  separate,  well-known  location  (a  simple  server).  A  full 
implementation  could  use  a  Distributed  Hash  Table  or  non 
block-chain  backed  storage  in  Bitcoin.  While  we  recommend 
storing  proofs  in  the  block  chain,  these  alternatives  do  not 
increase  the  storage  required  for  the  block  chain. 17 

A.  Suggestions  for  Optimizing  Proof  Verification 

The  complexity  of  the  proofs  will  also  lead  to  longer 
verification  times  than  expected  with  a  standard  Bitcoin 
transaction.  This  is  magnified  by  the  fact  that  a  Bitcoin 
transaction  is  verified  once  when  it  is  included  by  a  block 
and  again  by  every  node  when  that  block  is  accepted  into 
the  block  chain.  Although  the  former  cost  can  be  accounted 
for  by  charging  transaction  fees,  it  would  obviously  be  ideal 
for  these  costs  to  be  as  low  as  possible. 

One  approach  is  to  distribute  the  cost  of  verification  over 
the  entire  network  and  not  make  each  node  verify  the  entire 
proof.  Because  the  ZKSoK  we  use  utilizes  cut-and-choose 
techniques,  it  essentially  consists  of  n  repeated  iterations 
of  the  same  proof  (reducing  the  probability  of  forgery  to 
roughly  2-ra).  We  can  simply  have  nodes  randomly  select 
which  iterations  of  the  proofs  they  verify.  By  distributing  this 
process  across  the  network,  we  should  achieve  approximately 
the  same  security  with  less  duplication  of  effort. 

This  optimization  involves  a  time-space  tradeoff,  since 
the  existing  proof  is  verified  by  computing  a  series  of  (at  a 
minimum)  1024  bit  values  7) .... ,  Tn  and  hashing  the  result. 
A  naive  implementation  would  require  us  to  send  T\  Tn 
fully  computed  —  greatly  increasing  the  size  of  the  proof  - 
since  the  client  will  only  compute  some  of  them  but  needs 
all  of  them  to  verify  the  hash.  We  can  avoid  this  issue  by 
replacing  the  standard  hash  with  a  Merkel  tree  where  the 
leaves  are  the  hashed  7)  values  and  the  root  is  the  challenge 
hash  used  in  the  proof.  We  can  then  send  the  160  bit  or 
256  bit  intermediate  nodes  instead  of  the  1024  bit  T)  values, 
allowing  the  verifier  to  compute  only  a  subset  of  the  Ti 
values  and  yet  still  validate  the  proof  against  the  challenge 
without  drastically  increasing  the  proof  size. 

B.  Limited  Anonymity  and  Forward  Security 

A  serious  concern  in  the  Bitcoin  community  is  the  loss 
of  wallets  due  to  poor  endpoint  security.  In  traditional 
Bitcoin.  this  results  in  the  theft  of  coins  [4].  However,  in 
the  Zerocoin  setting  it  may  also  allow  an  attacker  to  de¬ 
anonymize  Zerocoin  transactions  using  the  stored  skc.  The 

16The  reference  bitcoind  client  stores  transactions  as  STL  Vectors, 
which  require  contiguous  segments  of  memory.  As  such,  storing  Zerocoin 
proofs  in  the  transaction  might  cause  memory  issues  far  faster  than  expected. 

^Furthermore,  this  solution  allows  for  the  intriguing  possibility  that 
proofs  be  allowed  to  vanish  after  they  have  been  sufficiently  verified  by  the 
network  and  entombed  in  the  block  chain.  However,  it  is  not  clear  how  this 
interacts  with  Bitcoin  in  theory  or  practice. 


obvious  solution  is  to  securely  delete  skc  immediately  after 
a  coin  is  spent.  Unfortunately,  this  provides  no  protection  if 
skc  is  stolen  at  some  earlier  point. 

One  solution  is  to  generate  the  spend  transaction  imme¬ 
diately  (or  shortly  after)  the  coin  is  minted,  possibly  using 
an  earlier  checkpoint  for  calculating  C.  This  greatly  reduces 
the  user’s  anonymity  by  decreasing  the  number  of  coins  in 
C  and  leaking  some  information  about  when  the  coin  was 
minted.  However,  no  attacker  who  compromises  the  wallet 
can  link  any  zerocoins  in  it  to  their  mint  transactions. 

C.  Code  Changes 

For  our  implementation,  we  chose  to  modify  bitcoind, 
the  original  open-source  Bitcoin  C++  client.  This  required 
several  modifications.  First,  we  added  instructions  to  the 
Bitcoin  script  for  minting  and  spending  zerocoins.  Next, 
we  added  transaction  types  and  code  for  handling  these 
new  instructions,  as  well  as  maintaining  the  list  of  spent 
serial  numbers  and  the  accumulator.  We  used  the  Charm 
cryptographic  framework  [27]  to  implement  the  cryptographic 
constructions  in  Python,  and  we  used  Boost’s  Python  utilities 
to  call  that  code  from  within  bitcoind.  This  introduces 
some  performance  overhead,  but  it  allowed  us  to  rapidly  pro¬ 
totype  and  leave  room  for  implementing  future  constructions 
as  well. 

D.  Incremental  Deployment 

As  described  above,  Zerocoin  requires  changes  to  the 
Bitcoin  protocol  that  must  happen  globally:  while  transactions 
containing  the  new  instructions  will  be  validated  by  updated 
servers,  they  will  fail  validation  on  older  nodes,  potentially 
causing  the  network  to  split  when  a  block  is  produced  that 
validates  for  some,  but  not  all,  nodes.  Although  this  is  not 
the  first  time  Bitcoin  has  faced  this  problem,  and  there  is 
precedent  for  a  flag  day  type  upgrade  strategy  [28],  it  is 
not  clear  how  willing  the  Bitcoin  community  is  to  repeat 
it.  As  such,  we  consider  the  possibility  of  an  incremental 
deployment. 

One  way  to  accomplish  this  is  to  embed  the  above  protocol 
as  comments  in  standard  Bitcoin  scripts.  For  non  Zerocoin 
aware  nodes,  this  data  is  effectively  inert,  and  we  can  use 
Bitcoin’s  n  of  k  signature  support  to  specify  that  such 
comment  embedded  zerocoins  are  valid  only  if  signed  by 
some  subset  of  the  Zerocoin  processing  nodes.  Such  Zerocoin 
aware  nodes  can  parse  the  comments  and  charge  transaction 
fees  for  validation  according  to  the  proofs  embedded  in  the 
comments,  thus  providing  an  incentive  for  more  nodes  to 
provide  such  services.  Since  this  only  changes  the  validation 
mechanism  for  Zerocoin,  the  Anonymity  property  holds  as 
does  the  Balance  property  if  no  more  than  n  —  1  Zerocoin 
nodes  are  malicious. 

Some  care  must  be  taken  when  electing  these  nodes  to 
prevent  a  Sybil  attack.  Thankfully,  if  we  require  that  such  a 
node  also  produce  blocks  in  the  Bitcoin  block  chain,  we  have 
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a  decent  deterrent.  Furthermore,  because  any  malfeasance 
of  these  nodes  is  readily  detectable  (since  they  signed  an 
invalid  Zerocoin  transaction),  third  parties  can  audit  these 
nodes  and  potentially  hold  funds  in  escrow  to  deter  fraud. 

VI.  Real  World  Security  and  Parameter  Choice 

A.  Anonymity  of  Zerocoin 

Definition  3.2  states  that  given  two  Zerocoin  mints  and  one 
spend,  one  cannot  do  much  better  than  guess  which  minted 
coin  was  spent.  Put  differently,  an  attacker  learns  no  more 
from  our  scheme  than  they  would  from  observing  the  mints 
and  spends  of  some  ideal  scheme.  However,  even  an  ideal 
scheme  imposes  limitations.  For  example,  consider  a  case 
where  N  coins  are  minted,  then  all  N  coins  are  subsequently 
spent.  If  another  coin  is  minted  after  this  point,  the  size  of 
the  anonymity  set  for  the  next  spend  is  k  =  1,  not  k  =  11, 
since  it  is  clear  to  all  observers  that  the  previous  coins  have 
been  used.  We  also  stress  that  —  as  in  many  anonymity 
systems  —  privacy  may  be  compromised  by  an  attacker  who 
mints  a  large  fraction  of  the  active  coins.  Hence,  a  lower 
bound  on  the  anonymity  provided  is  the  number  of  coins 
minted  by  honest  parties  between  a  coin’s  mint  and  its  spend. 
An  upper  bound  is  the  total  set  of  minted  coins. 

We  also  note  that  Zerocoin  reveals  the  number  of  minted 
and  spent  coins  to  all  users  of  the  system,  which  provides 
a  potential  source  of  information  to  attackers.  This  is  in 
contrast  to  many  previous  e-cash  schemes  which  reveal  this 
information  primarily  to  merchants  and  the  bank.  However, 
we  believe  this  may  be  an  advantage  rather  than  a  loss, 
since  the  bank  is  generally  considered  an  adversarial  party  in 
most  e-cash  security  models.  The  public  model  of  Zerocoin 
actually  removes  an  information  asymmetry  by  allowing  users 
to  determine  when  such  conditions  might  pose  a  problem. 

Lastly,  Zerocoin  does  not  hide  the  denominations  used  in 
a  transaction.  In  practice,  this  problem  can  be  avoided  by 
simply  fixing  one  or  a  small  set  of  coin  denominations  and 
exchanging  coins  until  one  has  those  denominations,  or  by 
simply  using  Zerocoin  to  anonymize  bitcoins. 

B.  Parameters 

Generally,  cryptographers  specify  security  in  terms  of  a 
single,  adjustable  security  parameter  A.  Indeed,  we  have 
used  this  notation  throughout  the  previous  sections.  In  reality, 
however,  there  are  three  distinct  security  choices  for  Zerocoin 
which  affect  either  the  system’s  anonymity,  its  resilience  to 
counterfeiting,  or  both.  These  are: 

1)  The  size  of  the  Schnorr  group  used  in  the  coin 
commitments. 

2)  The  size  of  the  RSA  modulus  used  in  the  accumulator. 

3)  A zkp*  the  security  of  the  zero-knowledge  proofs. 

Commitments.  Because  Pedersen  commitments  are  informa¬ 
tion  theoretically  hiding  for  any  Schnorr  group  whose  order 
is  large  enough  to  fit  the  committed  values,  the  size  of 


the  group  used  does  not  affect  the  long  term  anonymity 
of  Zerocoin.  The  security  of  the  commitment  scheme  does, 
however,  affect  counterfeiting:  an  attacker  who  can  break 
the  binding  property  of  the  commitment  scheme  can  mint  a 
zerocoin  that  opens  to  at  least  two  different  serial  numbers, 
resulting  in  a  double  spend.  As  a  result,  the  Schnorr  group 
must  be  large  enough  that  such  an  attack  cannot  be  feasibly 
mounted  in  the  lifetime  of  a  coin.  On  the  other  hand,  the 
size  of  the  signature  of  knowledge  n  used  in  coin  spends 
increases  linearly  with  the  size  of  the  Schnorr  group. 

One  solution  is  to  minimize  the  group  size  by  announcing 
fresh  parameters  for  the  commitment  scheme  periodically 
and  forcing  old  zerocoins  to  expire  unless  exchanged  for 
new  zerocoins  minted  under  the  fresh  parameters. lx  Since 
all  coins  being  spent  on  the  network  at  time  t  are  spent 
with  the  current  parameters  and  all  previous  coins  can  be 
converted  to  fresh  ones,  this  does  not  decrease  the  anonymity 
of  the  system.  It  does,  however,  require  users  to  convert  old 
zerocoins  to  fresh  ones  before  the  old  parameters  expire. 
For  our  prototype  implementation,  we  chose  to  use  1024  bit 
parameters  on  the  assumption  that  commitment  parameters 
could  be  regenerated  periodically.  We  explore  the  possibility 
of  extensions  to  Zerocoin  that  might  enable  smaller  groups 
in  Section  IX. 

Accumulator  RSA  key.  Because  generating  a  new  accumulator 
requires  either  a  new  trusted  setup  phase  or  generating  a 
new  RSA  UFO  [26],  we  cannot  re-key  very  frequently.  As  a 
result,  the  accumulator  is  long  lived,  and  thus  we  truly  need 
long  term  security.  Therefore  we  currently  propose  an  RSA 
key  of  at  least  3072  bits.  We  note  that  this  does  not  greatly 
affect  the  size  of  the  coins  themselves,  and,  because  the  proof 
of  accumulator  membership  is  efficient,  this  does  not  have 
a  large  adverse  effect  on  the  overall  coin  spend  proof  size. 
Moreover,  although  re-keying  the  accumulator  is  expensive, 
it  need  not  reduce  the  anonymity  of  the  system  since  the  new 
parameters  can  be  used  to  re-accumulate  the  existing  coin 
set  and  hence  anonymize  spends  over  that  whole  history. 

Zero-knowledge  proof  security  XzkP-  This  parameter  affects 
the  anonymity  and  security  of  the  zero-knowledge  proof.  It 
also  greatly  affects  the  size  of  the  spend  proof.  Thankfully, 
since  each  proof  is  independent,  it  applies  per  proof  and 
therefore  per  spend.  As  such,  a  dishonest  party  would  have 
to  expend  roughly  2Xzkp  effort  to  forge  a  single  coin  or  could 
link  a  single  coin  mint  to  a  spend  with  probability  roughly 
2>,lkp  ■  As  such  we  pick  A zkP  =  80  bits. 

VII.  Performance 

To  validate  our  results,  we  conducted  several  experiments 
using  the  modified  bitcoind  implementation  described 
in  Section  V.  We  ran  our  experiments  with  three  different 

18Note  that  this  conversion  need  not  involve  a  full  spend  of  the  coins. 
The  user  may  simply  reveal  the  trapdoor  for  the  old  coin,  since  the  new 
zerocoin  will  still  be  unlinkable  when  properly  spent. 
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Performance  of  Zerocoin  Algorithms 
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(a)  Times  for  a  single  Zerocoin  operation  measured  in  seconds.  These 
operations  do  not  include  the  time  required  to  compute  the  accumulator. 


(b)  Zerocoin  proof  sizes  measured  in  bytes  as  a  function  of  RSA 
modulus  size. 
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Zerocoin  Block  Verification  Performance 
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(c)  Time  required  to  accumulate  x  elements.  Note,  this  cost  is  amortized 
when  computing  the  global  accumulator. 


(d)  Transaction  verifications  per  minute  as  a  function  of  the  percentage 
of  Zerocoin  transactions  in  the  network  (where  half  are  mints  and  half 
are  spends).  Note,  since  we  plot  the  reciprocal  of  transaction  time,  this 
graph  appears  logarithmic  even  though  Zerocoin  scales  linearly. 


Figure  3:  Zerocoin  performance  as  a  function  of  parameter  size. 


parameter  sizes,  where  each  corresponds  to  a  length  of  the 
RSA  modulus  N:  1024  bits,  2048  bits,  and  3072  bits.19 

We  conducted  two  types  of  experiments:  (1)  microbench¬ 
marks  that  measure  the  performance  of  our  cryptographic 
constructions  and  (2)  tests  of  our  whole  modified  Bitcoin 
client  measuring  the  time  to  verify  Zerocoin  carrying  blocks. 
The  former  gives  us  a  reasonable  estimate  of  the  cost  of 
minting  a  single  zerocoin,  spending  it,  and  verifying  the 
resulting  transaction.  The  latter  gives  us  an  estimate  of 
Zerocoin’s  impact  on  the  existing  Bitcoin  network  and  the 
computational  cost  that  will  be  born  by  each  node  that  verifies 
Zerocoin  transactions. 

All  of  our  experiments  were  conducted  on  an  Intel  Xeon 
E3-1270  V2  (3.50GHz  quad-core  processor  with  hyper¬ 
threading)  with  16GB  of  RAM,  running  64-bit  Ubuntu  Server 
11.04  with  Linux  kernel  2.6.38. 


19These  sizes  can  be  viewed  as  roughly  corresponding  to  a  discrete 
logarithm/factorization  security  level  of  280,  2112,  and  2128  respectively. 
Note  that  the  choice  of  N  determines  the  size  of  the  parameter  p.  We  select 
|q|  to  be  roughly  twice  the  estimated  security  level. 


A.  Microbenchmarks 

To  evaluate  the  performance  of  our  Mint,  Spend,  and 
Verify  algorithms  in  isolation,  we  conducted  a  series  of 
microbenchmarks  using  the  Charm  (Python)  implementation. 
Our  goal  in  these  experiments  was  to  provide  a  direct  estimate 
of  the  performance  of  our  cryptographic  primitives. 

Experimental  setup.  One  challenge  in  conducting  our  mi¬ 
crobenchmarks  is  the  accumulation  of  coins  in  C  for  the 
witness  in  Spend (. . .)  or  for  the  global  accumulator  in  both 
Spend(...)  and  Verify)...).  This  is  problematic  for  two 
reasons.  First,  we  do  not  know  how  large  C  will  be  in 
practice.  Second,  in  our  implementation  accumulations  are 
incremental.  To  address  these  issues  we  chose  to  break  our 
microbenchmarks  into  two  separate  experiments.  The  first 
experiment  simply  computes  the  accumulator  for  a  number  of 
possible  sizes  of  C,  ranging  from  1  to  50,000  elements.  The 
second  experiment  measures  the  runtime  of  the  Spend). . .) 
and  Verify). . .)  routines  with  a  precomputed  accumulator 
and  witness  (A,u). 

We  conducted  our  experiments  on  a  single  thread  of  the 
processor,  using  all  three  parameter  sizes.  All  experiments 
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were  performed  500  times,  and  the  results  given  represent 
the  average  of  these  times.  Figure  3a  shows  the  measured 
times  for  computing  the  coin  operations.  Figure  3b  shows 
the  resulting  proof  sizes  for  each  security  parameter,  and 
Figure  3c  shows  the  resulting  times  for  computing  the 
accumulator.  We  stress  that  accumulation  in  our  system  is 
incremental ,  typically  over  at  most  the  200  —  500  transactions 
in  a  block  (which  takes  at  worst  eight  seconds),  and  hence 
the  cost  of  computing  the  global  accumulator  is  therefore 
amortized.  The  only  time  one  might  accumulate  50,000  coins 
at  one  time  would  be  when  generating  the  witness  for  a  very 
old  zerocoin. 

B.  Block  Verification 

Flow  Zerocoin  affects  network  transaction  processing  de¬ 
termines  its  practicality  and  scalability.  Like  all  transactions, 
Zerocoin  spends  must  be  verified  first  by  the  miner  to  make 
sure  he  is  not  including  invalid  transactions  in  a  block  and 
then  again  by  the  network  to  make  sure  it  is  not  including  an 
invalid  block  in  the  block  chain.  In  both  cases,  this  entails 
checking  that  Verify). . .)  =  1  for  each  Zerocoin  transaction 
and  computing  the  accumulator  checkpoint. 

We  need  to  know  the  impact  of  this  for  two  reasons.  First, 
the  Bitcoin  protocol  specifies  that  a  new  block  should  be 
created  on  average  once  every  10  minutes.20  If  verification 
takes  longer  than  10  minutes  for  blocks  with  a  reasonable 
number  of  zerocoins,  then  the  network  cannot  function.21 
Second,  while  the  cost  of  generating  these  blocks  and 
verifying  their  transactions  can  be  offset  by  transaction 
fees  and  coin  mining,  the  cost  of  verifying  blocks  prior  to 
appending  them  to  the  block  chain  is  only  offset  for  mining 
nodes  (who  can  view  it  as  part  of  the  cost  of  mining  a  new 
block).  This  leaves  anyone  else  verifying  the  block  chain 
with  an  uncompensated  computational  cost. 

Experimental  setup.  To  measure  the  effect  of  Zerocoin  on 
block  verification  time,  we  measure  how  long  it  takes  our 
modified  bitcoind  client  to  verify  externally  loaded  test 
blocks  containing  200,  400,  and  800  transactions  where  0, 
10,  25,  75,  or  100  percent  of  the  transactions  are  Zerocoin 
transactions  (half  of  which  are  mints  and  half  are  spends). 
We  repeat  this  experiment  for  all  three  security  parameters. 

Our  test  data  consists  of  two  blocks.  The  first  contains  z 
Zerocoin  mints  that  must  exist  for  any  spends  to  occur.  The 
second  block  is  our  actual  test  vector.  It  contains,  in  a  random 
order,  z  Zerocoin  spends  of  the  coins  in  the  previous  block, 
2  Zerocoin  mints,  and  s  standard  Bitcoin  sendToAddress 
transactions.  We  measure  how  long  the  processblock 
call  of  the  bitcoind  client  takes  to  verify  the  second 
block  containing  the  mix  of  Zerocoin  and  classical  Bitcoin 

20This  rate  is  maintained  by  a  periodic  network  vote  that  adjusts  the 
difficulty  of  the  Bitcoin  proof  of  work. 

21  For  blocks  with  unreasonable  numbers  of  Zerocoin  transaction  we  can 
simply  extend  bitcoind’s  existing  anti-DoS  mechanisms  to  reject  the 
block  and  blacklist  its  origin. 


transactions.  For  accuracy,  we  repeat  these  measurements 
100  times  and  average  the  results.  The  results  are  presented 
in  Figure  3d. 

C.  Discussion 

Our  results  show  that  Zerocoin  scales  beyond  current 
Bitcoin  transaction  volumes.  Though  we  require  significant 
computational  effort,  verification  does  not  fundamentally 
threaten  the  operation  of  the  network:  even  with  a  block 
containing  800  Zerocoin  transactions  —  roughly  double  the 
average  size  of  a  Bitcoin  block  currently  —  verification 
takes  less  than  five  minutes.  This  is  under  the  unreasonable 
assumption  that  all  Bitcoin  transactions  are  supplanted  by 
Zerocoin  transactions.22  In  fact,  we  can  scale  well  beyond 
Bitcoin’s  current  average  of  between  200  and  400  transactions 
per  block  [29]  if  Zerocoin  transactions  are  not  the  majority 
of  transactions  on  the  network.  If,  as  the  graph  suggests,  we 
assume  that  verification  scales  linearly,  then  we  can  support 
a  50%  transaction  mix  out  to  350  transactions  per  minute 
(3,500  transactions  per  block)  and  a  10%  mixture  out  to  800 
transactions  per  minute  (8,000  per  block). 

One  remaining  question  is  at  what  point  we  start  running  a 
risk  of  coin  serial  number  collisions  causing  erroneous  double 
spends.  Even  for  our  smallest  serial  numbers  —  160  bits  — 
the  collision  probability  is  small,  and  for  the  256  bit  serial 
numbers  used  with  the  3072  bit  accumulator,  our  collision 
probability  is  at  worst  equal  to  the  odds  of  a  collision  on  a 
normal  Bitcoin  transaction  which  uses  SFIA-256  hashes. 

We  stress  several  caveats  about  the  above  data.  First,  our 
prototype  system  does  not  exploit  any  parallelism  either  for 
verifying  multiple  Zerocoin  transactions  or  in  validating  an 
individual  proof.  Since  the  only  serial  dependency  for  either 
of  these  tasks  is  the  (fast)  duplicate  serial  number  check,  this 
offers  the  opportunity  for  substantial  improvement. 

Second,  the  above  data  is  not  an  accurate  estimate  of 
the  financial  cost  of  Zerocoin  for  the  network:  (a)  it  is  an 
overestimate  of  a  mining  node’s  extra  effort  when  verifying 
proposed  blocks  since  in  practice  many  transactions  in  a 
received  block  will  already  have  been  received  and  validated 
by  the  node  as  it  attempts  to  construct  its  own  contribution 
to  the  block  chain;  (b)  execution  time  is  a  poor  metric  in 
the  context  of  Bitcoin,  since  miners  are  concerned  with 
actual  monetary  operating  cost;  (c)  since  mining  is  typically 
performed  using  GPUs  and  to  a  lesser  extent  FPGAs  and 
ASICs,  which  are  far  more  efficient  at  computing  hash 
collisions,  the  CPU  cost  measured  here  is  likely  insignificant. 

Finally,  our  experiment  neglects  the  load  on  a  node  both 
from  processing  incoming  transactions  and  from  solving 
the  proof  of  work.  Again,  we  contend  that  most  nodes  will 
probably  use  GPUs  for  mining,  and  as  such  the  latter  is 
not  an  issue.  The  former,  however,  remains  an  unknown.  At 

22In  practice  we  believe  Zerocoin  will  be  used  to  anonymize  bitcoins  that 
will  then  be  spent  in  actual  transactions,  resulting  in  far  lower  transaction 
volumes. 
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the  very  least  it  seems  unlikely  to  disproportionately  affect 
Zerocoin  performance. 

VIII.  Previous  Work 

A.  E-Cash  and  Bitcoin 

Electronic  cash  has  long  been  a  research  topic  for  cryp¬ 
tographers.  Many  cryptographic  e-cash  systems  focus  on 
user  privacy  and  typically  assume  the  existence  of  a  semi- 
trusted  coin  issuer  or  bank.  E-cash  schemes  largely  break 
down  into  online  schemes  where  users  have  contact  with 
a  bank  or  registry  and  offline  schemes  where  spending  can 
occur  even  without  a  network  connection.  Chaum  introduced 
the  first  online  cryptographic  e-cash  system  [30]  based  on 
RSA  signatures,  later  extending  this  work  to  the  offline 
setting  [31]  by  de-anonymizing  users  who  double-spent. 
Many  subsequent  works  improved  upon  these  techniques 
while  maintaining  the  requirement  of  a  trusted  bank:  for 
example,  by  making  coins  divisible  [32, 33]  and  reducing 
wallet  size  [34].  One  exception  to  the  rule  above  comes 
from  Sander  and  Ta-Shma  [35]  who  presciently  developed 
an  alternative  model  that  is  reminiscent  of  our  proposal:  the 
central  bank  is  replaced  with  a  hash  chain  and  signatures 
with  accumulators.  Unfortunately  the  accumulator  was  not 
practical,  a  central  party  was  still  required,  and  no  real-world 
system  existed  to  compute  the  chain. 

Bitcoin’s  primary  goal,  on  the  other  hand,  is  not  anonymity. 
It  has  its  roots  in  a  non-academic  proposal  by  Wei  Dai 
for  a  distributed  currency  based  on  solving  computational 
problems  [36].  In  Dai’s  original  proposal  anyone  could  create 
currency,  but  all  transactions  had  to  be  broadcast  to  all  clients. 
A  second  variant  limited  currency  generation  and  transaction 
broadcast  to  a  set  of  servers,  which  is  effectively  the  approach 
Bitcoin  takes.  This  is  a  marked  distinction  from  most,  if  not 
all,  other  e-cash  systems  since  there  is  no  need  to  select  one 
or  more  trusted  parties.  There  is  a  general  assumption  that 
a  majority  of  the  Bitcoin  nodes  are  honest,  but  anyone  can 
join  a  node  to  the  Bitcoin  network,  and  anyone  can  get  the 
entire  transaction  graph.  An  overview  of  Bitcoin  and  some 
of  its  shortcomings  was  presented  by  Barber  et.  al.  in  [2]. 

B.  Anonymity 

Numerous  works  have  shown  that  “pseudonymized”  graphs 
can  be  re-identified  even  under  passive  analysis.  Narayanan 
and  Shmatikov  [5]  showed  that  real  world  social  networks 
can  be  passively  de-anonymized.  Similarly,  Backstrom  et 
al.  [37]  constructed  targeted  attacks  against  anonymized 
social  networks  to  test  for  relationships  between  vertices. 
Previously,  Narayanan  and  Shmatikov  de-anonymized  users 
in  the  Netflix  prize  data  set  by  correlating  data  from 
IMDB  [38], 

Bitcoin  itself  came  into  existence  in  2009  and  is  now 
beginning  to  receive  scrutiny  from  privacy  researchers.  De¬ 
anonymization  techniques  were  applied  effectively  to  Bitcoin 
even  at  its  relatively  small  2011  size  by  Reid  and  Harrigan  [3]. 


Ron  and  Shamir  examined  the  general  structure  of  the  Bitcoin 
network  graph  [1]  after  its  nearly  3-fold  expansion.  Finally, 
we  have  been  made  privately  aware  of  two  other  early-stage 
efforts  to  examine  Bitcoin  anonymity. 

IX.  Conclusion  and  Future  Work 

Zerocoin  is  a  distributed  e-cash  scheme  that  provides 
strong  user  anonymity  and  coin  security  under  the  assumption 
that  there  is  a  distributed,  online,  append-only  transaction 
store.  We  use  Bitcoin  to  provide  such  a  store  and  the 
backing  currency  for  our  scheme.  After  providing  general 
definitions,  we  proposed  a  concrete  realization  based  on  RSA 
accumulators  and  non-interactive  zero-knowledge  signatures 
of  knowledge.  Finally,  we  integrated  our  construction  into 
Bitcoin  and  measured  its  performance. 

Our  work  leaves  several  open  problems.  First,  although  our 
scheme  is  workable,  the  need  for  a  double-discrete  logarithm 
proof  leads  to  large  proof  sizes  and  verification  times.  We 
would  prefer  a  scheme  with  both  smaller  proofs  and  greater 
speed.  This  is  particularly  important  when  it  comes  to 
reducing  the  cost  of  third-party  verification  of  Zerocoin 
transactions.  There  are  several  promising  constructions  in  the 
cryptographic  literature,  e.g.,  bilinear  accumulators,  mercurial 
commitments  [13,39].  While  we  were  not  able  to  find  an 
analogue  of  our  scheme  using  alternative  components,  it  is 
possible  that  further  research  will  lead  to  other  solutions. 
Ideally  such  an  improvement  could  produce  a  drop-in 
replacement  for  our  existing  implementation. 

Second,  Zerocoin  currently  derives  both  its  anonymity 
and  security  against  counterfeiting  from  strong  cryptographic 
assumptions  at  the  cost  of  substantially  increased  computa¬ 
tional  complexity  and  size.  As  discussed  in  section  VI-B, 
anonymity  is  relatively  cheap,  and  this  cost  is  principally 
driven  by  the  anti-counterfeiting  requirement,  manifesting 
itself  through  the  size  of  the  coins  and  the  proofs  used. 

In  Bitcoin,  counterfeiting  a  coin  is  not  computationally 
prohibitive,  it  is  merely  computationally  costly,  requiring  the 
user  to  obtain  control  of  at  least  51%  of  the  network.  This 
provides  a  possible  alternative  to  our  standard  cryptographic 
assumptions:  rather  than  the  strong  assumption  that  com¬ 
puting  discrete  logs  is  infeasible,  we  might  construct  our 
scheme  on  the  weak  assumption  that  there  is  no  financial 
incentive  to  break  our  construction  as  the  cost  of  computing 
a  discrete  log  exceeds  the  value  of  the  resulting  counterfeit 
coins. 

For  example,  if  we  require  spends  to  prove  that  fresh 
and  random  bases  were  used  in  the  commitments  for  the 
corresponding  mint  transaction  (e.g.,  by  selecting  the  bases 
for  the  commitment  from  the  hash  of  the  coin  serial  number 
and  proving  that  the  serial  number  is  fresh),  then  it  appears 
that  an  attacker  can  only  forge  a  single  zerocoin  per  discrete 
log  computation.  Provided  the  cost  of  computing  such  a 
discrete  log  is  greater  than  the  value  of  a  zerocoin,  forging  a 
coin  is  not  profitable.  How  small  this  allows  us  to  make 


Approved  for  Public  Release;  Distribution  Unlimited. 

741 


the  coins  is  an  open  question.  There  is  relatively  little 
work  comparing  the  asymptotic  difficulty  of  solving  multiple 
distinct  discrete  logs  in  a  fixed  group.23  and  it  is  not  clear 
how  theory  translates  into  practice.  We  leave  these  questions, 
along  with  the  security  of  the  above  proposed  construction, 
as  issues  for  future  work. 

Finally,  we  believe  that  further  research  could  lead  to 
different  tradeoffs  between  security,  accountability,  and 
anonymity.  A  common  objection  to  Bitcoin  is  that  it  can 
facilitate  money  laundering  by  circumventing  legally  binding 
financial  reporting  requirements.  We  propose  that  additional 
protocol  modifications  (e.g.,  the  use  of  anonymous  creden¬ 
tials  [40])  might  allow  users  to  maintain  their  anonymity 
while  demonstrating  compliance  with  reporting  requirements. 
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Appendix  A. 

Security  Proofs 

A.  Proof  Sketch  of  Theorem  4.1 

Proof  sketch.  Consider  the  following  simulation.  First,  the 
simulation  generates  params  4—  Setup(lA)  and  two  primes 
Co,  Ci  that  are  uniformly  sampled  from  the  set  of  prime 
numbers  in  the  range  [A,  “B].24  Mi  takes  these  values  as 
input  and  outputs  a  set  C  and  transaction  string  R  using 

24“Where  A  and  ®  can  be  chosen  with  arbitrary  polynomial  dependence 
on  the  security  parameter,  as  long  as  2  <  A  and  $  <  A2 [41]  For  a  full 
description,  see  [41,  §3.2  and  §3.3]. 


any  strategy  it  wishes.  Next  the  simulation  runs  M2  with  a 
simulated25  zero-knowledge  signature  of  knowledge  tt  and  a 
random  coin  serial  number  S  sampled  from  Z*.  Note  that  if 
7r  is  at  least  computationally  zero-knowledge  then  with  all  but 
negligible  probability,  all  values  provided  to  A  are  distributed 
as  in  the  real  protocol.  Moreover,  all  are  independent  of  the 
bit  b.  By  implication,  Pr  [b  =  b’  ]  =  1/2  +  v( A)  and  M’s 
advantage  is  negligible.  □ 

B.  Proof  of  Theorem  4.2 

Proof:  Let  A  be  an  adversary  that  wins  the  Balance  game 
with  non-negligible  advantage  e.  We  construct  an  algorithm 
B  that  takes  input  {■ p,q,g,h ),  where  G  =(<?)  =  (h)  is  a 
subgroup  of  Z*  of  order  q ,  and  outputs  x  £  Zq  such  that 
gx  =  h  (mod  p ).  B  works  as  follows: 

On  input  (p,q,g,h),  first  generate  accumulator  param¬ 
eters  N,u  as  in  the  Setup  routine  and  set  params  4— 
( N,u,p,q,g,h ).  For  i  =  1  to  K,  compute  (ci,skcf)  4— 
Mint(params),  where  skc-i  =  ( Si,rt ),  and  run 
A(params,C\, . . .  ,Ck).  Answer  each  of  M’s  queries  to 
0Spend  using  the  appropriate  trapdoor  information.  Let 
(Si,  Ri), . . . ,  ( Si,Ri )  be  the  set  of  values  recorded  by  the 
oracle. 

At  the  conclusion  of  the  game,  M  outputs  a  set  of  M 
coins  (c'i, . . . ,  c'M)  and  a  corresponding  set  of  M  +  1  valid 
tuples  (7r(,  S(,  R(,  C().  For  j  =  1  to  M+l,  apply  the  ZKSoK 
extractor  to  the  jth  zero-knowledge  proof  7r'  to  extract  the 
values  ( c*,r *)  and  perform  the  following  steps: 

1)  If  the  extractor  fails,  abort  and  signal  EventExt. 

2)  If  c*  f.  C',  abort  and  signal  EventAcc. 

3)  If  c*  €  {ci, . . . ,  Ca'}: 

a)  If  for  some  i,  ( Sj,r *)  =  and  /?'  Rt, 

abort  and  signal  EventFoRge- 

b)  Otherwise  if  for  some  i,  ( Sj,r *)  =  (Si,  rf),  abort 
and  signal  EvenTcol- 

c)  Otherwise  set  (a,  b)  =  (Si,rf). 

4)  If  for  some  i,  c*  =  c*,  set  (a,b)  =  (S(,r*). 

If  the  simulation  did  not  abort,  we  now  have 
(c* ,  r* ,  Sj ,  a,  b)  where  (by  the  soundness  of  n)  we  know 
that  c*  =  gsihrt  =  gahb  (mod  p).  To  solve  for  log  h, 
output  (Sj  — a )  •  (b  —  r'j)~l  mod  q. 

Analysis.  Let  us  briefly  explain  the  conditions  behind  this 
proof.  When  the  simulation  does  not  abort,  we  are  able  to 
extract  (c*>  ■  •  •  >  CM+ 1)  where  the  win  conditions  enforce  that 
Vj  €  [1,  M  +  1],  c*eC'e{ci,...,  Ca,  ci, . . . ,  c'M}  and 
each  Sj  is  distinct  (and  does  not  match  any  serial  number 
output  by  O Spend).  Since  M  has  produced  M  coins  and  yet 
spent  M  +  1,  there  are  only  two  possibilities: 

1)  M  has  spent  one  of  the  challenger’s  coins  but  has 
provided  a  new  serial  number  for  it.  For  some  (i,j), 

25  Our  proofs  assume  the  existence  of  an  efficient  simulator  and  extractor 
for  the  ZKSoK.  See  Appendix  B. 
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c*  =  Cj  £  {ci, . . . ,  Ck}-  Observe  that  in  cases  where 
the  simulation  does  not  abort,  the  logic  of  the  simu¬ 
lation  always  results  in  a  pair  (a,  6)  =  ( )  where 
gahb  =  gs'j  hrt  =  c*  (mod  p)  and  (a,  b)  ±  (, S'pr *). 
2)  A  has  spent  the  same  coin  twice.  For  some  ( i,j ), 
c*  =  c*  and  yet  (S''  S').  Thus  again  we  identify 

a  pair  (a,  6)  =  (S',r*)  that  satisfies  g°/i&  =  c* 

(mod  p )  where  (a,  6)  ^  (S',r*). 

Finally,  we  observe  that  given  any  such  pair  (a,  b)  we  can 
solve  for  x  =  logg  h  using  the  equation  above. 

Abort  probability.  It  remains  only  to  consider  the  probability 
that  the  simulation  aborts.  Let  v\  (A)  be  the  (negligible) 
probability  that  the  extractor  fails  on  input  n.  By  sum¬ 
mation,  Pr[EVENTEXT]  <  (M  +  l)^(A).  Next  consider 
the  probability  of  EvenTcol-  This  implies  that  for  some 
i,  A  has  produced  a  pair  (S', r*)  =  ( Si,r.; )  where  S' 
has  not  been  produced  by  Ospend-  Observe  that  there  are 
l  distinct  pairs  (S,  r)  that  satisfy  c*  =  gshr  modp  and 
Al’s  view  is  independent  of  the  specific  pair  chosen.  Thus 
Pr  [EventCoL]  <  l/l. 

Next,  we  argue  that  under  the  Strong  RSA  and  Dis¬ 
crete  Log  assumptions,  Pr[EVENTAcc]  <  ^2  (A)  and 
Pr  [EvenTforge]  <  o:s(\).  We  show  this  in  Lemmas  A.  1 
and  A.2  below.  If  A  succeeds  with  advantage  e,  then  by 
summing  the  above  probabilities  we  show  that  B  succeeds 
with  probability  >  e—  ((M  +  l)ui(A)  +  ^2  (A)  +  u3(A)  +  l/l). 
We  conclude  with  the  remaining  Lemmas. 

Lemma  A.l:  Under  the  Strong  RSA  assumption, 

Pr  [Eventacc]  <  ^2 ( A) . 

Proof  sketch.  The  basic  idea  of  this  proof  is  that  an  A!  who 
induces  Eventacc  with  non-negligible  probability  can  be 
used  to  find  a  witness  u>  to  the  presence  of  a  non-member  in  a 
given  accumulator.  Given  this  value,  we  apply  the  technique 
of  [12,  §3]  to  solve  the  Strong  RSA  problem.  For  the  complete 
details  we  refer  the  reader  to  [12,  §3]  and  simply  outline  the 
remaining  details  of  the  simulation. 

Let  A!  be  an  adversary  that  induces  EventACc  with  non- 
negligible  probability  e'  in  the  simulation  above.  We  use 
A!  to  construct  a  Strong  RSA  solver  B'  that  succeeds  with 
non-negligible  probability.  On  input  a  Strong  RSA  instance 
(TV,  u),  B'  selects  ( p ,  q ,  g,  h)  as  in  Setup  and  sets  params  = 
( TV ,  u,  p,  q ,  g ,  h).  It  generates  (ci , . . .  ,Ck)  as  in  the  previous 
simulation  and  runs  A'.  To  induce  EvenTaco  <A!  produces 
valid  output  (71',  C')  and  (by  extraction  from  n')  a  c*  ^  C'. 
B'  now  extracts  lo*  from  7 r'  using  the  technique  described 
in  [12,  §3]  and  uses  the  resulting  value  to  compute  a  solution 
to  the  Strong  RSA  instance.  □ 

Lemma  A.2:  Under  the  Discrete  Logarithm  assumption, 

Pr  [EvenTforge]  <  v 3(A). 

Proof  sketch.  We  leave  a  proof  for  the  full  version  of  this 
paper,  but  it  is  similar  to  those  used  by  earlier  schemes. 


e.g.,  [25].  Let  A!  be  an  adversary  that  induces  EvenTforge 
with  non-negligible  probability  e'  in  the  simulation  above. 
On  input  a  discrete  logarithm  instance,  we  run  A!  as  in 
the  main  simulation  except  that  we  do  not  use  the  trapdoor 
information  to  answer  _4'’s  oracle  queries.  Instead  we  select 
random  serial  numbers  and  simulate  the  ZKSoK  responses 
to  A!  by  programming  the  random  oracle.  When  A!  outputs 
a  forgery  on  a  repeated  serial  number  but  a  different  string 
R'  than  used  in  any  previous  proof,  we  rewind  A!  to  extract 
the  pair  ( .S') .  r) )  and  solve  for  the  discrete  logarithm  as  in 
the  main  simulation.  □ 


Appendix  B. 

Zero-Knowledge  Proof  Construction 
The  signature  of  knowledge 
7r  =  ZKSoK[i?]{(c,  w,  r)  : 

AccVerify((iV,  u),  A,  c,  w)  =  1  A  c  =  gshrj 

is  composed  of  two  proofs  that  (1)  a  committed  value  c 
is  accumulated  and  (2)  that  c  is  a  commitment  to  S.  The 
former  proof  is  detailed  in  [41,  §3.3  and  Appendix  A].  The 
latter  is  a  double  discrete  log  signature  of  knowledge  that, 
although  related  to  previous  work  [21,  §5.3.3],  is  new  (at 
least  to  us).  A  proof  of  its  security  can  be  found  in  the  full 
version  of  this  paper.  It  is  constructed  as  follows: 

Given  y-{  =  ga*b‘ hw . 

Let  l  <  k  be  two  security  parameters  and  H  : 

{0, 1}*  —y  {0,  l}fc  be  a  cryptographic  hash  func¬ 
tion.  Generate  21  random  numbers  r\,...,ri  and 

v\ , . . .  ,vi.  Compute,  for  1  <  i  <  l,  L  =  ga*bri  hVi. 

The  signature  of  knowledge  on  the  message  m  is 
(c,  si,  s2,  •  •  • ,  81,81,82,  ■■■,  s(),  where: 

e=  JT(m||j/i||a||6||5||/i||a:||fi||...||fO 

and 

if  c[i]  =  0  then  si  =  r.j,  s'  =  vp, 

else  Si  =  Vi  —  z,  s'  =  v,  —  wbn~z; 

To  verify  the  signature  it  is  sufficient  to  compute: 
c'  =  if(m||j/i||o||6||ff||/i||x||fi|| . . .  \\ti) 

with 

if  c[i]  =  0  then  i)  =  ga  b  1  hSi ; 
else  ti  =  hSi ; 

and  check  whether  c  =  c'. 

Simulating  and  extracting.  Our  proofs  in  Appendix  A  assume 
the  existence  of  an  efficient  simulator  and  extractor  for  the 
signature  of  knowledge.  These  may  be  constructed  using  well- 
understood  results  in  the  random  oracle  model,  e.g.,  [25,42]. 
We  provide  further  details  in  the  full  version  of  this  work. 


Approved  for  Public  Release;  Distribution  Unlimited. 

744 


PCF:  A  Portable  Circuit  Format  For  Scalable  Two-Party  Secure 

Computation 


Ben  Kreuter  Benjamin  Mood  abhi  shelat 

Computer  Science  Dept.  Computer  and  Info.  Science  Dept.  Computer  Science  Dept. 
U.  Virginia  U.  Oregon  U.  Virginia 

Kevin  Butler 

Computer  and  Info.  Science  Dept. 

U.  Oregon 


Abstract 

A  secure  computation  protocol  for  a  function  f(x,y) 
must  leak  no  information  about  inputs  x,y  during  its  ex¬ 
ecution;  thus  it  is  imperative  to  compute  the  function  / 
in  a  data-oblivious  manner.  Traditionally,  this  has  been 
accomplished  by  compiling  /  into  a  boolean  circuit.  Pre¬ 
vious  approaches,  however,  have  scaled  poorly  as  the  cir¬ 
cuit  size  increases.  We  present  a  new  approach  to  com¬ 
piling  such  circuits  that  is  substantially  more  efficient 
than  prior  work.  Our  approach  is  based  on  online  cir¬ 
cuit  compression  and  lazy  gate  generation.  We  imple¬ 
mented  an  optimizing  compiler  for  this  new  representa¬ 
tion  of  circuits,  and  evaluated  the  use  of  this  representa¬ 
tion  in  two  secure  computation  environments.  Our  eval¬ 
uation  demonstrates  the  utility  of  this  approach,  allow¬ 
ing  us  to  scale  secure  computation  beyond  any  previous 
system  while  requiring  substantially  less  CPU  time  and 
disk  space.  In  our  largest  test,  we  evaluate  an  RSA-1024 
signature  function  with  more  than  42  billion  gates,  that 
was  generated  and  optimized  using  our  compiler.  With 
our  techniques,  the  bottleneck  in  secure  computation  lies 
with  the  cryptographic  primitives,  not  the  compilation  or 
storage  of  circuits. 

1  Introduction 

Secure  function  evaluation  (SFE)  refers  to  several  related 
cryptographic  constructions  for  evaluating  functions  on 
unknown  inputs.  Typically,  these  constructions  require 
an  oblivious  representation  of  the  function  being  eval¬ 
uated,  which  ensures  that  the  control  flow  of  the  algo¬ 
rithm  will  not  depend  on  its  input;  in  the  two  party  case, 
boolean  circuits  are  most  frequently  seen.  These  oblivi¬ 
ous  representations  are  often  large,  with  millions  and  in 
some  cases  billions  of  gates  even  for  relatively  simple 
functions,  which  has  motivated  the  creation  of  software 
tools  for  producing  such  circuits.  While  there  has  been 
substantial  work  on  the  practicality  of  secure  function 


evaluation,  it  was  only  recently  that  researchers  began 
investigating  the  practicality  of  compiling  such  oblivious 
representations  from  high-level  descriptions. 

The  work  on  generating  boolean  circuits  for  SFE  has 
largely  focused  on  two  approaches.  In  one  approach, 
a  library  for  a  general  purpose  programming  language 
such  as  Java  is  created,  with  functions  for  emitting  cir¬ 
cuits  [13,20].  For  convenience,  these  libraries  typically 
include  pre -built  gadgets  such  as  adders  or  multiplex¬ 
ers,  which  can  be  used  to  create  more  complete  func¬ 
tions.  The  other  approach  is  to  write  a  compiler  for  a 
high  level  language,  which  computes  and  optimizes  cir¬ 
cuits  based  on  a  high  level  description  of  the  functional¬ 
ity  that  may  not  explicitly  state  how  the  circuit  should 
be  organized  [18,21].  It  has  been  shown  in  previous 
work  that  both  of  these  approaches  can  scale  up  to  cir¬ 
cuits  with  at  least  hundreds  of  millions  of  gates  on  mod¬ 
ern  computer  hardware,  and  in  some  cases  even  billions 
of  gates  [13, 18]. 

The  approaches  described  above  were  limited  in  terms 
of  their  practical  utility.  Library-based  approaches  like 
HEKM  [13]  or  VMCrypt  [20]  require  users  to  understand 
the  organization  of  the  circuit  description  of  their  func¬ 
tion,  and  were  unable  to  apply  any  optimizations  across 
modules.  The  Fairplay  compiler  [21]  was  unable  to  scale 
to  circuits  with  only  millions  of  gates,  which  excludes 
many  interesting  functions  that  have  been  investigated. 
The  poor  scalability  of  Fairplay  is  a  result  of  the  com¬ 
piler  first  unrolling  all  loops  and  inlining  all  subroutines, 
storing  the  results  in  memory  for  later  compiler  stages. 
The  PALC  system  [23]  was  more  resource  efficient  than 
Fairplay,  but  did  not  attempt  to  optimize  functions,  re¬ 
lying  instead  on  precomputed  optimizations  of  specific 
subcircuits.  The  KSS12  [18]  system  was  able  to  apply 
some  global  optimizations  and  used  less  memory  than 
Fairplay,  but  also  had  to  unroll  all  loops  and  store  the 
complete  circuit  description,  which  caused  some  func¬ 
tions  to  require  days  to  compile.  Additionally,  the  lan¬ 
guage  used  to  describe  circuits  in  the  KSS12  system  was 
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brittle  and  difficult  to  use;  for  example,  array  index  val¬ 
ues  could  not  be  arbitrary  functions  of  loop  indices. 

1.1  Our  Approach 

In  this  work,  we  demonstrate  a  new  approach  to  compil¬ 
ing,  optimizing,  and  storing  circuits  for  SFE  systems.  At 
a  high  level,  our  approach  is  based  on  representing  the 
function  to  be  evaluated  as  a  program  that  computes  the 
circuit  representation  of  the  function,  similar  to  the  cir¬ 
cuit  library  approaches  described  in  previous  work.  Our 
compiler  then  optimizes  this  program  with  the  goal  of 
producing  a  smaller  circuit.  We  refer  to  our  circuit  rep¬ 
resentation  as  the  Portable  Circuit  Format  (PCF). 

When  the  SFE  system  is  run,  it  uses  our  interpreter 
to  load  the  PCF  program  and  execute  it.  As  the  PCF 
program  runs,  it  interacts  with  the  SFE  system,  managing 
information  about  gates  internally  based  on  the  responses 
from  the  SFE  system  itself.  In  our  system,  the  circuit  is 
ephemeral;  it  is  not  necessary  to  store  the  entire  circuit, 
and  wires  will  be  deleted  from  memory  once  they  are  no 
longer  required. 

The  key  insight  of  our  approach  is  that  it  is  not  neces¬ 
sary  to  unroll  loops  until  the  SFE  protocol  runs.  While 
previous  compilers  discard  the  loop  structure  of  the  func¬ 
tion,  ours  emits  it  as  part  of  the  control  structure  of  the 
PCF  program.  Rather  than  dealing  directly  with  wires, 
our  system  treats  wire  IDs  as  memory  addresses',  a  wire 
is  “deleted”  by  overwriting  its  location  in  memory.  Loop 
termination  conditions  have  only  one  constraint:  they 
must  not  depend  on  any  secret  wire  values.  There  is  no 
upper  bound  on  the  number  of  loop  iterations,  and  the 
programmer  is  responsible  for  ensuring  that  there  are  no 
infinite  loops. 

To  summarize,  we  present  the  following  contributions: 

•  A  new  compiler  that  has  the  same  advantages  as  the 
circuit  library  approach 

•  A  novel,  more  general  algorithm  for  translating  con¬ 
ditional  statements  into  circuits 

•  A  new  representation  of  circuits  that  is  more  com¬ 
pact  than  previous  representations  which  scales  to 
arbitrary  circuit  sizes. 

•  A  portable  interpreter  that  can  be  used  with  differ¬ 
ent  SFE  execution  systems  regardless  of  the  security 
model. 

Our  compiler  is  a  back  end  that  can  read  the  byte¬ 
code  emitted  by  a  front  end',  thus  our  compiler  allows 
any  language  to  be  used  for  SFE.  Instead  of  focusing  on 
global  optimizations  of  boolean  functions,  our  optimiza¬ 
tion  strategy  is  based  on  using  higher-level  information 


from  the  bytecode  itself,  which  we  show  to  be  more  ef¬ 
fective  and  less  resource-intensive.  We  present  compar¬ 
isons  of  our  compiler  with  previous  work  and  show  ex¬ 
perimental  results  using  our  compiler  in  two  complete 
SFE  systems,  one  based  on  an  updated  version  of  the 
KSS12  system  and  one  based  on  HEKM.  In  some  of  our 
test  cases,  our  compiler  produced  circuits  only  30%  as 
large  as  previous  compilers  starting  from  the  same  source 
code.  With  the  techniques  presented  in  this  work,  we 
demonstrate  that  the  RSA  algorithm  with  a  real-world 
key  size  and  real-world  security  level  can  be  compiled 
and  run  in  a  garbled  circuit  protocol  using  a  typical  desk¬ 
top  computer.  To  the  best  of  our  knowledge,  the  RSA- 
1024  circuit  we  tested  is  larger  than  any  previous  garbled 
circuit  experiment,  with  more  than  42  billion  gates.  We 
also  present  preliminary  results  of  our  system  running 
on  smartphones,  using  a  modified  version  of  the  HEKM 
system. 

For  testing  purposes,  we  used  the  LCC  compiler  [8] 
as  a  front-end  to  our  system.  A  high-level  view  of  our 
system,  with  the  LCC  front-end,  is  given  in  Figure  1. 

The  rest  of  this  paper  is  organized  as  follows:  Sec¬ 
tion  2  is  a  review  of  SFE  and  garbled  circuits;  Section  3 
presents  an  overview  of  bytecode  languages;  Section  4 
explains  our  compiler  design  and  describes  our  represen¬ 
tation;  Section  5  discusses  the  possibility  of  using  dif¬ 
ferent  bytecode  and  SFE  systems;  Section  6  details  the 
experiments  we  performed  to  evaluate  our  system  and  re¬ 
sults  of  those  experiments;  Section  7  details  other  work 
which  is  related  to  our  own;  and  Section  8  presents  future 
lines  of  research. 

2  Secure  Function  Evaluation 

The  problem  of  secure  two-party  computation  is  to  allow 
two  mutually  distrustful  parties  to  compute  a  function 
of  their  two  inputs  without  revealing  their  inputs  to  the 
opposing  party  (privacy)  and  with  a  guarantee  that  the 
output  could  not  have  been  manipulated  (correctness). 
Yao  was  the  first  to  show  that  such  a  protocol  can  be 
constructed  for  any  computable  function,  by  using  the 
garbled  circuits  technique  [30],  In  his  original  formula¬ 
tion,  Yao  proposed  a  system  that  would  allow  users  to  de¬ 
scribe  the  function  in  a  high  level  language,  which  would 
then  be  compiled  into  a  circuit  to  be  used  in  the  garbled 
circuits  protocol.  The  first  complete  implementation  of 
this  design  was  the  Fairplay  system  given  by  Malkihi  et 
al.  [21], 

Oblivious  Transfer  One  of  the  key  building  blocks 
in  Yao’s  protocol  is  oblivious  transfer,  a  cryptographic 
primitive  first  proposed  by  Rabin  [25].  In  this  primitive, 
the  “sender”  party  holds  a  database  of  n  strings,  and  the 
“receiver”  party  learns  exactly  k  strings  with  the  guar¬ 
antee  that  the  sender  will  not  learn  which  k  strings  were 


Approved  for  Public  Release;  Distribution  Unlimited. 

2 

746 


Figure  1 :  High-level  design  of  our  system.  We  take  a  C 
program  and  compile  it  down  to  the  LCC  bytecode.  Our 
compiler  then  transforms  the  LCC  bytecode  to  our  new 
language  PCF.  Both  parties  then  execute  the  protocol  in 
their  respective  role  in  the  SFE  protocol.  The  interpreter 
could  be  any  execution  system. 

sent  and  the  receiver  will  not  learn  more  than  k  strings; 
this  is  known  as  a  k-out-of-zz  oblivious  transfer.  Given  a 
public  key  encryption  system  it  is  possible  to  construct 
a  l-out-of-2  oblivious  transfer  protocol  [7],  which  is  the 
building  block  used  in  Yao’s  protocol. 

Garbled  Circuits  The  core  of  Yao’s  protocol  is  the  con¬ 
struction  of  garbled  circuits,  which  involves  encrypting 
the  truth  table  of  each  gate  in  a  circuit  description  of  the 
function.  When  the  protocol  is  run,  the  truth  values  in  the 
circuit  will  be  represented  as  decryption  keys  for  some 
cipher,  with  each  gate  receiving  a  unique  pair  of  keys  for 
its  output  wire.  The  keys  for  a  gate’s  input  wires  are  then 
used  to  encrypt  the  keys  for  its  output  wires.  Given  a  sin¬ 
gle  key  for  each  input  wire  of  the  circuit,  the  party  that 
evaluates  the  circuit  can  decrypt  a  single  key  that  rep¬ 
resents  a  hidden  truth  value  for  each  gate’s  output  wire, 
until  the  output  gates  are  reached.  Since  this  encryption 
process  can  be  applied  to  any  circuit,  and  since  any  com¬ 
putable  function  has  a  corresponding  circuit  family,  this 
allows  the  construction  of  a  secure  protocol  for  any  com¬ 
putable  function. 

The  typical  garbled  circuit  protocol  has  two  parties 
though  it  can  be  expanded  to  more.  Those  two  parties 
are  Bob,  the  generator  of  the  garbled  circuit,  and  Alice, 
the  evaluator  of  the  garbled  circuit.  Bob  creates  the  gar¬ 
bled  circuit  and  therefore  knows  the  decryption  keys,  but 
does  not  know  which  specific  keys  Alice  uses.  Alice  will 
receive  the  input  keys  from  Bob  using  an  oblivious  trans¬ 
fer  protocol,  and  thus  leams  only  one  key  for  each  input 
wire;  if  the  keys  are  generated  independent  of  Bob’s  in¬ 
put,  Alice  will  learn  only  enough  to  compute  the  output 
of  the  circuit. 

Several  variations  on  the  Yao  protocol  have  been  pub¬ 
lished;  a  simple  description  of  the  garbling  and  eval¬ 
uation  process  follows.  Let  /  :  {0, 1}A  x  {0, 1}S  — > 
{O.lp'x  {0, 1  }*  be  a  computable  function,  which  will 
receive  input  bits  from  two  parties  and  produce  output 
bits  for  each  party  (not  necessarily  the  same  outputs).  To 
garble  the  circuit,  a  block  cipher  (E,D,G)  will  be  used. 

For  each  wire  in  the  circuit.  Bob  computes  a  pair  of 
random  keys  (ko,ki)  k—  (G(1”),G(1")),  which  represent 


logical  0  and  1  values.  For  each  of  Alice’s  outputs.  Bob 
uses  these  keys  to  encrypt  a  0  and  a  1  and  sends  the  pair 
of  ciphertexts  to  Alice.  Bob  records  the  keys  correspond¬ 
ing  to  his  own  outputs.  The  rest  of  the  wires  in  the  cir¬ 
cuit  are  inputs  to  gates.  For  each  gate,  if  the  truth  table  is 
[vo,o,vo,i,vi,o,vi)i],  Bob  computes  the  following  cipher- 
text: 

Ekt  o  (^vo,o))i^/,o  (^L,i  (^vo,i )) 

A,1  C^r,  0  (V,0))>^,1  (^kr  i  (*vM  ))_ 

where  k/  *  and  k,-,  are  the  keys  for  the  left  and  right  input 
wires  (this  can  be  generalized  for  gates  with  more  than 
two  inputs).  The  order  of  the  four  ciphertexts  is  then 
randomly  permuted  and  sent  to  Alice. 

Now  that  Alice  has  the  garbled  gates,  she  can  begin 
evaluating  the  circuit.  Bob  will  send  Alice  his  input  wire 
keys.  Alice  and  Bob  then  use  an  oblivious  transfer  to  give 
Alice  the  keys  for  her  input  wires.  For  each  gate,  Alice 
will  only  be  able  to  decrypt  one  entry,  and  will  receive 
one  key  for  the  gate’s  output,  and  will  continue  to  de¬ 
crypt  truth  table  entries  until  the  output  wires  have  been 
computed.  Alice  will  then  send  Bob  his  output  keys,  and 
decrypt  her  own  outputs. 

Optimizations  Numerous  optimizations  to  the  basic  Yao 
protocol  have  been  published  [10,  13,  17,  24,  27].  Of 
these,  the  most  relevant  to  compiling  circuits  is  the  “free 
XOR  trick”  given  by  Kolesnikov  and  Schneider  [17], 
This  technique  allows  XOR  gates  to  be  evaluated  with¬ 
out  the  need  to  garble  them,  which  greatly  reduces  the 
amount  of  data  that  must  be  transferred  and  the  CPU  time 
required  for  both  the  generator  and  the  evaluator.  One  ba¬ 
sic  way  to  take  advantage  of  this  technique  is  to  choose 
subcircuits  with  fewer  non-XOR  gates;  Schneider  pub¬ 
lished  a  list  of  XOR-optimal  circuits  for  even  three-input 
functions  [27]. 

Huang  et  al.  noted  that  there  is  no  need  for  the  eval¬ 
uator  to  wait  for  the  generator  to  garble  all  gates  in  the 
circuit  [13].  Once  a  gate  is  garbled,  it  can  be  sent  to 
the  evaluator,  allowing  generation  and  evaluation  to  oc¬ 
cur  in  parallel.  This  technique  is  very  important  for  large 
circuits,  which  can  quickly  become  too  large  to  store  in 
RAM  [18].  Our  approach  unifies  this  technique  with  the 
use  of  an  optimizing  compiler. 

3  Bytecode 

A  common  approach  to  compiler  design  is  to  translate  a 
high  level  language  into  a  sequence  of  instructions  for  a 
simple,  abstract  machine  architecture;  this  is  known  as 
the  intermediate  representation  or  bytecode.  Bytecode 
representations  have  the  advantage  of  being  machine- 
independent,  thus  allowing  a  compiler  front-end  to  be 
used  for  multiple  target  architectures.  Optimizations  per- 
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formed  on  bytecode  are  machine  independent  as  well;  for 
example,  dead  code  elimination  is  typically  performed 
on  bytecode,  as  removing  dead  code  causes  programs  to 
run  faster  on  all  realistic  machines. 

For  the  purposes  of  this  work,  we  focus  on  a  com¬ 
monly  used  bytecode  abstraction,  the  stack  machine.  In 
this  model,  operands  must  be  pushed  onto  an  abstract 
stack,  and  operations  involve  popping  operands  off  of  the 
stack  and  pushing  the  result.  In  addition  to  the  stack,  a 
stack  machine  has  RAM,  which  is  accessed  by  instruc¬ 
tions  that  pop  an  address  off  the  stack.  Instructions  in 
a  stack  machine  are  partially  ordered,  and  are  divided 
into  subroutines  in  which  there  is  a  total  ordering.  In 
addition  to  simple  operations  and  operations  that  interact 
with  RAM,  a  stack  machine  has  operations  that  can  mod¬ 
ify  the  program  counter,  a  pointer  to  the  next  instruction 
to  be  executed,  either  conditionally  or  unconditionally. 

At  a  high  level,  our  system  translates  bytecode  pro¬ 
grams  for  a  stack  machine  into  boolean  circuits  for  SFE. 
At  first  glance,  this  would  appear  to  be  at  least  highly 
inefficient,  if  not  impossible,  because  of  the  many  ways 
such  an  input  program  could  loop.  We  show,  however, 
that  imposing  only  a  small  set  of  restrictions  on  permis¬ 
sible  sequences  of  instructions  enables  an  efficient  and 
practical  translator,  without  significantly  reducing  the  us¬ 
ability  or  expressive  power  of  the  high  level  language. 

4  System  Design 

Our  system  divides  the  compiler  into  several  stages,  fol¬ 
lowing  a  common  compiler  design.  For  testing,  we  used 
the  LCC  compiler  front  end  to  parse  C  source  code  and 
produce  a  bytecode  intermediate  representation  (1R).  Our 
back  end  performs  optimizations  and  translates  the  byte¬ 
code  into  a  description  of  a  secure  computation  proto¬ 
col  using  our  new  format.  This  representation  greatly  re¬ 
duces  the  disk  space  requirements  for  large  circuits  com¬ 
pared  to  previous  work,  while  still  allowing  optimiza¬ 
tions  to  be  done  at  the  bit  level.  We  wrote  our  compiler 
in  Common  Lisp,  using  the  Steel  Bank  Common  Lisp 
system. 

4.1  Compact  Representations  of  Boolean 
Circuits 

In  Lairplay  and  the  systems  that  followed  its  design,  the 
common  pattern  has  been  to  represent  Boolean  circuits  as 
adjacency  lists,  with  each  node  in  the  graph  being  a  gate. 
The  introduces  a  scalability  problem,  as  it  requires  stor¬ 
age  proportional  to  the  size  of  the  circuit.  Generating, 
optimizing,  and  storing  circuits  has  been  a  bottleneck 
for  previous  compilers,  even  for  relatively  simple  func¬ 
tions  like  RSA.  Loading  such  large  circuits  into  RAM 
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Ligure  2:  The  high-level  concept  of  the  PCL  design.  It 
is  not  necessary  to  unroll  loops  at  compile  time,  even  to 
perform  optimizations  on  the  circuit.  Instead,  loops  can 
be  evaluated  at  runtime,  with  gates  being  computed  on- 
the-fly,  and  loop  indices  being  updated  locally  by  each 
party.  Wire  values  are  stored  in  a  table,  with  each  gate 
specifying  which  two  table  entries  should  be  used  as  in¬ 
puts  and  where  the  output  should  be  written;  previous 
wire  values  in  the  table  can  be  overwritten  during  this 
process,  if  they  are  no  longer  needed. 


is  a  challenge,  as  even  very  high-end  machines  may  not 
have  enough  RAM  for  relatively  simple  functions. 

There  have  been  some  approaches  to  addressing  this 
scalability  problem  presented  in  previous  work.  The 
KSS12  system  reduced  the  RAM  required  for  protocol 
executions  by  assigning  each  gate’s  output  wire  a  refer¬ 
ence  count,  allowing  the  memory  used  for  a  wire  value  to 
be  deallocated  once  the  gate  is  no  longer  needed.  How¬ 
ever,  the  compiler  bottleneck  was  not  solved  in  KSS12, 
as  even  computing  the  reference  count  required  memory 
proportional  to  the  size  of  the  circuit.  Even  with  the  engi¬ 
neering  improvements  presented  by  Kreuter,  shelat,  and 
Shen,  the  KSS 12  compiler  was  unable  to  compile  circuits 
with  more  than  a  few  billion  gates,  and  required  several 
days  to  compile  their  largest  test  cases  [18]. 

The  PAL  system  [23]  also  addresses  memory  require¬ 
ments,  by  adding  control  structures  to  the  circuit  descrip¬ 
tion,  allowing  parts  of  the  description  to  be  re-used.  In 
the  original  presentation  of  PAL,  however,  a  large  circuit 
file  would  still  be  emitted  in  the  Lairplay  format  when 
the  secure  protocol  was  run.  An  extension  of  this  work 
presented  by  Mood  [22]  allowed  the  PAL  description  to 
be  used  directly  at  runtime,  but  this  work  sacrificed  the 
ability  to  optimize  circuits  automatically. 

Our  system  builds  upon  the  PAL  and  KSS  12  systems 
to  solve  the  memory  scalability  problem  without  sacri- 
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firing  the  ability  to  optimize  circuits  automatically.  Two 
observations  are  key  to  our  approach. 

Our  first  observation  is  that  it  is  possible  to  free  the 
memory  required  for  storing  wire  values  without  com¬ 
puting  a  reference  count  for  the  wire.  In  previous  work, 
each  wire  in  a  circuit  is  assigned  a  unique  global  identi¬ 
fier,  and  gate  input  wires  are  specified  in  terms  of  these 
identifiers  (output  wires  can  be  identified  by  the  position 
of  the  gate  in  the  gate  list).  Rather  than  using  global 
identifiers,  we  observe  that  wire  values  are  ephemeral, 
and  only  require  a  unique  identity  until  their  last  use  as 
the  input  to  a  gate. 

We  therefore  maintain  a  table  of  “active”  wire  values, 
similar  to  KSS12,  but  change  the  gate  description.  In 
this  format,  wire  values  are  identified  by  their  index  in 
the  table,  and  gates  specify  the  index  of  each  input  wire 
and  an  index  for  the  output  wire;  in  other  words,  a  gate 
isatuple  (f, 11,12,0),  where  t  is  atruth  table,  4,(2  are  the 
input  wire  indexes,  and  o  is  the  output  wire  index.  When 
a  wire  value  is  no  longer  needed,  its  index  in  the  table 
can  be  safely  used  as  an  output  wire  for  a  gate. 

Now,  consider  the  following  example  of  a  circuit 
described  in  the  above  format,  which  accumulates  the 
Boolean  AND  of  seven  wire  values: 

(AND[.  1 ,2,0) 

(AND2,  0,3,0) 

(AND3, 0,4,0) 

(AND4, 0,5,0) 

(AND5, 0,6,0) 

(AND6, 0,7,0) 

Our  second  observation  is  that  circuits  such  as  this  can 
be  described  more  compactly  using  a  loop.  This  builds 
on  our  first  observation,  which  allows  wire  values  to  be 
overwritten  once  they  are  no  longer  needed.  A  simple  ap¬ 
proach  to  allowing  this  would  add  a  conditional  branch 
operation  to  the  description  format.  This  is  more  general 
than  the  approach  of  PAL,  which  includes  loops  but  al¬ 
lows  only  simple  iteration.  Additionally,  it  is  necessary 
to  allow  the  loop  index  to  be  used  to  specify  the  input  or 
output  wire  index  of  the  gates;  as  a  general  solution,  we 
add  support  for  indirection,  allowing  wire  values  to  be 
copied. 

This  representation  of  Boolean  circuits  is  a  bytecode 
for  a  one-bit  CPU,  where  the  operations  are  the  16  pos¬ 
sible  two-arity  Boolean  gates,  a  conditional  branch,  and 
indirect  copy.  In  our  system,  we  also  add  instructions 
for  function  calls  (which  need  not  be  inlined  at  compile 
time)  and  handling  the  parties’  inputs/outputs.  When  the 
secure  protocol  is  run,  a  three-level  logic  is  used  for  wire 
values:  0,  1,  or  _L,  where  _L  represents  an  “unknown” 
value  that  depends  on  one  of  the  party’s  inputs.  In  the 
case  of  a  Yao  protocol,  the  _L  value  is  represented  by  a 


garbled  wire  value.  Conditional  branches  are  not  allowed 
to  depend  on  _L  values,  and  indirection  operations  use 
a  separate  table  of  pointers  that  cannot  computed  from 
_L  values  (if  such  an  indirection  operation  is  required,  it 
must  be  translated  into  a  large  multiplexer,  as  in  previous 
work). 

We  refer  to  our  circuit  representation  as  the  Portable 
Circuit  Format  or  PCF.  In  addition  to  gates  and  branches, 
PCF  includes  support  for  copying  wires  indirectly,  a 
function  call  stack,  data  stacks,  and  setting  function  pa¬ 
rameters.  These  additional  operations  do  not  emit  any 
gates  and  can  therefore  be  viewed  as  “free”  operations. 
PCF  is  modeled  after  the  concept  of  PAL,  but  instead 
of  using  predefined  sub-circuits  for  complex  operations, 
a  PCF  file  defines  the  sub-circuits  for  a  given  function 
to  allow  for  circuit  structure  optimization.  PCF  includes 
lower  level  control  structures  compared  to  PAL,  which 
allows  for  more  general  loop  structures. 

In  Appendix  A,  we  describe  in  detail  the  semantics  of 
the  PCF  instructions.  Example  PCF  files  are  available  at 
the  authors’  website. 

4.2  Describing  Functions  for  SFE 

Most  commonly  used  programming  languages  can  de¬ 
scribe  processes  that  cannot  be  translated  to  SFE;  for  ex¬ 
ample,  a  program  that  does  not  terminate,  or  one  which 
terminates  after  reading  a  specific  input  pattern.  It  is 
therefore  necessary  to  impose  some  limitation  on  the  de¬ 
scriptions  of  functions  for  SFE.  In  systems  with  domain 
specific  languages,  these  limitations  can  be  imposed  by 
the  grammar  of  the  language,  or  can  be  enforced  by 
taking  advantage  of  particular  features  of  the  grammar. 
However,  one  goal  of  our  system  is  to  allow  any  pro¬ 
gramming  language  to  be  used  to  describe  functionality 
for  SFE,  and  so  we  cannot  rely  on  the  grammar  of  the 
language  being  used. 

We  make  a  compromise  when  it  comes  to  restricting 
the  inputs  to  our  system.  Unlike  model  checking  sys¬ 
tems  [2],  we  impose  no  upper  bound  on  loop  iterations  or 
on  recursive  function  calls  (other  than  the  memory  avail¬ 
able  for  the  call  stack),  and  leave  the  responsibility  of  en¬ 
suring  that  programs  terminate  to  the  user.  On  the  other 
hand,  our  system  does  forbid  certain  easily-detectable 
conditions  that  could  result  in  infinite  loops,  such  as 
unconditional  backwards  jumps,  conditional  backwards 
jumps  that  depend  on  input,  and  indirect  function  calls. 
These  restrictions  are  similar  to  those  imposed  by  the 
Fairplay  and  KSS12  systems  [18,21],  but  allow  for  more 
general  iteration  than  incrementing  the  loop  index  by  a 
constant.  Although  false  positives,  i.e.,  programs  that 
terminate  but  which  contain  such  constructs  are  possible, 
our  hypothesis  is  that  useful  functions  and  typical  com¬ 
pilers  would  not  result  in  such  instruction  sequences,  and 
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we  observed  no  such  functions  in  our  experiments  with 
LCC. 


4.3  Algorithms  for  Translating  Bytecode 


Our  compiler  reads  a  bytecode  representation  of  the 
function,  which  lacks  the  structure  of  higher-level  de¬ 
scriptions  and  poses  a  unique  challenge  in  circuit  gener¬ 
ation.  As  mentioned  above,  we  do  not  impose  any  upper 
limit  on  loop  iterations  or  the  depth  of  the  function  call 
stack.  Our  approach  to  translation  does  not  use  any  sym¬ 
bolic  analysis  of  the  function.  Instead,  we  translate  the 
bytecode  into  PCF,  using  conditional  branches  and  func¬ 
tion  calls  as  needed  and  translating  other  instructions  into 
lists  of  gates.  For  testing,  we  use  the  IR  from  the  LCC 
compiler,  which  is  based  on  the  common  stack  machine 
model;  we  will  use  examples  of  this  IR  to  illustrate  our 
design,  but  note  that  none  of  our  techniques  strictly  re¬ 
quire  a  stack  machine  model  or  any  particular  features  of 
the  LCC  bytecode. 

In  our  compiler,  we  divide  bytecode  instructions  into 
three  classes: 

Normal  Instructions  which  have  exactly  one  successor 
and  which  can  be  represented  by  a  simple  circuit. 
Examples  of  such  instructions  are  arithmetic  and 
bitwise  logic  operations,  operations  that  push  data 
onto  the  stack  or  move  data  to  memory,  etc. 

Jump  Instructions  that  result  in  an  unconditional  con¬ 
trol  flow  switch  to  a  specific  label.  This  does  not 
include  function  calls,  which  we  represent  directly 
in  PCF  Such  instructions  are  usually  used  for  if/else 
constructs  or  preceding  the  entry  to  a  loop. 

Conditional  Instructions  that  result  in  control  flow 
switching  to  either  a  label  or  the  subsequent  instruc¬ 
tion,  depending  on  the  result  of  some  conditional 
statement.  Examples  include  arithmetic  compar¬ 
isons. 

In  the  stack  machine  model,  all  operands  and  the 
results  of  operations  are  pushed  onto  a  global  stack. 
For  “normal”  instructions,  the  translation  procedure  is 
straightforward:  the  operands  are  popped  off  the  stack 
and  assigned  temporary  wires,  the  subcircuit  for  the  op¬ 
eration  is  connected  to  these  wires,  and  the  output  of  the 
operation  is  pushed  onto  the  stack.  “Jump”  instructions 
appear,  at  first,  to  be  equally  straightforward,  but  actually 
require  special  care  as  we  describe  below. 

“Conditional”  instructions  present  a  challenge.  Condi¬ 
tional  jumps  whose  targets  precede  the  jump  are  assumed 
to  be  loop  constructs,  and  are  translated  directly  into  PCF 
branch  instructions.  All  other  conditional  jumps  require 
the  creation  of  multiplexers  in  the  circuit  to  deal  with 


Figure  3:  Nested  if  statements,  which  can  be  handled 
using  the  stack-based  algorithm. 

conditional  assignments.  Therefore,  the  branch  targets 
must  be  tracked  to  ensure  that  the  appropriate  condition 
wires  are  used  to  control  those  multiplexers. 

In  the  Fairplay  and  KSS12  compilers,  the  condition 
wire  for  an  “if”  statement  is  pushed  onto  a  stack  along 
with  a  “scope”  that  is  used  to  track  the  values  (wire  as¬ 
signments)  of  variables.  When  a  conditional  block  is 
closed,  the  condition  wire  at  the  top  of  the  stack  is  used 
to  multiplex  the  value  of  all  the  variables  in  the  scope  at 
the  top  with  the  values  from  the  scope  second  to  the  top, 
and  then  the  stack  is  popped.  This  procedure  relies  on 
the  grammar  of  “if/else”  constructs,  which  ensures  that 
conditional  blocks  can  be  arranged  as  a  tree.  An  exam¬ 
ple  of  this  type  of  “if/else”  construct  is  in  Figure  3.  In  a 
bytecode  representation,  however,  it  is  possible  for  con¬ 
ditional  blocks  to  “overlap”  with  each  other  without  be¬ 
ing  nested. 

In  the  sequence  shown  in  Figure  4,  the  first  branch’s 
target  precedes  the  second  branch’s  target,  and  indirect 
loads  and  assignments  exist  in  the  overlapping  region  of 
these  two  branches.  The  control  flow  of  such  an  overlap 
is  given  in  Figure  5.  A  stack  is  no  longer  sufficient  in  this 
case,  as  the  top  of  the  stack  will  not  correspond  to  the  ap¬ 
propriate  branch  when  the  next  branch  target  is  encoun¬ 
tered.  Such  instruction  sequences  are  not  uncommon  in 
the  code  generated  by  production  compilers,  as  they  are 
a  convenient  way  to  generate  code  for  “else”  blocks  and 
ternary  operators. 

To  handle  such  sequences,  we  use  a  novel  algorithm 
based  on  a  priority  queue  rather  than  a  stack,  and  we 
maintain  a  global  condition  wire  that  is  modified  as 
branches  and  branch  targets  are  reached.  When  a  branch 
instruction  is  reached,  the  global  condition  wire  is  up¬ 
dated  by  logically  ANDing  the  branch  condition  with 
the  global  condition  wire.  The  priority  queue  is  updated 
with  the  branch  condition  and  a  scope,  as  in  the  stack- 
based  algorithm;  the  priority  is  the  target,  with  lower 
targets  having  higher  priority.  When  an  assignment  is 
performed,  the  scope  at  the  top  of  the  priority  queue  is 
updated  with  the  value  being  assigned,  the  location  be¬ 
ing  assigned  to,  the  old  value,  and  a  copy  of  the  global 
condition  wire.  When  a  branch  target  is  reached,  multi¬ 
plexers  are  emitted  for  each  assignment  recorded  in  the 
scope  at  the  top  of  the  priority  queue,  using  the  copy  of 
the  global  condition  wire  that  was  recorded.  After  the 
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EQU4  A 
INDIRI4  16 
EQU4  B 
INDIRI4  24 
LABELV  A 
ASGNI4 
LABELV  B 
ASGNI4 

Figure  4:  A  bytecode  sequence  where  overlapping  con¬ 
ditional  blocks  are  not  nested;  note  that  the  target  of 
the  first  branch,  “A,”  precedes  the  target  of  the  second 
branch,  “B.” 


True 


Figure  5:  A  control  flow  with  overlapping  conditional 
blocks. 


multiplexers  are  emitted,  the  global  condition  wire  is  up¬ 
dated  by  ORing  the  inverse  of  the  condition  wire  at  the 
top  of  the  priority  queue,  and  then  the  top  is  removed. 

Unconditional  jumps  are  only  allowed  in  the  forward 
direction,  i.e.,  only  if  the  jump  precedes  its  target.  When 
such  instructions  are  encountered,  they  are  translated  into 
conditional  branches  whose  condition  wire  is  the  inverse 
of  the  conjunction  of  the  condition  wires  of  all  enclos¬ 
ing  branches.  In  the  case  of  a  jump  that  is  not  in  any 
conditional  block,  the  condition  wire  is  set  to  false;  this 
does  not  necessarily  mean  that  subsequent  assignments 
will  not  occur,  as  the  multiplexers  for  these  assignments 
will  be  emitted  and  will  depend  on  a  global  control  line 
that  may  be  updated  as  part  of  a  loop  construct.  The  op¬ 
timizer  is  responsible  for  determining  whether  such  as¬ 
signments  can  occur,  and  will  rewrite  the  multiplexers  as 
direct  assignments  when  possible. 

Finally,  it  is  possible  that  the  operand  stack  will  have 
changed  in  the  fall-through  path  of  a  conditional  jump. 
In  that  case,  the  stack  itself  must  be  multiplexed.  For 
simplicity,  we  require  that  the  depth  of  the  stack  not 
change  in  a  fall-through  path.  We  did  not  observe  any 
such  changes  to  the  stack  in  our  experiments  with  LCC. 

4.4  Optimization 


representation,  but  increases  the  complexity  of  the  opti¬ 
mization  process  somewhat. 

The  KSS12  compiler  bases  its  optimization  on  a  rudi¬ 
mentary  dataflow  analysis,  but  without  any  conditional 
branches  or  loops,  and  with  single  assignments  to  each 
wire.  In  our  system,  loops  are  not  eliminated  and  wires 
may  be  overwritten,  but  conditional  branches  are  elim¬ 
inated.  As  in  KSS12,  we  use  an  approach  based  on 
dataflow  analysis,  but  we  must  make  multiple  passes  to 
find  a  fixed  point  solution  to  the  dataflow  equations.  Our 
dataflow  equations  take  advantage  of  the  logical  rules  of 
each  gate,  allowing  more  gates  to  be  identified  for  elimi¬ 
nation  than  the  textbook  equations  identify. 

We  perform  our  dataflow  analysis  on  individual  PCF 
instructions,  which  allows  us  to  remove  single  gates  even 
where  entire  bytecode  instructions  could  not  be  removed, 
but  which  carries  the  cost  of  somewhat  longer  compila¬ 
tion  time,  on  the  order  of  minutes  for  the  experiments  we 
ran.  Currently,  our  framework  only  performs  optimiza¬ 
tion  within  individual  functions,  without  any  interproce¬ 
dural  analysis.  Compile  times  in  our  system  can  be  re¬ 
duced  by  splitting  a  large  procedure  into  several  smaller 
procedures. 


Optimization  128  mult.  5x5  matrix  256  RSA 


None 
Const.  Prop. 
Dead  Elim. 
Both 


707,244 

296,960 

700,096 

260,073 


260,000  904,171,008 

198,000  651,504,495 

255.875  883,307,712 

131.875  573,156,735 


Table  1:  Effects  of  constant  propagation  and  dead  code 
elimination  on  circuit  size,  measured  with  simulator  that 
performs  no  simplification  rules.  For  each  function,  the 
number  of  non-XOR  gates  are  given  for  all  combinations 
of  optimizations  enabled. 


4.4.1  Constant  Propagation 

The  constant  propagation  framework  we  use  is  straight¬ 
forward,  similar  to  the  methods  used  in  typical  compil¬ 
ers.  However,  for  some  gates,  simplification  rules  can  re¬ 
sult  in  constants  being  computed  even  when  the  inputs  to 
a  gate  are  not  constant;  for  example,  XORing  a  variable 
with  itself.  The  transfer  function  we  use  is  augmented 
with  a  check  against  logic  simplification  rules  to  account 
for  this  situation,  but  remains  monotonic  and  so  conver¬ 
gence  is  still  guaranteed. 


One  of  the  shortcomings  of  the  KSS12  system  was  the 
amount  of  time  and  memory  required  to  perform  opti¬ 
mizations  on  the  computed  circuit.  In  our  system,  opti¬ 
mization  is  performed  before  loops  are  unrolled  but  after 
the  functionality  is  translated  into  a  PCF  representation. 
This  allows  optimizations  to  be  performed  on  a  smaller 


4.4.2  Dead  Gate  Removal 

The  last  step  of  our  optimizer  is  to  remove  gates  whose 
output  wires  are  never  used.  This  is  a  standard  bit  vector 
dataflow  problem  that  requires  little  tailoring  for  our  sys¬ 
tem.  As  is  common  in  compilers,  performing  this  step 
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Function 

With 

Without 

Ratio 

Function 

With  (s) 

Without  (s) 

16384-bit  Comp. 

32,228 

49,314 

65% 

16384-bit  Comp. 

4.41  ±0.3% 

4.44  ± 

0.3% 

128-bit  Sum 

345 

508 

67% 

128-bit  Sum 

0.0581  ±0.3% 

0.060  ± 

2% 

256-sit  Sum 

721 

1,016 

70% 

256-bit  Sum 

0.103  ±0.3% 

0.105  ± 

0.3% 

1024-bit  Sum 

2,977 

4,064 

73% 

1024-bit  Sum 

0.365  ±0.3% 

0.367  ± 

0.2% 

128-bit  Mult. 

76,574 

260,073 

20% 

128-bit  Mult. 

0.892±0.1% 

0.894  ± 

0.1% 

256-bit  Mult. 

300,634 

1,032,416 

20% 

256-bit  Mult. 

3.02±0.1% 

3.04  ± 

0.1% 

1024-bit  Mult. 

8,301,962 

19,209,120 

21% 

1024-bit  Mult. 

39.7  ±0.2% 

39.9  ±0.06% 

Table  2:  Non-XOR  gates  in  circuits  computed  by  the  in¬ 
terpreter  with  and  without  the  application  of  simplifica¬ 
tion  rules  by  the  runtime  system. 

last  yields  the  best  results,  as  large  numbers  of  gates  be¬ 
come  dead  following  earlier  optimizations. 

4.5  Externally-Defined  Functions 

Some  functionality  is  difficult  to  describe  well  in  byte¬ 
code  formats.  For  example,  the  graph  isomorphism  ex¬ 
periment  presented  in  Section  6  uses  AES  as  a  PRNG 
building  block,  but  the  best  known  description  of  the 
AES  S-box  is  given  at  the  bit-level  [4],  whereas  the 
smallest  width  operation  supported  by  LCC  is  a  single 
byte.  To  compensate  for  this  difficulty,  we  allow  users  to 
specify  functions  with  the  same  language  used  internally 
to  translate  bytecode  operations  into  circuits;  an  example 
of  this  language  is  shown  in  Section  5.1.  This  allows  for 
possible  combinations  of  our  compiler  with  other  circuit 
generation  and  optimization  tools. 

4.6  PCF  Interpreter 

To  use  a  PCF  description  of  a  circuit  in  a  secure  protocol, 
an  interpreter  is  needed.  The  interpreter  simulates  the  ex¬ 
ecution  of  the  PCF  file  for  a  single -bit  machine,  emitting 
gates  as  needed  for  the  protocol.  Loops  are  not  explicitly 
unrolled;  instead,  PCF  branch  instructions  are  condition¬ 
ally  followed,  based  on  the  logic  value  of  some  wire,  and 
each  wire  identifier  is  treated  as  an  address  in  memory. 
This  is  where  the  requirement  that  loop  bounds  be  in¬ 
dependent  of  both  parties’  inputs  is  ultimately  enforced: 
the  interpreter  cannot  determine  whether  or  not  to  take  a 
branch  if  it  cannot  determine  the  condition  wire’s  value. 

For  testing  purposes,  we  wrote  two  PCF  interpreters: 
one  in  C,  which  is  packaged  as  a  reusable  library,  and 
one  in  Java  that  was  used  for  tests  on  smartphones.  The 
C  library  can  be  used  as  a  simulator  or  for  full  protocol 
execution.  As  a  simulator  it  simply  evaluates  the  PCF  file 
without  any  garbling  to  measure  the  size  of  the  circuit 
that  would  have  been  garbled  in  a  real  protocol.  This 
interpreter  was  used  for  the  LAN  tests,  using  an  updated 
version  of  the  KSS12  protocol.  The  Java  interpreter  was 


Table  3:  Simulator  time  with  simplification  rules  versus 
without,  using  the  C  interpreter.  Times  are  averaged  over 
50  samples,  with  95%  confidence  intervals,  measured  us¬ 
ing  the  time  function  implemented  by  SBCL. 

incorporated  into  the  HEKM  system  for  the  smartphone 
experiments,  and  can  also  be  used  in  a  simulator  mode. 

4.7  Threat  Model 

The  PCF  system  treats  the  underlying  secure  computa¬ 
tion  protocol  as  a  black  box,  without  making  any  as¬ 
sumptions  about  the  threat  model.  In  Section  6,  we 
present  running  times  for  smaller  circuits  in  the  mali¬ 
cious  model  version  of  the  KSS12  protocol.  This  ma¬ 
licious  model  implementation  simply  invokes  multiple 
copies  of  the  same  PCF  interpreter  used  for  the  semi- 
honest  version,  one  for  each  copy  of  the  circuit  needed 
in  the  protocol. 

4.8  Runtime  Optimization 

Some  optimizations  cannot  be  performed  without  un¬ 
rolling  loops,  and  so  we  defer  these  optimizations  until 
the  PCF  program  is  interpreted.  As  an  example,  logic 
simplification  rules  that  eliminate  gates  whose  output 
values  depend  on  no  more  than  one  of  their  input  wires 
can  only  be  partially  applied  at  compile  time,  as  some 
potential  applications  of  these  rules  might  only  be  possi¬ 
ble  for  some  iterations  of  a  loop.  While  it  is  possible  to 
compute  this  information  at  compile  time,  in  the  general 
case  this  would  involve  storing  information  about  each 
gate  for  every  iteration  of  every  loop,  which  would  be  as 
expensive  as  unrolling  all  loops  at  compile  time. 

A  side  effect  of  applying  such  logic  simplification 
rules  is  copy  propagation.  A  gate  that  always  takes  on 
the  same  value  as  one  of  its  inputs  is  equivalent  to  a  copy 
operation.  The  application  of  logic  simplification  rules  to 
such  a  gate  results  in  the  interpreter  simply  copying  the 
value  of  the  input  wire  to  the  output  wire,  without  emit¬ 
ting  any  gate.  As  there  is  little  overhead  resulting  from 
the  application  of  simplification  rules  at  runtime,  we  are 
able  to  reduce  compile  times  further  by  not  performing 
this  optimization  at  compile  time. 
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Function 

This  Work 

KSS12 

HFKV 

16384  Comp. 

32,229 

49,149 

- 

RSA  256 

235,925,023 

332,085,981 

- 

Hamming  160 

880 

- 

3,003 

Hamming  1600 

9,625 

- 

30,318 

3x3  Matrix 

27,369 

160,949 

47,871 

5x5  Matrix 

127,225 

746,177 

221,625 

8x8  Matrix 

522,304 

3,058,754 

907,776 

16x16  Matrix 

4,186,368 

24,502,530 

7,262,208 

Table  4:  Comparisons  between  our  compiler’s  output  and 
the  output  of  the  KSS12  and  Holzer  et  al.  (HFKV)  com¬ 
pilers,  in  terms  of  non-XOR  gates. 

For  each  gate,  the  interpreter  checks  if  the  gate’s  value 
can  be  statically  determined,  i.e.,  if  its  output  value  does 
not  rely  on  either  party’s  input  bits.  This  is  critical,  as 
some  of  the  gates  in  a  PCF  file  are  used  for  control  flow, 
e.g.,  to  increment  a  loop  index.  Additionally,  logic  sim¬ 
plification  rules  are  applied  where  possible  in  the  inter¬ 
preter.  This  allows  the  interpreter  to  not  emit  gates  that 
follow  an  input  or  which  have  static  outputs  even  when 
their  inputs  cannot  be  statically  determined.  As  shown 
in  Table  2,  we  observed  cases  where  up  to  80%  of  the 
gates  could  be  removed  in  this  manner.  Even  in  a  sim¬ 
ulator  that  performs  no  garbling,  applying  this  runtime 
optimization  not  only  shows  no  performance  overhead, 
but  actually  a  very  slight  performance  gain,  as  shown  in 
Table  3.  The  slight  performance  gain  is  a  result  of  the 
transfer  of  control  that  occurs  when  a  gate  is  emitted, 
which  has  a  small  but  non-trivial  cost  in  the  simulator.  In 
a  garbled  circuit  protocol,  this  cost  would  be  even  higher, 
because  of  the  time  spent  garbling  gates. 

5  Portability 

5.1  Portability  Between  Bytecodes 

Our  compiler  can  be  given  a  description  of  how  to  trans¬ 
late  bytecode  instructions  into  boolean  circuits  using  a 
special  internal  language.  An  example,  for  the  LCC  in¬ 
struction  “ADDU,”  is  shown  in  Figure  6.  The  first  line  is 
specific  to  LCC,  and  would  need  to  be  modified  for  use 
with  other  front-ends.  The  second  line  assumes  a  stack 
machine  model:  this  instruction  reads  two  instructions 
from  the  stack.  Following  that  is  the  body  of  the  transla¬ 
tion  rule,  which  can  be  used  in  general  to  describe  circuit 
components  and  how  the  input  variables  should  be  con¬ 
nected  to  those  components. 

The  description  follows  an  abstraction  similar  to  VM- 
Crypt,  in  which  a  unit  gadget  is  “chained”  to  create  a 
larger  gadget.  It  is  possible  to  create  chains  of  chains, 
e.g.,  for  a  shift-and-add  multiplier  as  well.  For  more 
complex  operations.  Lisp  source  code  can  be  embedded. 


( ' 'ADDU' '  nil  second  normal  nil  nil 
(two-stack-arg  (x  y)  (var  var) 

(chain  [ol  =  il  +  i2  +  i3, 

o2  =  il  +  (il  +  12)  *  (il  +  13)  ] 

(o2  ->  i3 
x  ->  il 
y  ->  i2 
ol  ->  stack) 

(0  ->  13) ) ) ) 

Figure  6:  Code  used  in  our  compiler  to  map  the  bytecode 
instruction  for  unsigned  integer  addition  to  the  subcircuit 
for  that  operation. 

which  can  interact  directly  with  the  compiler’s  internal 
data  structures. 

5.2  Portability  Between  SFE  Systems 

Both  the  PCF  compiler  and  the  interpreter  can  treat  the 
underlying  secure  computation  system  as  a  black  box. 
Switching  between  secure  computation  systems,  there¬ 
fore,  requires  work  only  at  the  “back  end"  of  the  inter¬ 
preter,  where  gates  are  emitted.  We  envision  two  pos¬ 
sible  approaches  to  this,  both  of  which  we  implemented 
for  our  tests: 

1.  A  single  function  should  be  called  when  a  gate 
should  be  used  in  the  secure  computation  proto¬ 
col.  The  Java  implementation  of  PCF  uses  this  ap¬ 
proach,  with  the  HEKM  system. 

2.  Gates  should  be  generated  as  if  they  are  being  read 
from  a  file,  with  the  secure  computation  system  call¬ 
ing  a  function.  The  secure  computation  system  may 
need  to  provide  “callback”  functions  to  the  PCF  in¬ 
terpreter  for  copying  protocol-specific  data  between 
wires.  The  C  implementation  we  tested  uses  this 
abstraction  for  the  KSS12  system. 

6  Evaluation 

We  compiled  a  variety  of  functions  to  test  our  com¬ 
piler,  optimizer,  and  PCF  interpreter.  For  each  circuit, 
we  tested  the  performance  of  the  KSS12  system  on  a 
LAN,  described  below.  For  the  KSS12  timings,  we  av¬ 
eraged  the  runtime  for  50  runs,  alternating  which  com¬ 
puter  acted  as  the  generator  and  which  as  the  evaluator  to 
account  for  slight  configuration  differences  between  the 
systems.  Compiler  timings  are  based  on  50  runs  of  the 
compiler  on  a  desktop  PC  with  an  Intel  Xeon  5560  pro¬ 
cessor,  8GB  of  RAM,  a  7200  RPM  hard  disk.  Scientific 
Linux  6.3  (kernel  version  2.6.32,  SBCL  version  1.0.38). 
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Function 

Total  Gates 

non-XOR  Gates 

Compile  Time  (s) 

Simulator  Time  (s) 

16384-bit  Comp. 

97,733 

32,229 

3.40  ±  4% 

4.40  ±0.2% 

Hamming  160 

4,368 

880 

9.81  ±  1% 

0.0810  ±0.3% 

Hamming  1600 

32,912 

6,375 

11.0  ±0.4% 

0.52  ±  8% 

Hamming  16000 

389,312 

97,175 

10.8  ±0.2% 

4.83  ±0.5% 

128-bit  Sum 

1,443 

345 

4.70  ±  3% 

0.0433  ±0.4% 

256-bit  Sum 

2,951 

721 

4.60  ±  3% 

0.0732  ±0.4% 

1024-bit  Sum 

11,999 

2,977 

4.60  ±  3% 

0.250  ±0.5% 

64-bit  Mult. 

105,880 

24,766 

7 1.7  ±0.2% 

0.332  ±0.4% 

128-bit  Mult. 

423,064 

100.250 

74.9  ±0.1% 

0.903  ±0.3% 

256-bit  Mult. 

1,659,808 

400.210 

79.5  ±0.9% 

3.07  ±0.2% 

1024-bit  Mult. 

25,592,368 

6,371.746 

74.0  ±0.2% 

40.9  ±0.4% 

256-bit  RSA 

673.105,990 

235,925.023 

381.  ±0.2% 

980.  ±0.3% 

512-bit  RSA 

5,397,821,470 

1,916,813.808 

350.  ±0.2% 

7, 330  ±0.2% 

1024-bit  RSA 

42,151,698,718 

15,149,856.895 

564.  ±0.2% 

56, 000  ±0.3% 

3x3  Matrix  Mult. 

92,961 

27,369 

306.  ±  1% 

0.256  ±0.5% 

5x5  Matrix  Mult. 

433,475 

127,225 

343.  ±0.7% 

0.94  ±  2% 

8x8  Matrix  Mult. 

1.782,656 

522.304 

109.  ±0.1% 

3.14±0.3% 

16x16  Matrix  Mult. 

14.308,864 

4,186,368 

109.  ±0.1% 

23.7  ±0.3% 

4-Node  Graph  Iso. 

482,391 

97.819 

684.  ±0.2% 

3.63  ±0.5% 

16-Node  Graph  Iso. 

10.908,749 

4,112,135 

1040  ±0.1% 

47.0±0.1% 

Table  5:  Summary  of  circuit  sizes  for  various  functions  and  the  time  required  to  compile  and  interpret  the  PCF  files 
in  a  protocol  simulator.  Times  are  averaged  over  50  samples,  with  95%  confidence  intervals,  except  for  RSA-1024 
simulator  time,  which  is  averaged  over  8  samples.  Run  times  were  measured  using  the  time  function  implemented  in 
SBCL. 


Source  code  for  our  compiler,  our  test  systems,  and  our 
test  functions  is  available  at  the  authors’  website. 

6.1  Effect  of  Array  Sizes  on  Timing 

Some  changes  in  compile  time  can  be  observed  as  some 
of  the  functions  grow  larger.  The  dataflow  analysis  deals 
with  certain  pointer  operations  by  traversing  the  entire 
local  variable  space  of  the  function  and  all  global  mem¬ 
ory,  which  in  functions  with  large  local  arrays  or  pro¬ 
grams  with  large  global  arrays  is  costly  as  it  increases  the 
number  of  wires  that  optimizer  must  analyze.  Reducing 
this  cost  is  an  ongoing  engineering  effort. 

6.2  Experiments 

We  compiled  and  executed  the  circuits  described  below 
to  evaluate  our  compiler  and  representation.  Several  of 
these  circuits  were  tested  in  other  systems;  we  present 
the  non-XOR  gate  counts  of  the  circuits  generated  by  our 
compiler  and  other  work  in  Table  4.  The  sizes,  compile 
times,  and  interpreter  times  required  for  these  circuits  are 
listed  in  Table  5.  By  comparison,  we  show  compile  times 
and  circuit  sizes  using  the  KSS12  and  HFKV  compilers 
in  Table  6.  As  expected,  the  PCF  compiler  outperforms 


these  previous  compilers  as  the  size  of  the  circuits  grow, 
due  to  the  improved  scalability  of  the  system. 
Arbitrary- Width  Millionaire’s  Problem  As  a  simple 
sanity  check  for  our  system,  we  tested  an  arbitrary-width 
function  for  the  millionaire’s  problem;  this  can  be  viewed 
as  a  string  comparison  function  on  32  bit  characters.  It 
outputs  a  1  to  the  party  which  has  the  larger  input.  We 
found  that  for  this  simple  function,  our  performance  was 
only  slightly  better  than  the  performance  of  the  KSS12 
compiler  on  the  same  circuit. 

Matrix  Multiplication  To  compare  our  system  with  the 
work  of  Holzer  et  al.  [12],  we  duplicated  some  of  their 
experiments,  beginning  with  matrix  multiplication  on 
32-bit  integers.  We  found  that  our  system  performed  fa¬ 
vorably,  particularly  due  to  the  optimizations  our  com¬ 
piler  and  PCF  interpreter  perform.  On  average,  our  sys¬ 
tem  generated  circuits  that  are  60%  smaller.  We  tested 
matrices  of  3x3,  5x5,  8x8,  and  16x16,  with  32  bit  integer 
elements. 

Hamming  Distance  Here,  we  duplicate  the  Hamming 
distance  experiment  from  Holzer  et  al.  [12],  Again,  we 
found  that  our  system  generated  substantially  smaller  cir¬ 
cuits.  We  tested  input  sizes  of  160,  1600,  and  16000  bits. 
Integer  Sum  We  implemented  a  basic  arbitrary- width  in¬ 
teger  addition  function,  using  ripple-carry  addition.  No 
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HFKV 

KSS12 

Function 

Total  Gates 

non-XOR  gates 

Time  (s) 

Total  Gates 

non-XOR  gates 

Time  (s) 

16384-bit  Comp. 

330,784 

131,103 

105.  ±0.1% 

98,303 

49,154 

4.66  ±  0.5% 

3x3  Matrix  Mult. 

172,315 

47,871 

2.2  ±  4% 

424,748 

160,949 

10.5  ±  0.5% 

5x5  Matrix  Mult. 

797,751 

221,625 

8.40  ±  0.3% 

1,968,452 

746,177 

48.2  ±  0.2% 

8x8  Matrix  Mult. 

3,267,585 

907,776 

59.4  ±  0.3% 

8,067,458 

3,058,754 

210  ±  2% 

16x16  Matrix  Mult. 

26,140,673 

7,262,208 

2,600  ±  7% 

64,570,969 

24,502,530 

2,200  ±  1% 

32-bit  Mult. 

65,121 

26.624 

6.43  ±  0.3% 

15,935 

5,983 

0.55  ±  5% 

64-bit  Mult. 

321,665 

126,529 

71.4  ±  0.3% 

64,639 

24,384 

1.6  ±  2% 

128-bit  Mult. 

1,409,025 

546,182 

999.  ±0.1% 

260,351 

97,663 

6.10  ±0.6% 

256-bit  Mult. 

5,880,833 

2,264,860 

16,000  ±  2% 

1,044,991 

391,935 

24.5  ±  0.2% 

512-bit  Mult. 

- 

- 

- 

4,187,135 

1,570,303 

105.  ±  0.2% 

1024-bit  Mult. 

- 

- 

- 

16,763,518 

6,286,335 

430.  ±  0.3% 

Table  6:  Times  of  HFKV  and  KSS12  compilers  with  circuit  sizes.  The  Mult,  program  uses  a  Shift-Add  implementa¬ 
tion.  All  times  are  averaged  over  50  samples  with  the  exception  of  the  HFKV  256-bit  multiplication,  which  was  run 
for  10  samples;  times  are  given  with  95%  confidence  intervals. 


array  references  are  needed,  and  so  our  compiler  easily 
handles  this  function  even  for  very  large  input  sizes.  We 
tested  input  sizes  of  128,  256,  and  1024  bits. 

Integer  Multiplication  Building  on  the  integer  addition 
function,  we  tested  an  integer  multiplication  function  that 
uses  the  textbook  shift-and-add  algorithm.  Unlike  the  in¬ 
teger  sum  and  hamming  distance  functions,  the  multipli¬ 
cation  function  requires  arrays  for  both  input  and  out¬ 
put,  which  slows  the  compiler  down  as  the  problem  size 
grows.  We  tested  bit  sizes  of  64,  128,  256,  and  1024. 
RSA  (Modular  Exponentiation)  In  the  KSS12  sys¬ 
tem  [18],  it  was  possible  to  compile  an  RSA  circuit  for 
toy  problem  sizes,  and  it  took  over  24  hours  to  compile 
a  circuit  for  256-bit  RSA.  This  lengthy  compile  time  and 
large  memory  requirement  stems  from  the  fact  that  all 
loops  are  unrolled  before  any  optimization  is  performed, 
resulting  in  a  very  large  intermediate  representation  to 
be  analyzed.  As  a  demonstration  of  the  improvement 
our  approach  represents,  we  compiled  not  only  toy  RSA 
sizes,  but  also  an  RSA-1024  circuit,  using  only  modest 
computational  resources.  We  tested  bit  sizes  of  256,  512, 
and  1024. 

Graph  Isomorpism  We  created  a  program  that  allows 
two  parties  to  jointly  prove  the  zero  knowledge  proof 
of  knowledge  for  graph  isomorphism,  first  presented  by 
Goldreich  et  al.  [9],  In  Goldreich  et  al.’s  proof  system, 
the  prover  has  secret  knowledge  of  an  isomorphism  be¬ 
tween  two  graphs,  g\  and  g2-  To  prove  this,  the  prover 
sends  the  verifier  a  random  graph  that  is  isomorphic 
to  gi  and  g 2,  and  the  verifier  will  then  choose  to  learn 
either  the  g i  —>■  g 3  isomorphism  or  the  g 2  — >  gj,  isomor¬ 
phism.  We  modify  this  protocol  so  that  Alice  and  Bob 
must  jointly  act  as  the  prover;  each  is  given  shares  of 
an  isomorphism  between  graphs  gi  and  g2,  and  will  use 
the  online  protocol  to  compute  g 3  and  shares  of  the  two 
isomorphisms. 


Our  implementation  works  as  follows:  the  program 
takes  in  XOR  shares  of  the  isomophism  between  gi  and 
g 2  and  a  random  seed  from  both  participants.  It  also 
takes  the  adjacency  matrix  representation  of  g  1  as  input 
by  a  single  party.  The  program  XORs  the  shares  together 
to  create  the  g  1  — >  g2  isomorphism.  The  program  then 
creates  a  random  isomorphism  from  gi  — >  g3  using  AES 
as  the  PRNG  (to  reduce  the  input  sizes  and  thus  the  OT 
costs),  which  effectively  also  creates  g 3. 

Once  the  random  isomorphism  g \  — >  g]  is  created,  the 
original  isomorphism,  g  1  -±  g 2,  is  inverted  to  get  an  iso¬ 
morphism  from  g 2  — >  gi.  Then  the  two  isomorphisms 
are  “followed”  in  a  chain  to  get  the  g2  to  g3  isomor¬ 
phism,  i.e.,  for  the  ith  instance  in  the  isomorphic  ma¬ 
trix,  «o2->3 [(]  =  is()]^j[is02^\  [(]]•  The  program  outputs 
shares  of  both  the  isomorphism  from  gi  to  gj  and  the 
isomorphism  from  g2  to  g 3  to  both  parties. 

An  adjacency  matrix  of  #3  is  also  an  output  for  the 
party  which  input  the  adjacency  matrix  g \.  This  is  calcu¬ 
lated  by  using  g \  and  the  gi  — >■  g 3  isomorphism. 

6.3  Online  Running  Times 

To  test  the  online  performance  of  our  new  format,  we 
modified  the  KSS12  protocol  to  use  the  PCF  interpreter. 
Two  sets  of  tests  were  run:  one  between  two  computers 
with  similar  specifications  on  the  University  of  Virginia 
LAN,  a  busy  100  megabit  Ethernet  network,  and  one  be¬ 
tween  two  smartphones  communicating  over  a  wifi  net¬ 
work. 

For  the  LAN  experiments,  we  used  two  comput¬ 
ers  running  ScientificLinux  6.3,  a  four  core  Intel  Xeon 
E5506  2.13GHz  CPU,  and  8GB  of  RAM.  No  time  limit 
on  computation  was  imposed  on  these  machines,  so  we 
were  able  to  run  the  RSA-1024  circuit,  which  requires  a 
little  less  than  two  days.  To  compensate  for  slight  con- 
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Function 

CPU  (s) 

Network  (s) 

CPU  (s) 

Network  (s) 

Generator 

Evaluator 

16384-bit  Comp. 

99.8  ±0.2% 

5.63  ±0.6% 

26.0  ±0.6% 

79.4  ±0.2% 

Hamming  1600 
Hamming  16000 

9.13  ±0.4% 
91.2  ±0.2% 

0.64  ±  4% 

5.67  ±0.7% 

2.9  ±  4% 

28.  ±3% 

6.87  ±  2% 

69.  ±  2% 

64-bit  Mult. 

128-bit  Mult. 

256-bit  Mult. 

1024-bit  Mult. 

0.749  ±0.3% 
2.04  ±0.3% 
5.74±0.5% 
72.7  ±0.2% 

0.158  ±0.7% 
0.52  ±  1% 

1.2±  2% 

28.  ±  4% 

0.409  ±0.3% 
1.25  ±0.2% 

4.2  ±  2% 

60.  ±  2% 

0.494  ±0.6% 
1.31  ±0.6% 

2.7  ±  3% 

40.  ±  3% 

256-bit  RSA 

1024-bit  RSA 

1940  ±0.2% 
1.15  x  105  ±0.5% 

767.  ±0.7% 
4.4  x  104  ±  4% 

1620  ±  2% 
9.5  x  104  ±  5% 

1080±  3% 
6.5  x  104±  7% 

3x3  Matrix  Mult. 

5x5  Matrix  Mult. 
8x8  Matrix  Mult. 

5.33  ±0.4% 
24.4  ±0.2% 
100.  ±0.2% 

0.403  ±0.6% 
1.81  ±0.4% 
7.39  ±0.4% 

1.45  ±0.8% 
6.75  ±0.9% 
26.8  ±0.7% 

4.28  ±0.6% 

19.5  ±0.4% 
81.1  ±0.3% 

4-node  ISO 
16-node  ISO 

10.1  ±0.1% 
116.  ±0.2% 

1.05  ±0.7% 
15.7  ±0.6% 

4.96  ±0.3% 
71.6±0.3% 

6. 15  ±0.4% 
60.3  ±0.6% 

Table  7:  Total  running  time,  including  PCF  operations  and  protocol  operations  such  as  oblivious  transfer,  for  online 
protocols  using  the  PCF  interpreter  and  the  KSS12  two  party  computation  system,  on  two  computers  communicating 
over  the  University  of  Virginia  LAN.  With  the  exception  of  RSA-1024,  all  times  are  averaged  over  50  samples;  RSA- 
1024  is  averaged  over  8  samples.  Running  time  is  divided  into  time  spent  on  computation  and  time  spent  on  network 
operations  (including  blocking). 


figuration  differences  between  the  two  systems,  we  alter¬ 
nated  between  each  machine  acting  as  the  generator  and 
acting  as  the  evaluator. 

We  give  the  results  of  this  experiment  in  Table  7.  We 
note  that  while  the  simulator  times  given  in  Table  5  are 
more  than  half  the  CPU  time  measured,  they  are  also  on 
par  with  the  time  spent  waiting  on  the  network.  Non- 
blocking  I/O  or  a  background  thread  for  the  PCF  inter¬ 
preter  may  improve  performance  somewhat,  which  is  an 
ongoing  engineering  task  in  our  implementation. 

6.4  Malicious  Model  Tests 

The  PCF  system  is  not  limited  to  the  semi-honest  model. 
We  give  preliminary  results  in  the  malicious  model  ver¬ 
sion  of  KSS 12.  These  experiments  were  run  on  the  same 
test  systems  as  above,  using  two  cores  for  each  party. 
We  present  our  results  in  Table  9.  The  increased  running 
times  are  expected,  as  we  used  only  two  cores  per  party. 
In  the  case  of  16384-bit  comparison,  the  increase  is  very 
dramatic,  due  to  the  large  amount  of  time  spent  on  obliv¬ 
ious  transfer  (as  both  parties  have  long  inputs). 

6.5  Phone  Execution 

We  created  a  PCF  interpreter  for  use  with  the  HEKM  ex¬ 
ecution  system  and  ported  it  to  the  Android  environment. 
We  then  ran  it  on  two  Galaxy  Nexus  phones  where  one 


phone  was  the  generator  and  another  phone  was  the  eval¬ 
uator.  These  phones  have  dual  core  1.2Ghz  processors 
and  were  linked  over  Wi-Fi  using  an  Apple  Airport. 

6.6  Phone  Trials 

As  seen  in  Table  8,  we  were  able  to  run  the  smaller  pro¬ 
grams  directly  on  two  phones.  Since  the  interpreter  ex¬ 
ecutes  slower  on  a  phone  and  what  would  have  taken 
a  week  of  LAN  trials  would  have  taken  years  of  phone 
time,  we  did  not  complete  trials  of  the  larger  programs. 
Not  all  of  the  programs  had  output  for  the  generator,  al¬ 
lowing  the  generator  to  finish  before  the  evaluator.  This 
leads  to  a  noticeable  difference  in  total  running  time  be¬ 
tween  the  two  parties. 

Mood’s  work  on  designing  SFE  applications  for  mo¬ 
bile  devices  [22]  found  that  allocation  and  deallocation 
was  a  bottleneck  to  circuit  execution.  This  issue  was 
addressed  by  substituting  the  standard  Biglnteger  type 
for  a  custom  class  that  reduced  the  amount  of  alloca¬ 
tion  required  for  numeric  operations,  resulting  in  a  four¬ 
fold  improvement  in  execution  time.  The  lack  of  this 
optimization  in  our  mobile  phone  experiments  may  con¬ 
tribute  to  the  reduced  performance  that  we  observed. 

In  future  work,  we  will  port  the  C  interpreter  and 
KSS  12  system  to  Android  and  run  the  experiment  with 
that  execution  system.  Since  overhead  appears  to  be  tied 
to  Android’s  Dalvik  Virtual  Machine  (DVM),  running 
programs  natively  should  reduce  overhead  and  hence  re- 
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Function 

CPU  (s) 

Network  (s) 

CPU  (s) 

Network  (s) 

Generator 

Evaluator 

16384-bit  Comp. 

163.  ±0.5% 

12.  ±  3% 

142.  ±0.5% 

68.  ±  1% 

128-bit  Sum 

5.8  ±8.2% 

1.  ±30% 

5.6  ±  8% 

3.  ±20% 

256-bit  Sum 

7.3  ±5.0% 

1.  ±30% 

6.  ±  5% 

4.  ±  20% 

1024-bit  Sum 

16. ±3.1% 

2.  ±20% 

16.  ±  3% 

6.4  ±  7% 

64-bit  Mult. 

63.3  ±0.5% 

1.  ±  10% 

66.3  ±0.6% 

5.  ±10% 

128-bit  Mult. 

257.  ±0.2% 

3.8  ±  5% 

280.  ±0.3% 

12.  ±  6% 

3x3  Matrix  Mult. 
5x5  Matrix  Mult. 
8x8  Matrix  Mult. 


76.9  ±0.4%  12.  ±  2% 

352.  ±0.3%  49.  ±  2% 

1,588. ±0.1%  82. ±  3% 


82.0 ±0.5%  8.5  ±  4% 

371.  ±0.3%  32.  ±  4% 

1,550.  ±0.1%  120.  ±  1% 


Table  8:  Execution  results  from  the  phone  interpreter  using  the  HEKM  execution  system  on  two  Galaxy  Nexus  phones. 
Times  are  averages  of  50  samples,  with  95%  confidence  intervals. 


Function 

CPU  (s) 

Network  (s) 

CPU  (s) 

Network  (s) 

Generator 

Evaluator 

16384-bit  comp. 

3900  ±  3% 

76  ±  4% 

2820  ±  2% 

1200  ±  10% 

128-bit  sum 
256-bit  sum 

1024-bit  sum 

23.  ±  2% 
63.0  ±0.4% 

260  ±  10% 

21  ±  2% 

10  ±  20% 
16  ±  6% 

33.3  ±0.5% 
49.  ±  6% 
187.  ±  2% 

11.2  ±0.2% 
27.  ±  4% 

100  ±  40% 

128-bit  mult. 
256-bit  mult. 

192.  ±0.3% 
637.  ±0.5% 

47.2  ±0.6% 
160  ±  1% 

168.  ±0.4% 
577.  ±0.3% 

70.1  ±  1% 
210  ±  2% 

Table  9:  Online  running  time  in  the  malicious  model  for  several  circuits.  Times  are  averaged  over  50  samples,  with 
95%  confidence  intervals. 


duce  the  performance  differential  between  the  phone  and 
PC  environments.  Additionally,  the  KSS12  system  uses 
more  efficient  cryptographic  primitives,  potentially  fur¬ 
ther  improving  performance. 

7  Related  Work 

Compiler  approaches  to  secure  two-party  computation 
have  attracted  significant  attention  in  recent  years.  The 
TASTY  system  presented  by  Henecka  et  al.  [11]  com¬ 
bines  garbled  circuit  approaches  with  homomorphic  en¬ 
cryption,  and  includes  a  compiler  that  emits  circuits  that 
can  be  used  in  both  models.  As  with  Fairplay  and 
KSS12,  TASTY  requires  functions  to  be  described  in  a 
domain-specific  language.  The  TASTY  compiler  per¬ 
forms  optimizations  on  the  abstract  syntax  tree  for  the 
function  being  compiled.  Kruger  et  al.  developed  an  or¬ 
dered  BDD  compiler  to  test  the  performance  of  their  sys¬ 
tem  relative  to  Fairplay  [19].  Mood  et  al.  focused  on 
compiling  secure  functions  on  mobile  devices  with  the 
PALC  system,  which  involved  a  modification  to  the  Fair¬ 
play  compiler  [23], 

Recently,  a  compiler  approach  based  on  bounded 
model  checking  was  present  by  Holzer  et  al.  [12],  In  that 


work,  the  CBMC  system  [5]  was  used  to  construct  cir¬ 
cuits,  which  were  then  rewritten  to  have  fewer  non-XOR 
gates.  This  approach  had  several  advantages  over  pre¬ 
vious  approaches,  most  prominent  being  that  functions 
could  be  described  in  the  widely  used  C  programming 
language,  and  that  the  use  of  CBMC  allows  for  more 
advanced  software  engineering  techniques  to  be  applied 
to  secure  computation  protocols.  Like  KSS12,  however, 
this  approach  unrolls  all  loops  (up  to  some  fixed  number 
of  iterations),  and  converts  a  high  level  description  di¬ 
rectly  to  a  boolean  circuit  which  must  then  be  optimized. 

In  addition  to  SFE,  work  on  efficient  compilers  for 
proof  systems  has  also  been  presented.  Almeida  et  al. 
developed  a  zero-knowledge  proof  of  knowledge  com¬ 
piler  for  E-protocols,  which  converts  a  protocol  specifi¬ 
cation  given  in  a  domain-specific  language  into  a  pro¬ 
gram  for  the  prover  and  the  verifier  to  run  [1],  Setty 
et  al.  presented  a  system  for  verifiable  computation  that 
uses  a  modification  of  the  Fairplay  compiler,  which  com¬ 
putes  a  system  of  quadratic  constraints  instead  of  boolean 
circuits,  and  emits  executables  for  the  prover  and  veri¬ 
fier  [28,  29],  Our  system  is  somewhat  similar  to  these 
approaches,  in  that  the  circuit  representation  we  present 
can  be  viewed  as  a  program  that  is  executed  by  the  par- 
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ties  in  the  SFE  system;  however,  our  approach  is  unique 
in  its  handling  of  control  flow  and  iterative  constructs. 

Closely  related  to  our  work  is  the  Sharemind  sys¬ 
tem  [3, 14],  which  uses  secure  computation  as  a  building 
block  for  privacy-preserving  distributed  applications.  As 
in  our  approach,  the  circuits  used  in  the  secure  compu¬ 
tation  portions  of  Sharemind  are  not  fully  unrolled  until 
the  protocol  is  actually  run.  Functions  in  Sharemind  are 
described  using  a  domain-specific  language  called  Se- 
creC.  Although  there  has  been  work  on  static  analysis 
for  SecreC  [26],  the  SecreC  compiler  does  not  perform 
automatic  optimizations.  By  contrast,  our  approach  is  fo¬ 
cused  on  allowing  circuit  optimizations  at  the  bit-level  to 
occur  without  having  to  unroll  an  entire  circuit. 

Kerschbaum  has  presented  work  on  automatically  op¬ 
timizing  secure  computation  at  the  protocol  level,  with 
an  approach  based  on  term  and  expression  rewriting  [15, 
16].  This  approach  is  based  on  maximizing  the  use  of  of¬ 
fline  computation  by  inferring  what  each  party  can  com¬ 
pute  without  knowledge  of  the  other  party’s  input,  and 
does  not  treat  the  underlying  secure  computation  primi¬ 
tives  as  a  black  box.  It  therefore  requires  additional  work 
to  remain  secure  in  the  malicious  model.  Our  techniques 
could  conceivably  be  combined  with  Kerschbaum’s  to  re¬ 
duce  the  overhead  of  online  components. 

8  Future  Work 

Our  compiler  can  conceivably  read  any  bytecode  repre¬ 
sentation  as  input;  one  immediate  future  direction  is  to 
write  translations  for  the  instructions  of  another  byte¬ 
code  format,  such  as  LLVM  or  the  JVM,  which  would 
allow  functions  to  be  expressed  in  a  broader  range  of 
languages.  Additionally,  we  believe  that  our  techniques 
could  be  combined  with  Sharemind,  by  having  our  com¬ 
piler  read  the  bytecode  for  the  Sharemind  VM  and  com¬ 
pute  optimized  PCF  files  for  cases  where  garbled  circuit 
computations  are  used  in  a  Sharemind  protocol. 

The  PCF  format  does  not  convey  high-level  informa¬ 
tion  about  data  operations  or  types.  Such  information 
may  further  reduce  the  size  of  the  circuits  that  are  com¬ 
puted.  Static  analysis  of  such  information  by  compilers 
has  been  widely  studied,  and  it  is  possible  that  our  com¬ 
piler  could  be  extended  to  support  further  reductions  in 
the  sizes  of  circuits  emitted  by  the  PCF  interpreter.  High- 
level  information  about  data  structures  could  also  be  used 
to  improve  the  generation  of  circuits  prior  to  optimiza¬ 
tion,  using  techniques  recently  presented  by  Evans  and 
Zahur  [6], 

Our  system  and  techniques  can  likely  be  generalized  to 
the  multiparty  case,  and  to  other  representations  of  func¬ 
tions,  such  as  arithmetic  circuits.  This  would  require  sig¬ 
nificant  changes  to  the  optimization  strategies  and  goals 
in  our  compiler,  but  fewer  changes  would  be  necessary 


for  the  PCF  interpreter.  Similar  modifications  to  support 
homomorphic  encryption  systems  are  also  possible. 

9  Conclusion 

We  have  presented  an  approach  to  compiling  and  stor¬ 
ing  circuits  for  secure  computation  systems  that  requires 
substantially  lower  computational  resources  than  previ¬ 
ous  approaches.  Empirical  evidence  of  the  improve¬ 
ment  and  utility  of  our  approach  is  given,  using  a  vari¬ 
ety  of  functions  with  different  circuit  sizes  and  control 
flow  structures.  Additionally,  we  have  presented  a  com¬ 
piler  for  secure  computation  that  reads  bytecode  as  an  in¬ 
put,  rather  than  a  domain-specific  language,  and  have  ex¬ 
plored  the  challenges  associated  with  such  an  approach. 
We  also  presented  interpreters,  which  evaluate  our  new 
language  on  both  PCs  and  phones. 

The  code  for  the  compiler,  PCF  interpreters,  and  test 
cases  will  be  available  on  the  authors’  website. 
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A  PCF  Semantics 

The  PCF  file  format  consists  of  a  header  section  that  de¬ 
clares  the  input  size,  followed  by  a  list  of  operations  that 
are  divided  into  subroutines.  At  runtime,  these  opera¬ 
tions  manipulate  the  internal  state  of  the  PCF  interpreter, 
causing  gates  to  be  emitted  when  necessary.  The  inter¬ 
nal  state  of  the  PCF  interpreter  consists  of  an  instruction 
pointer,  a  call  stack,  an  array  of  wire  values,  and  an  ar¬ 
ray  of  pointers.  The  pointers  are  positive  integers.  Wire 
values  are  0,  1,  or  _L,  where  _L  represents  a  value  that  de¬ 
pends  on  input  data,  which  is  supplied  by  the  code  that 
invokes  the  interpreter.  Each  position  in  the  wire  table 
can  be  treated  as  a  stack. 

Each  PCF  instruction  can  take  up  to  3  arguments.  The 
instructions  and  their  semantics  are  as  follows: 

CLABEL/SETLABELC  Appears  only  in  the  header, 
used  for  setting  the  input  size  for  each  party.  CLA- 
BEL  declares  the  bit  width  of  a  value,  SETLA- 
BELC  sets  the  value. 

FUNCTION  Denotes  the  beginning  of  a  subroutine. 
When  the  subroutine  is  called,  the  instruction 
pointer  is  set  to  the  position  following  this  instruc¬ 
tion. 

GADGET  Denotes  a  branch  target 
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BRANCH  Takes  two  arguments:  a  target,  declared  with 
GADGET,  and  a  location  in  the  wire  table.  In  the 
wire  value  is  0,  the  instruction  pointer  is  set  to  the 
instruction  following  the  target.  If  the  wire  value  is 
1,  the  instruction  pointer  is  incremented.  If  the  wire 
value  is  _L,  evaluation  halts  with  an  error. 

FUNC  Calls  a  subroutine,  pushing  the  current  instruc¬ 
tion  pointer  onto  the  call  stack. 

PUSH  Pushes  a  copy  of  the  wire  value  at  a  specified 
position  onto  the  stack  at  that  position. 

POP  Pops  a  stack  at  a  specified  position.  If  there  is  only 
one  value  on  that  stack,  evaluation  halts  with  an  er¬ 
ror. 

ALICEIN32/BOBIN32  Fetches  32  input  bits  from  one 
party,  beginning  at  a  specified  bit  position  in  that 
party’s  input.  The  bit  position  is  specified  by  an 
array  of  32  values  in  the  wire  table.  If  any  of  the 
values  is  _L,  evaluation  halts  with  an  error.  The  input 
values  will  all  have  the  value  _L,  and  will  be  stored 
in  the  wire  table  at  positions  0  through  3 1 . 

SHIFT  OUT  Outputs  a  single  bit  for  a  given  party 

RETURN  Return  from  a  subroutine.  The  instruction 
pointer  is  repositioned  to  the  value  popped  from  the 
top  of  the  call  stack. 

STORECONSTPTR  Sets  a  value  in  the  pointer  table 

OFFSETPTR  Adds  a  value  to  a  pointer,  specified  by  an 
array  of  32  wire  values  starting  at  a  position  in  the 
wire  table.  If  any  value  in  the  array  is  _L,  evaluation 
halts  with  an  error. 

PTRTOWIRE  Saves  a  pointer  value  as  a  32  bit  un¬ 
signed  integer.  Each  of  the  bits  is  pushed  onto  the 
stack  at  a  location  in  the  wire  table. 

PTRTOPTR  Copies  a  value  from  one  position  in  the 
pointer  table  to  another. 

CPY 121  Copy  a  wire  value  from  a  position  specified  by 
a  pointer  to  a  statically  specified  position. 

CPY32  Copy  a  wire  value  from  a  statically  specific  po¬ 
sition  to  a  position  specified  by  a  pointer. 

go, ogo, tgi, ogi,i  Compute  a  gate  with  the  specified  truth 
table  on  two  input  values  from  the  wire  table,  with 
output  stored  at  a  specified  position.  Logic  simpli¬ 
fication  rules  are  applied  when  one  or  both  of  the 
input  values  is  _L.  If  no  simplification  is  possible, 
then  the  output  will  be  _L  and  the  interpreter  will 
emit  a  gate.  This  is  used  for  both  local  computa¬ 
tions  such  as  updating  a  loop  index,  and  for  com¬ 
puting  the  gates  used  by  the  protocol. 


A.l  Example  PCF  Description 

Below  is  an  example  of  a  PCF  file.  It  iterates  over  a  loop 
several  times  times,  XORing  the  two  parties’  inputs  with 
a  bit  from  the  internal  state. 

GADGET:  main 
CLABEL  ALICE INLENGTH  32 
CLABEL  BOBINLEGNTH  32 
CLABEL  xxx  32 

SETLABELC  ALICE INLENGTH  128 

SETLABELC  ALICE INLENGTH  128 

FUNCTION:  main 

1111  32  0  0 

0000  33  0  0 

0000  34  0  0 

0000  35  0  0 

GADGET :  L 

0110  36  35  34 

0001  35  36  36 

0110  36  34  33 

0001  34  36  36 

0110  36  33  32 

0001  33  36  36 

ALICEINPUT32  0  0 

0001  36  0  0 

BOBINPUT32  0  0 

0001  37  0  0 

0110  38  37  36 

0110  39  33  38 

SHIFT  OUT  ALICE  39 

BRANCH  L  35 

RETURN  xxx 
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Abstract — 1 

Digital  signatures  provide  assurance  and  trust  in  almost 
all  aspects  of  today’s  electronic  communications  from  SSL 
certificates  to  software  signing  to  email.  For  applications 
that  process  many  signed  messages  at  once,  batch  verifi¬ 
cation  is  a  tempting  way  to  increase  throughput,  since  it 
is  a  method  for  saving  on  computation  time  by  processing 
many  signatures  together. 

This  is  a  challenge,  because  human  design  error  has 
been  a  problem  historically  in  batch  verification  and  yet 
it  is  desirable  to  have  a  large  set  of  signature  schemes  with 
their  batch  verifiers  to  choose  from  to  take  advantage  of 
various  features  and  as  a  hedge  against  security  flaws. 

We  address  this  by  presenting  AutoBatch,  an  automated 
tool  for  generating  batch  verification  code  from  the  code  of 
a  signature  scheme.  While  prior  works  suggested  generic 
techniques  for  batch  verification,  to  our  knowledge,  this 
is  the  first  work  to  systematically  identify  when  these 
techniques  are  applicable  and  apply  them.  Moreover,  we 
argue  that  this  process  preserves  the  unforgeability  of  the 
original  scheme.  AutoBatch  can  handle  any  pairing-based 
signature  scheme,  including  variants  of  signatures,  such 
as  identity-based  and  ring. 

The  techniques  behind  AutoBatch  and  its  implementa¬ 
tion  are  described  herein  with  performance  measurements 
for  the  output  of  AutoBatch  on  several  existing  signature 
schemes.  The  conversion  process  executes  quickly  and  the 
resulting  batch  savings  is  significant. 

We  believe  that  AutoBatch  is  a  valuable  cryptographic 
design,  proof  and  implementation  tool  and,  moreover,  that 
it  opens  up  a  new  direction  in  the  larger  landscape  of 
computer-aided  cryptography. 

I.  Introduction 

Digital  signatures  are  fundamental  to  establishing 
trust  in  today’s  electronic  communications.  For  ap¬ 
plications  where  devices  are  asked  to  process  many 
certificates  and  signed  messages,  several  prior  works 
focused  on  batch  verification.  In  batch  verification,  a 
batch  of  signatures  are  processed  together  according  to  a 

1  This  document  is  a  special  courtesy  copy  created  for  the  DARPA 
PROCEED  administrators  of  a  work  in  progress  which  was  partially 
funded  by  the  Defense  Advanced  Research  Projects  Agency  (DARPA) 
and  the  Air  Force  Research  Laboratory  (AFRL)  under  contract 
FA8750-1 1-2-021 1.  It  is  not  intended  for  public  distribution.  Applying 
to  all  authors,  the  views  expressed  are  those  of  the  authors  and  do  not 
reflect  the  official  policy  or  position  of  the  Department  of  Defense  or 
the  U.S.  Government. 


special  algorithm  to  save  on  the  overhead.  It  is  desirable 
to  have  batch  verifiers  for  many  signature  schemes,  to 
take  advantage  of  their  various  properties  and  as  a  hedge 
against  a  security  flaw  being  found  in  any  one  scheme. 
Unfortunately,  the  lesson  of  the  past  fifteen  years  is  that 
designing  batch  verifiers  is  hard  and  error  prone. 

For  instance,  in  1994,  an  interactive  batch  verifier  for 
DSA  presented  in  an  early  version  of  [32]  was  broken 
by  Lim  and  Lee  [28].  In  1995  Laih  and  Yen  proposed 
a  new  method  for  batch  verification  of  DSA  and  RSA 
signatures  [25],  but  the  RSA  batch  verifier  was  broken 
five  years  later  by  Boyd  and  Pavlovski  [8].  In  1998,  two 
batch  verification  techniques  were  presented  for  DSA 
and  RSA  [19],  [20]  but  both  were  later  broken  [8], 
[23],  [24].  The  same  year,  Bellare,  Garay  and  Rabin 
took  the  first  systematic  look  at  batch  verification  [4] 
and  presented  three  generic  methods  for  batching  mod¬ 
ular  exponentiations,  one  of  which  was  called  the 
small  exponents  test.  Unfortunately,  in  2000,  Boyd  and 
Pavlovski  [8]  published  attacks  against  various  batching 
schemes  which  were  using  the  small  exponents  test 
incorrectly.  In  2003  and  2004,  several  batch  verification 
schemes  based  on  bilinear  maps  (a.k.a.,  pairings)  were 
proposed  [12],  [37],  [38],  [39]  but  all  were  later  broken 
by  Cao,  Lin  and  Xue  [11],  In  2006,  a  method  was 
proposed  for  identifying  invalid  signatures  in  RSA-type 
batch  signatures  [27],  but  it  was  also  flawed  [35], 

These  examples  highlight  that  the  design  of  batch 
verifiers  can  be  challenging  and  that  human  error  has 
historically  been  a  problem  in  this  area.  Even  when 
general  frameworks  for  designing  schemes  have  been 
made  available  [4],  they  have  often  been  misapplied  [8], 

A.  Our  Contributions 

We  address  this  by  presenting  AutoBatch,  an  auto¬ 
mated  tool  that  transforms  a  digital  signature  scheme 
into  an  optimized  batch  verification  program.  To  our 
knowledge,  this  is  the  first  such  attempt  to  remove 
the  human  element,  as  much  as  possible,  from  the 
batch  verification  design  and  implementation  process. 
The  algorithm  behind  AutoBatch  is  a  combination  of 
batching  techniques,  including  the  small  exponents  test 
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from  [4],  the  bilinear  equation  substitutions  in  [15],  the 
testing  of  bilinear  group  membership  and  a  divide-and- 
conquer  approach  to  finding  invalid  signatures.  While 
the  majority  of  these  ideas  are  drawn  from  prior  work, 
unlike  prior  work,  we  are  able  to  automatically  identify 
when  they  are  applicable  and  automatically  apply  them 
to  the  verification  equation  in  a  consistent  and  secure 
way.  We  also  introduce  new  logic  for  altering  the 
behavior  of  the  batching  algorithm  based  on  its  input 
size  or  past  input. 

Importantly,  the  way  in  which  we  combine  these 
techniques  and  optimizations  preserves  the  unforgeabil¬ 
ity  of  the  original  scheme.  Specifically,  with  all  but 
a  negligible  probability,  the  batch  verifier  will  accept 
a  batch  S  of  signatures  if  and  only  if  every  s  £  S 
would  have  been  accepted  by  the  individual  verification 
algorithm.  To  provide  transparency,  AutoBatch  also 
produces  a  machine -generated  PDF  document  written 
in  LaTeX  that  specifies  each  technique  applied  and 
provides  a  proof  that  security  holds. 

AutoBatch  can  handle  various  flavors  of  signatures, 
as  we  illustrate  with  tests  on  identity-based  and  ring 
signatures.  AutoBatch  exclusively  accepts  pairing-based 
schemes.  Given  that  the  pairing  setting  offers  low  band¬ 
width  solutions,  this  is  consistent  with  our  overall  goal 
of  keeping  cryptographic  overhead  low. 

We  believe  AutoBatch  is  a  tool  with  many  applica¬ 
tions,  assisting  both  scheme  designers  and  practitioners. 
It  removes  the  human  element  from  a  cryptographic  de¬ 
sign  task  that  appears  to  be  easier  for  machines  to  nav¬ 
igate.  It  concentrates  what  human  experts  must  verify 
to  AutoBatch  itself  and  its  proof  of  security.  Moreover, 
it  makes  meaningful  progress  toward  the  larger  goal  of 
reducing  security  errors  through  computer-aided  design 
and  implementation  tools. 

B.  Overview  of  Our  Approach 

We  present  a  detailed  explanation  of  AutoBatch  in 
§111.  In  this  section  and  in  Figure  1  we  provide  a  brief 
overview  of  the  techniques.  At  a  high  level,  AutoBatch 
is  designed  to  analyze  a  scheme,  extract  the  signature 
verification  equation,  and  derive  working  code  for  a 
batch  verifier.  This  involves  three  distinct  components: 

1)  A  Code  Parser,  which  retrieves  the  verification 
equation  and  variable  types  from  some  existing 
scheme  implementation.  This  process  naturally 
assumes  that  the  scheme  has  been  implemented 
within  certain  constraints,  which  we  discuss  later 
in  the  paper.  Given  such  an  implementation,  the 
Parser  obtains  the  signature  verification  equation 
and  encodes  it  into  an  intermediate  representation 
called  Scheme  Description  Language  (SDL). 


2)  A  Batcher,  which  takes  as  input  an  SDL  file 
describing  a  signature  verification  equation.  The 
Batcher  applies  a  series  of  rules  to  optimize  the 
equation  and  thus  derive  a  new  equation  for  a 
batch  verifier.  The  output  of  this  equation  is  sec¬ 
ond  SDL  file  containing  the  individual  and  batch 
equations,  along  with  an  analysis  of  the  batcher’s 
estimated  running  time.  The  Batcher  optionally 
outputs  human-readable  LaTeX  file  containing  a 
security  proof  for  the  batch  verifier. 

3)  A  Code  Generator,  which  takes  the  output  of  the 
Batcher  and  generates  working  source  code  to  im¬ 
plement  the  batch  verifier.  Beyond  simply  imple¬ 
menting  the  verification  equation,  the  Generator 
adds  a  series  of  additional  components,  including 
group  element  membership  checks,  a  recursive 
divide-and-conquer  process  to  handle  batches  that 
contain  invalid  signatures,  and  additional  logic 
to  identify  cases  where  individual  verification  is 
likely  to  outperform  batch  verification. 

There  are  two  usage  scenarios  for  AutoBatch.  In  the 
first  case,  a  user  already  has  a  working  implementation 
of  a  (non-batched)  signature  scheme,  and  proceeds  via 
the  steps  above.  However,  if  the  user  does  not  have  a 
working  implementation,  a  second  usage  of  AutoBatch 
allows  the  user  to  skip  the  Code  Parsing  phase  of 
the  process,  and  begin  with  a  hand-coded  SDL  file. 
Since  SDL  files  are  human-readable  ASCII-based  files 
containing  a  mathematical  representation  of  the  scheme, 
some  developers  may  prefer  to  implement  new  schemes 
directly  in  this  language,  which  is  agnostic  to  the 
final  programming  language  that  will  be  used  for  the 
implementation. 

Although  the  techniques  behind  Autobatch  can  be 
applied  to  many  languages  and  development  environ¬ 
ments,  our  implementation  is  based  on  Charm  [1], 
Charm  is  a  Python-based  rapid  prototyping  framework 
created  by  Akinyele,  Green  and  Rubin  that  provides 
infrastructure  for  developing  advanced  cryptographic 
schemes.  Charm  implements  all  high  performance  op¬ 
erations  (e.g.,  bilinear  group  operations)  in  native  C 
code  using  libraries  such  as  MIRACL  [33].  By  using 
Charm  we  are  able  to  obtain  many  of  the  performance 
advantages  of  C  code,  while  taking  advantage  of  the 
features  offered  by  an  interpreted  language.  One  such 
advantage  is  that  AutoBatch  verifiers  may  be  generated 
at  runtime  and  executed  dynamically  when  they  are 
needed  by  an  application. 

C.  Related  Work 

Computer-aided  tools  to  assist  cryptographers  has 
long  been  a  goal  of  high  importance.  Recently,  the  best 
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Figure  1.  The  flow  of  AutoBatch  is  illustrated  above.  The  input  is  a  signature  scheme,  comprised  of  key  generation,  signing  and  verification 
algorithms,  coded  in  Python.  The  Parsing  Engine  extracts  from  this  code  the  verification  equations  and  classifies  each  element  involved,  e.g., 
an  element  of  the  public  parameters,  public  key,  signature  or  message  space.  This  output  is  passed  in  an  SDL  representation  of  the  signature 
scheme  to  the  Batcher.  The  Batcher  applies  the  techniques  and  optimizations  from  Section  III  to  produce  an  SDL  representation  of  a  batch 
verification  algorithm  together  with  some  performance  estimates.  It  also  outputs  a  proof  of  security  (as  a  PDF  written  in  LaTeX)  that  explains, 
line  by  line,  each  technique  applied  and  its  security  justification.  Finally,  the  Code  Generator  produces  executable  Python  code  implementing 
the  batching  verifier,  as  well  as  a  loop  over  the  individual  verification  algorithm  to  use  as  a  comparison.  The  Code  Generator  can  be  set  with 
different  flags  to  offer  further  optimize  the  batching  code,  such  as  beginning  a  few  levels  into  the  recursive  divide-and-conquer  procedure  when 
expecting  batches  with  a  moderate  number  of  invalid  signatures. 


paper  award  at  CRYPTO  2011  was  given  to  Barthe, 
Gregoire,  Heraud  and  Zanella  Beguelin  [3]  for  their 
invention  of  EasyCrypt,  an  automated  tool  for  gen¬ 
erating  security  proofs  of  cryptographic  system  from 
proof  sketches.  The  reader  is  referred  to  this  work  for 
a  summary  of  prior  efforts  to  automate  the  verification 
of  cryptographic  security  proofs. 

In  1989,  batch  cryptography  was  introduced  by 
Fiat  [16]  for  a  variant  of  RSA.  In  addition  to  the 
batching  work  mentioned  before,  we  provide  a  few 
notes.  Shacham  and  Boneh  presented  a  modified  version 
of  Fiat’s  batch  verifier  for  RSA  to  improve  the  efficiency 
of  SSF  handshakes  on  a  busy  server  [34].  Shacham, 
Fynn  and  Boneh  provided  a  single-signer  batch  verifier 
for  their  BFS  signatures  [6],  Camenisch,  Hohenberger 
and  Pedersen  [10]  gave  multiple-signer  batch  verifiers 
for  the  Waters  identity-based  signatures  [36]  and  a 
novel  construction.  Ferrara,  Green,  Hohenberger,  and 
Pedersen  outlined  some  techniques  for  batching  pairing- 
based  signatures  and  also  showed  how  to  batch  verify 
other  types  of  signatures,  such  as  group  and  ring  sig¬ 
natures  [15].  Blazy,  Fuchsbauer,  Izabachene,  Jambert, 
Sibert  and  Vergnaud  [5]  applied  batch  verification  tech¬ 
niques  to  the  Groth-Sahai  zero-knowledge  proof  system 
as  well  as  group  signatures  and  anonymous  credential 
systems  relying  on  them,  obtaining  significant  savings. 

Faw  and  Matt  describe  methods  for  identifying  in¬ 
valid  signatures  in  a  batch  [26],  [29],  [30]. 


II.  Background 

A.  Signatures 

Definition  2.1  (A  Digital  Signature  Scheme ):  A  dig¬ 
ital  signature  scheme  is  a  tuple  of  probabilistic 
polynomial-time  algorithms  (Gen,  Sign,  Verify)  as: 

1)  Gen(lA)  -A  (pk,sk):  the  key  generation  algo¬ 
rithm  takes  as  input  the  security  parameter  1A  and 
outputs  a  pair  of  keys  ( pk ,  sk). 

2)  Sign(sfc, to)  — >  a:  the  signing  algorithm  takes  as 
input  a  secret  key  sk  and  a  message  to  from  the 
message  space  and  outputs  a  signature  a. 

3)  Verify (pA:,  m,  a)  — ►  {0,1}:  the  verification  algo¬ 
rithm  takes  as  input  a  public  key  pk,  a  message 
m  and  a  purported  signature  er,  and  outputs  a  bit 
indicating  the  validity  of  the  signature. 

A  scheme  is  correct  if  for  all  Gen(l^)  — ►  ( pk,sk ),  the 
algorithm  Verify(p/c,  m,  Sign(sfc,  to))  =  1. 

Goldwasser,  Micali  and  Rivest  [17]  defined  a  scheme 
to  be  unforgeable  as  follows:  Fet  Gen(l^)  — »  ( pk,sk ). 
Suppose  (to,  <t)  is  output  by  a  probabilistic  polynomial¬ 
time  adversary  with  access  to  a  signing  oracle  Osk{-) 
and  input  pk.  Then  the  probability  that  to  was  not 
queried  to  Osk(')  and  yet  Verify (pk,m,cr)  =  1  is 
negligible  in  t. 

In  this  work,  we  explore  signature  schemes  with  two 
additional  properties,  which  we  informally  review: 

1)  Identity-Based  Signatures:  The  Gen  algorithm 
is  executed  by  a  master  authority  who  publishes 
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pk  and  uses  sk  to  generate  signing  keys  for  users 
according  to  their  public  identity  string,  such  as 
an  email  address.  To  verify  a  signature  on  a  given 
message,  one  only  needs  to  have  the  pk  of  the 
master  authority  and  the  public  identity  string  of 
the  purported  signer. 

2)  Ring  Signatures:  The  signature  is  associated  with 
a  group  of  users,  where  verification  shows  that 
at  least  one  member  of  the  group  signed  the 
message,  but  it  is  difficult  to  tell  whom. 

B.  Batch  Verification 

In  this  paper,  we  will  not  be  concerning  ourselves 
much  with  the  traditional  definitions  of  unforgeability. 
Rather  we  are  interested  in  designing  batch  verification 
algorithms  that  accept  a  set  of  signatures  if  and  only 
if  each  signature  would  have  been  accepted  by  its 
verification  algorithm  individually.  Thus,  if  a  scheme  is 
unforgeable,  then  our  batching  algorithm  will  preserve 
this  property.  No  more,  no  less. 

Specifically,  we  consider  the  case  where  we  want  to 
quickly  verify  a  set  of  signatures  on  possibly  different 
messages  by  possibly  different  signers.  The  input  is 
{(fi,mi,cri), . . . ,  {tn,mn,on)},  where  f,  specifies  the 
verification  key  against  which  Oi  is  purported  to  be  a 
signature  on  message  rrii.  It  is  important  to  understand 
that  here  one  or  more  signers  may  be  maliciously 
colluding  against  the  batch  verifier. 

We  recall  the  definition  of  Bellare,  Garay  and  Ra¬ 
bin  [4]  as  extended  by  Camenisch,  Hohenberger  and 
Pedersen  [10]  to  deal  with  multiple  signers. 

Definition  2.2  ( Batch  Verification  of  Signatures): 

Let  £  be  the  security  parameter.  Suppose 
(Gen,  Sign,  Verify)  is  a  signature  scheme, 
k,  n  €  poly{£),  and  (pk1,  sk i), . . . ,  ( pkk ,  skk)  are 
generated  independently  according  to  Gen(lf).  Let 
PK  =  {pfcl5 . . .  ,pkk}.  Then  we  call  probabilistic 
Batch  a  batch  verification  algorithm  when  the  following 
conditions  hold: 

•  If  pkt.  £  PK  and  Verify (pkt.,mi,<Ji)  =  1  for  all 
i  £  [1,  n],  then 

Batch ((pfc4l ,  mi,  <Ti), . . . ,  ( pktn,mn,an ))  =  1. 

•  If  pkt.  £  PK  for  all  i  £  [l,n]  and 

Verify (pkt.,m.j,Oj)  =  0  for  some  j  £  [l,n],  then 
Batch((pfctl ,  777-1,  (Ji),  ■  •  ■  >  (pkt„  >  mm  °n))  =  0 

except  with  probability  negligible  in  £, 
taken  over  the  randomness  of  Batch. 

Definition  B.l  generalizes  beyond  signatures  to  ap¬ 
ply  to  any  keyed  scheme,  or  combination  of  keyed 
schemes,  with  a  verification  algorithm.  This  includes 
zero-knowledge  proofs,  verifiable  random  functions. 


and  variants  of  regular  signatures,  such  as  identity- 
based,  attribute-based,  ring,  group,  aggregate,  etc.  In¬ 
deed,  when  the  individual  verification  procedure  in¬ 
volves  evaluating  a  single  pairing  equation,  then  apply¬ 
ing  the  small  exponents  test  with  security  parameter  A 
to  the  product  of  these  equations  results  in  a  pairing- 
based  batch  verifier  that  accepts  an  invalid  batch  with 
probability  at  most  2~x  [15], 

The  above  definition  requires  that  signing  keys  be 
generated  honestly.  In  practice,  users  could  register  their 
keys  and  prove  some  necessary  properties  of  the  keys 
at  registration  time  [2], 

C.  Algebraic  Setting  and  Group  Membership 

Bilinear  Groups:  We  recall  some  of  the  basics  of 
our  algebraic  setting  as  discussed  in  [10].  Let  BSetup 
be  an  algorithm  that,  on  input  the  security  parameter  I  , 
outputs  the  parameters  for  a  bilinear  map  (also  called  a 
pairing)  as  ( q ,  g ,  G,  G t,  e),  where  G  and  G t  are  groups 
of  prime  order  q  £  0(2f).  The  efficient  mapping  e  : 
G  x  G  — >  G t  is  both:  ( bilinear )  for  all  g  £  G  and 
a,b  £-  Zq,  e(ga,gb)  =  e(g,g)ab;  and  ( non-degenerate ) 
if  g  generates  G,  then  e(g1g)  yf  1. 

The  above  bilinear  map  is  called  a  symmetric  bilinear 
map.  A  more  general  version  of  the  bilinear  map  is  the 
asymmetric  bilinear  map  e  :  Gi  x  G2  —>  G t,  where  Gi 
and  G2  are  distinct  groups,  possibly  without  efficient 
isomorphisms  between  them.  We  use  this  setting  in  our 
implementations  because  it  allows  for  the  most  compact 
representations  in  Gi,  as  we  explain  in  Section  IV. 

Testing  Membership  in  Bilinear  Groups:  When 
batching  a  group  of  signatures,  it  is  critical  to  test 
that  the  elements  of  each  signature  are  members  of 
the  appropriate  algebraic  group.  Indeed,  Boyd  and 
Pavlovski  [8]  demonstrated  efficient  attacks  on  batching 
algorithms  for  DSA  signature  verification  which  omitted 
a  subgroup  membership  test. 

In  this  paper,  we  must  test  membership  in  bilinear 
groups.  We  require  that  elements  of  purported  signatures 
are  members  of  G  and  not,  say,  members  of  E( Fp)\G. 
Determining  whether  some  data  represents  a  point  on 
a  curve  is  easy.  The  question  is  whether  it  is  in  the 
correct  subgroup.  Assume  we  have  a  bilinear  map  e  : 
Gi  x G2  G t  and  want  to  test  membership  in  Gi.  (Gi 
will  contain  the  smallest  group  elements,  so  signature 
elements  will  almost  exclusively  come  from  Gi.) 

If  the  order  of  Gi  is  a  prime  q,  one  option  is  to 
verify  that  an  element  y  is  in  Gi  by  checking  that 
yq  mod  q  =  1  [10].  While  one  might  worry  that  this 
extra  work  diminishes  the  batching  savings,  it  is  not  a 
problem  in  practice  for  pairing-based  schemes,  since  the 
cost  for  a  single  exponentiation  is  considerably  less  than 
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the  cost  for  computing  a  pairing.  This  has  been  verified 
experimentally  before  by  Ferrara  et  al.  [15]  and  our  tests 
confirm  this. 

III.  The  Techniques  behind  AutoBatch 

In  this  section  we  summarize  the  techniques  used  to 
programatically  generate  batch  verifiers  from  a  standard 
signature  implementation.  A  highlevel  abstraction  was 
provided  in  Figure  1.  We  now  give  the  details.  The 
AutoBatch  toolchain  begins  with  a  Charm-Python  im¬ 
plementation  of  a  signature,  and  then  proceeds  as: 

1.  Parse  the  program  to  extract  the  verification 
equation.  The  first  phase  of  the  toolchain  analyzes  the 
implemented  scheme  to  extract  the  signature  verification 
equation2  as  well  as  the  datatypes  of  the  parameter  and 
signature  elements.  An  advantage  of  using  Python  for 
our  implementations  is  that  our  tools  may  leverage  var¬ 
ious  capabilities  that  are  built  into  Python.  Specifically, 
we  use  introspection  to  obtain  variable  types,  and  we 
traverse  the  Python  Abstract  Syntax  Tree  (AST)  to  parse 
the  verification  equation.  The  output  of  this  process  is  an 
intermediate  representation  of  the  signature  verification 
equation  in  Scheme  Description  Language  (SDL).  An 
example  Python  input  and  its  corresponding  SDL  output 
is  presented  in  Figure  2. 

2.  Apply  batching  techniques  and  optimize  the  veri¬ 
fication  equation.  We  next  apply  a  set  of  techniques 
designed  to  convert  the  extracted  signature  verification 
equation  into  a  batch  verifier.  These  tools  drawn  from 
the  summary  in  [15]  re-arrange  the  verification  equa¬ 
tion  by  combining  pairing  equations  and  re-arranging 
the  components  to  minimize  the  number  of  expensive 
pairing  operations.  To  prevent  known  attacks,  we  apply 
the  small  exponents  test  of  Bellare,  Garay  and  Rabin  [4], 
and  optimize  the  resulting  equation  to  ensure  that  all 
signature  elements  are  in  the  smallest  group  (typically, 
Gi).  The  output  of  this  phase  is  a  modified  SDL  file,  and 
(optionally)  a  human-readable  proof  that  the  resulting 
equation  is  a  batch  verifier. 

3.  Evaluate  the  capabilities  of  the  batch  verifier. 
Given  the  optimized  batching  equation  produced  in 
the  previous  step,  we  estimate  the  performance  of 
the  verifier  under  various  conditions.  This  is  done  by 
counting  the  operations  in  the  verifier,  and  deriving  a 

2To  be  clear,  our  Parser  only  handles  extraction  for  schemes 
with  a  single  verification  equation.  This  is  only  a  gentle  restriction 
for  two  reasons.  First,  many  equations  can  be  coalesced  into  a 
single  equation  using  the  combination  step  from  [15].  Moreover,  the 
AutoBatch  process  can  be  started  at  any  stage,  so  one  can  start  with  an 
SDL  representation  of  a  signature  scheme  with  multiple  verification 
equations  and  proceed  automatically  from  there. 


runtime  estimate  based  on  the  expected  cost  of  each 
mathematical  operation  (e.g.,  pairing,  exponentiation, 
multiplication).  The  cost  of  each  operation  is  determined 
via  a  set  of  diagnostic  tests  conducted  when  the  library 
is  initialized.3 

4.  Generate  code  for  the  resulting  batch  verifier. 
Finally,  we  invert  the  procedure  of  step  1  to  generate 
a  working  verifier  implemented  in  Charm-Python.  This 
verifier  implements  the  SDL-specified  batch  verification 
equation  as  well  as  the  individual  verification  equation. 
Based  on  the  calculations  of  the  previous  step,  the 
generated  code  embeds  logic  to  automatically  determine 
which  verifier  is  most  appropriate  for  a  given  dataset 
(individual  or  batch).  Additionally,  the  generated  code 
embeds  a  recursive  divide-and-conquer  strategy  to  han¬ 
dle  cases  where  batch  verification  fails  due  to  invalid 
signatures.  A  fragment  of  generated  code  is  shown  in 
the  rightmost  panel  of  Figure  2. 

We  note  that  processing  can  begin  at  any  point  in  the 
above  process.  For  example,  one  might  begin  with  a 
hand-coded  SDL  representation  of  a  signature  scheme, 
and  proceed  directly  from  step  2.  We  will  now  describe 
each  the  above  steps  in  detail. 

A.  Code  Parsing 

The  Code  Parsing  engine  extracts  meaning  from  a 
Charm-Python  implementation  of  a  signature  scheme. 
It  produces  a  resulting  SDL  file  that  contains  the  data 
types  and  verification  equation  for  the  signature.  This 
process  is  facilitated  by  two  aspects:  first.  Charm  [1] 
provides  a  generic  class  interface  for  signature  schemes. 
This  greatly  constrains  the  code  we  have  to  work  with, 
meaning  that  we  only  have  to  focus  on  Charm-compliant 
schemes.  Secondly,  we  are  assisted  by  the  Python  inter¬ 
preter,  which  grants  programatic  access  to  the  Python 
Abstract  Syntax  Tree  via  the  compiler  .  ast  module. 

Code  parsing  consists  of  the  following  stages.  First, 
we  parse  the  entire  signature  scheme  file  into  a  Python 
AST  node.  We  refer  to  this  as  the  root  node.  Next,  we 
identify  the  AST  node  of  the  signature  verify])  method. 
We  then  use  heuristics  to  identify  one  comparison  in 
this  function  that  is  fundamentally  responsible  for  the 
signature  verification  process. 

From  this  point,  we  next  build  a  map  of  variable 
names,  types,  structure,  and  operations.  We  do  this  by 
visiting  all  assignment  statements  in  the  code  using 
Python’s  AST  Node  Visitor  class.  For  each  assignment, 

3  Obviously  these  experiments  are  very  specific  to  the  machine  and 
curve  parameters  on  which  they  are  run.  Hence,  we  re-run  these 
experiments  whenever  the  library  is  initialized  with  a  given  set  of 
parameters. 
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name  :=  bis 
signers  :=  one  or  many 

BEGIN  ::  types 
sig  :=  G1 
M  :=  str 
g  :=  G2 
pk  :=  G2 
h  :=G1 
END  ::  types 

BEGIN  ::  constant 
9.  Pk 

END  ::  constant 

BEGIN  ::  precompute 
h  :=  H(M,  G1) 

END  ::  precompute 

BEGIN  ::  signature 
h,  sig 

END  ::  signature 

verify  :={  e(h,  pk)  ==  e(sig,  g) } 


Python  Input  Intermediate  SDL  Python  output  (fragment) 


class  BLS(PKSig): 

def _ init _ (self): 

global  group 

group  =  PairingGroup(MNT160) 

def  keygen(self,  secparam): 
g  =  group.  random(G2) 
x  =  group. random(ZR) 
g  x  =  g  **  x 
pk  =  {  'gAx':g_x,  'g':g, 
'identity':str(g_x), 
'secparam':secparam  } 
sk  =  {  'x':x  } 
return  (pk,  sk) 

def  sign(self,  x,  msg): 
sig  =  group. hash(msg,  G1)  **  x 
return  sig 

def  verify(self,  pk,  sig,  msg): 
h  =  group.hash(msg,  G1) 
if  pair(h,  pk['gAx"])  ==  pair(sig,  pk['g']): 

return  True 
return  False 


#  Choose  deltas  for  small  exponents  test 
for  siglndex  in  range(0,  numSigs): 

deltaz[siglndex]  =  prng_bits(group,  80) 

#  Initialize  dot  products 
dotA_prod  =  group.  init(GI) 
dotB_prod  =  group.  init(GI) 

#  Precompute  dot  products  that  can  be 

#  cached  between  runs  of  divide-and-conquer 
for  z  in  range(0,  N): 

#  group  membership  checks 

#  ...  variables  calculated  over  sigs. . . 

#  batch  verification  check 

if  pair(dotA_prod  ,  pk)  ==  pair(dotB_prod,  g): 

return  True 
else: 

#  divide  and  conquer  (recurse  on  first  half) 
verifySigsRecursive(  group,  dotA_cache, 

dotB_cache,  start  =  i,  stop  =  N  /  2  ) 

#  recurse  on  second  half 
verifySigsRecursive(  group,  dotA_cache, 

dotB_cache,  start  =  N/2+1 ,  stop  =  N  ) 


Figure  2.  The  Boneh-Lynn-Shacham  (BLS)  signature  scheme  [6]  at  various  stages  in  the  AutoBatch  toolchain.  At  the  left,  an  initial  Charm- 
Python  implementation  of  the  scheme.  In  the  center,  an  SDL  representation  of  the  same  scheme,  programmatically  extracted  by  the  Parsing 
Engine.  At  right,  a  fragment  of  the  resulting  batch  verifier  generated  after  applying  the  Batcher  and  Code  Generator. 


we  check  the  properties  of  that  assignment  using  a 
further  set  of  heuristics,  which  we  store  in  a  database. 
If  we  determine  that  a  given  assignment  is  relevant, 
we  extract  certain  information  about  it.  We  use  this 
information  to  identify  any  operations  that  are  relevant 
to  the  verification  equation,  even  if  they  are  spread 
throughout  the  file. 

We  also  use  our  map  to  determine  the  type  of  each 
variable  referenced.  To  obtain  this,  we  apply  known 
rules  to  infer  type.  For  example,  we  know  that  certain 
hash  calls  indicate  an  element  of  Gi,  a  pairing  indicates 
an  element  in  G t,  random  element  generation  calls 
typically  indicate  the  type  of  element  being  generated, 
and  so  on.4  Our  database  currently  includes  signatures 
for  the  following  types: 

1)  Python’s  lambda  functions,  which  may  be  used  to 
compute  dot-product  functionality. 

2)  All  pairings  and  their  parameters  and  types. 

3)  All  hashes  and  their  parameters  and  types. 

4)  All  Python  dictionaries,  their  key  names,  their 
value  names,  and  their  types.  Charm  makes  ex- 

4We  believe  that  this  approach  may  also  be  useful  in  the  future 
for  static  checking  and  formal  verification  of  dynamically-typed 
cryptographic  implementations. 


tensive  use  of  this  data  structure,  so  this  is  partic¬ 
ularly  important. 

5)  All  constant  numbers  and  strings. 

If  the  assignment  expression  does  not  match  any  of 
our  signatures,  we  perform  a  recursive  traversal  on  its 
elements  to  determine  if  any  of  its  sub-elements  fit  one 
of  our  signatures.  If  we  find  a  match,  we  return  that 
signatures  information. 

This  process  is  not  perfect.  It  makes  certain  assump¬ 
tions  about  the  structure  of  an  implementation,  and 
therefore  is  highly  dependent  on  the  quality  of  our 
heuristic  rules.  However,  the  more  code  we  examine, 
the  more  powerful  our  inference  becomes. 

Finally,  we  transform  the  verify  equation  into  an  SDL 
file  that  the  Batcher  understands.  This  requires  several 
straightforward  transformations  of  the  verify  equation, 
to  produce  a  simple  bilinear-map  based  representation. 
In  addition,  we  prepend  a  list  of  all  constants,  precom¬ 
puted  values,  variable  names  and  types  to  the  file. 

B.  Batching  and  Optimization 

Given  an  SDL  file  containing  the  verification  equation 
and  variable  times,  the  Batcher  applies  a  series  of  opti¬ 
mizations  to  the  verification  equation  in  order  to  derive 
an  efficient  batch  verifier.  Many  of  these  techniques 
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are  drawn  from  previous  works  [10],  [15],  However, 
unlike  previous  works  we  are  able  to  programmatically 
identify  when  they  are  applicable,  and  apply  them 
to  the  verification  equation  in  a  consistent  way.  The 
Batcher  assumes  that  the  input  will  be  a  collection  of 
77  signatures,  possibly  on  different  messages  and  public 
keys  (or  identities).  To  construct  a  batch  verifier,  the 
Batcher  first  combines  all  instances  into  one  equation 
using  the  small  exponents  test.  Technique  1.  Next,  it 
optimizes  the  resulting  equation  using  Techniques  2-4. 

The  order  in  which  Techniques  2—4  are  applied  varies 
from  scheme  to  scheme.  Our  batcher  tries  various  or¬ 
derings  based  on  heuristics,  which  examine  the  equation 
and  attempt  to  estimate  which  techniques  will  result  in  a 
successful  batch.  In  some  cases  a  single  technique  must 
be  applied  multiple  times,  generally  with  one  or  more 
different  techniques  used  in  between.  For  some  com¬ 
plex  schemes,  we  may  specify  some  guidance  on  the 
ordering  manually  to  improve  performance.  Resolving 
this  is  an  open  problem  for  our  techniques. 

Technique  1:  Combine  equations.  Assume  we  are  given 
77  instances  that  can  be  verified  using  the  individual 
verification  equation.  We  then  combine  all  instances  into 
one  equation  by  applying  the  Combination  Step  of  [15], 
which  employs  as  a  subroutine  the  small  exponents  test 
from  [4],  This  results  in  a  single  verification  equation. 
The  correctness  of  the  resulting  equation  requires  that 
all  elements  be  in  the  correct  subgroup,  i.e.,  that  group 
membership  has  already  been  checked.  AutoBatch  en¬ 
sures  that  this  check  will  be  explicitly  conducted  in  the 
final  batch  verifier  program. 

As  to  the  security  of  this  step,  suppose  we  use 
security  parameter  A  in  the  small  exponents  test.  Then 
Ferrara  et  al.  [15,  Theorem  3.2]  prove  that  this  equation 
will  verify  if  and  only  if  all  individual  equations  verify, 
except  with  probability  at  most  2~x.  By  default  in 
AutoBatch,  we  set  A  =  80. 

Technique  2:  Move  exponents  into  the  pairing.  When 
a  pairing  of  the  form  e(gi,hi)Si  appears,  move  the 
exponent  <5,  into  e().  Since  elements  of  Gi  and  G2 
are  usually  smaller  than  elements  of  Gt,  this  gives  a 
noticeable  speedup  when  computing  the  exponentiation. 

Replace  e(gi,hi)Si  with  e(gsii  ,hf) 

Wherever  possible,  we  move  the  exponent  into  the 
group  with  the  lowest  exponentiation  cost.  We  identify 
this  group  based  on  a  series  of  operation  microbench¬ 


marks  that  run  automatically  at  code  initialization.5 

Technique  3:  Combine  pairings  with  common  elements. 
When  two  or  more  pairings  share  a  common  first  or 
second  element,  they  can  be  combined.  For  example: 

Replace  e(a,g)  ■  e(b,g)  with  e(ab,g) 

As  Ferrara  et  al.  note  [15],  in  rare  cases  it  can 
be  useful  to  apply  this  technique  in  reverse:  splitting 
a  single  pairing  into  two  pairings,  to  allow  for  more 
efficient  batch  verification.  E.g.,  this  can  be  applied  to 
the  ring  signature  scheme  due  to  Boyen  [9]  in  order  to 
next  apply  the  technique  below. 

Technique  4:  Optimize  the  Waters  Hash.  A  variety 
of  bilinear  signature  schemes  employ  a  hash  function 
by  Waters  [36],  which  can  be  generalized  [31],  [13], 
Assume  the  identity  is  a  fc-bit  string  V  =  V\V2  ■  ■  -vz 
where  each  u,  is  a  short  string.  The  hash  function  is 
evaluated  as  v!  n!=j  UT  ■ 

When  batching  77  equations  containing  the  Waters 
hash,  one  will  often  end  up  with  something  of  the  form 
UUe(9j,UU<ij)-  This  can  be  rewritten  to  make 
the  number  of  pairings  independent  of  the  number  of 
equations  one  wants  to  batch. 

rj  z  z  rj 

Replace  e(gj,  u. ",J)  with  e(  gf0^ ,  uf) 

j  =  1  2—1  2=1  j  =  1 

C.  The  Security  of  AutoBatch 

At  this  point  in  the  narration,  we  take  a  short  break 
from  our  description  of  how  AutoBatch  works  to  argue 
that  that  batching  and  optimization  techniques  applied  in 
the  previous  section  preserve  the  security  of  the  original 
signature  scheme,  up  to  a  negligible  probability  of  error. 

Theorem  3.1  (Security  of  AutoBatch):  Let  A  be  the 
security  parameter  used  in  the  small  exponents  test  dur¬ 
ing  Technique  1.  Then  the  batch  verification  algorithm 
resulting  from  an  application  of  the  above  techniques,  as 
is  done  in  AutoBatch,  is  a  pairing-based  batch  verifier 
that  accepts  an  invalid  batch  with  probability  at  most 
2-\. 

Proof:  The  truth  of  this  theorem  after  the  initial 
and  only  application  of  Technique  1  follows  directly 
from  the  proof  of  this  step  in  [15,  Theorem  3.2],  This 
step  introduces  a  T  x  probability  of  error.  After  this 
point,  we  apply  Techniques  2-4  in  arbitrary  order  and 

5For  many  common  elliptic  curves,  this  is  the  Gi  base  group. 
However,  in  some  curves  the  groups  Gi  and  G2  have  similar  operation 
costs;  this  may  give  us  some  flexibility  in  modifying  the  equation. 
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We  begin  with  the  original  verification  equation. 

e(fe,  pk)  =  e(sig.g) 

(1) 

Step  1:  Combined  Equation: 

V  *1 

II  e(A*,pfc)  -  II  e(s».9--,0) 

2~1  2-1 

(2) 

Step  2:  Apply  the  small  exponents  test,  using  exponents 

i5i, . .  .Sn  6n  Z,: 

He^j.pA:)4'  -  H  e(sig:,g)5‘ 

2-1  2-1 

(3) 

Step  3:  Move  the  exponent(s)  into  the  pairing  (tech- 

niquc  2): 

2-1  2-1 

(4) 

Step  4:  Combine  pairings  with  common  1st  or 

element.  Reduce  N  pairings  to  1  (technique  3): 

2nd 

e(  1 1  A4' ,  pk)  =  e(  JJ  mg,' , g) 

2=1  2=1 

(5) 

Figure  3.  A  fragment  of  the  machine-generated  security  proof  of 
a  single-signer  batch  verifier  for  the  Boneh-Lynn-Shacham  (BLS) 
signature  scheme  [6].  An  early  portion  of  the  proof  asserted  that  a 
group  membership  test  would  be  done  prior  to  checking  the  final 
equation  and  defined  h  to  be  the  hash  of  the  message. 

potentially  multiple  times.  Each  of  these  techniques 
involve  substituting  one  equation  or  value  for  an  equiv¬ 
alent  formulation  of  that  equation  or  value  and  thus 
the  equation  output  by  our  Batcher  is  equivalent  to  the 
equation  output  after  Technique  1.  ■ 

D.  Analysis  and  Machine-Generated  Security  Proofs 

Once  the  Batcher  has  produced  a  final  equation  for 
the  batch  verifier,  it  counts  the  number  of  operations 
required  as  a  function  of  the  batch  size.  These  opera¬ 
tions  include  point  operations,  pairings,  hashes,  as  well 
as  random  element  generation.  It  then  combines  this  op¬ 
eration  count  with  a  database  of  average  operation  times 
that  were  measured  at  library  initialization.  The  result¬ 
ing  calculation  allows  it  to  determine  the  “crossover 
point”,  i.e.,  the  batch  size  where  batch  verification 
becomes  more  efficient  than  individual  verification. 

The  Batcher  produces  both  an  SDL  file  and,  option¬ 
ally,  a  human-readable  proof  of  security  for  the  resulting 
batch  verifier.  This  proof  is  a  LaTeX  file  that  includes 
the  individual  and  batch  verification  equations,  with  an 
enumeration  of  the  various  steps  used  to  convert  the 


former  into  the  latter.  This  proof  is  designed  to  give 
users  confidence  in  the  correctness  of  the  Batcher’s 
output.  One  example  of  such  a  proof  for  the  single- 
signer  batch  verification  of  the  BLS  signatures  [6]  is 
presented  in  Ligure  3.  The  resulting  batching  equation 
is  the  same  as  the  one  proposed  by  [6]. 

A  full  machine-generate  proof  appears  in  Appendix  B 
for  the  batch  verification  of  the  HW  signatures  [22], 
which  is  a  novel  contribution  of  this  work. 

E.  Code  Generation 

The  output  of  the  Batcher  is  a  batch  verification  equa¬ 
tion  encoded  in  Scheme  Description  Language  (SDL). 
This  file  defines  all  of  the  datatypes  for  the  signature, 
message  and  public  key  (or  identity  and  public  param¬ 
eters  in  the  case  of  an  identity-based  signature).  The 
Code  Generator  converts  this  SDL  representation  into  a 
useable  Python  signature  class  that  can  operate  on  real 
batch  inputs. 

The  Code  Generator  is  essentially  a  mirror  of  the 
Code  Parser.  However,  its  design  is  substantially  sim¬ 
pler,  since  there  is  less  ambiguity  in  the  layout  of  an 
SDL  description.  It  translates  the  individual  and  batch 
verification  equations  into  Python  code,  and  wraps  them 
with  the  following  additional  logic  components: 

1)  Group  membership  tests.  Lor  each  element  in 
the  signature  (and  optionally  the  public  key,  if 
the  user  requests)6  the  membership  of  the  group 
is  tested  using  an  exponentiation.  Section  II-C 
discusses  the  importance  and  details  of  this  test. 

2)  Pre-computation.  Several  values  often  will  be 
re-used  within  a  verification  equation.  When  this 
happens,  the  batch  verifier  can  pre-compute  cer¬ 
tain  results  once,  rather  than  needlessly  compute 
them  several  times. 

3)  Technique  selection.  Lor  relatively  small  batch 
sizes,  it  may  be  more  efficient  to  bypass  the  batch 
verifier  and  simply  verify  the  signatures  using  the 
individual  verification  function.  Lor  this  reason, 
our  Code  Generator  generates  this  function  as 
well  (the  output  of  the  Batcher  contains  both 
functions),  and  adds  logic  to  programmatically 
choose  between  batch  and  individual  verification 
when  the  batch  size  is  below  a  certain  threshold 
automatically  determined  in  the  Analysis  phase. 

4)  Invalid  signature  detection.  To  handle  the  pres¬ 
ence  of  invalid  signatures  in  a  batch,  our  batch 
verifier  code  includes  a  recursive  divide-and- 
conquer  strategy  to  recover  from  a  batching  fail- 

6In  many  applications  we  can  assume  that  the  public  keys  are 
trusted,  thus  we  can  omit  group  membership  testing  on  these  values. 
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ure  (see  e.g,.  [15]  for  a  discussion  of  this).  On 
failure,  this  verifier  divides  the  signature  collec¬ 
tion  into  two  halves  and  recurses  by  repeating 
verification  on  each  halve  until  all  of  the  invalid 
signatures  have  been  identified. 

IV.  Implementation  and  Performance  Details 

A.  Experimental  Setup 

To  evaluate  the  performance  of  our  techniques  we 
implemented  them  as  part  of  the  Charm  prototyping 
framework  [1].  Charm  is  a  Python-based  cryptographic 
prototyping  framework,  and  provides  native  for  bilinear- 
map  based  crypto  and  other  useful  primitives,  e.g.,  hash¬ 
ing  and  serialization.  We  used  a  version  of  Charm  that 
implements  all  bilinear  group  operations  using  the  C- 
based  MIRACL  library  [33] . 7  The  necessary  MIRACL 
calls  are  accessed  from  within  our  Python  code  via  the 
C  module  interface. 

To  determine  the  performance  of  our  system  in  isola¬ 
tion,  we  first  conducted  a  number  of  experiments  on 
various  components  of  our  code.  First,  we  used  the 
code  extraction  component  to  convert  several  Python 
signature  implementations  into  our  intermediate  “SDL” 
representation.  Next,  we  applied  our  batcher  to  the  SDL 
result  in  order  to  obtain  an  optimized  equation  for 
a  batch  verifier.  We  then  applied  our  code  generator 
to  convert  this  representation  into  a  functioning  batch 
verifier  program,  which  we  applied  to  various  test  data 
sets. 

Hardware  configuration.  For  consistent  results  we  ran 
all  of  our  experiments  on  a  single  hardware  platform: 
a  2  x  2.66  GHz  6-Core  Intel  Xeon  Macintosh  Pro 
running  MacOS  version  10.7.2  with  12GB  of  RAM. 
We  ran  all  of  our  tests  within  a  single  thread,  and 
thus  used  resources  from  only  a  single  core  of  the 
Intel  processor.  We  instantiated  all  of  our  cryptographic 
implementations  using  a  160-bit  MNT  elliptic  curve 
provided  with  MIRACL. 

B.  Signature  Schemes  used  as  Test  Cases 

We  ran  our  experiments  using  three  signature 
schemes,  three  identity-based  signature  schemes  and 
one  identity-based  ring  signature  scheme,  as  summa¬ 
rized  in  Figure  4.  All  of  these  schemes  are  pairing-based 
schemes.  (See  Section  II  for  the  definitions  of  these 
signature  types  and  the  background  on  a  pairing.)  These 

7The  version  of  Charm  we  used  (.30)  has  not  been  officially 
released,  but  can  be  found  in  the  Charm  github  repository  at 
www.charm-crypto.com.  It  uses  MIRACL  5.5.4  for  bilinear  group 
operations. 


schemes  were  selected  because  they  represent  some  of 
the  shortest  and  most  practical  schemes  in  the  literature. 

The  batch  verification  algorithm  for  the  CDH-based 
scheme  due  to  Hohenberger  and  Waters  [22]  is,  to 
our  knowledge,  the  first  batching  algorithm  for  this 
scheme  and  it  was  machine-generated  by  AutoBatch. 
Prior  batch  verifiers  were  known  for  the  remaining 
schemes  (see  [15]  for  a  summary)  and  we  note  that 
our  machine -generated  verifiers  match  their  efficiency. 

C.  Batch  Verification  Time:  Microbenchmarks 

To  evaluate  the  overall  efficiency  of  our  approach,  we 
implemented  several  pairing-based  signature  schemes 
in  Charm  and  applied  our  techniques  to  extract  an 
SDL-based  intermediate  representation  of  the  scheme’s 
verification  equation;  derive  an  optimized  batch  verifier 
for  the  scheme;  and  generate  a  new  Python  program 
implementing  the  batch  verifier.  We  measured  the  pro¬ 
cessing  time  for  each  of  the  above  steps.  Our  timings, 
averaged  over  five  runs,  are  presented  in  Figure  5. 

To  obtain  our  microbenchmarks,  we  ran  AutoBatch 
on  several  exemplary  bilinear  signature  schemes,  in¬ 
cluding  the  BLS  [6],  CHP  [10]  and  HW  [22]  signature 
schemes,  the  Hess  [21]  and  Waters  [36]  identity-based 
signatures  and  the  CYH  ring  signature  [14].  We  then 
experimented  with  these  schemes  at  different  batch 
sizes,  to  evaluate  their  raw  performance.  The  results  are 
presented  in  Figure  6. 

Each  graph  shows  the  average  per-signature  verifi¬ 
cation  time  for  a  batch  of  p  signatures,  with  rj  in¬ 
creasing  from  1  to  100.  We  conducted  these  tests  by 
first  generating  a  collection  of  //  keypairs  and  random 
messages,8  then  computing  a  valid  signature  over  each 
message.  We  fed  each  collection  to  the  batch  verifier. 
ID-based  signatures  were  handled  in  a  similar  manner, 
although  we  substituted  random  identities  in  place  of 
keys.  For  the  CYH  ring  signature,  we  constructed  a 
group  of  twenty  signing  keys  to  construct  a  twenty 
member  ring.  In  each  case,  we  averaged  our  results  over 
20  experimental  runs  and  computed  verification  time 
per  signature  by  dividing  the  total  batching  time  by  the 
number  of  signatures  batched. 

D.  Batch  Verification  in  Practice 

Several  previous  works  have  considered  the  implica¬ 
tion  of  having  invalid  signatures  in  a  batch,  e.g.,  [26], 
[15],  [29],  [30].  For  the  most  part,  these  works  estimated 
raw  signature  verification  times  under  various  condi¬ 
tions,  but  did  not  model  the  implications  of  these  results 
for  building  real  systems.  To  evaluate  how  signature 

8  We  used  160-byte  random  strings  for  each  message. 
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Scheme 

Model  Ind- Verify  Batch- Verify  Techniques-Order 

Signatures 

Boyen-Lynn-Shacham  (BLS)  [7]  (same  signer) 

RO 

2*7 

2 

2,3 

Camenisch-Hohenberger-Pedersen  (CHP)  [10]  (same  time  period) 

RO 

3  V 

3 

2,3 

Hohenberger- Waters  (HW)  [22]  (same  signer) 

plain 

2  V 

4 

2,3 

ID-based  Signatures 

Hess  [21] 

RO 

2  V 

2 

2,3 

Cha-Cheon  (ChCh)  [12] 

RO 

2r? 

2 

2,3 

Waters  [36] 

plain 

3  V 

z  +  3 

3,2,4, 3 

ID-based  Ring  Signatures 

Chow-Yiu-Hui  (CYH)  [14] 

RO 

2  V 

2 

2,3 

Figure  4.  Digital  Signature  Schemes  used  as  test  cases  in  AutoBatch.  RO  stands  for  random  oracle.  For  the  verification,  we  count  the  total 
number  of  pairings  needed  to  process  77  valid  signatures,  i.e.,  the  best  case  for  batch  verificaiton.  For  the  Waters  signatures,  we  set  z  =  5.  The 
final  columns  indicates  the  order  of  the  techniques  from  Section  III  that  AutoBatch  recognized  as  applicable  and  applied  to  obtain  the  resulting 
batch  verifier. 


Process 

BLS  /  CHP  /  HW  /  Hess  /  ChCh  /  Waters  /  CYH 
(ms) 

Parse  input 

67.5 

Batch/optimize 

133.3 

Generate  code 

83.2 

Total 

284.0ms 

Figure  5.  Micro  benchmark  results:  average  time  required  by  the  Parser,  Batcher,  and  Code  Generator  to  process  a  variety  of  signature  schemes. 
Batcher  time  also  includes  generating  the  proof  and  estimating  cross  over  point  between  individual  and  batch  verification. 


batching  might  work  in  real  life,  we  constructed  a 
simulation  to  determine  the  resilience  of  our  techniques 
to  various  denial  of  service  attacks  launched  by  an 
adversary. 

Basic  Model.  For  this  experiment,  we  simulated  a  server 
that  verifies  incoming  signed  messages  read  from  a 
network  connection.  We  believe  that  this  might  be  a 
reasonable  model  for  a  busy  server-side  TLS  endpoint 
using  client  authentication,  for  example,  or  for  a  vehicle- 
to-vehicle  communications  base  station. 

Our  server  is  designed  to  process  as  many  signatures 
as  possible,  and  is  limited  only  by  its  computational 
resources.9  Signatures  are  drawn  off  of  the  “wire”  and 
grouped  into  batches,  with  each  batch  size  representing 
the  expected  number  of  signatures  that  can  be  verified 
in  one  second.  Initially  this  number  is  simply  a  guess, 
which  is  adjusted  upwards  or  downwards  based  on  the 
time  required  to  verify  each  batch. 10  In  practice,  this 
approach  can  lead  to  some  transient  errors  (batches 
that  require  significantly  more  or  less  than  one  sec 
on  to  evaluate)  when  the  initial  guess  is  wrong,  or 
when  conditions  change.  In  normal  usage,  however,  this 
approach  converges  on  an  appropriate  batch  size  within 

"This  models  a  server  that  either  delays,  drops  or  redirects  the 
signatures  that  it  cannot  handle  ( e.g .,  via  load  balancing). 

10The  adjustment  is  handled  in  a  relatively  naive  way:  the  server 
simply  computes  the  next  batch  size  by  extrapolating  based  on  its 
time  to  compute  the  previous  batch. 


1-2  seconds. 

1 )  Basic  DoS  Attacks:  A  major  concern  when  using 
a  batch  verifier  is  the  possibility  of  service  denial  or 
degradation,  resulting  from  the  presence  of  some  invalid 
signatures  in  the  batch.  As  described  in  §111,  each  of 
our  generated  batch  verifiers  incorporates  a  recursive 
divide-and-conquer  strategy  for  identifying  these  invalid 
signatures.  In  practice,  however,  this  recursion  comes  at 
a  price;  the  presence  of  even  a  small  number  of  invalid 
signatures  can  seriously  degrade  the  performance  of  a 
batcher. 

To  measure  this,  we  simulated  an  adversary  who 
injects  a  fraction  of  invalid  signatures  into  the  server’s 
input  stream.  We  assume  that  these  signatures  are  well- 
mixed  with  the  remaining  valid  signatures.11  Within 
a  single  experimental  run,  the  adversary  tries  various 
attack  strategies,  including  no  attack,  a  gradual  increase 
in  the  number  of  invalid  signatures,  and  sudden  bursts 
of  invalid  signatures.  In  all  cases  we  limited  the  fraction 
of  invalid  signatures  received  by  the  verifier  to  15%  of 
the  overall  signature  stream. 

Given  this  adversary,  we  measured  the  verifier’s 
throughput.  The  adversary  injects  no  invalid  signatures 
for  the  first  25  seconds  of  the  experiment,  then  gradually 
ramps  up  its  output  until  the  number  of  invalid  sig¬ 
natures  received  by  the  verifier  reaches  approximately 

1 1  In  practice,  this  is  not  a  strong  assumption,  as  a  server  can  simply 
randomize  the  order  of  the  signatures  it  receives. 
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MNT160 


MNT160 


MNT160 


BLS  (batched)  ■ 

25  L  BLS  (individual) 


Number  of  signatures 
MNT160 


50  - 1 - 1 - 1 - 1 - 

CHP  (batched)  - 

CHP  (individual)  »»' 

40  - 


E 

10 


0  - 1 - 1 - 1 - 1 - 

20  40  60  80  100 

Number  of  signatures 


MNT160 


20  40  60  80 

Number  of  signatures 


F 


40  - 

20  - 

0  — 


WATERS  (batched)  ■ 
WATERS  (individual)  ■ 


40  60 

Number  of  signatures 


Figure  6.  Signature  scheme  microbenchmarks  for  BLS  (same  signer),  CHP  (same  period)  and  HW  (same  signer)  signatures,  Hess  and  Waters 
IBS,  and  CYH  ring  signature  (20  signer  ring).  Per-signature  times  were  computed  by  dividing  total  batch  verification  time  by  the  number  of 
signatures  verified.  Note  that  in  the  BLS  and  HW  cases,  all  signatures  are  formulated  by  the  same  signer  (as  for  certificate  generation),  while 
for  CHP  each  signature  was  produced  by  a  different  signer  but  with  a  special  restriction  that  they  be  issued  in  the  same  time  period.  All  other 
schemes  are  without  such  restrictions.  Individual  verification  times  are  included  for  comparison. 


15%.  At  approximately  55  seconds  into  the  experiment, 
the  adversary  switches  to  long  bursts  of  invalid  signa¬ 
tures.  This  measures  the  verifier’s  ability  to  recover  from 
a  short,  bursty  attack.  These  strategies  are  by  no  means 
a  thorough  catalog  of  the  types  of  attack  that  a  verifier 
might  experience;  rather,  our  effort  represents  simple 
experimentation  with  a  few  basic  attack  shapes. 

A  countermeasure.  To  handle  extended  DoS  attacks,  we 
also  experimented  by  adding  some  simple  DoS  coun¬ 
termeasures  within  our  batching  algorithm.  Our  basic 
countermeasure  uses  knowledge  of  previous  batches  to 
estimate  the  likely  number  of  invalid  signatures  that  will 
occur  in  the  next  batch.  Based  on  this  information,  the 
verifier  can  either  (a)  switch  to  individual  verification, 
in  cases  where  recursive  batch  verification  is  expected 
to  underperform,  or  ( b )  optionally  skip  some  phases  of 
the  recursive  batch  verification  process. 

For  case  (b),  at  each  phase  of  the  recursive  batch 
verifier  we  estimate  the  probability  that  the  batch  veri¬ 
fication  will  fail,  and  skip  the  verification  process  when¬ 
ever  that  probability  exceeds  a  threshold  ( e.g .,  3/4).  For 
example,  when  we  process  a  batch  of  i)  signatures,  if 
we  anticipate  that  there  will  be  even  1  invalid  signature 
in  the  batch,  then  verification  of  the  whole  batch  is 
unnecessary  (i.e.,  it  should  fail).  Thus  we  can  avoid  the 
work  of  verifying  this  batch,  and  instead  move  directly 
to  the  recursive  case  as  though  verification  had  failed. 


We  repeat  this  check  at  each  phase  of  the  process  where 
the  batch  size  >  1. 

Analysis  of  results.  We  tested  the  batch  verifier  with 
and  without  the  above  countermeasures.  Our  results  are 
presented  in  Figure  7.  We  observe  several  things.  First, 
though  our  recursive  process  is  able  to  deal  with  invalid 
signatures,  throughput  is  quite  sensitive  to  even  small 
numbers  of  invalid  signatures  in  the  input  stream.  How¬ 
ever,  when  comparing  our  batch  verification  throughput 
to  the  individual  verification  throughput,  we  note  that 
even  under  a  significant  attack  batch  verification  dra¬ 
matically  outperforms  individual  verification. 

Thus,  while  an  attacker  is  able  to  reduce  verifier 
throughput,  the  verifier  still  remains  quite  efficient  com¬ 
pared  to  the  individual  verification  case.  In  other  words, 
we  are  a  “victim  of  our  own  success”;  since  batching  so 
dramatically  increases  throughput  in  the  all-valid  case, 
the  drop  in  throughput  caused  by  invalid  signatures 
makes  the  verifier  seem  relatively  inefficient,  even  while 
it  still  outperforms  individual  verification. 

The  impact  of  our  countermeasures  is  less  obvi¬ 
ous.  Examining  the  raw  numbers  closely,  we  notice 
a  marginal  improvement  when  the  rate  of  invalid  sig¬ 
natures  is  steady,  or  grows  slowly.  However,  this  is 
offset  by  a  slightly  slower  return  to  normal  throughput 
when  an  attack  ends  suddenly.  We  also  note  that  even 
at  these  levels,  the  adversary  is  not  able  to  push  us 
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Without  Countermeasures 


Cumulative  Time  (ms) 
With  Countermeasures 


Cumulative  Time  (ms) 


Figure  7.  Simulated  service  denial  attacks  against  a  batch  verifier  (BLS  signatures,  single  signer).  The  top  chart  considers  a  standard  batch 
verifier,  and  the  bottom  chart  shows  the  performance  of  a  batch  verifier  that  employs  countermeasures.  In  each  graph,  the  black  line  (left  scale) 
indicates  the  throughput  of  the  batch  verifier  measured  in  signatures/second.  The  gray  line  (right  scale)  represents  the  average  fraction  of  invalid 
signatures  that  the  adversary  is  able  to  inject  into  the  stream.  Note  that  in  both  experiments,  the  adversary  varies  this  fraction  between  0%  and 
15%  using  a  consistent  process.  Finally,  for  comparison,  the  dashed  line  shows  the  comparable  throughput  of  an  individual  verifier. 


into  territory  where  individual  verification  becomes  a 
better  strategy.  Given  how  poorly  the  individual  verifier 
performs  relative  to  batch  verification,  we  hypothesize 
that  this  countermeasure  will  not  be  very  useful  in 
practice. 

While  there  is  no  magic  bullet  when  it  comes  to  batch 
verification  of  signatures,  we  believe  that  these  results 
are  interesting,  and  that  system  designers  may  want  to 
take  them  into  account.  At  a  minimum,  designers  should 
build  systems  to  tolerate  large  swings  in  verification 
throughput  when  an  attack  is  present. 

V.  Conclusion 

Batch  verification  holds  great  promise  for  applica¬ 
tions  where  short  signatures  are  a  design  requirement, 
yet  high  signature  throughput  is  required.  Where  pre¬ 
vious  works  constructed  batch  verifiers  by  hand  and 
on  a  per-scheme  basis,  we  have  presented  an  approach 
that  can  programmatically  apply  batching  techniques  to 
a  large  class  of  bilinear  signature  schemes,  including 


schemes  that  do  not  yet  exist.  We  believe  that  this  ap¬ 
proach  will  make  it  possible  for  implementers  to  rapidly 
determine  which  schemes  can  be  batched  efficiently. 
Moreover,  it  will  help  to  eliminate  errors  that  arise 
when  human  beings  attempt  to  manually  perform  such 
optimizations. 

This  work  leaves  several  open  problems.  On  the 
implementation  side,  the  latest  versions  of  the  MIRACL 
library  include  an  elegant  new  interface  for  efficiently 
computing  “multipairings”  (efficient  products  of  multi¬ 
ple  bilinear  pairings).  Since  Charm  does  not  currently 
provide  an  API  to  this  new  functionality,  we  did  not 
include  it  in  our  optimizations.  We  hope  to  rectify  this 
in  future  versions. 

We  also  believe  that  there  is  much  to  be  done  in  mak¬ 
ing  batch  verifiers  more  resilient  to  invalid  signatures, 
and  therefore  more  useful  in  practice.  Our  work  is  a 
first  step  in  this  direction.  We  hope  that  future  work  will 
implement  alternative  techniques  for  recognizing  invalid 
signatures  in  a  batch,  such  as  those  considered  by  of 
Law  and  Matt  [26],  [29],  [30],  along  with  additional 
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countermeasure  strategies  for  responding  to  service  de¬ 
nial  attacks. 

Additionally,  we  leave  open  the  problem  of  automat¬ 
ically  batching  other  types  of  pairing-based  equation, 
including  Groth-Sahai  proofs  [18],  Substantial  work 
has  been  conducted  in  this  direction  by  Blazy  et  al. 
[5],  We  believe  that  these  techniques  may  be  extended 
to  the  automated  setting.  Finally,  a  future  batching 
system  might  even  be  capable  of  batching  many  distinct 
signature  or  proof  types  together. 
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Appendix  A. 

Machine-Generated  Batch  Verification 
Equations 

In  Figure  8,  we  provide  the  final  batch  verification 
equations  output  by  AutoBatch  for  each  of  the  signature 
schemes  tested. 

Appendix  B. 

A  MACHINE-GENERATED  PROOF  OF  SECURITY 

The  following  proof  was  automatically  generated  by 
the  Batcher  while  processing  of  the  HW  signature 
scheme  [22 ].  It  has  been  edited  to  fit  the  two  column 
format.  This  execution  was  restricted  to  signatures  on 
a  single  signing  key. 

A.  Definitions 

This  document  contains  a  proof  that  HW. Batch  Verify 
is  a  valid  batch  verifier  for  the  signature  scheme  HW. 
Let  g,  A,  U ,  V,  D,  w,  z,  h  be  values  drawn  from  the  key 
and/or  parameters,  and  M,  or ,  cr2 ,  r,  i  represent  a  mes¬ 
sage  (or  message  hash)  and  signature.  The  individual 
verification  equation  HW. Verify  is: 

? 

e(vi  ,g)  = 

UM  ■  Vr  ■  D  •  e(cr2ls^\  w)  •  e(cr2\  z)  •  e(cr2,  h) 

Let  ij  be  the  number  of  signatures  in  a  batch,  and 
Si,...6v  Gr  be  a  set  of  random  exponents  cho¬ 
sen  by  the  verifier.  The  batch  verification  equation 
HW.  Batch  Verify:  is: 

v 

Z=1 

.  £>£2=1  Sz  . 

e(II  ^M'Sz,w)  ■  e(]J  a2lz'Sz,z)  ■  e(fj  a2szz,h) 

Z—l  Z—l  Z—l 

We  will  now  formally  define  a  batch  verifier  and  demon¬ 
strate  that  HW.BatchVerify  is  a  secure  batch  verifier  for 
the  HW  signature  scheme. 

Definition  B.l  (Pairing-based  Batch  Verifier):  Let 
BSetup(lT)  — ►  (q,  g,G,Gr,e).  For  each  j  G  [1, 77], 
where  77  G  poly(r),  let  be  a  generic  pairing-based 
claim  and  let  Verify  be  a  pairing  based  verifier. 
We  define  pairing-based  batch  verifier  for  Verify  a 
probabilistic  poly(r)-time  algorithm  which  outputs 
accept  if  X(d)  holds  for  all  j  G  [1, 77]  whereas  it  outputs 
reject  if  X^'P  does  not  hold  for  any  j  G  [1,77]  except 
with  negligible  probability. 

Theorem  B.2:  HW.BatchVerify  is  a  batch  verifier  for 
the  HW  signature  scheme. 
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Scheme 

Signatures 

BLS  [7]  (same  signer) 

CHP  [10]  (same  time  period) 
HW  [22]  (same  signer) 


ID-based  Signatures 

Hess  [21] 

ChCh  [12] 

Waters  [36] 


ID-based  Ring  Signatures 

CYH  [14] 


Batch  Verification  Equation  output  by  AutoBatch 


e(riz=i  hs/,pk)  =  e(riz=i  siglz,g ) 
e(YTz=i  si9zz ,  g)  =  e(a,  YTZ=1  pk5/ )  •  e(h,  YTZ=1  pkbzz'5z ) 
edlLi0-! Sz*>9)  =  U^='Mz'Sz  ■  V^=irz'5z  ■ 

•<nt,  <r£M-s‘,w)  ■  ewu  V2iz-Sz,z)  •  e(n;=1 


e(n:=i  =  e(UU pKz  Sz,Ppub)  ■  u:=1  Si5/ 
e(UU  S2lz  ,g2)  =  e(Unz=1  (Siz  ■  pk“z  )Sz ,  Ppub ) 
e(UVz=i  Si5/, 92)  •  e(UVz=1  S25/,u\t)  ■  nL  eiYYLl  S-2/'k"z  •  S3*x 
_ ■e{YYUSz5/,U2')  =  A^=iSz _ 


e(nLi nU •  pkyy  z,p)  =  e(n:=i  s5/ , 9) 


Ui) 


Figure  8.  These  are  the  final  batch  verification  equations  output  by  AutoBatch.  Due  to  space,  we  do  not  include  the  full  schemes  or  further 
describe  the  elements  of  the  signature  or  our  shorthand  for  them,  such  as  setting  h  =  H ( M )  in  BLS.  However,  a  reader  could  retrace  our  steps 
by  applying  the  techniques  in  Section  m  to  the  original  verification  equation  in  the  order  specified  in  Figure  4. 


B.  Proof 

Proof:  Via  a  series  of  steps,  we  will  show  that 
if  HW  is  a  secure  signature  scheme,  then  BatchVerify 
is  a  secure  batch  verifier.  Recall  our  batch  verification 
software  will  perform  a  group  membership  test  to  ensure 
that  each  group  element  of  the  signature  is  a  member  of 
the  proper  subgroup,  so  here  will  we  assume  this  fact. 
We  begin  with  the  original  verification  equation. 

? 

e(or,g)  = 

UM  ■  Vr  ■  D  ■  e(cr2s^\w)  ■  e{a2,  z)  •  e(cr2,  h)  (1) 


Step  1:  Combined  Equation: 

f[e(alz,g)  =  f[UMz-Vrz-D 

Z=1  Z= 1 

■  e(a2^M,w)  ■  e(a2lf,z)  ■  e(a2z,h ) 

Step  2:  Apply  the  small  exponents  test,  using  exponents 

Si,  .  .  .  Sy  E.R  ^ lq . 

f[(e(vlx,g))s-  =  n  UM'-S*  •  n  V*-4«  f[DSz 

Z  =  1  Z—l  Z—l  z=  1 

n  (e{<72?M,w))s*  ■  ntew,#  • 

Z—l  Z—l  Z=1 

Step  3:  Move  the  exponent(s)  into  the  pairing  (tech¬ 


nique  2): 

n  i->3) = n  uMm'Sm  ■  n •  n  °Sz 

Z—l  Z  —  1  Z  =  1  Z  —  l 

’ll  e(a2^M'Sz,w)  ■  e{a2l/Sz , z)  ■  e(a2s/,h)  (3) 

Z—l  Z—l  Z—l 

Step  4:  Combine  pairings  with  common  1st  or  2nd 
element.  Reduce  N  pairings  to  1  (technique  3): 

e(f[  >  9 )  =  U ^  Mz~5z  ■  rz~Sz  ■  /)>:’' 4 

Z=1 

e(II  V2iM'Sz,w)  ■  e(]J  a2l/5z,z)  •  e(P[  cr2s/,h)  (4) 

Z—l  Z—l  Z  =  1 

Steps  1  and  2  form  the  Combination  Step  in  [15],  which 
was  proven  to  result  in  a  secure  batch  verifier  in  [15, 
Theorem  3.2],  We  observe  that  the  remaining  steps  are 
merely  reorganizing  terms  within  the  same  equation. 
Hence,  the  final  verification  equation  (4)  is  also  batch 
verifier  for  HW.  ■ 


(2) 
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Abstract 

We  present  a  new  approach  for  creating  chosen  ciphertext  secure  encryption.  The  focal  point 
of  our  work  is  a  new  abstraction  that  we  call  Detectable  Chosen  Ciphertext  Security  (DCCA). 
Intuitively,  this  notion  is  meant  to  capture  systems  that  are  not  necessarily  chosen  ciphertext 
attack  (CCA)  secure,  but  where  we  can  detect  whether  a  certain  query  CT  can  be  useful  for 
decrypting  (or  distinguishing)  a  challenge  ciphertext  CT*. 

We  show  how  to  build  chosen  ciphertext  secure  systems  from  DCCA  security.  We  motivate 
our  techniques  by  describing  multiple  examples  of  DCCA  systems  including  creating  them  from 
1-bit  CCA  secure  encryption  —  capturing  the  recent  Myers-shelat  result  (FOCS  2009).  Our 
work  identifies  DCCA  as  a  new  target  for  building  CCA  secure  systems. 


1  Introduction 

A  central  goal  of  public  key  cryptography  is  to  design  encryption  systems  that  are  secure  against 
chosen  ciphertext  attacks.  Public  key  encryption  systems  that  are  chosen  ciphertext  attack  (CCA) 
secure  are  robust  against  powerful  adversaries  that  are  able  to  leverage  interaction  with  a  decryptor. 
Such  an  attacker  is  modeled  by  allowing  him  to  query  for  the  decryption  of  any  ciphertext  except 
a  challenge  ciphertext  for  which  he  is  trying  to  break.  This  includes  ciphertexts  derived  from  the 
challenge  ciphertext1.  Due  to  its  robustness  against  powerful  attackers,  chosen  ciphertext  security 
has  become  the  accepted  goal  for  building  secure  encryption.  For  this  reason,  building  chosen 
ciphertext  secure  systems  has  been  a  central  pursuit  of  cryptographers  for  over  twenty  years  and 
we  have  seen  many  distinct  approaches  to  achieving  CCA  security. 

*  Sponsored  by  the  Defense  Advanced  Research  Projects  Agency  (DARPA)  and  the  Air  Force  Research  Laboratory 
(AFRL)  under  contract  FA8750-11-2-0211,  the  Office  of  Naval  Research  under  contract  N00014-11-1-0470,  a  Microsoft 
Faculty  Fellowship  and  a  Google  Faculty  Research  Award.  Applying  to  all  authors,  the  views  expressed  are  those  of 
the  authors  and  do  not  reflect  the  official  policy  or  position  of  the  Department  of  Defense  or  the  U.S.  Government. 

'Sponsored  by  a  Microsoft  Research  Ph.D.  Fellowship. 

'  Supported  by  NSF  CNS-0915361  and  CNS-0952692,  AFOSR  Grant  No:  FA9550-08-1-0352,  DARPA  PROCEED, 
DARPA  N11AP20006,  Google  Faculty  Research  award,  the  Alfred  P.  Sloan  Fellowship,  and  Microsoft  Faculty  Fel¬ 
lowship,  and  Packard  Foundation  Fellowship. 

1We  use  “CCA”  and  “CCA2”  interchangeably  in  this  paper. 
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Early  pioneering  work  in  chosen  ciphertext  security  [24,  14,  27]  introduced  the  technique  of  lever¬ 
aging  Non-Interactive  Zero  Knowledge  Proofs  (NIZKs)  [5]  to  build  CCA-secure  encryption  systems 
from  chosen  plaintext  secure  encryption  systems.  Roughly,  a  NIZK  is  used  to  prove  that  a  ciphertext 
is  “well-formed”  or  legal.  Later  Cramer  and  Shoup  [12,  13]  introduced  the  first  practical  CCA- 
secure  systems  that  were  built  on  specific  number  theoretic  assumptions  such  as  Decisional  Diffie 
Heilman.  These  techniques  implicitly  embed  a  certain  form  of  designated  verifier  Non-Interactive 
Zero  Knowledge  proofs  in  them.  More  recently,  different  methods  for  building  chosen  ciphertext 
security  from  Identity-Based  Encryption  [7]  and  Lossy  Trapdoor  Functions  [26]  have  emerged.  In 
addition,  Myers  and  shelat  [23]  described  general  methods  for  amplifying  CCA  encryption  of  1  bit 
to  many  bits. 

In  this  work,  we  introduce  a  new  approach  to  obtaining  chosen  ciphertext  secure  systems.  The 
focal  point  of  our  work  is  a  new  abstraction  that  we  call  Detectable  Chosen  Ciphertext  Security 
(DCCA).  Intuitively,  this  notion  is  meant  to  capture  systems  that  are  not  necessarily  CCA  secure, 
but  where  we  can  detect  whether  a  certain  query  CT  can  be  useful  for  decrypting  (or  distinguishing) 
a  challenge  ciphertext  CT*. 

A  system  that  is  DCCA  secure  will  be  associated  with  a  boolean  function  F  that  takes  in  three 
inputs:  a  public  key  pk,  a  challenge  ciphertext  CT*  and  a  query  ciphertext  CT.  The  function  will 
output  1  if  the  query  CT  is  “dangerous”  for  the  an  attacker  wishing  to  distinguish  CT*.  A  DCCA 
secure  system  must  have  the  following  two  properties  stated  here  informally: 

•  Unpredictability  Without  seeing  CT*  it  should  be  hard  to  find  a  ciphertext  CT  such  that 
E(PK,  CT*,  CT)  =  1.  In  other  words,  an  attacker  must  first  see  a  challenge  ciphertext  in 
order  to  discover  a  dangerous  query  for  it. 

•  Indistinguishability  The  system  will  be  secure  under  a  detectable  chosen  ciphertext  attack 
if  the  attacker  is  limited  to  decryption  queries  of  ciphertexts  CT  where  F(pfc,CT*,CT)  =  0 
for  challenge  ciphertext  CT*.  I.e.  the  system  is  CCA  secure  if  the  attacker  does  not  make 
dangerous  queries. 

The  goal  of  our  work  will  be  to  construct  fully  chosen  ciphertext  secure  systems  from  detectable 
CCA-secure  systems.  We  first  motivate  this  goal  by  observing  multiple  DCCA  systems  that  natu¬ 
rally  occur: 

•  Many  bit  encryption  from  1-bit  CCA  Suppose  we  have  a  1-bit  CCA-secure  system  and 
we  wish  to  encrypt  multiple  bits  by  concatenating  multiple  1-bit  encryptions  together.  The 
resulting  system  is  no  longer  chosen  ciphertext  secure,  but  is  DCCA  secure.  The  detecting 
function  F  is  1  iff  any  of  the  1-bit  ciphertext  components  between  CT*  and  CT  are  equal. 
This  scenario  is  akin  to  the  problem  of  showing  that  bit  encryption  is  complete  considered  by 
Myers  and  shelat  [23],  where  they  worried  about  such  “quoting”  attacks. 

•  Tag-Based  Encryption  Systems  MacKenzie,  Reiter  and  Yang  [22]  and  Kiltz  [20]  define 
a  tag-based  encryption  scheme  as  an  encryption  scheme  that  takes  in  an  additional  “tag” 
parameter  on  encryption  and  decryption.  The  security  game  allows  an  attacker  to  make 
decryption  queries  with  any  tag  parameter  t.  except  for  the  tag  t*  that  the  challenge  ciphertext 
is  encrypted  under.  Several  examples  of  tag-based  schemes  exist.  Kiltz  [20]  gave  a  direct 
construction  from  the  linear  assumption.  The  CCAl-secure  encryption  variant  of  the  Canetti, 
Halevi  and  Katz  [7]  construction  where  the  tag  is  an  IBE  identity  is  an  additional  example. 
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One  can  also  view  the  CCAl-secure  variant  of  Peikert  and  Waters  [26]  as  a  tag-based  scheme, 
where  the  tag  is  the  “branch”  in  an  all-but-one  encryption  scheme. 

Most  of  the  above  examples  of  tag-based  encryption  can  be  proven  selectively  secure,  where 
an  attacker  must  commit  to  the  tag  of  the  challenge  ciphertext  before  seeing  the  public  key. 
However,  if  we  are  willing  to  utilize  complexity  leveraging  arguments,  we  can  argue  that  these 
are  adaptively  secure.  In  addition,  the  CHK-lite  transformation  will  be  an  adaptively  secure 
tag-based  scheme  if  used  with  an  adaptively  secure  Identity-Based  Encryption  system. 

We  observe  that  adaptively-secure  tag-based  encryption  immediately  gives  rise  to  DCCA- 
secure  encryption.  A  ciphertext  of  the  DCCA-secure  system  consists  of  a  random  tag  t 
plus  a  tag-based  encryption  of  the  message  under  the  tag  t.  Decryption  follows  analogously 
and  the  function  F  simply  tests  if  two  ciphertexts  have  the  same  tag.  Unpredictability 
follows  from  having  a  large  tag  space.  Although  it  is  already  possible  to  transform  tag-based 
encryption  into  CCA-secure  encryption  using  a  strongly  unforgeable  signature  [20],  these 
examples  demonstrate  natural  DCCA  systems.  We  detail  this  argument  in  Appendix  D. 

•  “Sloppy”  CCA  Encryption  One  can  envision  that  in  practice  an  encryption  system  is 
CCA  secure,  but  an  implementation  of  it  is  not  due  to  certain  nuances.  For  instance,  suppose 
a  number  theoretic  library  had  a  slack  bit  in  its  representation  of  group  elements  (e.g.  a  bit 
that  was  always  supposed  to  be  0,  but  if  set  to  1  does  not  affect  any  computations.)  A  CCA 
attacker  could  exploit  this  weakness  in  an  implementation,  however,  it  is  possible  that  the 
system  would  still  be  DCCA  secure.  Thus,  one  might  use  our  techniques  as  a  hedge  against 
such  problems.  This  is  somewhat  analogous  to  recent  work  [2]  on  applying  deterministic 
encryption  as  a  hedge  against  faulty  random  bit  generation. 

In  addition  to  the  examples  listed  above,  we  believe  that  it  is  useful  to  identify  DCCA  security  as 
a  new  “target”  for  achieving  chosen  ciphertext  security. 

Overview  of  Our  Techniques  We  now  give  an  overview  of  our  construction  and  proof.  Our 
construction  will  build  a  chosen  ciphertext  secure  system  from  three  components:  a  chosen  plaintext 
secure  system,  1-bounded  CCA-secure  system  2,  and  a  detectable  CCA-secure  system.  Since  DCCA 
security  (trivially)  implies  CPA,  and  we  can  build  1-bounded  CCA  from  CPA  encryption  [25,  11,  10], 
it  follows  that  all  components  are  realizable  from  DCCA  as  a  building  block. 

A  public  key  from  our  system  consists  of  three  components.  An  “inner”  public  key  PK;n  which 
is  a  DCCA  public  key  and  two  “outer”  keys  PKa,  PK#  respectively  from  1-bounded  CCA  and  CPA 
secure  systems.  To  encrypt  a  message  M,  one  first  chooses  the  randomness  va,i"b  to  be  used  for 
the  outer  encryptions  and  then  encrypts  the  tuple  (rA,TB,  M)  under  the  inner  (detectable)  key  to 
compute  an  inner  ciphertext  CT;n.  Next,  the  encryption  algorithm  encrypts  CTjn  under  the  outer 
public  key  PKa  using  randomness  rn  to  get  CTn-  It  then  analogously  creates  CT b  as  the  encryption 
of  CTin  under  key  PK#  and  randomness  re •  The  output  ciphertext  is  CT  =  (CTa,  CT#). 

The  structure  of  our  ciphertexts  is  that  the  two  outer  ciphertexts  both  encrypt  the  same  message 
—  the  inner  ciphertext.  This  ciphertext  itself  encrypts  the  message  and  the  randomness  used  to 
create  the  outer  ciphertexts.  Thus,  the  outer  ciphertexts  indirectly  encrypt  their  own  randomness.  3 

2 A  1-bounded  CCA-secure  encryption  system  is  secure  against  one  chosen  ciphertext  query. 

3This  construction  implicitly  assumes  that  the  length  of  the  random  string  needed  for  encryption  is  dependent 
only  on  the  security  parameter  and  is  independent  (or  at  least  smaller  than)  the  message  size  of  the  outer  ciphertexts. 
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The  decryption  algorithm  will  receive  CT  =  (CT^CTg)  and  first  decrypt  CT^  to  get  CT-n  and 
decrypt  this  to  get  (r^n/,  AT7)  using  the  appropriate  secret  keys.  Finally,  it  will  check  that  the 
ciphertext  is  well  formed  by  itself  encrypting  CT-n  under  PKa5  PK_b  and  the  respective  randomness 
r/  ,  i"b'  and  validating  that  the  output  matches  CT^  and  CT b  before  accepting  M’  as  the  message. 
Our  encryption  system  has  elements  both  of  the  Naor-Yung  [24]  two  key  method  for  our  two  outer 
keys  and  the  Myers-shelat  [23]  method  of  embedding  outer  randomness  in  inner  ciphertexts. 

Security  of  our  system  depends  on  the  premise  that  no  attacker  is  able  to  learn  the  message 
encrypted  in  the  inner  ciphertext.  This  will  follow  from  the  Detectable  CCA  security  if  we  are 
able  to  guarantee  that  an  attacker  is  unable  to  make  any  ciphertext  queries  CT^CT#  where  the 
decryption  of  CT^,  denoted  CTin,  is  related  to  the  inner  component  of  our  challenge  ciphertext  CT*n 
according  to  to  the  DCCA  function  F.  Intuitively,  we  hope  to  achieve  this  from  the  combination 
of  two  features  of  our  system.  First,  the  1-bounded  CCA  security  of  PKn  will  (hopefully)  make  it 
difficult  to  create  an  encryption  under  PK^  related  to  CT*n.  Second,  the  embedded  randomness 
will  allow  us  to  check  that  ciphertexts  are  well  formed  and  thus  answer  multiple  ciphertext  queries 
under  the  Naor-Yung  two  key  type  manner. 

The  trickiness  in  proving  security  lies  with  the  embedded  randomness  which  is  a  two-edge  sword. 
On  one  hand,  forcing  the  attacker  queries  to  embed  randomness  allows  a  reduction  algorithm  to 
decrypt  if  it  knows  either  one  of  the  two  outer  keys.  On  the  other  hand,  it  is  not  clear  how 
such  a  reduction  can  create  valid  ciphertexts  while  playing  the  1-bounded  CCA  game,  since  a 
reduction  algorithm  will  not  know  the  randomness  rA  to  embed.  Thus,  this  circularity  creates 
a  fundamental  barrier  similar  to  difficulties  encountered  in  attempts  to  create  trapdoor  functions 
from  encryption  [15]. 

We  deal  with  this  by  arguing  security  in  an  indirect  way  that  steps  around  this  barrier.  We  first 
define  a  security  game  specific  to  our  construction  called  nested  indistinguishability.  In  this  game, 
an  attacker  will  receive  a  public  key  and  is  allowed  to  make  decryption  queries.  The  attacker  at 
some  point  submits  a  single  message  M.  The  challenger  will  flip  a  coin  z.  If  z  =  0,  the  challenger 
creates  a  valid  encryption  of  Af;  otherwise,  if  z  =  1  the  challenger  creates  a  encryption  where  the 
innermost  message  is  all  0’s  —  it  neither  includes  the  message  nor  the  embedded  randomness.  The 
attacker  continues  to  make  decryption  queries  (other  than  the  challenge  ciphertext)  and  wins  if  it 
is  successfully  able  to  guess  z.  It  follows  that  if  no  attacker  is  successful  in  this  game,  then  our 
system  is  chosen  ciphertext  secure. 

To  prove  security  of  this  nested  indistinguishability  game,  we  begin  by  defining  a  “bad  event”. 
The  bad  event  is  defined  to  be  when  the  attacker  submits  a  query  (CT^CT#)  such  that  CT^  / 
CT^  where  CT^  is  from  the  challenge  ciphertext  and  the  decryption  of  CT/i  gives  a  ciphertext 
that  is  related  to  the  inner  challenge  ciphertext  according  to  F.  If  we  can  argue  that  such  bad 
events  only  occur  with  negligible  probability,  then  security  of  the  nested  indistinguishability  game 
follows  straightforwardly  from  DCCA  security. 

The  crux  of  our  proof  is  how  we  eliminate  the  possibility  of  a  bad  event.  We  do  so  in  an  indirect 
manner.  We  begin  by  arguing  this  event  cannot  happen  in  the  case  where  z  =  1,  which  is  where 
all  0’s  are  encrypted  and  the  randomness  is  not  embedded.  In  this  case,  we  get  the  best  of  both 
worlds.  We  are  able  to  require  that  the  attacker’s  queries  have  the  randomness  embedded  in  them, 

We  can  justify  this  assumption  with  the  common  technique  of  using  a  seed  to  a  (variable  length)  Pseudo  Random 
Generator  (PRG)  as  the  input  to  each  encryption  algorithm.  The  PRG  can  then  extend  the  randomness  to  whatever 
length  is  required  by  the  underlying  encryption  system.  By  using  this  justified  assumption  in  our  definitions,  we  are 
able  to  simplify  the  presentation  of  our  construction  and  proofs.  In  contrast,  Myers  and  shelat  [23]  explicitly  carry 
the  PRG  technique  through  their  exposition.  This  choice  gives  our  exposition  and  proof  an  advantage  in  simplicity. 
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so  that  we  can  check  ciphertext  well-formedness,  however,  the  challenge  ciphertext  is  not  required 
to  embed  the  outer  randomness.  We  argue  that  the  bad  event  does  not  happen  by  applying  a  set 
of  hybrid  experiments.  First,  we  change  CT^  to  be  an  encryption  of  all  l’s.  Next,  we  change  the 
decryption  algorithm  to  decrypt  using  the  secret  key  for  PKg.  Finally,  we  change  CT^  to  be  an 
encryption  of  all  l’s.  In  each  experiment  we  argue  that  the  chance  of  a  bad  event  must  be  very 
close  to  that  of  the  prior  experiment.  For  the  last  step  we  leverage  the  1-bounded  CCA  property 
of  the  first  component.  Finally,  we  note  that  in  the  last  experiment  the  probability  of  a  bad  event 
is  negligible  since  the  inner  challenge  ciphertext  CT*n  is  replaced  by  all  l’s  and  is  not  even  present. 

One  interesting  question  is  why  is  1-bounded  CCA  security  needed  for  the  PK4  since  at  the 
last  step  in  the  proof  we  can  use  the  secret  key  SKb  to  execute  decryption.  While  this  is  true,  it  is 
actually  possible  for  the  bad  event  to  occur  on  a  malformed  ciphertext  that  will  not  decrypt.  We 
need  the  1-bounded  CCA  property  to  detect  the  occurrence  of  the  bad  event  in  this  case  during 
the  security  reduction. 

We  are  not  able  to  argue  the  lack  of  a  bad  event  in  a  similar  manner  for  the  z  =  0  (embed¬ 
ded  randomness)  case  due  to  the  aforementioned  circularity  problems.  Instead,  we  can  infer  this 
from  the  lack  of  event  in  the  z  =  1  case  along  with  DCCA  security.  To  prove  this,  we  can  create 
an  algorithm  that  plays  the  DCCA  indistinguishability  game  while  simulating  the  nested  indistin- 
guishability  game  to  the  attacker.  The  simulator  will  choose  the  outer  keys  and  outer  randomness 
for  the  challenge  ciphertext  itself.  It  submits  the  message  and  outer  randomness  as  one  inner  mes¬ 
sage  and  the  0’s  string  as  another.  Then  it  will  be  able  to  decrypt  all  ciphertext  queries  until  a 
bad  event  happens  using  its  keys  in  addition  to  the  DCCA  decryption  oracle.  Once  a  bad  event 
query  is  made  though,  it  is  stuck.  However,  it  need  not  go  any  further!  The  fact  that  the  attacker 
was  able  to  create  a  bad  event  at  all  must  mean  that  the  message  and  randomness  were  embedded. 
It  can  then  break  the  DCCA  distinguishing  game.  Thus,  we  can  infer  that  the  bad  event  happens 
with  negligible  probability  in  either  case.  The  remainder  of  the  proof  follows  straightforwardly. 

Comparison  to  Myers-shelat  Myers  and  shelat  [23]  showed  how  to  achieve  many-bit  chosen 
ciphertext  security  from  1-bit  chosen  ciphertext  security  and  motivated  us  to  explore  the  notion 
of  detectability.  They  created  a  system  using  an  inner /outer  structure  where  the  inner  ciphertext 
encrypted  the  outer  random  coins.  Their  inner  scheme,  built  from  1-bit  CCA,  is  what  they  call 
“unquoteable”  secure.  Their  concept  is  roughly  analogous  to  a  specific  instance  of  a  DCCA  scheme. 
Encryptions  of  many-bit  messages  are  concatenations  of  1-bit  encryptions;  the  system  is  chosen 
ciphertext  secure  as  long  as  queries  do  not  copy  a  1-bit  ciphertext  component  of  the  underlying 
scheme.  For  the  outer  scheme,  they  use  a  notion  of  security  that  is  an  amalgam  of  unquoteability 
and  non-malleability.  Their  outer  construction  follows  a  specific  adaptation  of  the  Choi  et.  al.  [10] 
methods  applied  to  the  1-bit  primitive.  (No  two  key  structure  is  used.)  Their  proof  relies  on 
defining  quoting  attacks  on  both  the  inner  and  outer  layers  and  then  establishing  a  certain  order 
that  outer  quoting  attacks  must  happen  before  inner  quoting  attacks. 

We  believe  our  methods  offer  benefits  in  terms  of  generality,  simplicity,  and  efficiency.  First, 
our  general  notion  of  Detectable  Chosen  Ciphertext  Security  can  be  realized  by  multiple  systems. 
These  include  the  1-bit  to  many-bit  examples,  the  tag-based  encryption  class  and  future  systems 
that  can  leverage  this  as  a  new  target  path  for  creating  CCA  secure  encryption. 

Another  key  difference  is  that  the  outer  layer  of  our  scheme  is  built  from  simple  1-bounded 
CCA  and  CPA-secure  parts.  We  argue  these  provide  simpler  concepts  and  are  easier  to  work  with. 
In  addition,  one  can  instantiate  them  from  any  1-bounded  encryption  system.  For  instance,  we 
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can  apply  any  candidate  1-bounded  CCA-secure  system  and  do  not  need  to  work  through  the  Choi 
et.  al.  [10]  construction.  Instead  we  can  apply  the  1-bounded  CCA  system  of  Cramer  et.  al.  [11], 
which  is  signficantly  more  efficient  and  simpler  than  the  non-malleable  systems  of  either  PSV  [25] 
or  Choi  et.  ah  [10].  We  also  regard  avoiding  a  combination  security  definition  between  1-bounded 
CCA  (or  non-malleability)  and  detection  as  a  benefit  for  simplicity.  This  simplification  will  also 
improve  efficiency  in  the  case  where  there  is  a  candidate  CPA  primitive  that  is  more  efficient  than 
the  candidate  DCCA  primtive,  since  we  can  build  the  1-bounded  scheme  out  of  the  CPA  primitive. 

Our  choice  of  abstractions  and  structure  allow  us  to  have  a  simple  proof.  We  can  eliminate  the 
possibility  of  a  bad  event  using  a  basic  Naor-Yung  two  key  argument.  Then  once  we  are  able  to 
eliminate  this,  the  rest  of  the  proof  follows  in  a  straightforward  manner. 

Why  not  CCA1?  One  intriguing  possibility  is  to  try  to  leverage  our  techniques  to  build  full 
chosen  ciphertext  security  from  CCAl  security.  A  natural  direction  would  be  to  use  a  CCA1  system 
for  the  inner  component  in  place  of  the  detectable  encryption  scheme.  The  intuitive  rationale  would 
be  if  the  outer  keys  are  1-bounded  CCA  or  non-malleable  then  the  queries  produced  by  the  attacker 
should  not  be  related  to  the  inner  challenge  ciphertext  and  thus  CCAl  might  suffice.  Unfortunately, 
we  were  able  to  create  an  attack  oracle  which  breaks  full  CCA  security  in  our  scheme,  yet  does 
not  perturb  the  1-bounded  CCA  or  CCAl  primitives,  giving  evidence  that  this  approach  may  not 
work.  However,  the  oracle  we  use  is  quite  strong  and  “exotic”.  This  suggests  that  there  might  be 
primitives  that  he  somewhere  in  between  DCCA  and  CCAl.  One  interesting  example  is  the  CCA-1 
secure  “Cramer-Shoup  lite”  [12]  cryptosystem.  There  exists  a  malleability  attack  on  a  challenge 
CT*  that  produces  a  query  ciphertext  which  has  the  same  distribution  as  a  fresh  encryption  of 
a  random  message.  Hence  the  CS-lite  system  is  not  CCA  secure.  However,  it  would  be  very 
interesting  and  surprising  if  there  existed  attack  algorithms  that  matched  the  above  oracle. 

We  describe  these  issues  in  more  detail  in  Section  5. 

1.1  Related  Work 

Relaxations  of  CCA  Multiple  relaxations  of  chosen  ciphertext  security  have  been  proposed  in 
the  literature. 

One  interesting  class  of  relaxations  is  the  notion  of  Replayable  Chosen  Ciphertext  Security  [8] 
and  other  similar  works  [30,  1].  These  works  aim  to  capture  the  concept  that  some  malleability 
attacks  might  intuitively  be  benign.  In  particular,  consider  a  cryptosystem  where  an  attacker  is  only 
able  to  maul  a  ciphertext  CT  encrypting  a  message  M  into  a  different  ciphertext  C'  that  encrypts 
the  same  message  M.  If  an  application  (or  user)  makes  all  decisions  based  on  the  decrypted 
plaintexts  as  opposed  to  the  representation  of  the  ciphertext  such  notions  might  be  sufficient. 

The  primary  goal  of  RCCA  is  to  formally  capture  a  form  of  “good  enough”  security  under 
ciphertext  attacks.  In  contrast,  Detectable  CCA  inherently  does  not  have  good  enough  security  on 
its  own.  In  DCCA  systems,  it  may  be  possible  to  maul  ciphertexts  to  be  encryptions  of  different 
messages  or  even  create  attack  ciphertexts  that  each  target  a  single  bit  of  a  target  ciphertext.  Thus, 
our  primary  focus  is  to  create  CCA  security  from  a  fundamentally  less  secure  DCCA  building  block. 

We  observe  that  DCCA  does  not  imply  RCCA.  In  [8],  the  authors  gave  an  example  of  an  RCCA 
scheme  that  could  not  be  publicly  detected.  Conversely,  not  all  DCCA  schemes  will  be  RCCA 
secure.  Our  bit  encryption  instance  serves  as  an  example.  We  also  note  that  [8]  discusses  a  notion 
of  detectability  and  introduces  a  definition  that  combines  replayable  and  detectable  properties.  This 
combined  definition  is  a  particular  instance  of  DCCA.  However,  they  do  not  explore  the  notion  of 
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detectability  in  isolation  or  how  to  build  CCA  security  from  it.  Canetti,  Krawcyzk,  and  Nielsen  [8] 
do  show  how  to  create  CCA  security  from  RCCA  security  using  the  KEM/DEM  framework. 

Finally,  Hofheinz  and  Kiltz  [17]  introduce  a  notion  they  call  Constrained  CCA  security  partic¬ 
ular  to  developing  Key  Encapsulation  Mechanisms.  In  their  definition  an  attacker  must  include  a 
predicate  p  along  with  each  query  ciphertext  CT.  The  challenger  will  only  answer  the  query  if  the 
predicate  evaluated  on  the  decrypted  key  of  the  ciphertext  is  true  and  the  predicate  is  false  for  all 
but  a  negligible  fraction  of  possible  KEM  keys.  While  this  notion  is  weaker  than  CCA  security, 
they  show  that  when  combined  with  a  (symmetric)  authenticated  encryption  scheme,  the  resulting 
system  is  CCA  secure. 

Other  Related  Work  Goldwasser  and  Micali  [16]  gave  the  first  formal  definition  of  security  for 
public  key  encryption  systems.  Naor  and  Yung  [24]  and  Rackoff  and  Simon  [27]  extended  this  to 
include  chosen  ciphertext  attacks. 

Naor  and  Yung  [24]  initiated  the  approach  of  leveraging  NIZKs  to  build  chosen  ciphertext  secu¬ 
rity  by  introducing  their  “two  key”  method.  A  NIZK  would  guarantee  the  integrity  of  the  ciphertext 
by  giving  a  proof  that  the  same  message  was  encrypted  to  two  keys.  While  their  system  gave  security 
against  lunchtime  or  CCA1  attacks,  Dolev,  Dwork  and  Naor  [14]  showed  how  to  achieve  full  CCA2 
security.  In  addition,  they  introduced  the  fundamental  concept  of  non-malleability.  Sahai  [29]  in¬ 
troduced  a  concept  of  simulation  sound  NIZKs  that  could  be  used  to  achieve  CCA  security  through 
the  NY  two  key  structure.  Bellare  and  Sahai  [4]  gave  relations  between  non-malleability  [14]  chosen 
ciphertext  security. 

Since  then,  different  approaches  to  achieving  CCA  security  have  been  proposed.  Cramer  and 
Shoup  [12,  13]  showed  techniques  for  proving  ciphertexts  were  well-structured  and  abstracted  this 
into  projective  hash  functions.  Several  other  novel  cryptosystems  make  use  of  specific  number- 
theoretic  techniques  (e.g.  [20,  9,  18]).  Boneh,  Canetti,  Halevi  and  Katz  [6]  showed  a  generic 
method  of  achieving  chosen  ciphertext  security  from  IBE  systems.  Peikert  and  Waters  [26]  gave  a 
new  avenue  for  achieving  CCA  security  with  the  introduction  of  Lossy  Trapdoor  Functions  (TDFs). 
Notably,  this  gave  the  first  chosen  ciphertext  secure  systems  from  lattice-based  assumptions.  Subse¬ 
quently,  various  refinements  of  weaker  conditions  on  the  trapdoor  functions  were  introduced  [28,  21]. 

The  above  techniques  are  proven  secure  in  the  standard  model.  Bellare  and  Rogaway  [3]  show 
that  in  the  random  oracle  model  chosen  ciphertext  security  can  be  built  from  chosen  plaintext 
security. 

2  Detectable  Chosen  Ciphertext  Security 

In  this  section,  we  define  detectable  chosen  ciphertext  security.  An  encryption  scheme  satisfying 
this  definition  is  called  a  detectable  encryption  system.  Our  discussions  assume  a  familiarity  with 
CPA,  CCA1  and  CCA2  security  as  well  as  bounded  CCA  security  and  non-malleability.  A  reader 
wishing  to  review  these  definitions  can  find  them  in  Appendix  A. 

2.1  Detectable  Encryption 

We  define  a  detectable  encryption  scheme  as  having  the  usual  algorithms  (KeyGen,  Enc,  Dec),  as 
defined  in  Definition  A.l,  together  with  an  efficiently-computable  boolean  function  F.  Informally, 
F  tests  for  a  “detectable”  relationship  between  two  ciphertexts.  The  security  game  will  mirror 
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that  of  CCA2  security,  except  that  decryption  queries  in  the  second  phase  will  not  be  answered  for 
ciphertexts  detectably-related  to  the  challenge  ciphertext.  Our  formal  definition  follows  below. 

Definition  2.1  (Detectable  Encryption  System)  A  detectable  encryption  system  is  a  tuple 
of  probabilistic  polynomial-time  algorithms  (KeyGen,  Enc,  Dec,  F)  such  that: 

1.  (KeyGen,  Enc,  Dec)  satisfy  Definition  A.l,  where  we  sometimes  denote  Enc (pk,m;r)  as  a  de¬ 
terministic  function  of  the  public  key  pk,  the  message  rn  and  randomness  r,  and 

2.  F(pk,  d ,  c)  — >  {0, 1}  :  the  detecting  function  F  takes  as  input  a  public  key  pk  and  two  cipher- 
texts  c'  and  c,  and  outputs  a  bit. 

Correctness  is  the  same  as  a  regular  encryption  system. 

A  detectable  encryption  system  must  have  two  properties,  which  we  now  define. 

Unpredictability  of  the  Detecting  Function  F.  Informally,  given  the  description  of  F  and  a 
public  key  pk,  for  an  unknown  ciphertext  c,  it  should  be  hard  to  find  a  second  ciphertext  d  that  is 
“related”  to  c;  i.e.,  such  that  F(pk,d,c)  =  1.  We  consider  both  a  basic  and  a  strong  formalization. 

Basic  Unpredictability  Experiment.  Consider  the  following  experiment  Expp4re]dIlct  basic(A)  defined 
for  a  detectable  encryption  scheme  II  =  (KeyGen,  Enc,  Dec,  F)  and  an  adversary  A: 

1.  Setup:  KeyGen(lA)  is  run  to  obtain  keys  ( pk ,  sk). 

2.  Queries:  Adversary  A  is  given  pk  and  access  to  a  decryption  oracle  D ec(sk,  •).  The  adversary 
outputs  a  message  m  in  the  message  space  associated  with  pk  and  a  ciphertext  c  in  the 
ciphertext  space  associated  with  pk. 

3.  Challenge:  A  ciphertext  c*  4—  Enc (pk,m)  is  computed. 

4.  Output:  The  output  of  the  experiment  is  defined  to  be  1  if  F(pk,c*,c),  and  0  otherwise. 

We  also  define  a  stronger  variant  Exp|)[e1c[lctstrong(A)  of  the  unpredictability  experiment  where 
the  adversary  is  additionally  given  sk.  We  observe  that  strong  unpredictability  implies  basic  un¬ 
predictability  since  the  adversary  can  simulate  the  decryption  oracle  using  the  secret  key. 

Indistinguishability  of  Encryptions.  Next,  we  formalize  the  confidentiality  guarantee.  Con¬ 
sider  the  following  experiment  Exp'^'f^A)  defined  for  a  detectable  encryption  scheme  II  =  (KeyGen, 
Enc,  Dec,  F)  and  an  adversary  A: 

1.  Setup:  KeyGen(lA)  is  run  to  obtain  keys  (pk,  sk). 

2.  Phase  1:  Adversary  A  is  given  pk  and  access  to  a  decryption  oracle  D ec(sk,  •).  A  outputs  a 
pair  of  messages  mo,  m\  of  the  same  length  in  the  message  space  associated  with  pk. 

3.  Challenge:  A  random  bit  b  {0,1}  is  chosen,  and  then  a  ciphertext  c*  En c(pk,mf)  is 
computed  and  given  to  A.  We  call  c*  the  challenge  ciphertext. 

4.  Phase  2:  A  continues  to  have  access  to  Dec  (sk,-),  but  may  not  request  a  decryption  of  a 
ciphertext  c  such  that  F(pk,c*,c)  =  1.  Finally,  A  outputs  a  bit  b' . 

5.  Output:  The  output  of  the  experiment  is  defined  to  be  1  if  b'  =  b,  and  0  otherwise. 
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Definition  2.2  (Detectable  Chosen  Ciphertext  Security)  A  detectable  encryption  scheme  H  = 
(KeyGen,  Enc,  Dec,  F)  has  an  unpredictable  detecting  function  and  indistinguishable  encryptions 
under  a  detectable  chosen-ciphertext  attack  (or  is  DCCA-secure)  if  for  all  probabilistic  polynomial¬ 
time  adversaries  A  there  exists  a  negligible  function  negl  such  that: 

1.  (F  is  unpredictable:)  Pr[Exp|)[e]d(ct'basic(A)  =  1]  <  negl(X)  and 

2.  (Encryptions  are  indistinguishable:)  Pr[Exp^d]!ft(A)  =  1]  <  \  +  negl(X). 

2.2  Facts  about  DCCA  Security 

For  space  reasons,  we  omit  the  simple  proofs  of  the  first  two  claims.  We  conjecture  that  the 
converse  of  Claim  2.4  is  not  true.  Indeed  if  the  DDH  assumption  holds,  then  the  CCA-1  secure 
Cramer-Shoup  life  system  would  separate  these  two  notions  as  discussed  in  the  introduction. 

Claim  2.3  (CCA2  =>  DCCA)  If  II  =  (KeyGen,  Enc,  Dec)  is  a  CCA2-secure  encryption  scheme, 
then  IF  =  (KeyGen,  Enc,  Dec,  F)  is  a  DCCA-secure  encryption  scheme  where  F  outputs  0  on  all 
inputs  except  those  of  the  form  (-,c,  c). 

Claim  2.4  (DCCA  ==>  CCA1)  If  II  =  (KeyGen,  Enc,  Dec,  F)  is  a  DCCA-secure  encryption  scheme, 
then  IF  =  (KeyGen,  Enc,  Dec)  is  a  CCAl-secure  encryption  scheme. 

We  also  claim  that  one-bit  DCCA-secure  encryption  implies  arbitrary-length  DCCA-secure 
encryption.  Say  II  =  (KeyGen,  Enc,  Dec,  F)  is  a  detectable  encryption  system  with  plaintext  space 
{0, 1}.  We  can  construct  a  new  scheme  II'  =  (KeyGen,  Enc',  Dec ' ,F')  with  plaintext  space  {0, 1}* 
by  defining  Enc'  as  follows: 


Enc'(pA;,  m)  =  Enc (pk,  m i), . . . ,  Enc (pk,  mn ) 

where  m  =  m \  . . .  mn.  The  decryption  algorithm  Dec'  decrypts  each  ciphertext  piece  using  Dec.  The 
function  F'  performs  n2  invocations  of  F.  testing  each  ciphertext  piece  of  C  with  each  ciphertext 
piece  of  C' ,  and  outputting  1  if  any  invocation  of  F  returned  1,  and  0  otherwise. 

Lemma  2.5  (1-bit  DCCA  encryption  implies  arbitrary-length  DCCA  encryption)  Let  II 

and  IF  be  as  above.  If  II  is  DCCA-secure,  then  so  is  II'. 

We  prove  this  lemma  in  Appendix  B. 


3  The  Construction:  CCA2  Security  from  DCCA  Security 

An  overview  of  the  techniques  used  for  our  construction  is  provided  in  Section  1. 


The  Construction  Description  We  now  construct  a  CCA2-secure  public-key  encryption  scheme 
II  =  (KeyGen,  Enc,  Dec)  using  three  building  blocks4: 

4A  1-bounded  CCA-secure  encryption  system  is  secure  if  an  attacker  makes  at  most  one  decryption  query.  One- 
bounded  CCA  security  can  be  constructed  from  CPA  security  [25,  10].  See  Appendix  A.  CPA  security  is  trivially 
implied  by  DCCA  security.  Thus,  there  is  really  only  one  necessary  building  block:  a  DCCA-secure  system. 
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1.  a  DCCA-secure  encryption  scheme,  denoted  Ildcca  =  (KeyGendcca,  EncdCCa)  DeCdcca)  P1). 

2.  a  1-bounded  CCA-secure  encryption  scheme  with  perfect  correctness,  denoted  Ilib-cca  = 
(KeyGenlb_cca,  Encib_Cca)  Decib_cca). 

3.  a  CPA-secure  encryption  scheme  with  perfect  correctness,  denoted  ncpa  =  (KeyGencpa,  Enccpa, 
Deccpa) . 

We  assume  that  the  message  space  of  each  system  is  {0, 1}*  and  that  messages  of  the  form  (x,  y,  z ) 
can  be  uniquely  and  efficiently  encoded  as  strings  in  {0, 1}*,  where  the  encoding  length  is  the  same 
for  all  inputs  of  the  same  length.  We  assume  that  A  bits  will  be  sufficient  randomness  for  the 
encryption  algorithm  of  each  system,  where  1A  is  the  security  parameter.  We  assume  that  IIib_cca 
and  ncpa  have  perfect  correctness  for  decryption.  Finally,  we  assume  that  for  Ildcca  the  ciphertext 
length  is  a  deterministic  function  of  the  security  parameter  and  the  message  length.  We  discuss 
the  justification  behind  these  assumptions  in  Section  B. 

KeyGen(lA)  Run  KeyGendcca(lA)  to  produce  (PK;n,SKin).  Run  KeyGenlb_cca(lA)  to  produce 
(PKa;  SKn).  Run  KeyGencpa(lA)  to  produce  (PKb,  SKb).  Set  the  public  key  as  PK  :=  (PKbl,  PK^, 
PKb)  and  the  secret  key  as  SK  :=  (SKin,  SK^,  SKb). 

Enc(PK,  M)  The  encryption  algorithm  first  chooses  three  random  strings  rjn,  r  a ,  rB  G  {0,  1}a. 
Next,  it  computes  the  ciphertext  CTbl  :=  EncdCCa(PKin,  (ja,  rB,  M);  r;n).  It  then  treats  this  cipher- 
text  as  the  message  and  computes  CT^  :=  Encib_cca(PlN4)  CTjn;  ta)  and  CT B  '■=  Enccpa(PKB,  CT;n; 
re).  Finally,  it  outputs  the  encryption  as  (CTa,CTb). 

Dec(SK,CT)  The  decryption  algorithm  takes  a  ciphertext  CT  :=  (CT^,CTb).  It  decrypts  the 
first  ciphertext  as  CTjn  :=  Decib_cca(SKA,  CT^).  It  then  decrypts  this  output  as  (rA,rB,  M)  := 
DeCdCca(SKin,  CTin).  It  then  checks  that 

CTa  =  Encib_cca(PKn,  CTin;  r a)  and  CTB  =  Enccpa(PKB,  CTin;  rB). 

If  all  checks  pass,  it  outputs  M;  otherwise,  it  outputs  _L. 

4  Proof  of  Security 

We  will  now  argue  that  the  Section  3  construction  is  CCA2  secure,  assuming  the  respective  security 
properties  of  the  underlying  building  blocks.  To  do  so,  it  will  be  easier  to  consider  a  slight  variant 
of  the  CCA2  security  game,  which  we  call  nested  indistinguishability,  where  the  challenger  either 
encrypts  one  of  the  two  challenge  messages  or  encrypts  a  string  of  zeros.  The  experiment  involves 
three  encryption  schemes  and  combines  them  in  the  same  manner  as  our  main  construction. 

Nested  Indistinguishability.  Consider  the  experiment  Exp^j^ca  riib_cca  ncpa(^)  defined  for  de¬ 
tectable  encryption  scheme  Ildcca)  encryption  schemes  nib_cca,  ncpa  and  an  adversary  A: 

1.  Setup:  Run  KeyGendcca,  KeyGenlb_cca  and  KeyGencpa  to  obtain  key  pairs  (PKin,  SKin),  (PK^, 
SK^)  and  (PKb,  SKb)  respectively.  Set  pk  :=  (PK;n,  PK^,  PKb)  and  sk  :=  (SKin,  SK4,  SKb). 
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2.  Phase  1:  Adversary  A  is  given  pk  and  access  to  a  decryption  oracle  Dec(s/c,  •),  which  executes 
the  decryption  algorithm  as  defined  in  Section  3.  A  outputs  a  pair  of  messages  mo,  mi  of  the 
same  length  in  the  message  space  associated  with  pk. 

3.  Challenge:  Randomness  (5,  z  {0,1}  and  rA,rB  {0, 1 } A  are  chosen.  Let  t  denote  the 
length  of  the  encoding  of  (ta,  Lb,  mff).  Then  compute: 

CT*  ,=  f  Encdcca(PKin,  (rA,rB,m/3))  if  2  =  0; 
in'  \Encdcca(PKin,00  ifz  =  l. 

Next  compute  CT^  :=  Enclb-Cca(PKA,  CT*n;  ta)  and  CTjg  :=  Enccpa(PKs,  CT*n;  rB).  Return 
to  A  the  ciphertext  CT*  :=  (CT^,CT^). 

4.  Phase  2:  A  continues  to  have  access  to  Dec(sA:,  •),  but  may  not  request  a  decryption  of  the 
challenge  ciphertext  CT*.  Finally,  A  outputs  a  bit  z' . 


5.  Output:  The  output  of  the  experiment  is  defined  to  be  1  if  z'  =  z,  and  0  otherwise. 

Definition  4.1  (Nested  Indistinguishability)  A  tuple  of  systems  (ndcca,  IIib_cca,  ncpa)  has 
nested  indistinguishable  encryptions  under  a  chosen-ciphertext  attack  if  for  all  probabilistic  polynomial¬ 
time  adversaries  A  there  exists  a  negligible  function  negl  such  that: 

Pr[ExP!4,sneddcca,nlb_cca.ncpa(A)  =  !]  <  j  +  ne^(A)- 

It  is  important  to  observe  that  the  nested  indistinguishability  experiment  combines  IIdcca,  Ifib-cca, 
ncpa  in  exactly  the  same  manner  as  the  Section  3  construction.  When  z  =  1,  it  encrypts  “properly” 
and  when  z  =  0,  it  encrypts  all  zeros. 

With  a  goal  of  proving  CCA2  security,  our  main  task  is  to  argue  that  our  Section  3  construction 
provides  nested  indistinguishability.  To  do  this,  we  must  first  establish  that  a  certain  event  does 
not  happen,  except  with  negligible  probability.  We  define  this  event  as  follows. 

Definition  4.2  (The  Bad  Query  Event)  Let  IIdcca;  Ilib-cca?  and  Ifcpa  be  the  schemes  parame¬ 
terizing  the  experiment  Expnested .  Let  PK*n  be  the  public  key  output  by  running  KeyGendet  during  the 
course  of  the  experiment.  We  say  that  a  bad  query  event  has  occurred  during  an  execution  of  this 
experiment  if  in  Phase  2 ,  the  adversary  A  makes  a  decryption  query  of  the  form  CT  :=  (CTa,  CT B ) 
such  that 

•  (Query  inner  is  “ related ”  to  challenge  inner:)  F(PKjn,  CT}n,  Decib-Cca(SKJ4,  CTa))  =  1,  and 

•  (Query  ciphertext  differs  from  challenge  ciphertext  in  first  half):  CT^  CT^. 

where  CT*  :=  (CT^,CT^)  is  the  challenge  ciphertext  and  CT^  is  an  encryption  o/CT*n.  We  note 
that  this  event  is  well  defined  in  both  the  cases  where  z  =  0  and  z  =  1. 


4.1  Proof  that  Bad  Query  Event  Does  Not  Happen 

Claim  4.3  (No  Bad  Query  Event  when  z  =  1  (all  zeros  encrypted))  Suppose  that  IIdcca  is 
DCCA  secure,  IRb-cca  is  1-bounded  CCA  secure,  and  IIcpa  is  CPA  secure,  all  with  perfect  cor¬ 
rectness.  Then  for  all  probabilistic  polynomial-time  adversaries  A,  during  a  run  of  experiment 
ExPAndcca,nib-cca,nCpa(^)  with  z  =  1,  a  bad  query  event  does  not  take  place  except  with  negligible 
probability  in  A  where  the  probability  is  taken  over  the  coins  of  the  adversary  and  the  experiment. 

Proof.  We  proceed  via  a  series  of  hybrids.  Let  BQE  denote  a  bad  query  event. 
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Step  1:  Pr[BQE  in  Nested]  ~  Pr[BQE  in  Right-Erased]  from  CPA-security  of  ncpa.  We 
first  define  a  variation  of  the  nested  indistinguishability  experiment  with  z  =  1,  which  we  call  the 
right-erased  experiment.  In  this  experiment,  CT^  is  formed  as  CT^  :=  Enccpa(PK_B,  lfc;re)  where 
k  denotes  the  length  of  CT*n.  CT^  is  formed  the  same  as  in  the  nested  indistinguishability  exper¬ 
iment  with  z  =  1.  We  suppose  there  exists  a  PPT  adversary  A  for  the  nested  indistinguishability 
experiment  which  causes  the  bad  query  event  to  occur  with  non-negligibly  different  probability  in 
the  usual  experiment  with  z  =  1  compared  to  the  right-erased  experiment.  We  construct  a  PPT 
algorithm  B  which  violates  the  CPA-security  of  ncpa. 

B  is  given  PKb.  B  then  runs  KeyGendcca  and  KeyGenlb_cca  for  itself  to  produce  PKin,  SKjn  and 
PK^jSKyi  respectively.  It  gives  A  pk  =  (PKjn,  PK^,  PK#).  B  can  simulate  the  decryption  oracle 
Dec(sA;,  •)  for  A  by  running  the  usual  decryption  algorithm  (note  that  this  does  not  require  SK#). 

The  adversary  A  outputs  a  pair  of  messages  mo,  mi  of  the  same  length  in  the  message  space 
associated  with  pk.  B  chooses  G  {0, 1}A  and  computes  CT*n  =  Encdcca(PKm,  (p),  where  l  is 
the  length  of  the  encoding  of  {ta,  ta,  mo).  It  then  computes  CT^  =  Encib-cca(PIC4,  CTfn;  rjC)-  It 
submits  CT*n  and  lk  to  its  challenger  as  its  two  messages.  It  receives  CT^  as  the  ciphertext.  It 
gives  CT*  :=  (CT^,  CT£)  to  A. 

To  respond  to  remaining  decryption  queries  A  makes,  B  runs  the  usual  decryption  algorithm 
(after  checking  that  the  query  is  not  equal  to  the  challenge  ciphertext).  In  addition,  B  checks  for  the 
bad  query  event  by  first  checking  if  CTyi  A  CT^  and  then  computing  F(PK;n,  CT*n,  Decib_cca(SK/i, 
CT^)).  We  recall  that  B  generated  SKa,PKa  for  itself,  so  it  can  compute  Decib_cca(SK(4,  CT4). 

If  CT^  is  an  encryption  of  CT*n,  then  B  has  properly  simulated  the  usual  experiment  with  z  =  1. 
If  it  is  instead  an  encryption  of  lfc,  then  B  has  properly  simulated  the  right-erased  experiment.  We 
note  that  the  bad  query  event  occurs  in  the  simulation  if  and  only  if  it  is  detected  by  B. 

We  let  e  denote  the  probability  that  the  bad  query  event  occurs  in  the  usual  experiment  with 
z  =  1  and  5  denote  this  probability  in  the  right-erased  experiment.  We  suppose  e  —  8  is  positive  and 
non- negligible  (the  opposite  case  is  analogous).  Now,  if  B  detects  the  bad  query  event,  it  guesses 
that  CT^  is  an  encryption  of  CT*n.  Otherwise,  it  guesses  the  opposite.  £>’ s  probability  of  guessing 
correctly  in  the  CPA  security  game  for  IIcpa  is  then  equal  to  |  +  ^(1  —  5)  =  \  +  \{e  —  5).  The 
quantity  e  —  5  is  non- negligible,  so  B  violates  the  CPA-security  of  IIcpa.  Hence  we  may  conclude 
that  the  probability  of  the  bad  query  event  happening  in  the  usual  experiment  with  z  =  1  is  the 
same  (up  to  a  negligible  difference)  as  the  probability  of  the  bad  query  event  happening  in  the 
right-erased  experiment  for  any  PPT  adversary. 

Step  2:  Pr[BQE  in  Pull-Erased]  is  negligible  from  the  unpredictability  of  the  detecting 
function  of  ndcca.  We  now  define  an  additional  variation  of  the  experiment,  which  we  call  the  full- 
erased  experiment.  This  is  like  the  right-erased  experiment,  except  that  CT]^  is  also  an  encryption 
of  lk,  instead  of  an  encryption  of  CT*n.  We  claim  that  in  the  full-erased  experiment,  the  bad  query 
event  can  only  occur  with  negligible  probability.  To  see  this,  we  suppose  we  have  a  PPT  adversary 
A  which  causes  the  bad  query  event  to  occur  with  non-negligible  probability  in  the  full-erased 
experiment.  We  will  build  a  PPT  adversary  B  for  the  basic  unpredictability  experiment  which 
violates  unpredictability  of  the  detecting  function  for  ndcca. 

B  is  given  PK;n  and  access  to  a  decryption  oracle  Dec(SKjn,-).  It  runs  KeyGenlb_cca  and 
KeyGencpa  for  itself  to  produce  PK^jSK^  and  PK#,SKb.  It  gives  (PK;n,  PK^,  PK#)  to  A.  B 
can  simulate  the  decryption  oracle  for  A  using  SK4  and  its  own  decryption  oracle.  A  outputs 
mo,  mi.  B  then  computes  CT^  =  Encib_cca(PK^,  lfc)  and  CT^  =  Enccpa(PKs,  lfc)  and  gives 
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CT*  =  (CT^,  CTg)  to  A.  We  let  q  denote  the  number  of  Phase  2  queries  made  by  A.  B  can  respond 
to  these  queries  as  before.  B  chooses  a  random  i  E  {1, 2, . . . ,  q}  and  a  random  bit  b  E  {0, 1}.  It  takes 
the  ith  Phase  2  query  of  A,  denoted  by  (CT^,CTg),  and  computes  CT-n  =  Decib-CCa(SK,4,  CT^). 

It  submits  m-b  and  CT-n  to  its  challenger.  Then,  the  distribution  of  c*  =  EncdCCa(PKm,  mb)  in  the 
basic  unpredictability  experiment  is  precisely  the  distribution  of  CT*n.  Hence,  the  bad  query  event 
for  query  i  corresponds  to  an  output  of  1  for  basic  unpredictability  experiment.  Thus,  if  the  bad 
query  event  occurs  with  some  non-negligible  probability  e,  B  will  cause  an  output  of  1  in  the  basic 
unpredictability  experiment  with  probability  at  least  which  is  non-negligible. 

Step  3:  Pr[BQE  in  Right-Erased]  ~  PrfBQE  in  Full-Erased]  from  the  1-bounded  CCA 
security  of  nm-cca-  We  now  return  to  considering  a  PPT  adversary  A  in  the  right-erased  ex¬ 
periment.  We  let  q  denote  the  number  of  Phase  2  queries  made  by  A.  We  suppose  that  A  causes 
the  bad  query  event  with  non-negligible  probability.  Then  there  exists  some  index  i  E  {1, . . . ,  q} 
such  that  A  causes  the  bad  query  event  to  occur  with  non-negligible  probability  on  its  ith  Phase 
2  query.  In  other  words,  if  there  exists  a  PPT  adversary  A  for  which  the  bad  query  event  occurs 
with  non-negligible  probability  in  the  right-erased  experiment,  then  for  each  value  of  the  security 
parameter,  there  exists  an  index  i  such  that  A  causes  the  BQE  to  occur  on  its  ith  Phase  2  query 
with  non-negligible  probability.  We  note  that  for  any  i,  the  probability  that  A  causes  the  BQE  to 
occur  on  its  ith  Phase  2  query  in  the  full-erased  experiment  is  negligible,  as  we  proved  above. 

We  fix  such  an  i,  and  we  define  a  PPT  algorithm  B  which  violates  the  1-bounded  CCA  security 
of  n^)-)_cca-  B  receives  PK^  from  its  challenger.  It  runs  KeyGendcca  and  KeyGencpa  for  itself  to 
produce  PKin,SK;n  and  PKb,SK#.  It  gives  (PK;n,  PK^,  PK#)  to  A  as  the  public  key. 

B  simulates  the  decryption  oracle  for  A  as  follows.  Upon  receiving  a  ciphertext  (CT^,  CTb),  B 
decrypts  CT b  using  Deccpa  with  SK#,  and  we  let  CT;n  denote  the  output.  It  then  decrypts  CTin  us¬ 
ing  Decdcca  with  SKin,  and  parses  the  output  as  ta,  re,  M.  It  checks  if  CT^  =  Encxb-cca^kQp  CT;n; 
va)  and  if  CT#  =  Enccpa(PKs,  CT;n;  re).  If  both  checks  pass,  it  outputs  M.  Else,  it  outputs  _L. 

We  claim  that  this  matches  the  output  of  the  usual  decryption  algorithm,  even  though  B  is 
first  decrypting  CT^  instead  of  CT^-  To  see  this,  note  that  the  outputs  are  clearly  the  same 
whenever  Dec1b_CCa(CTJ4,  SK^)  =  Deccpa(CTB,  SK#).  Whenever  these  are  unequal,  both  de¬ 
cryption  methods  will  output  _L.  This  is  because  CTyi  =  Encib-Cca(PKyl,  CT;n;  ta)  and  CT#  = 
Enccpa(PKJB,CTin;rB)  imply  that  Decib-cca(CT4,  SKa)  =  CTin  =  Deccpa(CTB,  SKb).  (Recall 
here  that  we  have  assumed  nib-CCa  and  ncpa  have  perfect  correctness.) 

At  some  point,  A  outputs  mo,  m\.  B  forms  CT*n  =  Encdcca(PKin,  (r)  and  CT^  =  Enccpa(PKs,  lk). 
It  outputs  the  messages  CT*n  and  lfc  to  its  challenger,  and  receives  a  ciphertext  which  it  sets  as  CT^. 

It  gives  the  ciphertext  (CT^,  CT^)  to  A.  It  can  then  respond  to  A’s  Phase  2  decryption  queries  in 
the  same  way  as  before.  When  it  receives  the  ith  Phase  2  query  of  A,  denoted  by  (CT^CT^),  B 
checks  for  the  bad  query  event  by  first  checking  if  CT^  ^  CT^  and  if  so,  submitting  CT^  as  its  one 
decryption  query  to  its  decryption  oracle  for  PKa-  It  can  compute  F(PKin,  CT*n,  Dec(SKA>  CT^)). 
This  equals  1  if  and  only  if  the  bad  query  event  has  occurred  for  query  i,  and  in  this  case  B  guesses 
that  CT^  is  an  encryption  of  CT*n.  Otherwise,  B  guesses  the  opposite. 

We  observe  that  when  CT^  is  an  encryption  of  CT*n,  then  B  has  properly  simulated  the  right- 
erased  experiment,  and  when  CT^  is  an  encryption  of  0k ,  then  B  has  properly  simulated  the  full- 
erased  experiment.  We  let  e  denote  the  non-negligible  probability  that  A  causes  the  bad  query  event 
to  occur  on  (Phase  2)  query  i  in  the  right-erased  experiment,  and  we  let  5  denote  the  corresponding 
probability  for  the  full-erased  experiment.  We  know  that  5  must  be  negligible,  therefore  e  —  5  is 
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positive  and  non-negligible.  The  probability  that  B  guesses  correctly  is:  \  (1  —  5)  +  l  ^  (e  —  6) , 
so  B  achieves  a  non-negligible  advantage  in  the  1-bounded  CCA  security  game  for  nib_cca. 

Thus,  it  must  be  the  case  that  for  all  PPT  algorithms  A.  the  BQE  occurs  with  only  negligible 
probability  in  the  right-erased  experiment,  and  hence  also  in  the  nested  experiment  with  z  =  1.  □ 

Claim  4.4  (No  Bad  Query  Event  when  z  =  0  (real  message  encrypted))  As  a  consequence 
of  Claim  f.3  and  the  DCCA  security  o/nbcca,  it  holds  that  for  all  probabilistic  polynomial-time  ad¬ 
versaries  A,  during  a  run  of  experiment  Exp^ndcCa,nlb_Cca,nCpa(^)  w'dh  z  =  0,  a  bad  query  event 
does  not  take  place  except  with  negligible  probability  in  A  where  the  probability  is  taken  over  the 
coins  of  the  adversary  and  the  experiment. 

Proof.  In  Claim  4.3,  we  established  that  bad  query  events  happen  with  at  most  negligible  probability 
when  z  =  1.  We  will  use  this  fact  to  argue  that  they  cannot  happen  much  more  frequently  when 
z  =  0.  Suppose  to  the  contrary  that  there  exists  a  PPT  adversary  A  that  forces  bad  query  events  to 
happen  with  non-negligible  probability  e  when  z  =  0.  We  create  an  PPT  adversary  B  who  interacts 
with  A  in  a  run  of  the  nested  indistinguishability  experiment  to  break  the  DCCA  security  of  nbcca 
with  detecting  function  F  with  probability  negligibly-close  to  \  +  |  as  follows: 

1.  Setup:  B  obtains  PKin  from  the  Exp'ndlst  challenger.  It  runs  KeyGenlb_cca  to  obtain  (PIC4,  SK^) 
and  KeyGencpa  to  obtain  (PKg,SKg). 

2.  Phase  1:  B  gives  to  A  the  public  key  PK  =  (PKin,  PKa>  PK_b).  When  A  queries  the  decryption 
oracle  on  CT,  B  can  simulate  the  normal  decryption  algorithm  using  SK^  and  the  phase  1 
oracle  Dec(SKin,  •).  Eventually,  A  outputs  a  pair  of  messages  mo, mi. 

3.  Challenge:  Choose  random  jd  e  {0,1}  and  rA,rB  £  {0, 1}A-  Send  to  the  Expmdlst  challenger 
the  messages  Mq  =  (rA,fB,mp)  and  M \  =  0lM°l,  and  obtain  from  this  challenger  the  cipher- 
text  CT*n.  Compute  CT^  :=  Encib_cca(PK,4,  CT*n;  rA)  and  CT*B  :=  Enccpa(PKs,  CT*n;  rB). 
Return  CT*  :=  (CT^CT^)  to  A. 

4.  Phase  2:  When  A  queries  the  decryption  oracle  on  CT  :=  (CT^CTs),  compute  CT;n  :  = 
Declb_cca(SKA,CTA).  If 

(a)  Case  1  (a  bad  query  event):  CT^  7 -  CT^  and  yet  F(PKbl,  CT*n,  CTjn)  =  1,  then  abort 
and  output  the  bit  0. 

(b)  Case  2  (partial  match  with  challenge):  CT  a  =  CT^,  then  return  _L  to  A. 

Otherwise,  query  the  phase  2  oracle,  Dec(SKin,  ■),  to  decrypt  CT;n,  and  return  its  response 
to  A. 

5.  Output:  When  A  outputs  a  bit,  B  echos  the  bit  as  its  output. 

Analysis.  We  begin  our  analysis  by  arguing  that  B  correctly  answers  all  decryption  queries 
except  when  it  aborts.  First,  we  show  that  a  partial  match  with  the  challenge,  causing  the  _L 
response  in  Case  2,  is  correct  because  that  query  must  be  invalid.  Since  a  decryption  query  on 
the  challenge  is  forbidden  by  the  experiment,  if  CT^  =  CT^,  then  CT#  /  CTg.  However,  we 
argue  that  this  must  be  an  invalid  ciphertext,  i.e.,  one  on  which  the  main  construction’s  decryption 
algorithm  would  return  _L.  We  see  this  as  follows.  Since  decryption  is  deterministic,  we  have 
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T  :=  Decib-cca(SKA,  CTA)  =  Decib-ccatSK^,  CT^)  and  (rA,rB,m)  :=  Decdcca(SKin,  T).  By  the 
checks  enforced  by  the  main  construction’s  decryption  algorithm,  there  is  only  one  “second  half” 
that  matches  CT^  =  CT^,  that  is  Enccpa(PKe,  T;  rB).  Since  the  challenge  is  a  valid  ciphertext, 
CT^  must  be  this  value  and  CTB  must  cause  an  error. 

When  neither  Case  1  or  Case  2  applies  in  phase  2,  the  inner  decryption  query  will  succeed  since 
the  ciphertext  is  not  detectably  related  to  the  challenge.  This  allows  B  to  respond  correctly. 

When  a  bad  query  event  occurs  in  Phase  2,  B  cannot  query  Expmdlst’s  decryption  oracle  to 
decrypt  the  ciphertext.  At  first  glance,  one  seems  stuck.  However,  we  assumed  bad  query  events 
happen  only  when  z  =  0  with  all  but  negligible  probability.  Thus,  B  can  guess  that  A  thinks  z  =  0, 
which  corresponds  to  Mo  being  encrypted  in  our  reduction.  Thus,  B  can  abort  and  guess  0  at  this 
point. 

When  B  aborts,  it  causes  the  Expmdlst  experiment  to  output  1  with  high  probability.  When 
B  does  not  abort,  it  causes  Exp'ndlst  experiment  to  output  1  with  probability  2 .  Since  B  aborts 
with  non-negligible  probability  e  when  z  =  0,  then  B  causes  the  experiment’s  output  to  be  1  with 
probability  non- negligibly  greater  than  .  □ 

4.2  Putting  the  Proof  of  the  Main  Theorem  Together 

Theorem  4.5  (Main  Construction  is  Nested  Indistinguishable)  Our  main  construction  in 
Section  3,  comprised  of  the  three  building  blocks  ndcca,  n^-ccai  ncpa,  has  nested  indistinguishable 
encryptions  under  a  chosen-ciphertext  attack  under  the  assumptions  that  ndcca  is  DCCA  secure, 
Ifib-cca  is  1-bounded  CCA  secure,  and  ncpa  is  CPA  secure,  all  with  perfect  correctness. 

Proof  of  Theorem  4.5  is  given  in  Appendix  C.  The  crux  of  the  argument  is  that  bad  query  events 
do  not  happen  (except  with  negligible  probability).  This  was  already  established  in  Claims  4.3  and 
4.4.  Armed  with  this  fact,  we  can  prove  the  nested  indistinguishability  of  the  main  construction 
based  on  the  indistinguishability  property  of  the  DCCA-security  of  ndcCa-  The  reduction  and  its 
analysis  are  similar  to  those  in  the  proof  of  Claim  4.4.  5 

The  following  corollary  follows  from  Theorem  4.5.  Informally,  if  the  adversary  cannot  distinguish 
an  encryption  of  a  message  from  an  encryption  of  zeros,  then  she  also  cannot  distinguish  between 
the  encryptions  of  two  different  messages. 

Corollary  4.6  (Main  Construction  is  CCA2  Secure)  Our  main  construction  in  Section  3, 
comprised  of  the  three  building  blocks  ndcCa>  Ifib-ccaj  ncpa,  is  CCA2  secure  under  the  assumptions 
that  ndcCa  is  DCCA  secure,  nm-cca  is  1-bounded  CCA  secure,  and  ncpa  is  CPA  secure,  all  with 
perfect  correctness. 

5  Why  not  use  CCA1? 

We  now  consider  using  an  arbitrary  CCAl-secure  scheme  in  place  of  the  DCCA-secure  scheme  in 
our  construction  in  Section  3.  To  give  intuition  about  why  we  believe  this  approach  fails  in  general 

5We  note  that  we  alternatively  could  have  merged  the  proofs  of  Claim  4.4  and  Theorem  4.5.  However,  we  chose  to 
keep  the  bad  event  analysis  separate  for  pedagogical  purposes  at  the  expense  of  some  redundancy  in  the  description 
of  the  related  reductions. 


15 

Approved  for  Public  Release;  Distribution  Unlimited. 

790 


to  provide  a  CCA2-secure  scheme,  we  define  the  following  oracle.  This  oracle  enables  a  CCA2 
attack  on  the  construction,  without  appearing  to  break  the  CCA1  security  of  the  inner  scheme  or 
the  1-bounded  CCA  security/CPA  security  of  the  outer  schemes. 

Oracle  The  oracle  takes  in  the  public  key  (consisting  of  the  three  public  keys  for  the  three 
building  blocks)  and  a  ciphertext  CT.  It  runs  the  decryption  algorithm  of  the  construction  on  CT. 
If  the  decryption  algorithm  outputs  a  message  M,  then  the  oracle  runs  the  encryption  algorithm 
to  produce  a  new  ciphertext  CT  encrypting  M.  If  the  decryption  algorithm  outputs  T  (indicating 
that  the  ciphertext  was  malformed),  the  oracle  encrypts  a  string  of  0’s  of  the  appropriate  length  to 
produce  the  new  ciphertext  CT.  (The  length  of  the  0  string  is  chosen  so  that  the  inner  ciphertext 
has  the  same  size  as  CTjn  for  CT.)  The  oracle  outputs  CT. 

A  Chosen  Ciphertext  Attack  on  the  System.  Using  the  oracle,  an  attacker  can  violate  the 

CCA2  security  of  the  construction  as  follows.  Upon  receiving  the  challenge  ciphertext  CT*,  the 

'  * 

attacker  sends  this  to  the  oracle  to  obtain  a  ciphertext  CT  encrypting  the  same  message.  Since 
CT  /  CT  ,  it  can  query  CT  to  its  decryption  oracle  in  the  CCA2  security  game.  It  receives  the 
message,  thereby  violating  security. 

Why  Security  of  the  Underlying  Primitives  Remains.  Intuitively,  the  oracle  should  only 
be  useful  to  an  attacker  who  still  has  access  to  the  decryption  oracle  in  the  security  game.  This  does 
not  violate  CCA1  security  of  the  inner  scheme,  since  in  the  CCA1  security  game  the  attacker  loses 
access  to  the  decryption  oracle  completely  after  receiving  the  challenge  ciphertext.  It  is  important 
to  note  here  that  the  oracle’s  output  does  not  give  away  whether  the  ciphertext  it  received  was 
malformed.  The  oracle  also  does  not  break  the  1-bounded  CCA  and  CPA  security  guarantees  of 
the  outer  encryption  schemes,  because  even  though  the  attacker  may  use  its  one  query  for  the  1- 
bounded  CCA-secure  scheme  after  seeing  the  challenge  ciphertext,  it  will  not  know  the  randomness 
used  in  the  challenge  encryption,  and  hence  cannot  create  from  it  a  well-formed  ciphertext.  Since 
the  oracle  runs  the  usual  decryption  algorithm  which  checks  that  the  ciphertext  is  well-formed,  it 
will  not  be  useful  to  the  attacker  attempting  to  break  security  of  the  outer  schemes. 

Open  Questions.  This  oracle  is  quite  strong,  and  this  leaves  some  remaining  questions.  First, 
might  there  be  a  useful  notion  between  CCA1  security  and  DCCA  security  for  the  inner  building 
block  that  would  suffice  for  the  outer  scheme  to  imply  CCA2  security  for  our  construction?  Also, 
it  would  be  interesting  to  construct  a  more  concrete  counterexample  to  CCA2  security  for  our 
construction  with  a  CCAl-secure  inner  scheme. 
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A  Background  on  Security  Definitions  for  Encryption 

There  is  a  rich  body  of  literature  on  how  to  formalize  the  confidentiality  guarantee  of  encryption 

as  we  discussed  in  Section  1.1.  We  define  several  of  these  concepts  here. 

First,  we  recall  the  algorithms  comprising  an  encryption  system. 

Definition  A.l  (Encryption  System)  An  encryption  system  is  a  tuple  of  probabilistic  polynomial¬ 
time  algorithms  (KeyGen,  Enc,  Dec)  such  that: 

1.  KeyGen(lA)  — >  ( pk,sk ):  the  key  generation  algorithm  takes  as  input  the  security  parameter 
1A  and  outputs  a  pair  of  keys  ( pk ,  sk). 
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2.  Er\c(pk,  m)  — >  c:  the  encryption  algorithm  takes  as  input  a  public  key  pk  and  a  message 
m  from  some  underlying  plaintext  space  and  outputs  a  ciphertext  c.  Enc  is  a  probabilistic 
algorithm,  although  we  will  sometimes  cast  it  as  a  deterministic  algorithm  with  an  explicit 
random  input,  r,  by  writing 

c  :=  En c(pk,  m;  r). 

3.  Dec(sA;,  c)  — >  mu  the  decryption  algorithm  takes  as  input  a  secret  key  sk  and  a  ciphertext  c, 
and  outputs  a  message  m  or  a  special  symbol  _L  denoting  failure.  Wlog,  we  assume  that  this 
algorithm  is  deterministic  and  write  m  :=  Dec(sfc,c). 

For  the  system  to  be  correct,  we  require  that  Dec(sk,Er\c(pk,m))  =  m,  except  with  negligible 
probability  over  ( pk,sk )  output  by  KeyGen(lA)  and  any  randomness  used  by  Enc. 

CCA  Security  Experiment.  We  now  recall  the  definition  of  CCA  Security.  Consider  the 
following  experiment  Exp^an(A)  defined  for  public-key  encryption  scheme  II  =  (KeyGen,  Enc,  Dec) 
and  an  adversary  A: 

1.  Setup:  KeyGen(lA)  is  run  to  obtain  keys  (pk,  sk). 

2.  Phase  1:  Adversary  A  is  given  pk  and  access  to  a  decryption  oracle  Dec(sA;,  •).  The  adversary 
outputs  a  pair  of  messages  mo ,  m\  of  the  same  length  in  the  message  space  associated  with 
pk. 

3.  Challenge:  A  random  bit  b  <—  {0,1}  is  chosen,  and  then  a  ciphertext  c*  En c(pk,mb)  is 
computed  and  given  to  A.  We  call  c*  the  challenge  ciphertext. 

4.  Phase  2:  A  continues  to  have  access  to  Dec(sfc,  •)  provided  he  does  not  request  a  decryption 
of  c*.  Finally,  A  outputs  a  bit  b' . 

5.  Output:  The  output  of  the  experiment  is  defined  to  be  1  if  b'  =  b ,  and  0  otherwise. 

Definition  A. 2  (CCA  Security  [27])  A  public-key  encryption  scheme  II  =  (KeyGen,  Enc,  Dec) 
has  indistinguishable  encryptions  under  a  chosen-ciphertext  attack  ( or  is  CCA-secure )  if  for  all 
probabilistic  polynomial-time  adversaries  A  there  exists  a  negligible  function  negl  such  that: 

Pr[Exp3:an(A)  =  1]  <  ^  +  negl(X). 

We  also  consider  the  following  variants  of  the  above  definition: 

1.  Chosen  Plaintext  Attack  (CPA)  Security  [16]:  same  as  above,  except  that  A  is  not 
given  access  to  the  decryption  oracle  in  phase  1  or  phase  2. 

2.  Lunchtime  or  CCA1  Security  [24]:  same  as  above,  except  that  A  is  not  given  access  to 
the  decryption  oracle  in  phase  2. 

3.  g-Bounded  CCA  Security  [11]:  same  as  above,  except  that  the  total  number  of  decryption 
queries  made  by  A  in  phase  1  and  phase  2  is  at  most  q.  In  this  work,  we  will  use  1-bounded 
CCA  (a.k.a.,  “one-time  CCA”)  security,  where  A  can  make  a  single  decryption  query. 
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Realizations  We  note  that  CPA  security  implies  1-bounded  CCA  security  [25,  11,  10].  Actually, 
the  above  works  allow  for  a  stronger  notion  of  one  parallel  query  of  many  ciphertexts.  This  is 
related  to  the  notion  of  non- malleability  [14,  4], 

B  Plaintext,  Randomness  and  Ciphertext  Spaces 

For  this  paper,  we  assume  that  detectable  schemes  allow  arbitrary-length  messages  and  that  the 
encryption  randomness  will  always  be  of  the  length  of  the  security  parameter  and  therefore  inde¬ 
pendent  of  the  message  length.  We  also  assume  that  the  ciphertext  size  is  a  deterministic  function 
of  the  security  parameter  and  the  message  length. 

This  will  be  useful  for  a  property  of  our  systems  where  we  will  implicitly  encrypt  our  own 
randomness  by  having  it  nested  inside  of  another  ciphertext.  Having  short  randomness  is  actually 
more  important  for  the  one-time  CCA-secure  schemes  used  as  a  building  block  in  our  construction, 
but  we  argue  generally  that  this  is  not  a  limiting  assumption  for  encryption  schemes  here. 

We  justify  our  main  assumptions  with  two  lemmas. 

First,  we  use  Lemma  2.5,  which  asserts  that  one-bit  DCCA-secure  encryption  implies  arbitrary- 
length  DCCA-secure  encryption.  Recall  the  construction.  Say  n  =  (KeyGen,  Enc,  Dec,  F)  is  a 
detectable  encryption  system  with  plaintext  space  {0, 1}.  We  can  construct  a  new  scheme  IT  = 
(KeyGen,  Enc',  Dec',F')  with  plaintext  space  {0, 1}*  by  defining  Enc'  as  follows: 

Enc '(pk,  m)  =  Enc (pk,  m i), . . . ,  Enc (pk,  mn) 

where  m  =  m\  . . .  mn.  The  decryption  algorithm  Dec7  decrypts  each  ciphertext  piece  using  Dec.  The 
function  F'  performs  n2  invocations  of  F.  testing  each  ciphertext  piece  of  C  with  each  ciphertext 
piece  of  C ,  and  outputting  1  if  any  invocation  of  F  returned  1,  and  0  otherwise.  We  now  prove 
Lemma  2.5. 

Proof.  Recall  that  our  construction  defined  the  function  F'  to  perform  n 2  invocations  of  F,  testing 
each  ciphertext  piece  of  C  with  each  ciphertext  piece  of  C' ,  and  outputting  1  if  any  invocation  of 
F  returned  1,  and  0  otherwise.  Clearly  F'  is  efficiently  computable  if  F  is. 

Unpredictability  of  F'.  We  suppose  there  exists  a  PPT  adversary  A  that  causes  the  output 
of  the  basic  unpredictability  experiment  with  R  to  be  1  with  non-negligible  probability  e.  We 
construct  a  PPT  adversary  B  against  the  basic  unpredictability  experiment  with  n.  The  experiment 
for  B  begins  by  a  run  of  KeyGen  producing  pk,  sk.  B  is  given  pk  and  access  to  a  decryption  oracle 
Dec(sk,-).  It  gives  pk  to  A.  To  simulate  a  decryption  oracle  for  A,  B  takes  a  ciphertext  query 
from  A  in  the  form  c\, ...  ,cn  and  separately  queries  each  of  ci, . . . , cn  to  its  decryption  oracle.  It 
returns  the  ordered  n-tuple  of  replies  to  A. 

When  A  outputs  a  message  m  =  m\ . . .  rrip.  and  a  ciphertext  ci, . . . ,  q,  B  chooses  two  random 
indices  i  £  [k],  j  £  \t]  and  outputs  rrii,Cj.  The  experiment  then  proceeds  to  the  challenge  phase, 
computing  c*  <—  En c(pk,m.i).  This  is  distributed  identically  to  the  ith  piece  of  the  challenge 
ciphertext  that  would  be  created  in  the  experiment  for  A.  We  let  K  and  L  be  polynomial-size 
bounds  such  that  A  chooses  k  <  K  and  l  <  L  with  all  but  negligible  probability.  Then  the 
probability  that  the  outcome  of  £>’ s  is  1  is  negligibly  close  to  Afp- 

To  see  this,  we  consider  simulating  the  full  experiment  for  A  by  also  computing  c*,  •£-  En c(pk,  mp) 
for  all  i'  A  *•  We  note  that  when  A  succeeds,  there  must  be  some  indices  i*,j*  such  that 
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F(pk,  Cj*,  Enc(pk,  mi*))  =  1.  Fixing  all  the  randomness  except  for  the  choice  of  i,j  by  B,  B 
will  now  succeed  in  its  experiment  as  long  as  it  chooses  i  =  i*  and  j  =  j*:  this  occurs  with 
probability  which  is  >  with  all  but  negligible  probability.  We  note  that  the  choices  of  i.  j 
by  B  are  made  independently  of  all  other  random  choices  occurring  in  this  simulated  experiment 
for  A.  Hence,  B  causes  the  output  of  the  basic  unpredictability  experiment  with  n'  to  be  1  with 
non-negligible  probability.  We  note  that  the  same  proof  (with  trivial  adjustments)  works  for  the 
strong  unpredictability  experiment. 

Indistinguishability  of  Encryptions.  It  remains  to  show  a  PPT  adversary  must  have  a  neg¬ 
ligible  advantage  in  the  indistinguishability  of  encryptions  experiment.  We  suppose  there  exists  a 
PPT  adversary  A  that  causes  the  output  of  the  indistinguishability  of  encryptions  experiment  with 
n7  to  equal  1  with  probability  non-negligibly  greater  than  f .  We  construct  a  PPT  adversary  B  for 
the  indistinguishability  of  encryptions  experiment  with  n.  We  employ  a  hybrid  argument.  We  let 
k  denote  an  upper  bound  of  the  length  of  the  messages  mo ,  m\  produced  by  A  as  its  output  for 
Phase  I  of  the  experiment.  We  then  define  experiments  1  through  k  as  follows.  Each  experiment  i 
is  like  the  indistinguishability  of  encryptions  experiment  except  for  how  the  challenge  ciphertext  is 
created.  In  experiment  i,  the  first  i  —  1  pieces  of  the  ciphertext  are  created  by  encrypting  the  first 
i  —  1  bits  of  mo,  the  ith  piece  is  created  by  encrypting  the  ith  bit  of  mb,  and  the  remaining  pieces 
are  encryptions  of  the  bits  of  m\,  starting  from  the  i  +  1  bit.  The  output  of  each  experiment  is  still 
defined  to  be  1  when  b  =  b' . 

We  observe  that  there  must  exist  some  i*  such  that  A  causes  the  output  of  experiment  i*  with 
n;  to  be  1  with  probability  non-negligibly  greater  than  ^ .  The  experiment  for  B  begins  by  a  run 
of  KeyGen  producing  pk,  sk.  B  is  given  pk  and  access  to  a  decryption  oracle  Dec(sA;,  •).  It  forwards 
pk  to  A.  To  simulate  a  decryption  oracle  for  A,  B  takes  a  ciphertext  query  from  A  in  the  form 
ci, . . . ,  cn  and  separately  queries  each  of  ci, . . . ,  cn  to  its  decryption  oracle.  It  returns  the  ordered 
n-tuple  of  replies  to  A. 

A  produces  two  messages  mo,  mi  of  the  same  length  in  the  message  space  associated  with  pk. 
B  produces  the  ciphertext  c*  as  follows.  It  encrypts  the  first  i*  —  1  bits  of  mo  to  form  the  first 
i*  —  1  pieces  of  c* ,  and  submits  the  i*th  bits  of  mo,  mi  as  its  messages  to  the  challenger  for  the 
indistinguishability  of  encryptions  experiment  for  n.  It  uses  the  ciphertext  it  receives  in  return  as 
the  i*  piece  of  c* .  It  forms  the  remaining  pieces  by  encrypting  the  final  bits  of  mi,  (starting  from 
the  i*  +  1  bit).  It  gives  c*  to  A. 

A  may  continue  to  make  decryption  queries,  as  long  as  none  of  the  pieces  of  these  queries  are 
“related”  to  pieces  of  c*  in  the  sense  defined  by  F  (this  is  just  a  restatement  of  the  definition 
for  F').  This  restriction  allows  B  to  simulate  the  decryption  oracle  on  these  queries  as  before,  by 
submitting  them  separately  to  its  own  decryption  oracle.  Finally,  A  will  output  a  bit  b' ,  which  B 
copies  as  its  own  output.  This  will  equal  b  with  probability  non-negligibly  greater  than  |,  since  A 
accomplishes  this  in  experiment  i*.  □ 

Next,  we  rely  on  the  common  trick  of  replacing  the  randomness  for  encryption  with  the  output  of 
a  pseudorandom  generator.  Thus  the  “real”  randomness  needed  for  encryption  is  just  a  seed  of  the 
length  of  the  security  parameter.  Say  n  =  (KeyGen,  Enc,  Dec,  F)  is  a  detectable  encryption  system 
with  randomness  s  of  length  (.  =  £(X),  where  A  is  the  security  parameter  and  £  is  a  polynomial. 
Let  G  :  {0, 1}A  — >  {0, 1}^A)  be  a  pseudorandom  generator;  if  pseudorandom  generators  exist, 
then  such  a  pseudorandom  generator  must  exist  [19,  p.  76].  We  can  construct  a  new  scheme 
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IT  =  (KeyGen7,  Enc7,  Dec,  F)  with  randomness  s'  of  length  A.  The  first  step  of  KeyGen7  and  Erie7  is 
to  run  t  :=  G(s').  Then  they  operate  exactly  as  KeyGen  and  Enc  using  the  appropriate  bits  of  t. 

Lemma  B.l  (Short  Randomness  is  Sufficient)  Let  II  and  II'  be  as  above.  If  II  is  DCCA- 

secure,  then  so  is  II7 . 

We  omit  the  straightforward  proof  of  the  above  lemma.  It  expands  in  the  obvious  way  to  CPA 
and  CCA2  -secure  systems. 

Finally,  we  assume  that  the  ciphertext  size  can  be  considered  a  deterministic  function  of  the  se¬ 
curity  parameter  and  message  length.  Informally,  the  length  of  the  ciphertext  cannot  be  predictably 
related  to  the  message  value ,  because  this  would  break  the  indistinguishability  of  encryptions  prop¬ 
erty.  It  is  possible  that  some  systems  might,  for  example,  have  variable-length  ciphertexts  by 
appending  a  variable-length  random  string  to  the  end  of  the  encryption.  However,  we  focus  our 
attention  on  schemes  that  do  not  allow  this. 


C  Proof  of  Theorem  4.5  (Main  Construction  is  Nested  Indistin¬ 
guishable) 

Proof.  Given  that  bad  query  events  occur  with  only  negligible  probability,  we  use  this  fact  to  prove 
the  nested  indistinguishability  of  our  main  construction  based  on  the  indistinguishability  property 
of  the  DCCA-security  of  Hdcca. 

The  Reduction  Algorithm.  Let  1A  be  the  security  parameter.  Suppose  there  exists  a  PPT 
adversary  A  that  causes  the  output  of  the  nested  experiment  with  the  main  construction  to  output  1 
with  probability  ^  +  e.  We  construct  a  PPT  adversary  B  against  the  indistinguishability  experiment 
of  the  DCCA  security  of  Hdcca  with  detecting  function  F. 

1.  Setup:  H  obtains  PKin  from  the  Exp'ndlst  challenger.  It  runs  KeyGenlb_cca  to  obtain  (PIC4,  SIC4) 
and  KeyGencpa  to  obtain  (PKb,SK#). 

2.  Phase  1:  B  gives  to  A  the  public  key  PK  =  (PKin,  PKa>  PK_b).  When  A  queries  the  decryption 
oracle  on  CT,  B  can  simulate  the  normal  decryption  algorithm  using  SK^  and  the  phase  1 
oracle  Dec(SKin,  •).  Eventually,  A  outputs  a  pair  of  messages  mo, mi. 

3.  Challenge:  Choose  random  /3  £  {0,1}  and  r  a ,  v b  £  {0, 1}A-  Send  to  the  Expmdlst  challenger 
the  messages  Mq  =  (r a,  t and  M \  =  0lM°l,  and  obtain  from  this  challenger  the  cipher- 
text  CT*n.  Compute  CT{  :=  Encib_cca(PK,4,  CT*n;  rA)  and  CTg  :=  Enccpa(PKs,  CT*n;  rB). 
Return  CT*  :=  (CT^CT^)  to  A. 

4.  Phase  2:  When  A  queries  the  decryption  oracle  on  CT  :=  (CT^CTs),  compute  CT;n  :  = 
Declb_cca(SKA,CT4).  If 

(a)  Case  1  (a  bad  query  event):  CT^  A  CT^  and  yet  F(PKin,  CT*n,  CTjn)  =  1,  then  abort 
and  take  a  random  guess. 

(b)  Case  2  (partial  match  with  challenge):  CT  a  =  CT^,  then  return  _L  to  A. 

Otherwise,  query  the  phase  2  oracle,  Dec(SKin,  •),  to  decrypt  CT;n,  and  return  its  response 
to  A. 
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5.  Output:  When  A  outputs  a  bit,  B  echoes  the  bit  as  its  output. 

Analysis.  We  begin  our  analysis  by  arguing  that  B  correctly  answers  all  decryption  queries  except 
when  it  aborts.  Through  Claims  4.3  and  4.4,  we  have  already  established  that  a  bad  query  event, 
causing  the  abort  in  Case  1,  happens  with  only  negligible  probability  assuming  that  Ildcca  is  DCCA 
secure,  Il^-cca  is  1-bounded  CCA  secure,  and  ncpa  is  CPA  secure. 

Next,  we  show  that  a  partial  match  with  the  challenge,  causing  the  _L  response  in  Case  2,  is 
correct  because  that  query  must  be  invalid.  Since  a  decryption  query  on  the  challenge  is  forbidden 
by  the  experiment,  if  CTyi  =  CT^,  then  CTg  /  CT^.  However,  we  argue  that  this  must  be  an 
invalid  ciphertext,  i.e. ,  one  on  which  the  main  construction’s  decryption  algorithm  would  return 
_L.  We  see  this  as  follows.  Since  decryption  is  deterministic,  we  have  T  :=  Decib-CCa(SK4,  CT^)  = 
Decib-ccalSK^,  CT^)  and  :=  DecdCCa(SKin,  T).  By  the  checks  enforced  by  the  main 

construction’s  decryption  algorithm,  there  is  only  one  “second  half”  that  matches  CT^  =  CT^, 
that  is  Enccpa(PKs,  T;  rs).  Since  the  challenge  is  a  valid  ciphertext,  CT^  must  be  this  value  and 
CT b  must  cause  an  error. 

When  neither  Case  1  or  Case  2  applies  in  phase  2,  the  inner  decryption  query  will  succeed  since 
the  ciphertext  is  not  detectably  related  to  the  challenge.  This  allows  B  to  respond  correctly. 

Finally,  B  causes  all  inputs  to  A  to  have  the  same  distribution  as  the  nested  experiment.  When 
B  aborts,  it  causes  the  Expmdlst  experiment  to  output  1  with  probability  P.  When  B  does  not  abort, 
all  decryption  queries  are  answered  correctly  and  this  causes  the  Exp'ndlst  experiment  to  output  1 
with  probability  ^  +  e.  Since  B  does  not  abort  with  high  probability,  if  e  is  non-negligible,  then  B 
causes  the  experiment’s  output  to  be  1  with  probability  non-negligibly  greater  than  □ 

D  Detectable  CCA  from  (Adaptive)  Tag-Based  Encryption 

MacKenzie,  Reiter  and  Yang  [22]  define  a  tag-based  encryption  scheme  as  an  encryption  scheme 
that  takes  in  an  additional  “tag”  parameter  on  encryption  and  decryption.  We  recall  this  definition. 

Consider  the  following  experiment  Exp1^  atag  cca(A)  defined  for  a  tag-based  encryption  scheme 
n  =  (TBKeyGen,  TBEnc,  TBDec)  and  an  adversary  A: 

1.  Setup:  TBKeyGen(lA)  is  run  to  obtain  keys  ( pk,sk ). 

2.  Phase  1:  Adversary  A  is  given  pk  and  access  to  a  decryption  oracle  TBDec(st’,  •,  •).  A  outputs 
a  pair  of  messages  mo,  mi  of  the  same  length  in  the  message  space  associated  with  pk  and  a 
target  tag  t*  from  the  tag  space. 

3.  Challenge:  A  random  bit  b  {0, 1}  is  chosen,  and  then  a  ciphertext  c*  <—  TBEnc(p/c,  t* ,  mb) 
is  computed  and  given  to  A.  We  call  c*  the  challenge  ciphertext. 

4.  Phase  2:  A  continues  to  have  access  to  TBDec(s/c,  •,  •),  but  may  not  request  a  decryption  of 
a  ciphertext  with  tag  t  such  that  t  ^  t*.  Finally,  A  outputs  a  bit  b' . 

5.  Output:  The  output  of  the  experiment  is  defined  to  be  1  if  b'  =  b ,  and  0  otherwise. 

Definition  D.l  (Adaptive  Tag-Based  Security)  A  tag-based  encryption  scheme  H  =  (TBKeyGen 
TBEnc,  TBDec)  has  indistinguishable  encryptions  under  a  tag-based  chosen-ciphertext  attack  if  for 
all  probabilistic  polynomial-time  adversaries  A  there  exists  a  negligible  function  negl  such  that: 

Pr[ExPAn  : atag_cca(A)  =  1]  <  *  +  negl(X). 
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Kiltz  [20]  considered  a  selective  variant  of  this  definition  where  the  target  tag  t*  used  in  the 
challenge  ciphertext  must  be  output  by  the  adversary  before  the  public  key  is  created. 

We  now  show  that  any  tag-based  scheme  satisfying  Definition  D.l  gives  rise  to  a  DCCA-secure 
system.  Let  II  =  (TBKeyGen,  TBEnc,  TBDec)  be  a  tag-based  encryption  system  with  tag  space  T. 
We  create  a  detectable  encryption  system,  II'  =  (KeyGen,  Enc,  Dec,  F),  as: 

1.  KeyGen(lA)  :  Run  TBKeyGen(lA)  and  output  the  resulting  key  pair. 

2.  Enc(p&,m)  :  Select  a  random  tag  t  T  and  compute  d  <—  TBEnc (pk,t,m).  Output  the 
ciphertext  c  :=  (t,d). 

3.  Dec(sfc,c)  :  Parse  c  as  (t,d).  Output  the  result  of  TBDec(s/c,  t,  d). 

4.  F(pk,c,c')  :  Parse  c  as  (t,d)  and  c'  as  (t' ,d').  Output  1  if  t  =  t'  and  0  otherwise. 

Lemma  D.2  (DCCA  from  Tag-Based  Encryption)  If  II  is  an  adaptively-secure  tag-based  sys¬ 
tem  according  to  Definition  D.l  with  an  exponentially -large  tag  space  T,  then  II'  is  a  DCCA-secure 
detectable  system  according  to  Definition  2.2. 

Proof.  This  proof  involves  two  parts.  First,  we  argue  that  the  detecting  function  F  is  unpredictable. 
In  the  basic  unpredictability  game,  the  adversary  must  fix  a  tag  t  6  T  as  part  of  the  ciphertext 
c.  After  this  is  fixed,  the  challenger  chooses  a  random  tag  t*  £  T  for  the  challenge  ciphertext. 
The  detecting  function  F  outputs  1,  causing  the  experiment  to  output  1,  if  and  only  if  t  =  t*. 
This  happens  with  probability  exactly  1/|T|.  Since  we  conditioned  that  T  is  exponentially-large 
in  the  security  parameter,  we  can  conclude  that  the  adversary  causes  the  basic  unpredictability 
experiment  to  output  1  will  only  negligible  probability. 

Second,  we  argue  that  the  encryptions  of  II'  are  indistinguishable  under  a  detectable  chosen 
ciphertext  attack.  Suppose  this  is  false  and  there  exists  a  PPT  adversary  A  with  probability  1/2 
plus  a  non-negligible  advantage  e,  then  we  use  this  adversary  to  construct  a  PPT  adversary  B  for 
the  tag-based  experiment  as  follows.  B  passes  the  public  key  pk  to  A.  When  A  makes  a  decryption 
query  on  ciphertext  c  :=  (t.  d),  B  passes  this  query  to  its  decryption  oracle  with  tag  t  and  ciphertext 
d  and  returns  the  answer.  When  A  outputs  a  pair  of  messages  mo,  mi,  B  chooses  a  random  t*  £  T 
and  outputs  (mo,  mi,  t*).  The  tag-based  challenger  responds  with  a  ciphertext  c*  :=  (t*,d*),  which 
B  passes  to  A.  When  A  makes  a  decryption  query  it  must  obey  the  detecting  predicate  F  which  is 
defined  to  forbid  any  ciphertext  c  :=  (f,  d)  such  that  t  =  t* ,  thus  B  will  be  able  to  pass  the  query  on 
to  its  decryption  oracle  and  return  the  answer.  When  A  outputs  a  bit,  B  outputs  the  same  bit.  It 
is  straightforward  to  see  that  B  is  able  to  simulate  the  DCCA  game  for  A  exactly  and  will  succeed 
in  the  tag-based  experiment  with  probability  1/2  +  e,  thereby  breaking  the  security  of  II.  □ 
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Abstract 

Traditional  definitions  of  encryption  security  guarantee  secrecy  for  any  plaintext  that  can  be  computed 
by  an  outside  adversary.  In  some  settings,  such  as  anonymous  credential  or  disk  encryption  systems, 
this  is  not  enough,  because  these  applications  encrypt  messages  that  depend  on  the  secret  key.  A 
natural  question  to  ask  is  do  standard  definitions  capture  these  scenarios?  One  area  of  interest  is  n- 
circular  security  where  the  ciphertexts  E(pk1,  sk2),  E(pk2,  sks),  . . . ,  E(pkn_1,  skn),  E(pkn,  ski)  must  be 
indistinguishable  from  encryptions  of  zero.  Acar  et  al.  (Eurocrypt  2010)  provided  a  CPA-secure  public 
key  cryptosystem  that  is  not  2-circular  secure  due  to  a  distinguishing  attack. 

In  this  work,  we  consider  a  natural  relaxation  of  this  definition.  Informally,  a  cryptosystem  is  n-weak 
circular  secure  if  an  adversary  given  the  cycle  E(pkl7  sfe),  E(pk2,  S&3), . . . ,  E(pkn_l,  sk„),  E(pkn,  ski) 
has  no  significant  advantage  in  the  regular  security  game,  (e.g.,  CPA  or  CCA)  where  ciphertexts  of 
chosen  messages  must  be  distinguished  from  ciphertexts  of  zero.  Since  this  definition  is  sufficient  for 
some  practical  applications  and  the  Acar  et  al.  counterexample  no  longer  applies,  the  hope  is  that 
it  would  be  easier  to  realize,  or  perhaps  even  implied  by  standard  definitions.  We  show  that  this  is 
unfortunately  not  the  case:  even  this  weaker  notion  is  not  implied  by  standard  definitions.  Specifically, 
we  show: 

•  For  symmetric  encryption,  under  the  minimal  assumption  that  one-way  functions  exist,  n-weak 
circular  (CPA)  security  is  not  implied  by  CCA  security,  for  any  n.  In  fact,  it  is  not  even  implied 
by  authenticated  encryption  security,  where  ciphertext  integrity  is  guaranteed. 

•  For  public-key  encryption,  under  a  number-theoretic  assumption,  2-weak  circular  security  is  not 
implied  by  CCA  security. 

In  both  of  these  results,  which  also  apply  to  the  stronger  circular  security  definition,  we  actually  show 
for  the  first  time  an  attack  in  which  the  adversary  can  recover  the  secret  key  of  an  otherwise- secure 
encryption  scheme  after  an  encrypted  key  cycle  is  published.  These  negative  results  are  an  important 
step  in  answering  deep  questions  about  which  attacks  are  prevented  by  commonly-used  definitions  and 
systems  of  encryption.  They  say  to  practitioners:  if  key  cycles  may  arise  in  your  system,  then  even  if  you 
use  CCA-secure  encryption,  your  system  may  break  catastrophically;  that  is,  a  passive  adversary  might 
be  able  to  recover  your  secret  keys. 

Keywords:  Encryption,  Definitions,  Circular  Security,  Counterexamples 


1  Introduction 

Encryption  is  one  of  the  most  fundamental  cryptographic  primitives.  Most  definitions  of  encryption  secu¬ 
rity  [21,  18,  34]  follow  the  seminal  notion  of  Goldwasser  and  Micali  which  guarantees  indistinguislrability  of 
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encryptions  for  messages  chosen  by  the  adversary  [21].  However,  Goldwasser  and  Micali  wisely  warned  to 
be  careful  when  using  a  system  proven  secure  within  this  framework  on  messages  that  the  adversary  cannot 
derive  himself. 

Over  the  past  several  years,  there  has  been  significant  interest  in  designing  schemes  secure  against  key- 
dependent  message  attacks ,  e.g.,  [15,  11,  30,  3,  26,  28,  13,  14,  5,  2],  where  the  system  must  remain  secure  even 
when  the  adversary  is  allowed  to  obtain  encryptions  of  messages  that  depend  on  the  secret  keys  themselves. 
In  this  work,  we  are  particularly  interested  in  circular  security  [15].  A  public-key  cryptosystem  is  n-circular 
secure  if  the  ciphertexts  E(pk±,  sfo),  E(pk2,  ska),  •  •  • ,  E(pkn_1,  skn),  E(pkn,  ski),  as  well  as  ciphertexts  of 
chosen  messages,  cannot  be  distinguished  from  encryptions  of  zero,  for  independent  key  pairs.  Either  by 
design  or  accident,  these  key  cycles  naturally  arise  in  many  applications,  including  storage  systems  such  as 
BitLocker  [13],  anonymous  credentials  [15],  the  study  of  “axiomatic  security”  [30,  3]  and  more.  See  [13]  for 
a  discussion  of  the  applications. 

Until  recently,  few  positive  or  negative  results  regarding  circular  security  were  known  outside  of  the 
random  oracle  model.  On  one  hand,  no  n-circular  secure  cryptosystems  were  known  for  n  >  1.  On  the  other 
hand,  no  counterexamples  existed  for  n  >  1  to  separate  the  definitions  of  circular  and  CPA  security;  that 
is,  as  far  as  anyone  knew  the  CPA-security  definition  already  captured  circular  security  for  any  cycle  larger 
than  a  self-loop. 

Recently,  this  gap  has  been  closing  in  two  ways.  On  the  positive  side,  several  circular-secure  schemes 
have  been  proposed  [13,  5,  14].  The  focus  of  the  current  work  is  on  negative  results  -  namely,  investigating 
whether  standard  notions  of  encryption  are  “safe”  for  circular  applications. 

In  2008,  Bonelr,  Halevi,  Hamburg  and  Ostrovsky  proved,  by  counterexample,  that  one-way  security 
does  not  imply  circular  security  [13].  Recently,  Acar,  Beleniky,  Bellare  and  Cash  [2]  proved  that,  under  an 
assumption  in  bilinear  groups,  CPA-security  does  not  imply  circular  security. 

Our  Results  We  narrow  this  gap  even  further  by  studying  the  extent  to  which  standard  definitions  (e.g., 
CPA,  CCA)  imply  a  weak  form  of  circular  security.  Our  results  are  primarily  negative. 

1.  Relaxing  the  Circular  Security  Notion.  Perhaps  the  current  formulation  of  circular  security  is  “too 
strong” ;  that  is,  perhaps  there  is  a  relaxed  notion  of  this  definition  which  simultaneously  satisfies  many 
practical  applications  and  yet  is  also  already  captured  by  standard  security  notions.  This  is  an  area  worth 
investigating.  We  begin  by  proposing  a  natural  relaxation  called  weak  circular  security  where  the  adversary 
is  handed  an  encrypted  cycle  E(pk1,  sA^),  E(pk2,  sk 3),  . . . ,  E(pkn_i,  skn ),  E(pkn,  ski)  along  with  the  public 
keys  and  then  proceeds  to  play  the  CPA  or  CCA  security  game  as  normal  (where  these  ciphertexts  are  also 
off-limits  for  the  decryption  oracle).  We  stress  here  that  the  encrypted  cycle  is  always  generated  as  described, 
and  is  never  changed  to  encryptions  of  zero.  This  definition  is  intriguing,  and  perhaps  of  independent  interest, 
for  two  reasons. 

First,  the  Acar  et  al.  [2]  counterexample  does  not  apply  to  it.  That  construction  uses  the  bilinear  map 
to  test  whether  a  sequence  of  ciphertexts  contain  a  cycle  or  zeros.  Here  the  adversary  knows  he’s  getting  an 
encrypted  cycle,  but  then  must  extract  some  knowledge  from  this  that  helps  him  distinguish  two  messages 
of  his  choosing. 

Second,  this  definition  appears  sufficient  for  some  practical  settings.  Using  a  weak  circular  secure  encryp¬ 
tion  scheme,  Alice  and  Bob  could  exchange  keys  with  each  other  over  an  insecure  channel  knowing  that:  (1) 
Eve  can  detect  that  they  did  so,  but  (2)  Eve  cannot  learn  anything  about  their  other  messages.  Similarly,  an 
adversary  scanning  over  a  user’s  BitLocker  storage  may  detect  that  her  drive  contains  an  encrypted  cycle,  but 
cannot  read  anything  on  her  drive.  In  an  anonymous  credential  system  of  Camenisch  and  Lysyanskaya  [15], 
a  user  has  multiple  keys.  To  participate  in  the  system,  the  user  must  encrypt  them  in  a  cycle,  provide 
this  cycle  to  the  other  users,  and  prove  that  she  has  done  this  correctly.  Then,  if  she  shares  one  key,  she 
automatically  shares  all  her  keys.  In  their  application,  detection  of  a  cycle  is  actually  desirable,  provided 
that  subsequent  encryptions  remain  secure. 

2.  Symmetric-Key  Counterexamples.  In  the  symmetric  setting,  we  show  that  standard  notions  do  not 
imply  n-circular  security  for  any  positive  n.  Specifically,  given  any  n  >  1,  we  show  how  to  construct  a 
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secure  authenticated  encryption  scheme  (which  is  necessarily  CCA-secure;  see  Section  2)  that  is  not  n-weak 
circular  secure,  under  the  minimal  assumption  that  secure  authenticated  encryption  schemes  exist,  which 
are  equivalent  to  one-way  functions. 

The  main  technical  ingredient  in  our  counterexample  is  a  lemma  showing  that  it  is  provably  hard  for  an 
adversary  to  compute  an  encrypted  key  cycle  itself,  assuming  that  the  symmetric  scheme  under  attack  is  a 
secure  authenticated  encryption  scheme  (or  CCA  secure).  We  stress  that  this  lemma  does  not  hold  if  the 
encryption  scheme  is  only  CPA  secure. 

Our  lemma  gives  us  leverage  in  constructing  a  counterexample  because  it  means  the  adversary  is  given 
strictly  more  power  in  the  weak  circular  security  game  than  in  the  standard  security  game.  Specifically,  the 
adversary  is  given  an  encrypted  key  cycle  in  the  weak  circular  security  game  that  it  could  not  have  computed 
itself,  and  we  design  a  scheme  to  help  such  an  adversary  without  affecting  regular  security. 

3.  Public-Key  Counterexamples.  We  show  that  neither  CPA  nor  CCA-security  imply  (even)  weak  circular 
security  for  cycles  of  size  2.  That  is,  we  show  secure  systems  that  are  totally  compromised  when  the 
independently-generated  ciphertexts  E(pkA,  skB)  and  E(pkB,  skA)  are  released.  This  is  a  difficult  task, 
because  the  system  must  remain  secure  if  either  one,  but  only  one,  of  these  ciphertexts  are  released.  Moreover, 
this  counterexample  requires  new  ideas.  We  cannot  use  the  common  trick  in  self-loop  counterexamples  that 
test  if  the  message  is  the  secret  key  corresponding  to  the  public  key,  since  there  is  no  way  for  the  encryption 
algorithm  with  public  key  pkA  to  distinguish,  say,  skB  from  any  other  valid  message.  Specifically,  we  show 
that: 

If  there  exists  an  algebraic  setting  where  the  Symmetric  External  Diffie-Hellman  1  (SXDH)  assumption 
holds,  then  there  exists  a  CPA-secure  cryptosystem  which  is  not  2-weak  circular  secure.  The  proposed  scheme 
is  particularly  interesting  in  that  it  breaks  catastrophically  in  the  presence  of  a  2-cycle  —  revealing  the  secret 
keys  of  both  users. 

Moreover,  if  simulation-sound  non-interactive  zero-  knowledge  (NIZK)  proof  systems  exist  for  NP  and 
there  exists  an  algebraic  setting  where  the  Symmetric  External  Diffie-Hellman  (SXDH)  assumption  holds, 
then  there  exists  a  CCA-secure  cryptosystem  which  is  not  2-weak  circular  secure.  This  is  also  the  first 
separation  of  CCA  security  and  (regular)  circular  security. 

These  results  deepen  our  understanding  of  how  to  define  “secure”  encryption  and  which  practical  attacks 
are  captured  by  the  standard  definitions.  They  also  provide  additional  justification  for  the  ongoing  effort, 
e.g.  [13,  14,  5],  to  develop  cryptosystems  which  are  provably  circular  secure. 

1.1  Related  Work 

In  2001,  Camenisch  and  Lysyanskaya  [15]  introduced  the  notion  of  circular  security  and  used  it  in  their 
anonymous  credential  system  to  discourage  users  from  delegating  their  secret  keys.  They  also  showed  how 
to  construct  a  circular-secure  cryptosystem  from  any  CPA-secure  cryptosystem  in  the  random  oracle  model. 
Independently,  Abadi  and  Rogaway  [1]  and  Black,  Rogaway,  Shrimpton  [11]  introduced  the  more  general  no¬ 
tion  of  key-dependent  message  (KDM)  security,  where  the  encrypted  messages  might  depend  on  an  arbitrary 
function  of  the  secret  keys.  Black  et  al.  showed  how  to  realize  this  notion  in  the  random  oracle  model. 

Halevi  and  Krawczyk  [26]  extended  the  work  of  Black  et  al.  to  look  at  KDM  security  for  deterministic 
secret-key  functions  such  as  pseudorandom  functions  (PRFs),  tweakable  blockciplrers,  and  more.  They  give 
both  positive  and  negative  results,  including  some  KDM-secure  constructions  in  the  standard  model  for  PRFs. 
In  the  symmetric  setting,  Hofheinz  and  Unruh  [28]  showed  how  to  construct  circular-secure  cryptosystems  in 
the  standard  model  under  relaxed  notions  of  security.  Backes,  Pfitzmann  and  Scedrov  [7]  presented  stronger 
notions  of  KDM  security  (some  in  the  random  oracle  model)  and  discussed  the  relationships  among  these 
notions. 

1The  SXDH  assumption  states  that  there  is  a  bilinear  setting  e  :  Gi  X  G2  — >  G t  where  the  Decisional  Diffie-Hellman  (DDH) 
assumption  holds  in  both  Gi  and  G2.  It  has  been  extensively  studied  and  used  e.g.,  [20,  38,  31,  12,  8,  6,  23,  9,  24],  perhaps 
most  notably  as  a  setting  of  the  Groth-Sahai  NIZK  proof  system  [24], 
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In  the  public-key  setting,  Boneh,  Halevi,  Hamburg  and  Ostrovsky  [13]  presented  the  first  cryptosystem 
which  is  simultaneously  CPA-secure  and  n-circular-secure  (for  any  n )  in  the  standard  model,  based  on 
either  the  DDH  or  Decision  Linear  assumptions.  As  mentioned  earlier,  Boneh  et  al.  [13]  also  proved,  by 
counterexample,  that  one-way  security  does  not  imply  circular  security.  One-way  encryption  is  a  very 
weak  notion,  which  informally  states  that  given  (pk,  E(pk,m)),  the  adversary  should  not  be  able  to  recover 
m.  Given  any  one-way  encryption  system,  they  constructed  a  one-way  encryption  system  that  is  not  n- 
circular  secure  (for  any  n).  Their  system  generates  two  key  pairs  from  the  original  and  sets  PK  =  pk1  and 
SK  =  (ski,  S&2)-  A  message  (mi,  m2)  is  encrypted  as  (mi,  £’(pfc1,  m2)).  In  the  event  of  a  2-cycle,  the  values 
En c(pkA,  sks)  =  (sks,i,  E(pkA  1,  sks,2))  and  Enc (pkB,skA)  =  (skA,i,  E(pkB1,  skA,2))  provide  the  critical 
secret  key  information  (skB,i,  skA,i )  in  the  clear. 

Subsequently,  Applebaum,  Cash,  Peikert  and  Sahai  [5]  adapted  the  circular-secure  construction  of  [13] 
into  the  lattice  setting.  Camenisch,  Chandran  and  Shoup  [14]  extended[13]  to  the  first  cryptosystem  which  is 
simultaneously  CCA-secure  and  n-circular-secure  (for  any  n)  in  the  standard  model,  by  applying  the  “double 
encryption”  paradigm  of  Naor  and  Yung  [33].  (Interestingly,  we  use  this  same  approach  in  Section  4.4  to 
extend  our  public-key  counterexample  from  CPA  to  CCA  security.) 

Haitner  and  Holenstein  [25]  recently  provided  strong  impossibility  results  for  KDM-security  with  respect  to 
1-key  cycles  (a.k.a.,  self-loops.)  They  study  the  problem  of  building  an  encryption  scheme  where  it  is  secure  to 
release  E(k ,  g(k ))  for  various  functions  g.  First,  they  show  that  there  exists  no  fully-black-box  reduction  from 
a  KDM-secure  encryption  scheme  to  one-way  permutations  (or  even  some  families  of  trapdoor  permutations) 
if  the  adversary  can  obtain  encryptions  of  g(k),  where  g  is  a  poly(n)-wise  independent  hash  function.  Second, 
there  exists  no  reduction  from  an  encryption  scheme  secure  against  key-dependent  messages  to,  essentially, 
any  cryptographic  assumption,  if  the  adversary  can  obtain  an  encryption  of  g(k)  for  an  arbitrary  g,  as  long 
as  the  security  reduction  treats  both  the  adversary  and  the  function  g  as  black  boxes.  These  results  address 
the  possibility  of  achieving  strong  single-user  KDM-security  via  reductions  to  cryptographic  assumptions. 
The  results  in  this  paper  study  a  version  of  KDM  security  that  is  in  one  sense  weaker  -  we  only  allow  a 
narrow  class  of  functions  g  -  but  also  stronger  because  it  considers  multiple  users.  Our  results  also  address 
a  different  question  regarding  KDM  security.  We  study  whether  or  not  KDM  security  is  always  implied 
by  regular  security  while  Haitner  and  Holenstein  study  the  possibility  of  achieving  strong  single-user  KDM 
security  via  specialized  constructions. 

Most  closely  related  to  our  work,  Acar  et  al.  [2]  demonstrated  both  public  and  private  key  encryption 
systems  that  are  provably  CPA-secure  and  yet  also  demonstrably  not  2-circular  secure.  Their  counterexample 
does  not  apply  to  CCA  or  weak  circular  security. 

Subsequent  to  the  original  posting  of  this  work,  Rothblum  [36]  studied  the  circular  security  of  bit  encryp¬ 
tion.  In  particular,  using  n-linear  maps,  for  large  n,  where  DDH  is  assumed  hard  in  every  pre-image  group, 
he  constructs  a  CPA  (or  CCA)  secure  bit-encryption  scheme  that  is  not  circular  secure;  that  is,  where  it  is 
not  “safe”  to  encrypt  the  secret  key  sk  bit-by-bit  using  the  corresponding  public  key  pk.  This  approach  is 
conceptually  similar  to  extending  either  the  Acar  et  al.  [2]  or  our  2-circular  counterexample  in  Section  4  to 
an  n-circular  counterexample  using  n-linear  maps.  Unfortunately,  there  are  no  candidate  implementations 
for  n-linear  maps  where  n  >  2  and  even  the  discrete  logarithm  problem  is  believed  to  be  hard  in  one  of  the 
pre-image  groups.  Thus,  it  remains  an  open  problem  to  resolve  these  two  fascinating  questions  relating  to 
circular  security. 

There  is  also  a  relationship  to  recent  work  on  leakage  resilient  and  auxiliary  input  models  of  encryption, 
which  mostly  falls  into  the  “self-loop”  category.  In  leakage  resilient  models,  such  as  those  of  Akavia,  Gold- 
wasser  and  Vaikuntanathan  [4]  and  Naor  and  Segev  [32],  the  adversary  is  given  some  function  h  of  the  secret 
key,  not  necessarily  an  encryption,  such  that  it  is  information  theoretically  impossible  to  recover  sk.  The 
auxiliary  input  model,  introduced  by  Dodis,  Kalai  and  Lovett  [17],  relaxes  this  requirement  so  that  it  only 
needs  to  be  difficult  to  recover  sk. 

Self-Loops  In  sharp  contrast  to  all  n  >  2,  the  case  of  1-circular  security  is  fairly  well  understood.  A 
folklore  counterexample  shows  that  CPA-security  does  not  directly  imply  1-circular  security.  Given  any 
encryption  scheme  (G,E,D),  one  can  build  a  second  scheme  (G,E',D')  as  follows:  (1)  E'(pk,m )  outputs 
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IND-CPA(n,  A,  A) 
b  <—  {0, 1} 

( pk,sk )  <—  KeyGen(lA) 
(mo,  mi,  z)  <-  Ai(pk) 
y  <—  Enc(pfc,  mb) 
b  <-  M(y,z) 

Output  ( b  =  b) 


AE(n,  A,  A) 
fo  ^  {0, 1} 

K  <r-  KeyGen(lA) 

b  <r~  A£K’b<-','i’T>‘<-b<-'\l>') 

Output  (6  =  b). 


Figure  1:  Experiments  for  Definitions  2.1  and  2.3. 


E(pk,m) ||0  if  m  ^  sk  and  m||l  otherwise,  (2)  D’(sk,c\\b)  outputs  D(sk,m)  if  b  =  0  and  sk  otherwise.  It 
is  easy  to  show  that  if  ( G,E,D )  is  CPA-secure,  then  (G,E’,D')  is  CPA-secure.  When  E'(pk,sk)  =  sfc||l  is 
exposed,  then  there  is  a  complete  break.  Conversely,  given  any  CPA-secure  system,  one  can  build  a  1-circular 
secure  scheme  in  the  standard  model  [13]. 

2  Definitions  of  Security 

A  public-key  encryption  system  II  is  a  tuple  of  algorithms  (KeyGen,  Enc,  Dec),  where  KeyGen  is  a  key- 
generation  algorithm  that  takes  as  input  a  security  parameter  A  and  outputs  a  public/secret  key  pair  ( pk ,  sk); 
Enc (pk,m)  encrypts  a  message  m  under  public  key  pk;  and  Dec(sfc,c)  decrypts  ciphertext  c  with  secret  key 
sk.  A  symmetric-key  encryption  system  is  a  public-key  encryption  system,  except  that  it  always  outputs 
pk  =  _L,  and  the  encryption  algorithm  computes  ciphertexts  using  sk,  i.e.  by  running  Enc(sfc,m).  In  the 
symmetric  case  we  will  sometimes  write  K  instead  of  sk.  As  in  most  other  works,  we  assume  that  all 
algorithms  implicitly  have  access  to  shared  public  parameters  establishing  a  common  algebraic  setting. 

Our  definitions  of  security  will  associate  a  message  space,  denoted  M ,  with  each  encryption  scheme. 
Throughout  this  paper,  we  assume  that  the  space  of  possible  secret  keys  output  by  KeyGen  is  a  subset  of  the 
message  space  M  and  thus  any  secret  key  can  be  encrypted  using  any  public  key.  For  symmetric  encryption 
schemes  we  will  always  have  M  C  {0, 1}*. 

By  v(k)  we  denote  some  negligible  function,  i.e.,  one  such  that,  for  all  c  >  0  and  all  sufficiently  large  k, 
v(k)  <  l/kc.  We  abbreviate  probabilistic  polynomial  time  as  PPT. 

2.1  Standard  Security  Definitions 

Public-key  encryption  We  recall  the  standard  notion  of  indistinguishability  of  encryptions  under  a 
chosen-plaintext  attack  due  to  Goldwasser  and  Micali  [21]. 

Definition  2.1  (IND-CPA)  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  public-key  encryption  scheme  for  the  message 
space  M .  For  b  €  {0, 1},  A  =  (Ai,A2)  and  A  €  N,  let  the  random  variable  IND-CPA(II,  A,  A)  be  defined  by 
the  probabilistic  algorithm  described  on  the  left  side  of  Figure  1.  We  denote  the  IND-CPA  advantage  of  A  by 
Adv^Ip(4(A)  =  2  •  Pr[IND-CPA(II,  A,  A)  =  1]  —  1.  We  say  that  II  is  IND-CPA  secure  */  Adv'fJ’^A)  is  negligible 
for  all  PPT  A. 

We  also  consider  the  indistinguishability  of  encryptions  under  chosen-ciphertext  attacks  [33,  34,  18]. 

Definition  2.2  (IND-CCA)  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  public-key  encryption  scheme  for  the  message 
space  M .  Let  the  random  variable  IND-CCA(II,  A,  A)  be  defined  by  an  algorithm  identical  to  IND-CPA(II,  A,  A) 
above,  except  that  both  A\  and  A 2  have  access  to  an  oracle  D ec(sk,  •)  that  returns  the  output  of  the  decryp¬ 
tion  algorithm  and  A 2  cannot  query  this  oracle  on  input  y.  We  denote  the  IND-CCA  advantage  of  A  by 
Adv^^dA)  =  2  •  Pr[IND-CCA(II,  A,  A)  =  1]  —  1.  We  say  that  II  is  IND-CCA  secure  */Advdd(A)  is  negligible 
for  all  PPT  A. 
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IND-CIRC-CPAn(n,„4,  A) 

b^{  0,1} 

For  i  =  1  to  n: 

(pk^skf)  <—  KeyGen(lA) 
If  b  =  1  then 

y  <—  EncCycle(pk,  sk) 
Else 

y  t—  EncZero(pk,  sk) 
Al(pk,y) 

Output  ( b  =  b) 


IND-WCIRC-CPAn(II,„4,A) 

For  i  =  1  to  n: 

(pk^ski)  <—  KeyGen(lA) 
y  «—  EncCycle(pk,  sk) 
(j,mo,mi,z)  <r-  »4i(pk,  y) 
y  <-  Enc (pkj,mb) 
b  <-  ^2(j/,2) 

Output  (6  =  6) 


EncCycle(pk,  sk) 

For  i  =  1  to  n 

Vi  t  Enc(pA:i,  sk^moo  n)_j_i) 
Output  y 

EncZero(pk,  sk) 

For  i  =  1  to  n 

yi  <r-  Enc(p/ci,  0^si:<imod  n)+1') 

Output  y 


Figure  2:  Experiments  for  Definitions  2.4  and  2.5.  Each  is  defined  with  respect  to  a  message  space  M, 
and  we  assume  that  mo,  mi  £  M  always.  We  write  pk,  sk,  and  y  for  (pk1, . . . , pkn),  (ski, . . . ,  skn)  and 
{yi,  ■  ■  ■ ,Vn )  respectively. 


Symmetric-key  authenticated  encryption  We  recall  the  definition  of  secure  authenticated  (symmetric- 
key)  encryption  due  to  [35],  except  that  we  will  not  require  pseudorandom  ciphertexts.  Bellare  and  Nam- 
prempre  [10]  showed  that  AE  implies  IND-CCA,  and  is  in  fact  strictly  stronger.  For  our  counterexample,  we 
target  this  very  strong  definition  of  security  in  order  strengthen  our  results  by  showing  that  even  this  does 
not  imply  weak  circular  security. 

Definition  2.3  (AE)  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  symmetric-key  encryption  scheme  for  the  message 
space  M.  Let  the  random  variable  AE(II,^4,  A)  be  defined  by  the  probabilistic  algorithm  described  on  the 
right  side  of  Figure  1.  In  the  experiment,  the  oracle  takes  as  input  a  pair  of  equal-length  messages 

(mo,  mi)  and  computes  Enc(A',  mb).  The  oracle  Fff  b(-)  takes  as  input  a  ciphertext  c  and  computes  Dec(AT,  c) 
ifb=  1  and  always  returns  _L  ifb  =  0.  The  adversary  is  not  allowed  to  submit  any  ciphertext  to  D^bi')  ^ a t 
was  previously  returned  by  £) fb(‘i  ')•  denote  the  AE  advantage  of  A  by  Adv^  ^(A)  =  2  •  Pr[AE(II,  A,  A)  = 

1]  —  1.  We  say  that  II  is  AE  secure  if  Adv^.^(A)  is  negligible  for  all  PPT  A. 

2.2  Circular  Security  Definitions 

We  next  give  definitions  for  circular  security  of  public-key  and  synnnetric-key  encryption.  These  definitions 
are  variants  of  the  Key-Dependent  Message  (KDM)  security  notion  of  Black  et  al.  [11].  By  restricting  the 
adversary’s  power,  we  make  it  significantly  harder  for  us  to  devise  a  counterexample  and  thus  prove  a  stronger 
negative  result.2 

Definition  2.4  (IND-CIRC-CPA")  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  public-key  encryption  scheme  for  the 
message  space  M.  For  b  €  {0, 1},  integer  n  >  0,  adversary  A  and  A  €  N,  let  the  random  variable 
IND-CIRC-CPAn(II,  A,  A)  be  defined  by  the  probabilistic  algorithm  on  the  left  side  of  Figure  2.  We  denote  the 
IND-CIRC-CPA"  advantage  of  A  by 

Adv“cpa(A)  =  2  •  Pr[IND-CIRC-CPA"(II,yt,  A)  =  1]  -  1. 

We  say  that  II  is  IND-CIRC-CPA"  secure  if  Adv[)^rc"cpa(A)  is  negligible  for  all  PPT  A. 

One  could  augment  this  definition  by  modifying  the  IND-CIRC-CPA"  experiment  to  allow  for  a  challenge 
“left-or-right”  query  as  in  IND-CPA.  While  this  is  a  quite  natural  modification,  it  only  strengthens  the 
definition,  and  we  are  interested  in  studying  the  weakest  notions  for  which  we  can  give  a  separation.  Next 
we  give  a  definition  of  weak  circular  security  of  public-key  encryption. 

2If  we  allowed  the  adversary  to  obtain  encryptions  of  any  affine  function  of  the  secret  keys,  as  is  done  in  [26,  13],  then  we 
could  devise  a  trivial  counterexample  where  the  adversary  uses  1-cycles  to  break  the  system. 
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Definition  2.5  (IND-WCIRC-CPA")  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  public-key  encryption  scheme  for 
the  message  space  M .  For  b  £  {0, 1},  integer  n  >  0,  adversary  A  and  A  £  N,  let  the  random  variable 
IND-WCIRC-CPA"(II,  A,  A)  be  defined  by  probabilistic  algorithm  on  the  center  of  Figure  2.  We  denote  the 
IND-WCIRC-CPA"  advantage  of  A  by 

Adv”^circ'cpa(A)  =  2  •  Pr[IND-WCIRC-CPA"(II,  A,  A)  =  1]  -  1. 

We  say  that  II  is  IND-WCIRC-CPA"  secure  if  the  function  Adv))"^clrc"cpa(A)  is  negligible  for  all  PPT  A. 

Finally,  we  give  a  definition  of  weak  circular  security  for  symmetric  encryption.  We  will  abuse  notation 
and  also  call  this  IND-WCIRC-CPA"  security,  since  it  will  be  clear  from  the  context  whether  or  not  we  mean 
public-key  and  symmetric-key. 

Definition  2.6  (IND-WCIRC-CPA")  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  symmetric-key  encryption  scheme  for 
the  message  space  M.  For  b  £  {0, 1},  integer  n  >  0,  adversary  A  and  A  £  N,  let  IND-WCIRC-CPA" (II,  A,  A) 
be  defined  by  the  following  probabilistic  algorithm: 

IND-WCIRC-CPA])  (II,  A,  A) 
b  «—  {0, 1} 

For  i  =  1  to  n: 

I\i  -s—  KeyGen(lA) 
y  ■£-  EncCycle(K) 

b<- A*"* y) 

*  ? 

Output  (b  =  b) 

We  denote  the  IND-WCIRC-CPA"  advantage  of  A  by 

Advn)yiCirC’Cpa(A)  =  2  '  Pr[IND-WCIRC-CPA"(II,  A,  A)  =  1]  -  1. 

We  say  that  II  is  IND-WCIRC-CPA"  secure  if  AdvO"™lrc"cpa(A)  is  negligible  for  all  PPT  A. 

Discussion  In  both  the  IND-CPA  and  IND-CIRC-CPA  notions,  the  adversary  must  distinguish  an  encryption 
(or  encryptions)  of  a  special  message  from  the  encryption  of  zero.  This  choice  of  the  message  zero  is  arbitrary. 
We  keep  it  in  the  statement  of  our  definition  to  be  consistent  with  [13];  however,  it  is  important  to  note, 
for  systems  such  as  ours  where  zero  is  not  in  the  message  space,  that  zero  can  be  replaced  by  any  constant 
message  for  an  equivalent  definition.  Acar  et  al.  [2]  use  an  equivalent  definition  where  zero  is  replaced  by  a 
fresh  random  message. 

We  will  not  need  to  define  a  notion  of  security  to  withstand  circular  and  chosen-ciphertext  attacks,  because 
we  are  able  to  show  a  stronger  negative  result.  In  Section  4.4,  we  provide  an  IND-CCA-secure  cryptosystem, 
which  is  provably  not  IND-CIRC-CPA-secure.  In  other  words,  we  are  able  to  devise  a  peculiar  cryptosystem: 
one  that  withstands  all  chosen-ciphertext  attacks,  and  yet  breaks  under  a  weak  circular  attack  which  does 
not  require  a  decryption  oracle. 


EncCycle(K) 

For  i  =  1  to  n 

Vi  t  EncfAT^,  K(imo d  n)  +  l) 
Output  y 

Enc(j,  TOp,  mi) 

Return  Enc(A)j,  to?,) 


3  Counterexample  for  Symmetric  Encryption 

Encryption  Scheme  IIae  Let  II'e  =  (KeyGen',  Enc',  Dec')  be  a  secure  authenticated  encryption  scheme. 
To  simplify  our  results,  we  assume  that  KeyGen,(lA)  outputs  a  uniformly  random  key  K  in  {0, 1}A,  that  the 
message  space  M’  =  {0,1}*,  and  that  ciphertexts  output  by  En c'(K,m)  are  always  in  {0,  1}p(ItoD,  where 
p  is  some  polynomial  that  depends  on  A.  We  also  assume  that  the  first  A  bits  of  a  ciphertext  are  never 
equal  to  K.  All  of  these  assumptions  can  be  removed  via  straightforward  and  standard  modifications  to  our 
arguments  below. 
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Fix  a  positive  integer  n.  We  now  construct  our  counterexample  scheme,  denoted  IIae  = 
We  will  take  KeyGen  =  KeyGen',  i.e.,  nae  also  uses  keys  randomly  chosen  from  {0, 1}A 
of  nae  will  consist  of  M  =  {0, 1}A  U  {0,  1}"p(a),  bit  strings  of  length  either  A  or  np( A), 
and  Dec  are  defined  as  follows. 

Enc(A',  to) 

If  lsCycle(A',  to)  then 
Output  A'  ||  to 
Else 

Output  Enc'(A,  to) 


Dec(A7  c) 

If  c  =  A  ||  to  then 
Output  TO 
Else 

Output  Dec' (A,  c) 

Decryption  is  always  correct.  This  follows  from  our  assumption  that  Enc'  will  never  output  a  ciphertext  that 
contains  K  as  a  prefix.  We  first  establish  the  AE  security  of  our  scheme. 

Theorem  3.1  Encryption  scheme  IIae  is  AE  secure  whenever  II'e  is  AE  secure. 

(Pi'oof  in  Appendix  A. 2.) 

The  proof  proceeds  by  showing  that  computing  an  encrypted  key-cycle  during  the  AE  game  is  equivalent  to 
recovering  the  secret  key.  From  there  we  can  reduce  the  security  of  IIae  to  II'e  easily. 

Curiously,  Theorem  3.1  is  no  longer  true  if  one  replaces  AE  security  with  a  symmetric  version  of  IND-CPA 
security  for  both  IIae  and  II' e.  Namely,  some  type  of  chosen-ciphertext  security  is  required  on  II' e  to  prove 
even  chosen-plaintext  security  of  nae.  Intuitively,  this  is  because  it  might  be  possible  for  an  adversary  to 
compute  an  encrypted  key-cycle  on  its  own  if  the  scheme  is  only  I ND- CPA-secure,  but  not  if  the  scheme  is 
AE  -secure.  In  fact,  the  work  of  Boneh  et  al.  [13]  gives  an  explicit  example  of  a  scheme  where  the  adversary 
can  compute  a  cycle  himself. 

The  Attack  We  now  show  that  IIae  is  not  circular-secure  for  cycles,  even  in  a  weak  sense. 

Theorem  3.2  IIae  is  not  IND-WCIRC-CPA"  secure. 

Proof.  We  give  an  explicit  adversary  A  that  has  advantage  negligibly  close  to  1.  The  adversary  takes  as 
input  the  encrypted  key-cycle  y  in  the  IND-WCIRC-CPA"  game.  It  queries  Enc(l, Too, TOi),  where  mg  =  y 
and  toi  is  a  random  message  of  the  same  length.  Let  y  be  the  ciphertext  returned  by  the  oracle. 

At  this  point,  there  are  many  ways  to  proceed;  perhaps  the  simplest  is  to  observe  that  the  length  of 
y  depends  on  the  challenge  bit  b.  This  is  because,  if  b  =  0,  then  m0  =  y  was  encrypted,  resulting  in 
y  =  A  ||  y,  which  is  A  +  np( A)  bits  long.  If  b  =  1  then  y  was  computed  by  running  Enc'(A',  Toi),  which  will 
bep(|TOi|)  =  p(np( A))  bits  long  if  lsCycle(A",  mi)  returns  false.  Thus,  as  long  as  lsCycle(A",  Toi)  returns  false, 
A2  can  compute  the  value  of  b  by  measuring  y' s  length. 

But  why  should  lsCycle(A',  toi)  return  false?  This  follows  from  the  AE  security  of  II'e.  Let  us  parse  toi 
into  (ci, . . . ,  c„),  where  each  c*  €  {0, 1}^(A)  is  random.  When  lsCycle(A',  Toi)  returns  true,  it  must  be  that 
Dec'(A^, Ci)  did  not  return  J_.  But  if  this  happens,  then  we  can  construct  an  adversary  to  break  the  AE 
security  of  II'e.  The  adversary  simply  queries  2?“ b(-)  at  a  random  point,  observes  if  it  returns  T  or  not,  and 
outputs  b  =  0  or  1  depending  on  this  observation.  □ 

We  note  that  we  could  design  an  encryption  scheme  that  does  not  have  this  type  of  ciphertext-length 
behavior  by  giving  a  different  attack  that  abuses  the  fact  that  K  is  present  in  the  ciphertext  in  one  case, 
but  not  the  other.  We  have  chosen  to  present  the  attack  this  way  for  simplicity  only. 
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lsCycle(A7  to) 

If  |to|  yf  np{ A) 

Return  false 
Parse  m  as  (ci, . . . ,  cn ) 

K-2  i -  Dec' (A, ci) 

For  i  =  2  to  n 

Ajmodn-f-l  t  Dec  (Aj,  cf) 
Return  (A'i  =  K) 


■■  (KeyGen,  Enc,  Dec). 
The  message-space 
The  algorithms  Enc 
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4  Counterexamples  for  Public-Key  Encryption 

4.1  Preliminaries  and  Algebraic  Setting 

Bilinear  Groups  We  work  in  a  bilinear  setting  where  there  exists  an  efficient  mapping  function  e  : 
Gi  x  G2  — >  G t  involving  groups  of  the  same  prime  order  p.  Two  algebraic  properties  required  are  that:  (1)  if  g 
generates  Gi  and  h  generates  G2,  then  e(g ,  h )  y  1  and  (2)  for  all  a,  b  £  Zp,  it  holds  that  e(ga ,  hb)  =  e{g1  h)ab. 


Decisional  Diffie-Hellman  Assumption  (DDH)  Let  G  be  a  group  of  prime  order  p  £  0(2A).  For  all 
PPT  adversaries  A ,  the  following  probability  is  1/2  plus  an  amount  negligible  in  A: 


Pr 


Zq  <—  G;  a,  b  £-  Zp;  z\  <—  gab;  d  ■£-  {0, 1}; 
d!  <-  A(g,ga,gb,zd)  :  d  =  d! 


Strong  External  Diffie-Hellman  Assumption  (SXDH):  Let  e  :  Gi  x  G2  — >•  G t  be  bilinear  groups.  The 
SXDH  assumption  states  that  the  DDH  problem  is  hard  in  both  Gi  and  in  G2.  This  implies  that  there  does 
not  exist  an  efficiently  computable  isomorphism  between  these  two  groups.  The  SXDH  assumption  appears 
in  many  prior  works,  such  as  [20,  38,  31,  12,  8,  6,  23,  9,  24,  2]. 


Indistinguishability  and  Pseudorandom  Generators 

Definition  4.1  (Indistinguishability)  Two  ensembles  of  probability  distributions  and  {Pfc}fceN 

with  index  set  N  are  said  to  be  computationally  indistinguishable  if  for  every  polynomial- size  circuit  family 
{Dfcjfcgpj)  there  exists  a  negligible  function  v  such  that 

|Pr  [x  <-  Xk  :  Dk(x)  =  1]  -  Pr  [y  <-  Yk  :  Dk(y)  =  1]| 
is  less  than  v(k).  We  denote  such  sets  {-Xfc}keN  ~  {bcjfceN- 

Definition  4.2  (Pseudorandom  Generator  [29])  Let  Ux  denote  the  uniform  distribution  over  {0, 1}X. 
Let  £(•)  be  a  polynomial  and  let  G  be  a  deterministic  polynomial-time  algorithm  such  that  for  any  input 
s  £  {0, 1}",  algorithm  G  outputs  a  string  of  length  £(n).  We  say  that  G  is  a  pseudorandom  generator  if  the 
following  two  conditions  hold: 

•  (Expansion:)  For  every  n,  it  holds  that  £(n)  >  n. 

•  (Pseudorandomness:)  For  every  n,  «  {s  <—  Un  :  G(s)}„. 

The  constructions  of  Section  4.2  use  a  PRG  where  the  domain  of  the  function  is  an  exponentially-sized 
cyclic  group. 


4.2  Encryption  Scheme  ncpa 

We  now  describe  an  encryption  scheme  ncpa  =  (KeyGen,  Enc,  Dec).  It  is  set  in  asymmetric  bilinear  groups 
e  :  Gi  x  G2  — >  Gt  of  prime  order  p  where  we  assume  that  the  groups  Gi  and  G2  are  distinct  and  that  the 
DDH  assumption  holds  in  both.  We  assume  that  a  single  set  of  group  parameters  (e,p,  Gi,  G2,  Gt,  g,  h), 
where  Gi  =  (g),  G2  =  (h),  will  be  shared  across  all  keys  generated  at  a  given  security  level  and  are  implicitly 
provided  to  all  algorithms. 

The  message  space  is  M  =  {0, 1}  x  Z*  x  Z*.  Let  encode  :  M  — >  {0,  l}fG)  ancj  decode  :  {0,  l}fG)  ^4 
denote  an  invertible  encoding  scheme  where  £(A)  is  the  polynomial  length  of  the  encoded  message.  Let 
F  :  G t  —>  {0, be  a  pseudorandom  generator  secure  under  the  Decisional  Diffie  Heilman  assumption. 
(Recall  that  pseudorandom  generators  can  be  constructed  from  any  one-way  function  [27].) 
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KeyGen(lA).  The  key  generation  algorithm  selects  a  random  bit  j3  ■<—  {0, 1}  and  random  values  ai,  02  •<—  Z*. 
The  secret  key  is  set  as  sk  =  (/3,ai,a2).  We  note  that  sk  €  AT  The  public  key  is  set  as: 


pk 


(0,  e{g,  h)ai ,  <?°2)  €  {0,1}  x  GT  x  Gi  if  /3  =  0 
(1, e(g, h)ai,ha2)  €  {0, 1}  x  <&T  x  G2  if  (3  =  1. 


Encrypt(pfc,  M).  The  encryption  algorithm  parses  the  public  key  pk  =  (/3,Yi,Y2),  where  Y2  may  be  in  Gi 
or  G2  depending  on  the  structure  of  the  public  key,  and  message  M  =  (a,mi,m2)  €  M.  Note  that 
mi  and  m2  cannot  be  zero,  but  these  values  can  be  easily  included  in  the  message  space  by  a  proper 
encoding. 

Select  random  r  t—  and  R  f—  G t-  Set  I  =  F(R )  ®  encode(M). 

Output  the  ciphertext  C  as: 


Of,  R-Y{,  Y2rm2  ■  gmi ,  I) 
(hr ,  R-Y{,  Yfm2  ,  I) 


ii  /3  =  0; 
if  /3  =  1. 


We  note  that  in  the  first  case,  C  £  Gi  x  G t  x  Gi  x  {0, 1}^A),  while  in  the  second  deG2x  G t  x  G2  x 

{0,1}^). 

Decrypt(sfc,  C).  The  decryption  algorithm  parses  the  secret  key  sk  =  (/ 3 ,  Oi,  a2)  and  the  ciphertext  C  =  (Ci, 
C2,  C3,  C4).  Next,  it  computes: 


R  = 


{C2/e{Ci,h))ai 
(C2/ e(g,  Ci))ai 


if  P  =  0; 
if  f3=  1. 


Then  it  computes  M'  =  F(R)  ®  C4  G  {0, and  outputs  the  message  M  =  decode(AG). 


Discussion  Like  the  circular-secure  scheme  of  Boneh  et  al.  [13],  the  above  cryptosystem  is  a  variation  on 
El  Garnal  [19].  It  is  a  practical  system,  which  on  first  glance  might  be  somewhat  reminiscent  of  schemes  the 
readers  are  used  to  seeing  in  the  literature.  The  scheme  includes  a  few  “artificial”  properties:  (1)  placing 
a  public  key  in  either  Gi  or  G2  at  random  and  (2)  the  fact  that  the  ciphertext  value  C3  is  unused  in  the 
decryption  algorithm.  We  will  shortly  see  that  these  features  are  “harmless”  in  a  semantic-security  sense, 
but  very  useful  for  recovering  the  secret  keys  of  the  system  in  the  presence  of  a  two  cycle.  While  it  is 
not  unusual  for  counterexamples  to  have  artificial  properties  (e.g.,  [16,  22]),  we  can  address  these  points  as 
well.3  In  Appendix  C,  we  show  that  property  (1)  can  be  removed  by  doubling  the  length  of  the  ciphertext. 
For  property  (2),  we  observe  that  many  complex  protocols  such  as  group  signatures  (e.g.,  [12])  combine 
ciphertexts  with  other  components  that  are  unused  in  decryption  but  are  quite  important  to  the  protocol 
as  a  whole.  Thus,  we  believe  our  counterexample  is  not  that  far  fetched.  It  is  possible  that  such  an  attack 
could  exist  on  one  of  today’s  commonly-used  encryption  algorithms. 

We  first  show  that  ncpa  meets  the  standard  notion  of  CPA  security. 

Theorem  4.3  Encryption  scheme  ncpa  is  IND-CPA  secure  under  the  Decisional  Diffie- Heilman  Assumption 
in  Gi  and  G2  (SXDH). 

The  proof  is  given  in  Appendix  B.  It  is  relatively  standard  and  involves  repeated  applications  of  the  DDH 
assumption  and  PRG  security. 

3  While  our  scheme  is  different  from  that  of  Acar  et  al.  [2],  that  scheme  also  has  similar  artificial  properties  such  as  the 
presence  of  values  that  are  not  used  in  decryption. 
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4.3  The  Attack 


Despite  being  I ND- CPA-secure,  cryptosystem  ncpa  is  not  even  weakly  circular  secure  for  2-cycles.  Specifically, 
given  a  circular  encryption  of  two  keys,  we  show  that  an  adversary  can  distinguish  another  ciphertext  with 
advantage  1/2.  Our  adversary  actually  does  much  more  than  this:  with  probability  1/2  over  the  coins  used 
in  key  generation,  it  can  recover  both  secret  keys. 

This  is  the  first  circular  attack  that  allows  the  adversary  to  recover  the  secret  keys.  (In  Appendix  C,  we 
discuss  how  to  improve  these  probabilities  to  almost  1.)  Our  attack  combines  elements  of  both  ciphertexts 
in  an  attempt  to  recover  sk  A  ,  which  can  then  be  used  to  decrypt  the  first  ciphertext  and  obtain  skB.  It  is 
counterintuitive  that  this  is  possible,  given  that  it  is  easy  to  see  that  IND-CPA-security  guarantees  that  it  is 
safe  for  one  of  them  to  send  their  message. 

Theorem  4.4  ncpa  is  not  IND-WCIRC-CPA2-secwe. 


Proof.  We  give  PPT  adversary  A  =  (Ai,  A2)  such  that  Advj//“cl/j~cpa(A)  is  equal  to  1/2.  Since  IND-WCIRC-CPA 
security  requires  that  this  advantage  be  negligible,  this  attack  breaks  security.  The  adversary  proceeds  as 
follows.  The  first  stage  of  the  adversary,  Ai,  obtains  the  two  public  keys,  which  we  will  write  as  pkA  and 
pkB,  and  an  encrypted  cycle,  which  we  will  write  as  (CA,CB). 

If  both  keys  have  /3  =  0  or  /3  =  1  (call  this  event  E{),  the  adversary  aborts  and  instructs  the  second  stage 
(A2)  to  output  a  random  bit.  Since  the  two  keys  are  independently  generated  by  the  challenger,  this  event 
will  occur  with  probability  exactly  1/2.  Below  we  will  condition  on  E\  not  happening,  and  wlog  assume 
that  pkA  =  (0  ,e(g,h)ai,ga2)  and  pkB  =  (1,  e(g,  h)bl ,  hb2).  The  corresponding  secret  keys  skA  =  (0,  ai,a2), 
skB  =  (1,  b  1, 62)  are  not  known  to  the  adversary. 

We  write  the  given  ciphertexts  CA  =  (ca,i,  ca,2>  ca,3,  ca,4)  and  CB  =  (cb,i,  Cb, 2,  cb, 3,  Cba)-  Ai  will 
output  two  arbitrary  distinct  messages,  and  request  that  the  challenge  use  pkA.  For  the  state  passed  to  A2, 
it  now  computes: 


X  :—  Cb, 2  • 


e(CA,l,  Cb,3) 
e(CA, 3j  Cb,i) 


A\  sets  skA  =  decoders, 4  ©  F(X))  and  passes  this  with  the  challenge  messages  as  state  to  _42. 

A 2  receives  a  ciphertext  y  and  the  passed  state.  It  parses  skA  as  a  secret  key  for  ncpa  and  computes 
Dec(skA,  y),  and  tests  if  this  is  equal  to  either  of  the  challenge  messages.  If  so,  it  outputs  the  corresponding 
bit.  Otherwise  it  outputs  a  random  bit. 

Let’s  explore  why  this  test  works.  Write  CA  =  En c(pkA:  skB)  and  CB  =  Enc {pkB,  skA ).  Then: 


Ca  =  (ca,i,  ca,2j  ca,3>  ©m) 

=  ( gr ,  R  ■  e(g,  h)rai ,  gra2b2+bl ,  F(R)  ©  encode(sfcs)) 
Cb  =  (cb, I,  cb, 21  cb, 3>  cs, 4) 

=  ( hs ,  S  ■  e(g,  h)sbl,hsa2b2,F(S)  ©  encode(sfcA)) 


for  some  r,  s  £  and  R,  S  £  &t-  Then  we  have  that: 


r  e(cA,i,CB,3)  _  c  ,  ,sSbl  e(gr,hsa2b2) 

B’2' e(cA,3,CB,i)  ’  '  ‘  e{gra2b2+bphs) 


=  S  ■  e(g,  h)sbl 


rsa,2b2 


=  s. 


e(g,h)rsa^b 2  •  e{g1h)sb  1 

Thus,  A\  recovers  skA  =  skA  as  decoders, 4  ©  F(S)),  and  A 2  will  correctly  guess  bit  b  in  this  case. 
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Write  b  for  the  output  of  _42-  We  have 


a  i  2-wcirc-cpa 
AdviW 


(A) 


2  Pr[6  =  b]  -  1 

2(Pr[6  =  b\E\]  Pr[£^i]  + 

Pr[6  =  6|-.S1]Pr[-.£;1])  -  1 
2(1 -1/2 +  1/2- 1/2) -1 
1/2 


This  completes  the  proof. 


□ 


4.4  Extension:  A  Counterexample  for  CCA  Security 

We  show  that  there  exists  an  IND-CCA-secure  cryptosystem,  which  suffers  a  complete  break  when  Alice  and 
Bob  trade  secret  keys  over  an  insecure  channel;  i.e. ,  transmit  the  two-key  cycle  E(pkA,  skB )  and  E(pkB,  skA )• 
Our  construction  follows  the  “double-encryption”  approach  to  building  IND-CCA  systems  from  IND-CPA 
systems  as  pioneered  by  Naor  and  Yung  [33]  and  refined  by  Dolev,  Dwork  and  Naor  [18]  and  Sahai  [37].  Our 
building  blocks  will  be: 


1.  The  I ND- CPA-secure  cryptosystem  ncpa  =  ( G ,  E,  D )  from  Section  4.  Let  E(pk ,  m;  r)  be  the  encryption 
of  to  under  public  key  pk  with  randomness  r. 


2. 


An  adaptively  non-malleable  non-interactive  zero-knowledge  (NIZK)  proof  system  with  unpredictable 
simulated  proofs  and  uniquely  applicable  proofs  for  the  language  L  of  consistent  pairs  of  encryptions, 
defined  as: 


f  (e0,ei,Co,Ci)  :  3m,  r0,  rq  €  {0, 1}*  s.t.  1 

\  cq  =  E(eo,m;r0)  and  ci  =  E(ei,m-,ri)  J 


A  proof  system  for  L  can  be  realized  under  relatively  mild  assumptions,  such  as  the  difficulty  of  factoring 
Blum  integers  (e.g.,  [37]).  One  complication  is  that  the  secret  keys  for  this  cryptosystem  now  change  and 
the  construction  must  be  adapted  accordingly,  so  that  the  secret  key  can  still  be  recovered  by  the  adversary 
during  a  circular  attack.  We  show  that  this  is  possible. 


5  Conclusion  and  Open  Problems 

In  this  work,  we  presented  a  natural  relaxation  of  the  circular  security  definition,  which  may  prove  interesting 
for  positive  results  in  its  own  right.  We  demonstrated  that  its  guarantees  are  not  already  captured  by  standard 
definitions  of  encryption.  To  do  this,  we  presented  symmetric  and  public-key  encryption  systems  that  are 
secure  in  the  IND-CPA  and  IND-CCA  sense,  but  fail  catastrophically  in  the  presence  of  an  encrypted  cycle. 
This  provides  the  first  answer  to  the  foundational  question  on  whether  IND-CCA-security  captures  (weak  or 
regular)  circular  security  for  all  cycles  larger  than  self-loops.  In  either  case,  it  does  not. 

Our  work  leaves  open  the  interesting  problem  of  finding  a  public-key  counterexample  for  cycles  of  size 
>  3.  Secondly,  while  our  symmetric  counterexample  depended  only  on  the  existence  of  AE-secure  symmetric 
encryption,  our  public-key  counterexample,  like  that  of  Acar  et  al.  [2],  required  a  specific  bilinear  map 
assumption.  It  would  be  highly  interesting  to  find  a  counterexample  assuming  only  that  IND-CPA-  or 
IND-CCA  -secure  systems  exist. 

Finally,  we  observe  that  our  public- key  counterexample  contains  a  novel  and  curious  property  -  certain 
combinations  of  independently  generated  ciphertexts  trigger  the  release  of  their  underlying  plaintext.  From 
Rabin’s  A-OT  system  to  DH-DDH  gap  groups,  the  cryptographic  community  has  a  strong  history  of  turning 
such  oddities  to  an  advantage.  If  we  view  a  cryptosystem  with  this  property  as  a  new  primitive,  what  new 
functionalities  can  be  realized  using  it? 
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A  Security  Proof  for  nae 

A.l  Security  against  Key  Recovery  Attacks 

It  will  simplify  our  results  to  use  the  following  concept  of  key  recovery  security,  which  is  implied  by  AE 
security. 

Definition  A.l  (KR)  Let  II  =  (KeyGen,  Enc,  Dec)  be  a  symmetric-key  encryption  scheme  for  the  message 
space  M.  Let  the  random  variable  KR(II,A,  A)  be  defined  by  the  following  probabilistic  algorithm: 

KR(H,  A  A) 

I\  <—  KeyGen(lA) 

£<_.A#(-),®S(0(  lA) 

Output  ( K  =  K). 

Here  the  oracle  £]/r(-)  takes  as  input  a  message  m  €  M  and  returns  En c(K,m),  and  the  oracle  takes 

as  input  a  ciphertext  and  returns  Dec(/\,  c). 

We  denote  the  KR  advantage  of  A  by 

Advn^(A)  =  Pr[KR(n,  A,  A)  =  1]. 

We  say  that  II  is  KR  secure  if  Advn^(A)  is  negligible  for  all  PPT  A. 

We  will  use  the  following  theorem  below.  The  proof  is  standard. 

Theorem  A. 2  Any  AE-secure  symmetric-key  encryption  scheme  is  also  KR -secure. 

A. 2  Proof  of  Security  for  System  IIae 

Theorem  A. 3  Encryption  scheme  IIae  is  AE  secure  whenever  II'e  is  AE  secure. 

Proof.  We  prove  the  theorem  by  giving  a  reduction  to  the  AE  security  of  II' e.  We  proceed  by  describing  a 
pair  of  hybrid  games,  where  the  first  Hq  is  defined  to  be  the  AE  experiment  from  Definition  2.3  with  nae, 
and  the  second  is  a  modified  experiment  that  will  be  seen  to  be  essentially  equivalent  to  the  AE  experiment 
with  n'e. 

We  denote  the  hybrids  Ho,  Hi,  and  define  them  as  follows: 

Ho:  The  AE  experiment  with  IIae. 

Hi:  Exactly  as  in  H0,  except  that  the  oracles  f  j/e6(-,  •)  and  b(')  use  modified  versions  of  the  algo¬ 
rithms  Enc  and  Dec  which  ignore  their  “If”  statements  and  proceed  directly  the  “Else”  clause. 

Fix  some  PPT  adversary  A,  and  let 

Adv^(A)  =  2Pr[Hi(A,A)  =  1]  -  1 

for  i  =  0, 1.  Then  we  have 

Adv^(A)  =  Adv^(A),  (1) 

which  is  negligible  by  assumption.  Next  we  relate  Adv^°(A)  and  Adv^(A). 
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Lemma  A. 4  For  all  PPT  adversaries  A, 

Adv”°(A)-AdvJ(A)<ei(A)  (2) 

for  some  negligible  function  e\. 

Proof.  Suppose  to  the  contrary  that  a  PPT  adversary  A  exists  that  violates  (2).  Using  A  we  construct  an  PPT 
adversary  B  such  that  Adv^f/  g(A)  is  non-negligible  which  contradicts  the  AE  security  II' e  by  Theorem  A. 2. 

The  adversary  B  has  access  to  two  oracles  in  the  KR  experiment  with  II' e ,  £]^r(-)  and  B  will  run 

A,  which  expects  the  two  oracles  £j(?b(-,  in  the  AE  experiment  with  IIae. 

B  starts  by  selecting  b  A-  {0, 1}  and  initializing  a  list  L  to  be  empty.  B  then  runs  A,  simulating  queries 
to  £|?b(-,  •)  and  as  follows: 

££eib(m0,mi) 

UseCycle(TOb) 

Return  5^(mb) 

UseCycle(  x ) 

If  |  a:  |  np{ A)  then 

Return 

Parse  x  as  (ci, . . . ,  cn) 

K2  <-  ©£(Cl) 

For  i  =  2  to  n 

l^imod  ji+1  ^  Dec  (A),Cj) 

Add  K\  to  L 

When  A  halts,  B  selects  and  outputs  K  at  random  from  L. 

Before  moving  on,  let  us  intuitively  explain  how  B  is  simulating  the  game.  We  have  implemented  the 
oracle  simulation  so  that  B  assumes  that  the  “If”  statements  in  both  oracles  do  not  ever  pass,  and  indeed  it 
properly  simulates  both  hybrids  as  long  as  this  is  case.  It  keeps  track  of  the  keys  induced  by  the  queries  of 
A  which  might  have  caused  an  “If”  statement  to  pass,  and  afterwards  it  chooses  a  random  one  and  hopes  it 
was  the  first  such  query. 

Let  E  be  the  event  that  A  queries  either  £jfb(-,  •)  or  2?“b(-)  at  a  point  that  causes  their  “If”  statements 
to  evaluate  to  true.  It  is  apparent  that  Hq  and  Hi  are  identical  unless  E  occurs,  so  we  have 

Adv^°  (A)  -  AdvJ(A)  <  Pr[£], 

Conditioned  on  E  occurring,  we  have  that  I\  is  equal  to  I\  (where  K  was  chosen  in  the  KR  experiment)  with 
probability  1  /Q,  where  Q  is  (polynomial)  number  of  queries  issued  by  A.  This  follows  from  the  fact  that  B 
perfectly  simulates  Ho  until  the  first  query  that  triggers  the  event  E.  Thus,  B  recovers  the  secret  key  with 
probability  at  least  Adv^,  g(A)  =  Pr [E\/Q.  But  this  is  negligible  by  the  assumption  that  II' e  is  AE-secure 
and  hence  KR-secure,  which  bounds  Pr[U]  by  a  negligible  function.  □ 

Lemma  A. 5  For  every  PPT  adversary  A 

Advane,e^(A)=Adv»1(A).  (3) 

Proof.  This  lemma  follows  by  the  observation  that  in  Hi,  A  is  interacting  with  oracles  that  are  functionally 
identical  to  those  in  AE(II'e,  A,  A).  The  only  difference  is  in  the  message  space  restriction  in  H1;  which  is  a 
strict  subset  of  those  allowed  in  AE(II'e,  A,  A).  □ 

Finally,  we  observe  that  Adv^,  g(A)  is  negligible  by  assumption.  Combining  this  observation  with  (1), 
(2)  and  (3)  proves  the  theorem.  □ 


Pj Zb(c) 

If  b  =  0  then 
Return  _L 
Else 

Parse  c  as  K  ||  m 
Add  K  to  L 
Return  T,|)'(c) 
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B  Security  Proof  for  System  ncpa 


We  first  recall  Theorem  4.3. 

Theorem  B.l  Encryption  scheme  ncpa  is  IND-CPA  secure  under  the  Decisional  Diffie- Heilman  Assumption 
in  Gi  and  G 2  (SXDH). 

Proof.  To  show  that  scheme  ncpa  meets  security  Definition  2.1,  suppose  PPT  adversary  A  =  (^1,^2)  has 
advantage  e  in  the  IND-CPA(IIcpa,  A,  A)  experiment.  Let  ip(-)  be  some  polynomial  function  that  will  be 
determined  in  the  proof.  Using  a  series  of  hybrid  games  we  show  that  if  all  PPT  adversaries  have  negligible 
advantage  t\  in  solving  the  DDH  problem  in  Gi  or  G2  and  advantage  ip( e\ )  at  distinguishing  the  PRG  F 
(secure  under  DDH)  from  a  random  function,  then  e  is  bounded  by  the  negligible  value  4ei  +  2ip(ei). 

In  all  hybrids,  the  adversary  plays  the  IND-CPA  game  with  a  challenger.  The  public  key  is  distributed 
normally,  but  the  structure  of  the  challenge  ciphertext  differs  between  the  hybrids.  Let  CT  =  (Ci,  C2,  C3,  C4) 
denote  the  challenge  ciphertext  computed  in  IND-CPA  and  let  R2  £-  G t,  R3  Gi  (if  (3  =  0)  or  R3  i—  G2 
(if  (3  =  1)  and  R4  <—  {0, 1}!04!  be  randomly  chosen.  The  hybrids  are  as  follows: 

Hn:  The  challenge  ciphertext  is  CT  =  (Ci,  C2,  C3,  C4). 

Hi:  The  challenge  ciphertext  is  CTi  =  (Ci,  f?2,  C3,  C4). 

H2:  The  challenge  ciphertext  is  CT2  =  (Ci,  f?2,  R3,  C4). 

H3:  The  challenge  ciphertext  is  CT3  =  (Ci,  f?2,  R3,  Ri)- 


We  will  write  Adv^(A)  to  denote  the  advantage  of  A  in  Hj,  i.e.,  2Pr[H,(Al,A)  =  1]  —  1.  By  definition, 
the  ciphertext  in  H0  is  as  in  IND-CPA(ncpa,  A,  A),  while  the  challenge  ciphertext  in  hybrid  H3  information- 
theoretically  hides  the  plaintext.  We  argue  that  under  the  DDH  assumption  in  Gi  and  G2,  for  all  PPT  A, 
we  have 

AdvJ  -  Adv^3  <  2d  +  V»(d).  (4) 

It  remains  to  observe  that,  by  definition, 

Adv^°(A)  =  IND-CPA(ncpa,_4,  A),  (5) 

and 

Adv^3  (A)  =  0  (6) 

because  the  adversary’s  output  is  independent  of  the  bit  b  it  is  trying  to  guess. 

We  now  turn  to  proving  (4).  We  start  by  bounding  the  difference  in  advantage  between  Hn  and  Hi. 


Lemma  B.2  For  all  PPT  A  =  (Ai,A2),  if  the  DDH  assumption  holds  in  Gi  and  G2,  then 

Adv^1  (A)  —  Adv^°  (A)  <  d. 

Pi'oof.  Let  (e,p,  Gi, G2,  Gy, 5  =  (Gi ),h  =  (G2))  be  the  common  parameters.  Suppose  for  contradiction  that 
an  adversary  A  violates  the  inequality  in  the  lemma.  Then,  we  construct  an  adversary  A!  that  decides  the 
DDH  problem  in  Gi  or  G2  with  advantage  e' .  A'  works  as  follows. 


1.  Sample  a  bit  f3  <—  {0, 1}. 

2.  Obtain  a  DDH  problem  instance: 

r  = 

3.  Sample  v  4—  Z*. 

4.  Set  the  public  key  as: 


C g,ga,gb,G)eGi 
(h,ha,h\H)  g  G| 


ii  13  =  0; 
if  p  =  1. 


(0,  e{g\  h),gv)  G  {0, 1}  x  GT  x  G,  if  0  =  0; 
(1,  e(g,  ha),hv)  G  {0,  1}xGtxG2  if  (3  =  1. 
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5.  Run  Ai(pk)  to  produce  a  tuple  ( M0,Mi,z ).  Parse  M0  as  (a,  rrii,  m2). 

6.  Sample  R  G-  G t  and  set  I  <—  F(R)  ®  encode(M0). 

7.  Set  the  challenge  ciphertext  as: 


C  = 


(g\  R  ■  e(G,  h),  (gbym*  ■  gm\  I) 
(hb,  R-e(g,H),  (hbym>  ,  I) 


if  P  =  0; 

if  p  =  1. 


Note  that  in  the  first  case,  C  G  Gi  x  G t  x  Gi  x  {0, 1  while  in  the  second  case  C  G  G2  x  G t  x 
G2x{0,1}^a). 

8.  Run  A2(C,z)  and  output  whatever  it  outputs. 

We  argue  that  when  P  is  a  proper  DDH  instance,  A!  perfectly  simulates  the  experiment  Ho.  The 
distribution  of  keys  and  encryption  values  are  exactly  as  they  should  be.  When  P  is  not  a  DDH  instance.  A' 
perfectly  simulates  the  experiment  Hi.  The  only  impacted  ciphertext  part  is  C2,  where  the  proper  public 
key  information  has  been  replaced  by  a  random  value.  Thus,  Ah’s  advantage  in  solving  DDH  in  Gi  or  G2 
will  be  .  Under  the  DDH  assumption  in  Gi,G2,  e'  <  ei.  □ 


Lemma  B.3  For  all  PPT  A  =  (Ai,A2),  if  the  DDH  assumption  holds  in  Gi  and  G2,  then 

Adv^2(A)  -  Adv^(A)  <  Cl. 

Proof.  Suppose  adversary  A  =  {A\,  A2)  violates  the  lemma.  Then,  we  construct  an  adversary  A!  that  decides 
the  DDH  problem  in  Gi  or  G2  with  advantage  e'  as  follows.  Let  (e,p,  Gi,  G2,  Gt,  g  =  (Gi ),h  =  (G2))  be 
the  common  parameters.  A!  works  as  follows: 

1.  Sample  a  bit  /?  {0, 1}. 

2.  Obtain  a  DDH  problem  instance: 


P  = 


(g,ga,gb,G)e  Gf 
(h,ha,hb,H)  G  G| 


if  P  =  0; 


if  p  =  1. 


3.  Sample  v  <—  Z*. 

4.  Set  the  public  key  as: 


pk 


(0,  e(g,  h)v,ga)  G  {0,  1}xGtxGi  if  /3  =  0; 
(1,  e{g,  h)v,  ha )  G  {0,  1}xGtxG2  if  0  =  1. 


5.  Run  Ai(pk)  to  produce  a  tuple  (M0,  Mi,  z).  Parse  M0  as  (a,  mi,  m.2). 

6.  Sample  R,  R2  4—  G t  and  set  I  <—  F(R)  ®  encode(M0). 

7.  Set  the  challenge  ciphertext  as: 


C  = 


l gb ,  R2,  G“2  •  gmi ,  I) 

(. hb ,  R2 ,  Fm2  ,  I) 


if  P  =  0; 


if  /3  =  1. 


8.  Run  A2(C,z)  and  output  whatever  it  outputs. 

When  r  is  a  proper  DDH  instance,  A'  perfectly  simulates  experiment  Hi.  When  P  is  not  a  DDH  instance, 
A!  perfectly  simulates  experiment  H2.  The  only  impacted  ciphertext  part  is  C3,  where  the  proper  public  key 
information  has  been  replaced  by  a  random  value.  Thus,  Ah’s  advantage  in  solving  DDH  in  Gi  or  G2  will 
be  e'.  Under  the  DDH  assumption  in  Gi,G2,  e'  <  e±.  □ 


Lemma  B.4  For  all  PPT  A  =  (Ai,  A2)  if  F  is  secure  under  the  DDH  assumption  in  Gi,G2  then 

AdvJ(A)-Adv^(A)  <^(ei)- 
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Proof.  Let  (e,p,  Gi,G2,Gt,  9  =  (Gi),/i  =  (G2))  be  the  common  parameters.  Note  that  in  our  construction, 
F  has  domain  G t  and  range  {0,  l}^Ab4  Let  us  suppose  that  adversary  A  =  (Ai ,  A2)  violates  the  lemma. 
Then,  we  construct  an  adversary  A!  that  breaks  the  security  of  the  PRG  F  with  advantage  e'.  A'  accepts  as 
input  a  value  /'  sampled  from  ensemble  Eb  where  E0  =  {R  G t  ■  F(R)} E\  =  {U^\)}\  and  b  €  {0, 1} 
and  operates  as  follows: 


1.  Compute  (pk,  sk)  f—  KeyGen(lfc)  and  parse  pk  =  (0,Y\,  Y2). 

2.  Run  Ai(pk)  to  produce  a  tuple  (M0,  Mi,  z). 

3.  Sample  r  t—  Zp,  R2  t—  G t  and  R3  «—  Gi  (if  0  =  0)  or  R3  «—  G2  (if  0  =  1).  Set  I  f—  /'  ®  encode(Mo). 
Compute  the  challenge  ciphertext  as  follows: 


C  = 


( 9r ,  R2,  R3,  I) 
( hr ,  R2,  R:i,  I) 


if  0  =  0; 
if  0=  1. 


4.  Run  A2(C,z)  and  output  whatever  it  outputs. 


If  /'  is  sampled  from  distribution  Eq  then  A!  perfectly  simulates  H2.  If  /'  is  sampled  from  the  uniform 
distribution  Ei,  then  /'  ©  encode(Afo)  is  uniformly  distributed  in  {0,  l}dA)  and  A!  perfectly  simulates  H3. 
Additionally,  R  is  independent  of  the  adversary’s  view.  Thus  AMs  advantage  in  distinguishing  the  two 
distributions  will  be  e'.  Under  the  DDH  assumption,  we  have  e'  <  ip(e  1).  □ 

We  complete  the  proof  of  the  theorem  by  combining  (4),  (5),  (6),  and  Lemmas  B.2,  B.3,  and  B.4.  □ 


C  An  Alternative  Counterexample  for  CPA  Security 

As  mentioned  in  Section  4,  one  “artificial”  feature  of  the  cryptosystem  ncpa  is  that  the  KeyGen  algorithm 
randomly  embeds  the  public  key  into  either  Gi  or  G2  with  probability  1/2  and  then  the  group  setting  of  the 
ciphertext  also  differs  depending  on  the  public  key.  We  know  of  no  deployed  cryptosystems  that  alternate  the 
setting  of  keys  in  such  a  manner.  Some  readers  might  hope  that  this  property  renders  our  result  inapplicable 
to  the  domain  of  “practical”  cryptosystems,  i.e.,  to  assume  that  cryptosystems  with  a  single,  defined  key 
and  ciphertext  structure  are  immune  to  the  concerns  we  note  here.  We  must  disappoint  these  readers. 

Below  we  propose  an  alternative  I ND- CPA-secure  scheme  II' pa  that  does  not  exhibit  this  “group  switching” 
feature,  and  yet  still  breaks  catastrophically  in  the  face  of  a  2-cycle.  Indeed,  this  result  is  even  stronger  than 
that  of  Section  4  since  it  permits  an  adversary  to  win  the  IND-CIRC-CPA  game  with  a  higher  probability. 
II'pa  has  keys  and  ciphertexts  that  are  twice  the  length  of  those  in  ncpa. 

Construction  n(pa  Cryptosystem  II'pa  =  (KeyGen',  Enc',  Dec')  uses  ncpa  =  (KeyGen,  Enc,  Dec)  as  a  build¬ 
ing  block.  As  before  we  assume  that  a  single  set  of  bilinear  group  parameters  will  be  shared  across  all  keys 
generated  at  a  given  security  level  and  are  implicitly  provided  to  all  algorithms.  Let  M  be  the  message  space 
of  ncpa.  Then  the  message  space  for  II(.pa  is  M'  =  M  x  M.  We  define  the  system  as  follows. 

KeyGen'(lA).  The  key  generation  algorithm  runs  KeyGen  repeatedly  to  obtain  pk1}  ski  and  pk2 ,  sA;2  where 
pkx  =  (0,  - ,  - )  and  pk2  =  (l,-,-).5  The  public  key  is  set  as  pk  =  (pk1,pk2),  and  the  secret  key  as 
sk  =  (ski,  sk2). 

Encrypt' (pk,  M).  The  encryption  algorithm  parses  the  public  key  pk  =  (pkl,pk2),  and  message  M  = 
(mi,m2)  €  M! .  Output  the  ciphertext  C  as: 

C  =  (Enc (pk1,rri2),  En c(pk2,  mi)) 

4Although  this  specification  differs  slightly  from  Definition  4.2,  this  specific  construction  can  be  constructed  from  traditional 
PRGs  using  standard  techniques. 

5This  can  be  accomplished  probabilistically  by  repeatedly  calling  KeyGen  and  discarding  redundant  keypairs;  alternatively 
the  KeyGen  algorithm  can  be  trivially  modified  to  produce  the  needed  keys  in  only  two  calls. 
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Decrypt'(sfc,  C).  The  decryption  algorithm  parses  the  secret  key  sk  =  (ski,sk2)  and  the  ciphertext  C  = 
(CUC2).  Next,  it  computes: 


M  =  (Dec(sfc2,  C2),  Dec(sA,'i,  Ci)) 


Correctness  follows  trivially  from  the  correctness  of  ncpa . 

Theorem  C.l  Encryption  scheme  II'pa  is  IND-CPA  secure  under  the  Decisional  Diffie- Heilman  Assumption 
in  Gi  and  G 2  (SXDH). 


Attack  on  IND-CIRC-CPA  Security  The  above  scheme  breaks  completely  for  2-key  cycles. 

Theorem  C.2  Encryption  scheme  II'pa  is  not  IND-CIRC-CPA  secure  for  cycles  of  length  2. 

Proof  sketch.  To  show  that  scheme  II'pa  is  not  IND-CIRC-CPA-secure  for  key  cycles  of  length  two,  we  recall 
the  attack  of  Section  4.3.  As  in  that  attack,  we  assume  that  the  adversary  receives  CA  =  Enc(pkA,  sks) 
and  Cb  =  Enc (pkB,skA)  or  two  encryptions  of  a  fixed  message,  and  must  distinguish  which.  Unlike  that 
attack,  we  do  not  abort  based  on  the  structure  of  the  public  keys.  Instead  we  receive  pkA  =  ( pkA  ± ,pkA  2), 
pkB  =  {p^b  liP^B  2)1  Ca  =  (Ca ,1, 6(4,2)  and  Cb  =  (Cb,i,Cb,2)-  Now,  there  are  two  options.  Either: 

1.  C a ,  1  =  Enc{pkA  i,skB, 2)  and  Cb, 2  =  Enc(pfcB2,  skA,i)  and 
CA, 2  =  Enc(pkA  2,  skB,i)  and  Cb,i  =  Enc(pkB jl7  skA,2)',  or 

2.  CA,  1  =  Enc{pkA  1,012)  and  Cb, 2  =  En c(pkB  2,  ol  1)  and 
CA,2  =  En c(pkA  2,  «i)  and  Cb,  1  =  En c(pkB  1,0(2) 

for  any  fixed  (04,  a2)  G  M!  as  dehned  by  Definition  2.4. 

If  we  are  in  case  1,  then  we  simply  apply  the  exact  attack  from  Section  4.3  twice  to  the  pairs  ( CA  \ ,  CB)2) 
and  (Ca,2,Cb,i)  to  recover  both  secret  keys  in  full  (skA,  1,  skA, 2)  and  (sks,  1,  2)  with  probability  1.  Once 

this  is  done  and  detected,  D  outputs  1. 

If  we  are  in  case  2,  then  let  a.\  =  {■,mi,m2)  and  a 2  =  (-,7711, m2).  Parse  skA,\  =  (0,ai,a2)  and 
sks, 2  =  (1,  b\,  b2)  and  we  have: 

CA,  1  =(CA,1,CA,2,CA,3,CA,4) 

={gr,  R  ■  e(g,  h)rai ,  gra*<+<,F(R)  ©  encode(a2)) 

Cb,  2  =(cs, 1,  cB, 2,  cb, 3i  4) 

=(hs,S  ■  e(g,  h)sbl ,  hsm2b 2 ,  F(S)  ©  encode(ai)) 


for  some  r,  s  €  7LV  and  R,  S  €  Gy.  Then  we  have  that: 


X  :—  Cb,2  • 


e(CA,l,  Cb,3) 
e(CA, 3j  Cb,i) 


=  S  ■  e(g,  h) 


=  S-e(g,h)sb 
(e(g,h)s(m2b2-m 


e(gr,hsm2b2) 

e(gra^m2+mi,hs) 

2aAy 


Now,  D  will  return  1  if  and  only  if  skA  =  decode((F(S')ffiencode(ai))©F(A)).  What  is  the  probability  that 
this  event  occurs?  First,  suppose  that  s(m2b2  —  m'2a2)  mod  0  (event  E{),  which  happens  with  probability 
>  1  —  3/(p  —  1)  =  (p  —  4)/(p  —  1)  for  honest  executions.  Next,  consider  the  values  04,0:2,  s,  S  as  fixed  and 
r  is  the  only  variable.  What  is  the  chance  that  the  challenger’s  random  choice  of  r  will  induce  a  value  X 
such  that  F(X)  =  F(S)  ©  encode(oi)  ©  encode(sfcA)?  First,  we  observe  that  since  s(m2&2  —  m'2a2)  7^  0  and 
r  is  chosen  uniformly  at  random  in  Zp,  then  X  is  also  distributed  uniformly  at  random  in  G t-  Thus,  by  the 
assumption  that  F  is  computationally  indistinguishable  from  a  uniform,  random  function,  D  will  incorrectly 
guess  a  key  cycle  in  this  case  with  probability  at  most  2~e(x)  pjus  a  negligible  amount  z/(A),  where  A  is  the 
security  parameter. 
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Thus,  D’ s  total  probability  of  success  in  this  attack  is: 


Pr[D  wins]  =  Pr[Case  1]  •  Pr[_D  wins  |Case  1] 

+  Pr[Case  2]  •  Pr[D  wins  |Case  2] 

+  '  Pl^D  winS  I-®1!) 


1  _ 
“2  ~ 


>3- 

“4 


(2-^a)  +u(X)) 


for  all  p  >  7 


Of  course,  for  practical  80-bit  or  higher  values  of  p ,  this  probability  is  much  closer  to  1. 


□ 


21 

Approved  for  Public  Release;  Distribution  Unlimited. 

820 


Billion-Gate  Secure  Computation  with  Malicious  Adversaries 


Benjamin  Kreuter 
brk7bx  @  virgin  ia.  edu 
University  of  Virginia 


abhi  shelat 
abhi@virginia.edu 
University  of  Virginia 


Chih-hao  Shen 
cs6zb  @  virgin  ia.  edu 
University  of  Virginia 


Abstract 

The  goal  of  this  paper  is  to  assess  the  feasibility  of 
two-party  secure  computation  in  the  presence  of  a  ma¬ 
licious  adversary.  Prior  work  has  shown  the  feasibil¬ 
ity  of  billion-gate  circuits  in  the  semi-honest  model,  but 
only  the  35k-gate  AES  circuit  in  the  malicious  model, 
in  part  because  security  in  the  malicious  model  is  much 
harder  to  achieve.  We  show  that  by  incorporating  the 
best  known  techniques  and  parallelizing  almost  all  steps 
of  the  resulting  protocol,  evaluating  billion-gate  circuits 
is  feasible  in  the  malicious  model.  Our  results  are  in 
the  standard  model  (i.e.,  no  common  reference  strings 
or  PKIs)  and,  in  contrast  to  prior  work,  we  do  not  use  the 
random  oracle  model  which  has  well-established  theoret¬ 
ical  shortcomings. 

1  Introduction 

Protocols  for  secure  computation  allow  two  or  more  mu¬ 
tually  distrustful  parties  to  collaborate  and  compute  some 
function  on  each  other’s  inputs,  with  privacy  and  correct¬ 
ness  guarantees.  Andrew  Yao  showed  that  secure  two- 
party  protocols  can  be  constructed  for  any  computable 
function  [34],  Yao’s  protocol  involves  representing  the 
function  as  a  boolean  circuit  and  having  one  party  (called 
the  generator )  encrypt  the  circuit  in  such  a  way  that  it 
can  be  selectively  decrypted  by  the  other  party  (called 
the  evaluator)  to  compute  the  output,  a  process  called 
garbling.  In  particular,  oblivious  transfers  are  used  for 
the  evaluator  to  obtain  a  subset  of  the  decryption  keys 
that  are  needed  to  compute  the  output  of  the  function. 

Yao’s  protocol  is  of  great  practical  significance.  In 
many  real-world  situations,  the  inputs  to  a  function  may 
be  too  valuable  or  sensitive  to  share.  Huang  et  al.  ex¬ 
plored  the  use  of  secure  computation  for  biometric  iden¬ 
tification  [14]  in  national  security  applications,  in  which 
it  is  desirable  for  individual  genetic  data  to  be  kept  pri¬ 
vate  but  still  checked  against  a  classified  list.  In  a  similar 


security  application,  Osadchy  et  al.  described  how  face 
recognition  could  be  performed  in  a  privacy-preserving 
manner  [30].  The  more  general  case  of  multiparty  com¬ 
putation  has  already  seen  real-world  use  in  computing 
market  clearing  prices  in  Denmark  [2], 

Yao’s  original  protocol  ensures  the  privacy  of  each 
party’s  input  and  the  correctness  of  the  output  under  the 
semi-honest  model,  in  which  both  parties  follow  the  pro¬ 
tocol  honestly.  This  model  has  been  the  basis  for  sev¬ 
eral  scalable  secure  computation  systems  [4, 10, 12, 13, 
17,22,26],  It  is  conceivable,  however,  that  one  of  the 
parties  may  deviate  from  the  protocol  in  an  attempt  to 
violate  privacy  or  correctness.  Bidders  may  attempt  to 
manipulate  the  auction  output  in  their  favor;  spies  may 
attempt  to  obtain  sensitive  information;  and  a  computer 
being  used  for  secure  computation  may  be  infected  with 
malware.  Securing  against  malicious  participants,  who 
may  deviate  arbitrarily  from  pre-agreed  instructions,  in 
an  efficient  manner  is  of  more  practical  importance. 

There  have  been  several  attempts  on  practical  systems 
with  security  against  active,  malicious  adversaries.  Lin- 
dell  and  Pinkas  presented  an  approach  based  on  garbled 
circuits  that  uses  the  cut-and-choose  technique  [23],  with 
an  implementation  of  this  system  having  been  given  by 
Pinkas  et  al.  [31].  Nielsen  et  al.  presented  the  LEGO+ 
system  [29],  which  uses  efficient  oblivious  transfers  and 
authenticated  bits  to  enforce  honest  behaviors  from  par¬ 
ticipants.  shelat  and  Shen  proposed  a  hybrid  approach 
that  integrates  sigma  protocols  into  the  cut-and-choose 
technique  [33].  The  protocol  compiler  presented  by 
Ishai,  Prabhakaran,  and  Sahai  [16]  also  uses  an  approach 
based  on  oblivious  transfer,  and  was  implemented  by 
Lindell,  Oxman,  and  Pinkas  [21].  In  all  these  cases,  AES 
was  used  as  a  benchmark  for  performance  tests. 

Protocols  for  general  multiparty  computation  with  se¬ 
curity  against  a  malicious  majority  have  also  been  pre¬ 
sented.  Canetti  et  al.  gave  a  construction  of  a  uni¬ 
versally  composable  protocol  in  the  common  reference 
string  model  [5],  The  protocol  compiler  of  Ishai  et  al., 
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mentioned  above,  can  be  used  to  construct  a  multiparty 
protocol  with  security  against  a  dishonest  majority  in  the 
UC  model  [16].  Bendlin  et  al.  showed  a  construction 
based  on  homomorphic  encryption  [1],  which  was  im¬ 
proved  upon  by  Damgard  et  al.  [7];  these  protocols  were 
also  proved  secure  in  the  UC  model,  and  thus  require  ad¬ 
ditional  setup  assumptions.  The  protocol  of  Damgard  et 
al.  (dubbed  “SPDZ”  and  pronounced  “speedz”)  is  based 
on  a  preprocessing  model,  which  improves  the  amortized 
performance.  Damgard  et  al.  presented  an  implementa¬ 
tion  of  their  protocol,  which  could  evaluate  the  function 
(x  x  y)  +  z  in  about  3  seconds  with  a  128  bit  security 
level,  but  with  an  amortized  time  of  a  few  milliseconds. 

This  paper  presents  a  scalable  two-party  secure  com¬ 
putation  system  which  guarantees  privacy  and  correct¬ 
ness  in  the  presence  of  a  malicious  party.  The  system 
we  present  can  handle  circuits  with  hundreds  of  millions 
or  even  billions  of  gates,  while  requiring  relatively  mod¬ 
est  computing  resources.  Our  system  follows  the  Fair- 
play  framework,  allowing  general  purpose  secure  com¬ 
putation  starting  from  a  high  level  description  of  a  func¬ 
tion.  We  present  a  system  with  numerous  technical  ad¬ 
vantages  over  the  Fairplay  system,  both  in  our  compiler 
and  in  the  secure  computation  protocol.  Unlike  previ¬ 
ous  work,  we  do  not  rely  solely  on  AES  circuits  as  our 
benchmark;  our  goal  is  to  evaluate  circuits  that  are  orders 
of  magnitude  larger  than  AES  in  the  malicious  model, 
and  we  use  AES  only  as  a  comparison  with  other  work. 
We  prove  the  security  of  our  protocol  assuming  circular 
2-correlation  robust  hash  functions  and  the  hardness  of 
the  elliptic  curve  discrete  logarithm  problem,  and  require 
neither  additional  setup  assumptions  nor  the  random  or¬ 
acle  model. 

2  Contributions 

Our  principal  contribution  is  to  build  a  high  perfor¬ 
mance  secure  two-party  computation  system  that  inte¬ 
grates  state-of-the-art  techniques  for  dealing  with  ma¬ 
licious  adversaries  efficiently.  Although  some  of  these 
techniques  have  been  reported  individually,  we  are  not 
aware  of  any  attempt  to  incorporate  them  all  into  one  sys¬ 
tem,  while  ensuring  that  a  security  proof  can  still  be  writ¬ 
ten  for  that  system.  Even  though  some  of  the  techniques 
are  claimed  to  be  compatible,  it  is  not  until  everything  is 
put  together  and  someone  has  gone  through  all  the  details 
can  a  system  as  a  whole  be  said  to  be  provably  secure. 

System  Framework  We  start  by  using  Yao’s  garbled 
circuit  [34]  protocol  for  securely  computing  functions 
in  the  presence  of  semi-honest  adversaries,  and  she- 
lat  and  Shen’s  cut-and-choose-based  transformation  [33] 
that  converts  Yao’s  garbled  circuit  protocol  into  one  that 


is  secure  against  malicious  adversaries. 

We  then  modify  the  above  to  use  Ishai  et  al.’s  obliv¬ 
ious  transfer  extension  [15]  that  has  efficient  amortized 
computation  time  for  oblivious  transfers  secure  against 
malicious  adversaries,  and  Lindell  and  Pinkas’  random 
combination  technique  [23]  that  defends  against  selec¬ 
tive  failure  attacks.  We  implement  Kiraz’s  randomized 
circuit  technique  [18]  that  guarantees  that  the  generator 
gets  either  no  output  or  an  authentic  output,  i.e.,  the  gen¬ 
erator  cannot  be  tricked  into  accepting  arbitrary  output. 

Optimization  Techniques  For  garbled  circuit  gener¬ 
ation  and  evaluation,  we  incorporate  Kolesnikov  and 
Schneider’s  free-XOR  technique  that  minimizes  the 
computation  and  communication  cost  for  XOR  gates  in 
a  circuit  [20].  We  also  adopt  Pinkas  et  al.’s  garbled-row- 
reduction  technique  that  reduces  the  communication  cost 
for  k-fan-in  non-XOR  gates  by  1/2*  [31],  which  means 
at  least  a  25%  communication  saving  in  our  system  since 
we  only  have  gates  of  1-fan-in  or  2-fan-in.  Finally,  we 
implement  Goyal  et  al.’s  technique  for  reducing  commu¬ 
nication  as  follows:  during  the  cut-and-choose  step,  the 
check  circuits  are  given  to  the  evaluator  by  revealing  the 
random  seeds  used  to  produce  them  rather  than  the  check 
circuits  themselves  [11].  Combined  with  the  60% -40% 
check-evaluation  ratio  proposed  by  shelat  and  Shen  [33], 
this  technique  provides  a  near  60%  saving  in  communi¬ 
cation.  As  far  as  we  know,  although  these  techniques  ex¬ 
ist  individually,  ours  is  the  first  system  to  incorporate  all 
of  these  mutually-compatible  state-of-the-art  techniques. 

Circuit-Level  Parallelism  The  most  important  new 
technique  that  we  use  is  to  exploit  the  embarrassingly 
parallel  nature  of  shelat  and  Shen’s  protocol  for  achiev¬ 
ing  security  in  the  malicious  model.  Exploiting  this, 
however,  requires  careful  engineering  in  order  to  achieve 
good  performance  while  maintaining  security.  We  paral¬ 
lelize  all  computation-intensive  operations  such  as  obliv¬ 
ious  transfers  or  circuit  construction  by  splitting  the 
generator-evaluator  pair  into  hundreds  of  slave  pairs. 
Each  of  the  pairs  works  on  an  independently  generated 
copy  of  the  circuit  in  a  parallel  but  synchronized  man¬ 
ner  as  synchronization  is  required  for  shelat  and  Shen’s 
protocol  [33]  to  be  secure. 

Computation  Complexity  For  the  computation  time 
of  a  secure  computation,  there  are  two  main  contribut¬ 
ing  factors:  the  input  processing  time  I  (due  to  oblivi¬ 
ous  transfers)  and  the  circuit  processing  time  C  (due  to 
garbled  circuit  construction  and  evaluation).  In  the  semi- 
honest  model,  the  system’s  computation  time  is  simply 
I +C.  Security  in  the  malicious  model,  however,  requires 
several  extra  checks.  In  the  first  instantiation  of  our  sys- 
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tem,  through  heavy  use  of  circuit-level  parallelism,  our 
system  needs  roughly  I  +  2C  to  compute  hundreds  of 
copies  of  the  circuit.  Thus  when  the  circuit  size  is  suf¬ 
ficiently  larger  than  the  input  size,  our  system  (secure  in 
the  malicious  model)  needs  roughly  twice  as  much  com¬ 
putation  time  as  that  needed  by  the  original  Yao  proto¬ 
col  (secure  in  the  semi-honest  model).  This  is  a  tremen¬ 
dous  improvement  over  prior  work  [31,33]  which  needed 
lOOx  more  time  than  the  semi-honest  Yao.  In  the  second 
instantiation  of  our  scheme,  we  are  able  to  achieve  I  +  C 
computation  time,  albeit  at  the  cost  of  moderately  more 
communication  overhead. 

Large  Circuits  In  the  Fairplay  system,  a  garbled  cir¬ 
cuit  is  fully  constmcted  before  being  sent  over  a  net¬ 
work  for  the  other  party  to  evaluate.  This  approach  is 
particularly  problematic  when  hundreds  of  copies  of  a 
garbled  circuit  are  needed  against  malicious  adversaries. 
Huang  et  al.  [13]  pointed  out  that  keeping  the  whole  gar¬ 
bled  circuit  in  memory  is  unnecessary,  and  that  instead, 
the  generation  and  evaluation  of  garbled  gates  could  be 
conducted  in  a  “pipelined”  manner.  Consequently,  not 
only  do  both  parties  spend  less  time  idling,  only  a  small 
number  of  garbled  gates  need  to  reside  in  memory  at  one 
time,  even  when  dealing  with  large  circuits.  However, 
this  pipelining  idea  does  not  work  trivially  with  other  op¬ 
timization  techniques  for  the  following  two  reasons: 

•  The  cut-and-choose  technique  requires  the  gener¬ 
ator  to  finish  constructing  circuits  before  the  coin 
flipping  (which  is  used  to  determine  check  circuits 
and  evaluation  circuits),  but  the  evaluator  cannot 
start  checking  or  evaluating  before  the  coin  flipping. 
A  naive  approach  would  ask  the  evaluator  to  hold 
the  circuits  and  wait  for  the  results  of  the  coin  flip¬ 
ping  before  she  proceeds  to  do  her  jobs.  When  the 
circuit  is  of  large  size,  keeping  hundreds  of  copies 
of  such  a  circuit  in  memory  is  undesirable. 

•  Similarly,  the  random  seed  checking  technique  [11] 
requires  the  generator  to  send  the  hash  for  each  gar¬ 
bled  circuit,  and  later  on  send  the  random  seeds  for 
check  circuits  so  that  the  communication  for  check 
circuits  is  vastly  reduced.  Note  that  the  hash  for  an 
evaluation  circuit  is  given  away  before  the  garbled 
circuit  itself.  However,  a  hash  is  calculated  only  af¬ 
ter  the  whole  circuit  is  generated.  So  the  generation- 
evaluation  pipelining  cannot  be  applied  directly. 

Our  system,  however,  integrates  this  pipelining  idea  with 
the  optimization  techniques  mentioned  above,  and  is  ca¬ 
pable  of  handling  circuits  of  billions  of  gates. 

AES-NI  Besides  the  improvements  by  the  algorith¬ 
mic  means,  we  also  incorporate  the  Intel  Advanced  En¬ 


cryption  Standard  Instmctions  (AES-NI)  in  our  system. 
While  the  encryption  is  previously  suggested  to  be 

Encx,y(Z)  =H[X\ |F)  ®Z 

in  the  literature  [6, 20],  where  H  is  a  2-circular  correla¬ 
tion  robust  function  instantiated  either  with  SHA-1  [13] 
or  SHA-256  [31],  we  propose  an  alternative  that 

Enc^y(Z)  =  AES-256x||y(^)  ©Z, 

where  k  is  the  index  of  the  garbled  gate.  With  the  help 
of  the  latest  instruction  set,  an  AES-256  operation  could 
take  as  little  as  30%  of  the  time  for  SHA-256.  Since  this 
operation  is  heavily  used  in  circuit  operations,  with  the 
help  of  AES-NI  instructions,  we  are  able  to  reduce  the 
circuit  computation  time  C  by  at  least  20%. 

Performance  To  get  a  sense  of  our  improvements,  we 
list  the  experimental  results  of  the  benchmark  function — 
AES — from  the  most  recent  literature  and  our  system. 
The  latest  reported  system  in  the  semi-honest  model  was 
built  by  Huang  et  al.  [13]  and  needs  1.3  seconds  (where 
7=1.1  and  C  =  0.2)  to  complete  a  block  of  secure  AES 
computation.  The  fastest  known  system  in  the  malicious 
model  was  proposed  by  Nielson  et  al.  [29]  and  has  an 
amortized  performance  1 .6  seconds  per  block  (or  more 
precisely,  I  =  19  and  C  =  6  for  54  blocks).  Our  system 
provides  security  in  the  malicious  model  and  needs  1 .4 
(=/  +  2C,  where  /  =  1.0  and  C  =  0.2)  seconds  per  block. 
Note  that  both  the  prior  systems  require  the  full  power 
of  a  random  oracle,  while  ours  requires  a  weaker  crypto¬ 
graphic  primitive,  2-circular  correlation  robust  functions, 
which  was  recently  shown  to  be  sufficient  to  prove  the 
security  of  the  free-XOR  technique.  It  should  also  be 
noted  that  our  system  benefits  greatly  from  parallel  com¬ 
putation,  which  was  not  tested  for  LEGO+. 

Scalable  Circuit  Compiler  One  of  the  major  bottle¬ 
necks  that  prevents  large-scale  secure  computation  is  the 
need  for  a  scalable  compiler  that  generates  a  circuit  de¬ 
scription  from  a  function  written  in  a  high-level  program¬ 
ming  language.  Prior  tools  could  barely  handle  circuits 
with  50,000  gates,  requiring  significant  computational 
resources  to  compile  such  circuits.  While  this  is  just 
enough  for  an  AES  circuit,  it  is  not  enough  for  the  large 
circuits  that  we  evaluate  in  this  paper. 

We  present  a  scalable  boolean  circuit  compiler  that 
can  be  used  to  generate  circuits  with  billions  of  gates, 
with  moderate  hardware  requirements.  This  compiler 
performs  some  simple  but  highly  effective  optimizations, 
and  tends  to  favor  XOR  gates.  The  toolchain  is  flexible, 
allowing  for  different  levels  of  optimizations  and  can  be 
parameterized  to  use  more  memory  or  more  CPU  time 
when  building  circuits. 
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As  a  first  sign  that  our  compiler  advances  the  state 
of  the  art,  we  observe  that  it  automatically  generates  a 
smaller  boolean  circuit  for  the  AES  cipher  than  the  hand- 
optimized  circuit  reported  by  Pinkas  et  al.  [31].  AES 
plays  an  important  role  in  secure  computation,  and  obliv¬ 
ious  AES  evaluation  can  be  used  as  a  building  block  in 
cryptographic  protocols.  Not  only  is  it  one  of  the  most 
popular  building  blocks  in  cryptography  and  real  life  se¬ 
curity,  it  is  often  used  as  a  benchmark  in  secure  com¬ 
putation.  With  the  textbook  algorithm,  the  well-known 
Fairplay  compiler  can  generate  an  AES  circuit  that  has 
15,316  non-XOR  gates.  Pinkas  et  al.  were  able  to  de¬ 
velop  an  optimized  AES  circuit  that  has  11,286  non- 
XOR  gates.  By  applying  an  efficient  S-box  circuit  [3] 
and  using  our  compiler,  we  were  able  to  construct  an 
AES  circuit  that  has  9,100  non-XOR  gates.  As  a  result, 
our  AES  circuit  only  needs  59%  and  81%  of  the  commu¬ 
nication  needed  by  the  other  two,  respectively. 

Most  importantly,  with  our  system  and  the  scalable 
compiler,  we  are  able  to  run  experiments  on  circuits  with 
sizes  in  the  range  of  billions  of  gates.  To  the  best  of 
our  knowledge,  secure  computation  with  such  large  cir¬ 
cuits  has  never  been  run  in  the  malicious  model  before. 
These  circuits  include  256-bit  RSA  (266,150,119  gates) 
and  4095x4095-bit  edit  distance  (5,901,194,475).  As  the 
circuit  size  grows,  resource  management  becomes  cru¬ 
cial.  A  circuit  of  billions  of  gates  can  easily  result  in 
several  GB  of  data  stored  in  memory  or  sent  over  the 
network.  Special  care  is  required  to  handle  these  diffi¬ 
culties. 

Paper  Organization  The  organization  of  this  paper  is 
as  follows.  A  variety  of  security  decisions  and  optimiza¬ 
tion  techniques  will  be  covered  in  Section  3  and  Sec¬ 
tion  4,  respectively.  Then,  our  system,  including  a  com¬ 
piler,  will  be  introduced  in  Section  6  and  Section  5.  Fi¬ 
nally,  the  experimental  results  are  presented  in  Section  6 
followed  by  the  conclusion  and  future  work  in  Section  7. 

3  Techniques  Regarding  Security 

The  Yao  protocol,  while  efficient,  assumes  honest  behav¬ 
ior  from  both  parties.  To  achieve  security  in  the  mali¬ 
cious  model,  it  is  necessary  to  enforce  honest  behavior. 
The  cut-and-choose  technique  is  one  of  the  most  efficient 
methods  in  the  literature  and  is  used  in  our  system.  Its 
main  idea  is  for  the  generator  to  prepare  multiple  copies 
of  the  garbled  circuit  with  independent  randomness,  and 
the  evaluator  picks  a  random  fraction  of  the  received  cir¬ 
cuits,  whose  randomness  is  then  revealed.  If  any  of  the 
chosen  circuits  (called  check  circuits)  is  not  consistent 
with  the  revealed  randomness,  the  evaluator  aborts;  oth¬ 
erwise,  she  evaluates  the  remaining  circuits  (called  eval¬ 


uation  circuits )  and  takes  the  majority  of  the  outputs,  one 
from  each  evaluation  circuit,  as  the  final  output. 

The  intuition  is  that  to  pass  the  check,  a  malicious  gen¬ 
erator  can  only  sneak  in  a  few  faulty  circuits,  and  the 
influence  of  these  (supposedly  minority)  faulty  circuits 
will  be  eliminated  by  the  majority  operation  at  the  end. 
On  the  other  hand,  if  a  malicious  generator  wants  to  ma¬ 
nipulate  the  final  output,  she  needs  to  construct  faulty 
majority  among  evaluation  circuits,  but  then  the  chance 
that  none  of  the  faulty  circuits  is  checked  will  be  negli¬ 
gible.  So  with  the  help  of  the  cut-and-choose  method, 
a  malicious  generator  either  constructs  many  faulty  cir¬ 
cuits  and  gets  caught  with  high  probability,  or  constructs 
merely  a  few  and  has  no  influence  on  the  final  output. 

However,  the  cut-and-choose  technique  is  not  a  cure- 
all.  Several  subtle  attacks  have  been  reported  and  would 
be  a  problem  if  not  properly  handled.  These  attacks  in¬ 
clude  the  generator’s  input  inconsistency  attack,  the  se¬ 
lective  failure  attack,  and  the  generator’s  output  authen¬ 
ticity  attack,  which  are  discussed  in  the  following  sec¬ 
tions.  Note  that  in  this  section,  n  denotes  the  input  size 
and  denotes  the  number  of  copies  of  the  circuit. 

Generator’s  Input  Consistency  Recall  that  in  the  cut- 
and-choose  step,  multiple  copies  of  a  circuit  are  con¬ 
structed  and  then  evaluated.  A  malicious  generator 
is  therefore  capable  of  providing  altered  inputs  to  dif¬ 
ferent  evaluation  circuits.  It  has  been  shown  that  for 
some  functions,  there  are  simple  ways  for  the  gen¬ 
erator  to  extract  information  about  the  evaluator’s  in¬ 
put  [23].  For  example,  suppose  both  parties  agree 
to  compute  the  inner-product  of  their  input,  that  is, 
f([a2,ai,ao\,[b2,bi,bo\)  +  +  aobQ  where  a,- 

and  hj  is  the  generator’s  and  evaluator’s  f-th  input  bit, 
respectively.  Instead  of  providing  [a2,a\,af\  to  all  eval¬ 
uation  circuits,  the  generator  could  send  [1,0,0],  [0, 1,0], 
and  [0,0, 1]  to  different  copies  of  the  evaluation  circuits. 
After  the  majority  operation  from  the  cut-and-choose 
technique,  the  generator  learns  major(/>2,/?i  ,bf),  the  ma¬ 
jority  bit  in  the  evaluator’s  input,  which  is  not  what  the 
evaluator  agreed  to  reveal  in  the  first  place. 

There  exist  several  approaches  to  deter  this  attack. 
Mohassel  and  Franklin  [28]  proposed  the  equality- 
checker  that  needs  O (ns2)  commitments  to  be  computed 
and  exchanged.  Lindell  and  Pinkas  [23]  developed  an 
approach  that  also  requires  Oins2)  commitments.  Later, 
Lindell  and  Pinkas  [24]  proposed  a  pseudorandom  syn¬ 
thesizer  that  relies  on  efficient  zero-knowledge  proofs 
for  specific  hardness  assumptions  and  requires  0(ns) 
group  operations,  shelat  and  Shen  [33]  suggested  the 
use  of  malleable  claw-free  collections,  which  also  uses 
O  {ns)  group  operations,  but  they  showed  that  witness- 
indistinguishability  suffices,  which  is  more  efficient  than 
zero-knowledge  proofs  by  a  constant  factor. 
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In  our  system,  we  incorporate  the  malleable  claw-free 
collection  approach  because  of  its  efficiency.  Although 
the  commitment-based  approaches  can  be  implemented 
using  lightweight  primitives  such  as  collision-resistant 
hash  functions,  they  incur  high  communication  overhead 
for  the  extra  complexity  factor  s,  that  is,  the  number  of 
copies  of  the  circuit.  On  the  other  hand,  the  group-based 
approach  could  be  more  computationally  intensive,  but 
this  discrepancy  is  compensated  again  due  to  the  param¬ 
eter  ,v. 1  Hence,  with  similar  computation  cost,  group- 
based  approaches  enjoy  lower  communication  overhead. 

Selective  Failure  A  more  subtle  attack  is  selective  fail¬ 
ure  [19,28].  A  malicious  generator  could  use  inconsis¬ 
tent  keys  to  construct  the  garbled  gate  and  OT  so  that 
the  evaluator’s  input  can  be  inferred  from  whether  or  not 
the  protocol  completes.  In  particular,  a  cheating  genera¬ 
tor  could  assign  (Kq,Ki)  to  an  input  wire  in  the  garbled 
circuit  while  using  (K(t.  K\ )  instead  in  the  corresponding 
OT,  where  K\  f  K*.  As  a  result,  if  the  evaluator’s  input 
is  0,  she  learns  Kq  from  OT  and  completes  the  evalu¬ 
ation  without  complaints;  otherwise,  she  learns  K '*  and 
gets  stuck  during  the  evaluation.  If  the  protocol  expects 
the  evaluator  to  share  the  result  with  the  generator  at  the 
end,  the  generator  learns  whether  or  not  the  evaluation 
failed,  and  therefore,  the  evaluator’s  input  is  leaked. 

Lindell  and  Pinkas  [23]  proposed  the  random  input  re¬ 
placement  approach  that  involves  replacing  each  of  the 
evaluator’s  input  bits  with  an  XOR  of  s  additional  in¬ 
put  bits,  so  that  whether  the  evaluator  aborts  due  to  a  se¬ 
lective  failure  attack  is  almost  independent  (up  to  a  bias 
of  21-s)  of  her  actual  input  value.  Both  Kiraz  [18]  and 
shelat  and  Shen  [33]  suggested  a  solution  that  exploits 
committing  OTs  so  that  the  generator  commits  to  her  in¬ 
put  for  the  OT,  and  the  correctness  of  the  OTs  can  later 
be  checked  by  opening  the  commitments  during  the  cut- 
and-choose.  Lindell  and  Pinkas  [24]  also  proposed  a  so¬ 
lution  to  this  problem  using  cut-and-choose  OT,  which 
combines  the  OT  and  the  cut-and-choose  steps  into  one 
protocol  to  avoid  this  attack. 

Our  system  is  based  on  the  random  input  replacement 
approach  due  to  its  scalability.  It  is  a  fact  that  the  com¬ 
mitting  OT  or  the  cut-and-choose  OT  does  not  alter  the 
circuit  while  the  random  input  replacement  approach  in¬ 
flates  the  circuit  by  0(sn)  additional  gates.  However, 
it  has  been  shown  that  max(4n,8.s)  additional  gates  suf¬ 
fice  [31].  Moreover,  both  the  committing  OT  and  the  cut- 

1  To  give  concrete  numbers,  with  an  Intel  Core  i5  processor  and 
4GB  DDR3  memory,  a  SHA-256  operation  (from  OpenSSL)  requires 

1,746  cycles,  while  a  group  operation  (160-bit  elliptic  curve  from  the 
PBC  library  with  preprocessing)  needs  322,332  cycles.  It  is  worth- 
mentioning  that  s  is  at  least  256  in  order  to  achieve  security  level  2  80. 
The  gap  between  a  symmetric  operation  and  an  asymmetric  one  be¬ 
comes  even  smaller  when  modem  libraries  such  as  RELIC  are  used 
instead  of  PBC. 


and-choose  OT  require  0{ns)  group  operations,  while 
the  random  input  replacement  approach  needs  only  O(s) 
group  operations.  Furthermore,  we  observe  that  the  ran¬ 
dom  input  replacement  approach  is  in  fact  compatible 
with  the  OT  extension  technique.  Therefore,  we  were 
able  to  build  our  system  which  has  the  group  operation 
complexity  independent  of  the  evaluator’s  input  size,  and 
as  a  result,  our  system  is  particularly  attractive  when  han¬ 
dling  a  circuit  with  a  large  evaluator  input. 

Generator’s  Output  Authenticity  It  is  not  uncommon 
that  both  the  generator  and  evaluator  receive  outputs 
from  a  secure  computation,  that  is,  the  goal  function  is 
f(x,y)  =  (/]  5/2),  where  the  generator  with  input  x  gets 
output  /1,  and  the  evaluator  with  input  y  gets  /2.2  In 
this  case,  the  security  requires  that  both  the  input  and 
output  are  hidden  from  each  other.  In  the  semi-honest 
setting,  the  straightforward  solution  is  to  let  the  gener¬ 
ator  choose  a  random  number  c  as  an  extra  input,  con¬ 
vert  f(x,y)  =  (/i,/2)  into  a  new  function  f*((x,c),y)  = 
(A,  (/1  ®c,/2)),  run  the  original  Yao  protocol  for/*,  and 
instruct  the  evaluator  to  pass  the  encrypted  output  f\  ©  c 
back  to  the  generator,  who  can  then  retrieve  her  real  out¬ 
put  f\  with  the  secret  input  c  chosen  in  the  first  place. 
However,  the  situation  gets  complicated  when  either  of 
the  participants  could  potentially  be  malicious.  In  partic¬ 
ular,  a  malicious  evaluator  might  claim  an  arbitrary  value 
to  be  the  generator’s  output  coming  from  the  circuit  eval¬ 
uation.  Note  that  the  two-output  protocols  we  consider 
are  not  fair  since  the  evaluator  always  learns  her  own  out¬ 
put  and  may  refuse  to  send  the  generator’s  output.  How¬ 
ever,  they  can  satisfy  the  notion  that  the  evaluator  cannot 
trick  the  generator  into  accepting  arbitrary  output. 

Many  approaches  have  been  proposed  to  ensure  the 
generator’s  output  authenticity.  Lindell  and  Pinkas  [23] 
proposed  a  solution  similar  to  the  aforementioned  so¬ 
lution  in  the  semi-honest  setting,  where  the  goal  func¬ 
tion  is  modified  to  compute  f\  ©  c  and  its  MAC  so  that 
the  generator  can  verify  the  authenticity  of  her  output. 
This  approach  incurs  a  cost  of  adding  0{n2)  gates  to 
the  circuit.  Kiraz  [18]  presented  a  two-party  computa¬ 
tion  protocol  in  which  a  zero  knowledge  proof  of  size 
O(s)  is  conducted  at  the  end.  shelat  and  Shen  [33]  sug¬ 
gested  a  signature-based  solution  which,  similar  to  Ki- 
raz’s,  adds  n  gates  to  the  circuit,  and  requires  a  proof  of 
size  0(s  +  n)  at  the  end.  However,  they  observed  that 
witness-indistinguishable  proofs  are  sufficient. 

Lindell  and  Pinkas’  approach,  albeit  straightforward, 
might  introduce  greater  communication  overhead  than 
the  description  function  itself.  We  therefore  employ  the 
approach  that  takes  the  advantages  of  the  remaining  two 
solutions.  In  particular,  we  implement  Kiraz’s  approach 

-Here  f\  and  />  are  short  for  f\ (x,y)  and  fi  ix.  y)  for  simplicity. 
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(smaller  proof  size),  but  only  a  witness-indistinguishable 
proof  is  performed  (weaker  security  property). 

4  Techniques  Regarding  Performance 

Yao’s  garbled  circuit  technique  has  been  studied  for 
decades.  It  has  drawn  significant  attention  for  its  sim¬ 
plicity,  constant  round  complexity,  and  computational  ef¬ 
ficiency  (since  circuit  evaluation  only  requires  fast  sym¬ 
metric  operations).  The  fact  that  it  incurs  high  communi¬ 
cation  overhead  has  provoked  interest  that  has  led  to  the 
development  of  fruitful  results. 

In  this  section,  we  will  first  briefly  present  the  Yao 
garbled  circuit,  and  then  discuss  the  optimization  tech¬ 
niques  that  greatly  reduce  the  communication  cost  while 
maintaining  the  security.  These  techniques  include  free- 
XOR,  garbled  row  reduction,  random  seed  checking,  and 
large  circuit  pre-processing.  In  addition  to  these  original 
ideas,  practical  concerns  involving  large  circuits  and  par¬ 
allelization  will  be  addressed. 

4.1  Baseline  Yao’s  Garbled  Circuit 

Given  a  circuit  that  consists  of  2-fan-in  boolean  gates, 
the  generator  constructs  a  garbled  version  as  follows:  for 
each  wire  w,  the  generator  picks  a  random  permutation 
bit  nw  £  {0,1}  and  two  random  keys  wo,wi  £  {0,  l}*-1. 
Let  Wo  =  wo 1 1 ttw  and  Wx  =  WilK^©  1),  which  are  as¬ 
sociated  with  bit  value  0  and  1  of  wire  w,  respectively. 
Next,  for  gate  g  £  {f\f  :  {0, 1}  x  {0,1}  >->.  {0, 1}}  that 
has  input  wire  x  with  (Xo,X| ,  nx),  input  wire  y  with 
(Yo,Y\,7ty),  and  output  wire  z  with  (Zo,Z\,n:),  the  gar¬ 
bled  truth  table  for  g  has  four  entries: 

fEnc  (Yo®^.  1 1  Yo&Ky ,  ) 

Enc(Yo®jrA. | \Y\®Xy,  Zg(o®Kx,\®ny)) 
Enc(Xi®!rx  11*0®% )  Zg( i® ^,0®%) ) 
Enc(Yie^r  1 1 Y\m7ly ,  Zg{ i®7rv,i®7Tv) ) • 

Enc  (K,m)  denotes  the  encryption  of  message  m  under 
key  K.  Here  the  encryption  key  is  a  concatenation  of  two 
labels,  and  each  label  is  a  random  key  concatenated  with 
its  permutation  bit.  Intuitively,  nx  and  ny  permute  the 
entries  in  GTTg  so  that  for  ix ,  iy  £  {0, 1 },  the  (2 ix  +  iv)-th 
entry  represents  the  input  pair  (ix  ©  nx ,  iy  ©  ny)  for  gate  g, 
in  which  case  the  label  associated  with  the  output  value 
g(ix  ©  Kx.  iy  ©  Tty)  could  be  retrieved.  More  specifically, 
to  evaluate  the  garbled  gate  GTTg,  suppose  X  \  \ bx  and 
Y\\by  are  the  retrieved  labels  for  input  wire  x  and  wire 
y,  respectively,  the  evaluator  will  use  X||&T||F||&V  to  de¬ 
crypt  the  (2 bx  +  by)- th  entry  in  GTTg  and  retrieve  label 
Z\ \bz,  which  is  then  used  to  evaluate  the  gates  at  the  next 
level.  The  introduction  of  the  permutation  bit  helps  to 
identify  the  correct  entry  in  GTTg,  and  thus,  only  one, 
rather  than  all,  of  the  four  entries  will  be  decrypted. 


4.2  Free-XOR 

Kolesnikov  and  Schneider  [20]  proposed  the  free-XOR 
technique  that  aims  for  removing  the  communication 
cost  and  decreasing  the  computation  cost  for  XOR  gates. 

The  idea  is  that  the  generator  first  randomly  picks  a 
global  key  R,  where  R  =  r||l  and  r  £  {0,  1}*_1.  This 
global  key  has  to  be  hidden  from  the  evaluator.  Then 
for  each  wire  w,  instead  of  picking  both  Wo  and  Wi  at 
random,  only  one  is  randomly  chosen  from  {0, 1}*,  and 
the  other  is  determined  by  W/,  =  W\  yk  ©  R.  Note  that 
nw  remains  the  rightmost  bit  of  Wo.  For  an  XOR  gate 
having  input  wire  x  with  (Xo,Xo  ©  R,  nx),  input  wire  y 
with  (TojLo  ©/?,  ny),  and  output  wire  z,  the  generator  lets 
Zo  =  Xo  ©  To  and  Z\  =Zq(BR.  Observe  that 

Xo  ©  Y\  =Xi®Yq=X0®Yq®R  =  Zo®R  =  Zi 
X\  ©  Y\  =Xo®R®Yo®R  =  X0®Yo=Zo. 

This  means  that  while  evaluating  an  XOR  gate,  XORing 
the  labels  for  the  two  input  wires  will  directly  retrieve 
the  label  for  the  output  wire.  So  no  garbled  truth  table 
is  needed,  and  the  cost  of  evaluating  an  XOR  gate  is  re¬ 
duced  from  a  decryption  operation  to  a  bitwise  XOR. 

This  technique  is  only  secure  when  the  encryption 
scheme  satisfies  certain  security  properties.  The  solution 
provided  by  the  authors  is 

Enc(X||F,K)  =H(X\\Y)@Z, 

where  H  :  {0, 1  }2Ar  i— »•  {0,1  }k  is  a  random  oracle.  Re¬ 
cently,  Choi  et  al.  [6]  have  further  shown  that  it  is 
sufficient  to  instantiate  //(•)  with  a  weaker  crypto¬ 
graphic  primitive,  2-circular  correlation  robust  func¬ 
tions.  Our  system  instantiates  this  primitive  with 
H(X\\Y)  =  SHA-256(X||F).  However,  when  AES-NI 
instructions  are  available,  our  system  instantiates  it  with 
Hk(X\\Y)  =  AES-256 (X | \Y,k),  where  k is  the  gate  index. 

4.3  Garbled  Row  Reduction 

The  GRR  (Garbled  Row  Reduction)  technique  suggested 
by  Pinkas  et.  al  [31]  is  used  to  reduce  the  communication 
overhead  for  non-XOR  gates.  In  particular,  it  reduces  the 
size  of  the  garbled  truth  table  for  2-fan-in  gates  by  25%. 

Recall  that  in  the  baseline  Yao’s  garbled  circuit,  both 
the  0-key  and  1-key  for  each  wire  are  randomly  chosen. 
After  the  free-XOR  technique  is  integrated,  the  0-key  and 
1-key  for  an  XOR  gate’s  output  wire  depend  on  input  key 
and  R,  but  the  0-key  for  a  non-XOR  gate’s  output  wire  is 
still  free.  The  GRR  technique  is  to  make  a  smart  choice 
for  this  degree  of  freedom,  and  thus,  reduce  one  entry  in 
the  garbled  truth  table  to  be  communicated  over  network. 

In  particular,  the  generator  picks  (Zo,Z] .  nz)  by  letting 
zg(0mxfl®7iy)  =  f?(X0®^|| F0e%),  that  is,  either  Z0  or  Zx 
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is  assigned  to  the  encryption  mask  for  the  0-th  entry  of 
the  GTTg,  and  the  other  one  is  computed  by  the  equa¬ 
tion  Zb  =  Z\  q/b  CD  R.  Therefore,  when  the  evaluator  gets 
(X0  Xx,Y0  „y),  both  X0  Kx  and  Y0  Ky  have  rightmost  bit 
0,  indicating  that  the  0-th  entry  needs  to  be  decrypted. 
However,  with  GRR  technique,  she  is  able  to  retrieve 
zg(0®7r,,0®^)  by  running  //(•)  without  inquiring  GTTg. 

Pinkas  et  al.  claimed  that  this  technique  is  compatible 
with  the  free-XOR  technique  [31],  For  rigorousness  pur¬ 
poses,  we  carefully  went  through  the  details  and  came 
up  with  a  security  proof  for  our  protocol  that  confirms 
this  compatibility.  The  proof  will  be  included  in  the  full 
version  of  this  paper. 

4.4  Random  Seed  Checking 

Recall  that  the  cut-and-choose  approach  requires  the 
generator  to  construct  multiple  copies  of  the  garbled  cir¬ 
cuit,  and  more  than  half  of  these  garbled  circuits  will 
be  fully  revealed,  including  the  randomness  used  to  con¬ 
struct  the  circuit.  Goyal,  Mohassel,  and  Smith  [11]  there¬ 
fore  pointed  out  an  insight  that  the  evaluator  could  exam¬ 
ine  the  correctness  of  those  check  circuits  by  receiving 
a  hash  of  the  garbled  circuit  first,  acquiring  the  random 
seed,  and  reconstructing  the  circuit  and  hash  by  herself. 

This  technique  results  in  the  communication  overhead 
for  check  circuits  independent  of  the  circuit  size.  This 
technique  has  two  phases  that  straddle  the  coin-flipping 
protocol.  Before  the  coin  flipping,  the  generator  con¬ 
structs  multiple  copies  of  the  circuit  as  instructed  by  the 
cut-and-choose  procedure.  Then  the  generator  sends  to 
the  evaluator  the  hash  of  each  garbled  circuit,  rather  than 
the  circuit  itself.  After  the  coin  flipping,  when  the  eval¬ 
uation  circuits  and  the  check  circuits  are  determined,  the 
generator  sends  to  the  evaluator  the  full  description  of 
the  evaluation  circuits  and  the  random  seed  for  the  check 
circuits.  The  evaluator  then  computes  the  evaluation  cir¬ 
cuits  and  tests  the  check  circuits  by  reconstructing  the 
circuit  and  comparing  its  hash  with  the  one  received  ear¬ 
lier.  As  a  result,  even  for  large  circuits,  the  communi¬ 
cation  cost  for  each  check  circuit  is  simply  a  hash  value 
plus  the  random  seed.  Our  system  provides  that  60%  of 
the  garbled  circuits  are  check  circuits.  As  a  result,  this 
optimization  significantly  reduces  communication  over¬ 
head. 

4.5  Working  with  Large  Circuits 

A  circuit  for  a  reasonably  complicated  operation  can  eas¬ 
ily  consist  of  hundreds  of  millions  of  gates.  For  example, 
a  1023-bit  edit  distance  circuit  has  309,454,016  gates. 
When  circuits  grow  to  such  a  size,  the  task  of  achieving 
high  performance  secure  computation  becomes  challeng¬ 
ing. 


An  (7  +  2C)-time  solution  Our  solution  for  handling 
large  circuits  is  based  on  Huang  et.  al’s  work  [13],  which 
is  the  only  prior  work  capable  of  handling  large  circuits 
(of  up  to  1.2  billion  non-XOR  gates)  in  the  semi-honest 
setting.  Intuitively,  the  generator  could  work  with  the 
evaluator  in  a  pipeline  manner  so  that  small  chunks  of 
gates  are  being  processed  at  a  time.  The  generator  could 
start  to  work  on  the  next  chunk  while  the  evaluator  is  still 
processing  the  current  one.  However,  this  technique  does 
not  work  directly  with  the  random  seed  checking  tech¬ 
nique  described  above  in  §4.4  because  the  generator  has 
to  finish  circuit  construction  and  hash  calculation  before 
the  coin  flipping,  but  the  evaluator  could  start  the  evalua¬ 
tion  only  after  the  coin  flipping.  As  a  result,  the  generator 
needs  a  way  to  construct  the  circuit  first,  wait  for  the  coin 
flipping,  and  send  the  evaluation  circuits  to  the  evaluator 
without  keeping  them  in  memory  the  whole  time.  We 
therefore  propose  that  the  generator  constructs  the  eval¬ 
uation  circuits  all  over  again  after  the  coin  flipping,  with 
the  same  random  seed  used  before  and  the  same  keys  for 
input  wires  gotten  from  OT. 

We  stress  that  when  fully  parallelized,  the  second  con¬ 
struction  of  an  evaluation  circuit  does  not  incur  overhead 
to  the  overall  execution  time.  Although  we  suggest  to 
construct  an  evaluation  circuit  twice,  the  fact  is  that  ac¬ 
cording  to  the  random  seed  checking,  a  check  circuit  is 
already  being  constructed  twice — once  before  the  coin 
flipping  by  the  generator  for  hash  computation  and  once 
after  by  the  evaluator  for  correctness  verification.  As  a 
result,  when  each  generator-evaluator  pair  is  working  on 
a  single  copy  of  the  garbled  circuit,  the  constructing  time 
for  a  evaluation  circuit  totally  overlaps  with  that  for  a 
check  circuit.  We  therefore  achieve  the  overall  computa¬ 
tion  time  7+2C  mentioned  earlier,  where  the  first  C  is  for 
the  generator  to  calculate  the  circuit  hash,  and  the  other 
C  is  either  for  the  evaluator  to  reconstruct  a  check  circuit 
or  for  both  parties  to  work  on  an  evaluation  circuit  in  a 
pipeline  manner  as  suggested  by  Huang  et.  al  [13], 

Achieving  an  (7  +  C)-time  solution  We  observe  that 
there  is  a  way  to  achieve  7  +  C  computation  time,  which 
exactly  matches  the  running  time  of  Yao  in  the  semi- 
honest  setting.  This  idea,  however,  is  not  compatible 
with  the  random-seed  technique,  and  therefore  repre¬ 
sents  a  trade-off  between  communication  and  computa¬ 
tion.  Recall  that  the  generator  has  to  finish  circuit  con¬ 
struction  and  hash  evaluation  before  beginning  coin  flip¬ 
ping,  whereas  the  evaluator  can  start  evaluating  only  af¬ 
ter  receiving  the  coin  flipping  results.  The  idea  is  to  run 
the  coin  flipping  in  the  way  that  only  the  evaluator  gets 
the  result  and  does  not  reveal  it  to  the  generator  until  the 
circuit  construction  is  completed.  Since  the  generator 
is  oblivious  to  the  coin  flipping  result,  she  sends  every 
garbled  circuit  to  the  evaluator,  who  could  then  either 
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evaluate  or  check  the  received  circuit.  In  order  for  the 
evaluator  to  get  the  generator’s  input  keys  for  evaluation 
circuits  and  the  random  seed  for  the  check  circuits,  they 
run  an  OT,  where  the  evaluator  uses  the  coin  flipping  re¬ 
sult  as  input  and  the  generator  provides  either  the  ran¬ 
dom  seed  (for  the  check  circuit)  or  his  input  keys  (for  the 
evaluation  circuit).  After  the  generator  completes  circuit 
construction  and  reveals  the  circuit  hash,  the  evaluator 
compares  the  hash  with  her  own  calculation,  if  the  hashes 
match,  she  proceeds  with  the  rest  of  the  original  protocol. 
Note  that  this  approach  comes  at  the  cost  of  sacrificing 
the  random  seed  checking  technique  and  its  60%  savings 
in  communication. 


Working  Set  Optimization  Another  problem  encoun¬ 
tered  while  dealing  with  large  circuits  is  the  working 
set  minimization  problem.  Note  that  the  circuit  value 
problem  is  log-space  complete  for  P.  It  is  suspected  that 
L  ^  P,  that  is,  there  exist  some  circuits  that  can  be  eval¬ 
uated  in  polynomial  time  but  require  more  than  logarith¬ 
mic  space.  This  open  problem  captures  the  difficulty  of 
handling  large  circuits  during  both  the  construction  and 
evaluation,  where  at  any  moment  there  is  a  set  of  wires, 
called  the  working  set ,  that  are  available  and  will  be  ref¬ 
erenced  in  the  future.  For  some  circuits,  the  working  set 
is  inherently  super-logarithmic.  A  naive  approach  is  to 
keep  the  most  recent  D  wires  in  the  working  set,  where 
D  is  the  upper  bound  of  the  input-output  distance  of  all 
gates.  However,  there  may  be  wires  which  are  used  as 
inputs  to  gates  throughout  the  entire  circuit,  and  so  this 
technique  could  easily  result  in  adding  almost  the  whole 
circuit  to  the  working  set,  which  is  especially  problem¬ 
atic  when  there  are  hundreds  of  copies  of  a  circuit  of 
billions  of  gates.  While  reordering  the  circuit  or  adding 
identity  gates  to  minimize  D  would  mitigate  this  prob¬ 
lem,  doing  so  while  maintaining  the  topological  order  of 
the  circuit  is  known  to  be  an  NP-complete  problem,  the 
graph  bandwidth  problem  [9]. 

Our  solution  to  this  difficulty  is  to  pre-process  the  cir¬ 
cuit  so  that  each  gate  comes  with  a  usage  count.  Our 
system  has  a  compiler  that  converts  a  program  in  high- 
level  language  into  a  boolean  circuit.  Since  the  compiler 
is  already  using  global  optimization  in  order  to  reduce 
the  circuit  size,  it  is  easy  for  the  global  optimizer  to  an¬ 
alyze  the  circuit  and  calculate  the  usage  count  for  each 
gate.  With  this  information,  it  is  easy  for  the  genera¬ 
tor  and  evaluator  to  decrement  the  counter  for  each  gate 
whenever  it  is  being  referenced  and  to  toss  away  the  gate 
whenever  its  counter  becomes  zero.  In  other  words,  we 
keep  track  of  merely  useful  information  and  heuristically 
minimize  the  size  of  the  working  set,  which  is  small  com¬ 
pared  with  the  originial  circuit  size  as  shown  in  Table  1. 


AES  Dot®4  RSA-32  EDT-255 

circuit  size  49,912  460,018  1,750,787  15,540,196 

wrk  set  size  323  711  235  2,829 

Table  1 :  The  size  of  the  working  set  for  various  circuits 

5  Boolean  Circuit  Compiler 

Although  the  Fairplay  circuit  compiler  can  generate  cir¬ 
cuits,  it  requires  a  very  large  amount  of  computational 
resources  to  generate  even  relatively  small  circuits.  Even 
on  a  machine  with  48  gigabytes  of  RAM,  Fairplay  ter¬ 
minates  with  an  out-of-memory  error  after  spending  20 
minutes  attempting  to  compile  an  AES  circuit.  This 
makes  Fairplay  impractical  for  even  relatively  small  cir¬ 
cuits,  and  infeasible  for  some  of  the  circuits  tested  in  this 
project.  One  goal  of  this  project  was  to  have  a  general 
purpose  system  for  secure  computation,  and  so  writing 
application  specific  programs  to  generate  circuits,  a  tech¬ 
nique  used  by  others  [13],  was  not  an  option. 

To  address  this  problem,  we  have  implemented  a  new 
compiler  that  generates  a  more  efficient  output  format 
than  Fairplay,  and  which  requires  far  lower  computa¬ 
tional  resources  to  compile  circuits.  We  were  able  to 
generate  the  AES  circuit  in  only  a  few  seconds  on  a  typi¬ 
cal  desktop  computer  with  only  8GB  of  RAM,  and  were 
able  to  generate  and  test  much  larger  non-trivial  circuits. 
We  used  the  well-known  flex  and  bison  tools  to  generate 
our  compiler,  and  implemented  an  optimizer  as  a  sepa¬ 
rate  tool.  We  also  use  the  results  from  [31]  to  reduce  3 
arity  gates  to  2  arity  gates. 

As  a  design  decision,  we  created  an  imperative,  un¬ 
typed  language  with  static  scoping.  We  allow  code,  vari¬ 
ables,  and  input/output  statements  to  exist  in  the  global 
scope;  this  allows  very  simple  programs  to  be  written 
without  too  much  extra  syntax.  Functions  may  be  de¬ 
clared,  but  may  not  be  recursive.  Variables  do  not  need  to 
be  declared  before  being  used  in  an  unconditional  assign¬ 
ment;  variables  assigned  within  a  function’s  body  that  are 
not  declared  in  the  global  scope  are  considered  to  be  lo¬ 
cal.  Arrays  are  a  language  feature,  but  array  indices  must 
be  constants  or  must  be  determined  at  compile  time.  If 
run-time  determined  indices  are  required  for  a  function, 
a  loop  that  selects  the  correct  index  may  be  used;  this  is 
necessary  for  oblivious  evaluation.  Variables  may  be  ar¬ 
bitrarily  concatenated,  and  bits  or  groups  of  bits  may  be 
selected  from  any  variable  and  bits  or  ranges  of  bits  may 
be  assigned  to;  as  with  arrays,  the  index  of  a  bit  must  be 
determined  at  compile  time,  or  else  a  loop  must  be  used. 
Note  that  loop  variables  may  be  used  as  such  an  index, 
since  loops  are  always  completely  unrolled,  and  there¬ 
fore  the  loop  index  can  always  be  resolved  at  compile 
time.  Additional  language  features  are  planned  as  future 
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work. 

We  use  some  techniques  from  the  Fairplay  compiler 
in  our  own  compiler.  In  particular  we  use  the  single  as¬ 
signment  algorithm  from  Fairplay,  which  is  required  to 
deal  with  assignments  that  occur  inside  of  if  statements. 
Otherwise,  our  compiler  has  several  distinguishing  char¬ 
acteristics  that  make  it  more  resource  efficient  than  Fair¬ 
play.  The  front  end  of  our  compiler  attempts  to  gener¬ 
ate  circuits  as  quickly  as  possible,  using  as  little  memory 
as  possible  and  performing  only  rudimentary  optimiza¬ 
tions  before  emitting  its  output.  This  can  be  done  with 
very  modest  computational  resources,  and  the  intermedi¬ 
ate  output  can  easily  be  translated  into  a  circuit  for  evalu¬ 
ation.  The  main  optimizations  are  performed  by  the  back 
end  of  the  compiler,  which  identifies  gates  that  can  be 
removed  without  affecting  the  output  of  the  circuit  as  a 
whole. 

Unlike  the  Fairplay  compiler,  we  avoided  the  use  of 
hash  tables  in  our  compiler,  using  more  memory-efficient 
storage.  Our  system  can  use  one  of  three  storage  strate¬ 
gies:  memory-mapped  files,  flat  files  without  any  map¬ 
ping,  and  Berkeley  DB.  In  our  tests,  we  found  that  mem¬ 
ory  mapped  files  always  resulted  in  the  highest  perfor¬ 
mance,  but  that  Berkeley  DB  is  only  sometimes  better 
than  direct  access  without  any  mapping. 

In  the  following  sections,  we  describe  these  contribu¬ 
tions  in  more  detail,  and  provide  experimental  results. 

5.1  Circuit  Optimizations 

The  front-end  of  our  compiler  tends  to  generate  ineffi¬ 
cient  circuits,  with  large  numbers  of  unnecessary  gates. 
As  an  example,  for  some  operations  the  compiler  gener¬ 
ates  large  numbers  of  identity  gates  i.e.  gates  whose  out¬ 
puts  follow  one  of  their  inputs.  It  is  therefore  essential 
to  optimize  the  circuits  emitted  by  the  front  end,  particu¬ 
larly  to  meet  our  system’s  overall  goal  of  practicality. 

Our  compiler  uses  several  stages  of  optimization,  most 
of  which  are  global.  As  a  first  step,  a  local  optimiza¬ 
tion  removes  redundant  gates,  i.e.  gates  that  have  the 
same  truth  table  and  input  wires.  This  first  step  operates 
on  a  fixed-size  chunk  of  the  circuit,  but  we  have  found 
that  there  are  diminishing  improvements  as  the  size  of 
this  window  is  increased.  We  also  remove  constant  gates, 
identity  gates,  and  inverters,  which  are  generated  by  the 
compiler  and  which  may  be  inadvertently  generated  dur¬ 
ing  the  optimization  process.  Finally,  we  remove  gates 
that  do  not  influence  the  output,  which  can  be  thought 
of  as  dead  code  elimination.  The  effectiveness  of  each 
optimization  on  different  circuits  is  shown  in  Figure  1. 
The  circuit  that  was  least  optimizable  was  the  edit  dis¬ 
tance  circuit,  being  reduced  to  only  82%  of  its  size  from 
the  front  end,  whereas  the  RSA  signing  and  the  dot  prod¬ 
uct  circuits  were  the  most  optimizable,  being  reduced  to 


roughly  half  of  the  gates  emitted  by  the  front  end. 

Gate  Removal  The  front-end  of  the  compiler  emits 
gates  in  topological  order,  and  similar  to  Fairplay,  our 
compiler  assigns  explicit  identifiers  to  each  emitted  gate. 
To  remove  gates  efficiently,  we  store  a  table  that  maps 
the  identifiers  of  gates  that  were  removed  to  the  previ¬ 
ously  emitted  gates,  and  for  each  gate  that  is  scanned 
the  inputs  are  rewritten  according  to  this  table.  The  ta¬ 
ble  itself  is  then  emitted,  so  that  the  identifiers  of  non- 
removed  gates  can  be  corrected.  This  mapping  process 
can  be  done  in  linear  time  and  space  using  an  appropriate 
key-value  store. 

Removing  Redundant  Gates  Some  of  the  gates  gen¬ 
erated  by  the  front  end  of  our  compiler  have  the  same 
truth  table  and  input  wires  as  previously  generated  gates; 
such  gates  are  redundant  and  can  be  removed.  This  re¬ 
moval  process  has  the  highest  memory  requirement  of 
any  other  optimization  step,  since  a  description  of  ev¬ 
ery  non-redundant  gate  must  be  stored.  However,  we 
found  during  our  experiments  that  this  optimization  can 
be  performed  on  discrete  chunks  of  the  circuit  with  re¬ 
sults  that  are  very  close  to  performing  the  optimization 
on  the  full  circuit,  and  that  there  are  diminishing  im¬ 
provements  in  effectiveness  as  the  size  of  the  chunks  is 
increased.  Therefore,  we  perform  this  optimization  us¬ 
ing  chunks,  and  can  use  hash  tables  to  improve  the  speed 
of  this  step. 

Removing  Identity  Gates  and  Inverters  The  front 
end  may  generate  identity  gates  or  inverters,  which  are 
not  necessary.  This  may  happen  inadvertently,  such  as 
when  a  variable  is  incremented  by  a  constant,  or  as  part 
of  the  generation  of  a  particular  logic  expression.  While 
removing  identity  gates  is  straightforward,  the  removal 
of  inverters  requires  more  work,  as  gates  which  have  in¬ 
verted  input  wires  must  have  their  truth  tables  rewritten. 
There  is  a  cascading  effect  in  this  process;  the  removal  of 
some  identity  gates  or  inverters  may  transform  later  gates 
into  identity  gates  or  inverters.  This  step  also  removes 
gates  with  constant  outputs,  such  as  an  XOR  gate  with 
two  identical  inputs.  Constant  propagation  and  folding 
occur  as  a  side  effect  of  this  optimization. 

Removing  Unused  Gates  Finally,  some  gates  in  the 
circuit  may  not  affect  the  output  value  at  all.  For  this 
step,  we  scan  the  circuit  backwards,  and  store  a  table  of 
live  gates;  we  then  re-emit  the  live  gates  in  the  circuit 
and  skip  the  dead  gates.  Immediately  following  this  step, 
the  circuit  is  prepared  for  the  garbled  circuit  generator, 
which  includes  generating  a  usage  count  for  each  gate. 
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Effectiveness  of  Optimizations 


RSA  Dot  Product  Edit  Distance  AES  AES  w/  better  Sbox 

Circuit 


[  Front  End 

Redundant  Gate  Removal 
» Identity  Gate  Removal 
■  Unused  Gate  Removal 


Figure  1 :  Average  fraction  of  circuits  remaining  after  each  optimization  is  applied  in  sequence.  We  see  that  the  relative 
change  in  circuit  sizes  after  each  optimization  is  dependent  on  the  circuit  itself,  with  some  circuits  being  optimized 
more  than  others. 


Circuit 

DB  (s) 

mmap  (s) 

flat  (s) 

7200RPM  Spinning  Disk  (ext4-fs) 

AES 

4.3  ±0.5% 

1.05  ±1% 

3.48  ±0.3% 

RSA-32 

103  ±0.3% 

24.6  ±0.2% 

78.4  ±0.3% 

Dotf 

32.56±0.1% 

7.1  ±0.3% 

28.37  ±0.1% 

EDT-255 

975  ±0.1% 

240  ±1% 

700  ±0.9% 

Solid-State  Drive 

AES 

3.62±0.3% 

0.86  ±1% 

3. 17  ±0.6% 

RSA-32 

96.5  ±0.2% 

21. 6  ±0.4% 

68.3  ±0.3% 

Dotf 

30.5  ±0.5% 

6.27  ±1% 

25.9  ±0.2% 

EDT-255 

907  ±0.1% 

200  ±0.4% 

590  ±1% 

Amazon  EC2 

AES 

5.56  ±4% 

1.12±0% 

7.11  ±0.3% 

RSA-32 

208  ±0.4% 

45.7  ±3% 

240  ±0.1% 

Dotf4 

46.3  ±0.1% 

9.2  ±0.2% 

60.7  ±  0.2% 

EDT-255 

2500  ±1% 

405  ±0.2% 

2050  ±0.2% 

Circuit  Sizes 

AES 

RSA-32 

Dotf 

EDT-255 

49,912 

1,750,787 

460,018 

15,540,196 

Table  2:  Compile  times  for  different  storage  systems  for 
small  circuits  (sizes  include  input  gates),  using  differ¬ 
ent  storage  media.  Results  are  averaged  over  30  experi¬ 
ments,  with  95%  confidence  intervals.  On  EC2,  a  high- 
memory  quadruple  extra  large  instance  was  used. 


Key- Value  Stores  Unfortunately,  even  though  our 
compiler  is  more  resource  efficient  than  Fairplay,  it  still 
requires  space  that  is  linear  in  the  size  of  the  circuit.  For 
very  large  circuits,  circuits  with  billions  of  gates  or  more, 
this  may  exceed  the  amount  of  RAM  that  is  available. 
Our  compiler  can  make  use  of  a  computer’s  hard  drive  to 
store  intermediate  representations  of  circuits  and  infor¬ 
mation  about  how  to  remove  gates  from  the  circuit.  We 
used  memory-mapped  I/O  to  reduce  the  impact  this  has 
on  performance;  however,  our  use  of  minap  and /truncate 
is  not  portable,  and  so  our  system  also  supports  using  an 
unmapped  file  or  Berkeley  DB.  Our  tests  revealed  that, 
as  expected,  memory-mapped  I/O  achieves  the  highest 
performance,  but  that  Berkeley  DB  is  sometimes  better 
than  unmapped  files  on  high-latency  filesystems.  A  sum¬ 
mary  of  the  performance  of  each  method  on  a  variety  of 
storage  systems  is  shown  in  Table  2. 

Using  the  hard  drive  in  this  manner,  we  were  able 
to  compile  our  largest  circuits.  The  performance  im¬ 
pact  of  writing  to  disk  should  not  be  understated;  a 
several-billion-gate  edit  distance  4095x4095  circuit  re¬ 
quired  more  than  3  days  to  compile  on  an  Amazon  EC2 
high-memory  image,  with  68  GB  of  RAM,  one  third  of 
which  was  spent  waiting  on  I/O.  Note,  however,  that  this 
is  a  one-time  cost;  a  compiled  circuit  can  be  used  in  un¬ 
limited  evaluations  of  a  secure  computation  protocol. 

5.2  Compiler  Testing  Methodology 

We  tested  the  performance  of  our  compiler  using  five  cir¬ 
cuits.  The  first  was  AES,  to  compare  our  compiler  with 
the  Fairplay  system.  We  also  used  AES  with  the  com¬ 
pact  S-Box  description  given  by  Boyar  and  Parelta  [3], 
which  results  in  a  smaller  AES  circuit.  We  used  an  RSA 
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RSA  Size 

Circuit  Size 

Compile  Time  (s) 

Gates/s 

Edit-Dist  Size 

Circuit  Size 

Compile  Time  (s) 

Gates/s 

16 

208,499 

2.6  ±7  % 

80,000 

31x31 

144,277 

1.70  ±0.7% 

84,900 

32 

1,750,787 

21.63=0.4% 

81,100 

63x63 

717,233 

8.56  ±0.7% 

83,800 

64 

14,341,667 

189  ±0.3% 

75,900 

127x127 

3,389,812 

41.7±0.5% 

81,300 

128 

116,083,983 

1810  ±0.3% 

64,100 

255x255 

15,540,196 

200  ±0.4% 

77,700 

Table  3:  Time  required  to  compile  and  optimize  RSA  and  edit  distance  circuits  on  a  workstation  with  an  Intel  Xeon 
5506  CPU,  8GB  of  RAM  and  a  160GB  SSD,  using  the  textbook  modular  exponentiation  algorithm.  Note  that  the 
throughput  for  edit  distance  is  higher  even  for  comparably  sized  circuits;  this  is  because  the  front  end  generates  a  more 
efficient  circuit  without  any  optimization.  Compile  times  are  averaged  over  30  experiments,  with  95%  confidence 
intervals  reported. 


signing  circuit  with  various  toy  key  sizes,  up  to  128  bits, 
to  test  our  compiler’s  handling  of  large  circuits;  RSA  cir¬ 
cuits  have  cubic  size  complexity,  allowing  us  to  generate 
very  large  circuits  with  small  inputs.  We  also  used  an  edit 
distance  circuit,  which  was  the  largest  test  case  used  by 
Huang  et  al.  [13];  unlike  the  other  test  circuits,  there  is  no 
multiplication  routine  in  the  inner  loop  of  this  function. 
Finally  we  used  a  dot  product  with  error,  a  basic  sam¬ 
pling  function  for  the  LWE  problem,  which  is  similar  to 
RSA  in  creating  large  circuits,  but  also  demonstrates  our 
system’s  ability  to  handle  large  input  sizes. 

After  compiling  these  circuits,  we  tested  the  correct¬ 
ness  by  first  performing  a  direct,  offline  evaluation  of  the 
circuit,  and  comparing  the  output  to  a  non-circuit  imlpe- 
mentation.  We  then  compared  the  output  of  an  online 
evaluation  to  the  offline  evaluation.  Additionally,  for  the 
AES  circuit,  we  compared  the  output  of  the  circuit  gener¬ 
ated  by  our  compiler  to  the  output  of  a  circuit  generated 
using  Fairplay.  We  tested  all  three  key-value  stores  on  a 
variety  of  filesystems,  including  a  fast  SSD,  a  spinning 
disk,  and  an  Amazon  EC2  instance  store,  checking  for 
correctness  as  described  above  in  each  case. 

5.3  Summary  of  Compiler  Performance 

Our  compiler  is  able  to  emit  and  optimize  large  circuits 
in  relatively  short  periods  of  time,  less  than  an  hour  for 
circuits  with  tens  of  millions  of  gates  on  an  inexpensive 
workstation.  In  Figure  1  we  summarize  the  effectiveness 
of  the  various  optimization  stages  on  different  circuits; 
in  circuits  that  involve  multiplication  in  finite  fields  or 
modulo  an  integer,  the  identity  gate  removal  step  is  the 
most  important,  removing  more  than  half  of  the  gates 
emitted  by  the  front-end.  The  edit  distance  circuit  is  the 
best-case  for  our  front  end,  as  less  than  1/5  of  the  gates 
that  are  emitted  can  be  removed  by  the  optimizer.  The 
throughput  of  our  compiler  is  dependent  on  the  circuit 
being  compiled,  with  circuits  which  are  more  efficiently 
generated  by  the  front-end  being  compiled  faster;  in  Ta¬ 
ble  3  we  compare  the  generation  of  RSA  circuits  to  edit 
distance  circuits. 


6  Experimental  Results 

In  this  section,  we  give  a  detailed  description  of  our 
system,  upon  which  we  have  implemented  various  real 
world  secure  computation  applications.  The  experimen¬ 
tal  environment  is  the  Ranger  cluster  in  the  Texas  Ad¬ 
vanced  Computing  Center.  Ranger  is  a  blade-based  sys¬ 
tem,  where  each  node  is  a  SunBlade  x6240  blade  run¬ 
ning  a  Linux  kernel  and  has  four  AMD  Opteron  quad- 
core  64-bit  processors,  as  an  SMP  unit.  Each  node  in  the 
Ranger  system  has  2.3  GHz  core  frequency  and  32  GB  of 
memory,  and  the  point-to-point  bandwidth  is  1  GB/sec. 
Although  Ranger  is  a  high-end  machine,  we  use  only  a 
small  fraction  of  its  power  for  our  system,  only  512  out  of 
62,976  cores.  Note  that  we  use  the  PBC  (Pairing-Based 
Cryptography)  library  [25]  to  implement  the  underly¬ 
ing  cryptographic  protocols  such  as  oblivious  transfers, 
witness-indistinguishable  proofs,  and  so  forth.  However, 
moving  to  more  modern  libraries  such  as  RELIC  [32]  is 
likely  to  give  even  better  results,  especially  to  those  cir¬ 
cuits  with  large  input  and  output  size. 

System  Setup  In  our  system,  both  the  generator  and 
the  evaluator  run  an  equal  number  of  processes,  includ¬ 
ing  a  root  process  and  many  slave  processes.  A  root  pro¬ 
cess  is  responsible  for  coordinating  its  own  slave  pro¬ 
cesses  and  the  other  root  process,  while  the  slave  pro¬ 
cesses  work  together  on  repeated  and  independent  tasks. 
There  are  three  pieces  of  code  in  our  system:  the  genera¬ 
tor,  the  evaluator,  and  the  IP  exchanger.  Both  the  genera¬ 
tor’s  and  evaluator’s  program  are  implemented  with  Mes¬ 
sage  Passing  Interface  (MPI)  library.  The  reason  for  the 
IP  exchanger  is  that  it  is  common  to  run  jobs  on  a  cluster 
with  dynamic  working  node  assignment.  However,  when 
the  nodes  are  dynamically  assigned,  the  generator  run¬ 
ning  on  one  cluster  and  the  evaluator  running  on  another 
might  have  a  hard  time  locating  each  other.  Therefore, 
a  fixed  location  IP  exchanger  helps  the  match-up  pro¬ 
cess  as  described  in  Figure  2.  Our  system  provides  two 
modes — the  user  mode  and  the  simulation  mode.  The 
former  works  as  mentioned  above,  and  the  latter  simply 
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spawns  an  even  number  of  processes,  half  for  the  gen¬ 
erator  and  the  other  half  for  the  evaluator.  The  network 
match-up  process  is  omitted  in  the  latter  mode  to  sim¬ 
plify  the  testing  of  this  system. 

To  achieve  a  security  level  of  2“80,  meaning  that  a  ma¬ 
licious  player  cannot  successfully  cheat  with  probability 
better  than  2  80 ,  requires  at  least  250  copies  of  the  gar¬ 
bled  circuit  [33].  For  simplicity,  we  used  256  copies  in 
our  experiments,  that  is,  security  parameters  k  =  80  and 
s  =  256.  Each  experiment  was  run  30  times  (unless  stated 
otherwise),  and  in  the  following  sections  we  report  the 
average  runtime  of  our  experiments. 

IP  server 


the  small  deviation  from  the  theoretical  fraction  40% 
and  30%,  respectively,  is  due  to  certain  implementation 
needs.  Our  compiler  is  designed  to  reduce  the  number  of 
non-XOR  gates.  In  these  four  circuits,  the  ratio  of  non- 
XOR  gates  is  less  than  43%.  So  after  further  applying 
the  Free-XOR  technique,  the  final  communication  is  less 
than  13%  of  that  in  the  baseline  approach. 


non-XOR 

(%) 

Baseline 

(MB) 

RS 

(%) 

GRR 

(%) 

FX 

(%) 

AES 

30.81 

509 

39.97 

30.03 

9.09 

Dotf 

29.55 

4,707 

39.86 

29.91 

8.88 

RSA-32 

34.44 

17,928 

39.84 

29.88 

10.29 

EDT-255 

41.36 

159,129 

39.84 

29.87 

12.36 

Figure  2:  Both  the  generator  and  evaluator  consist  of  a 
root  process  (solid  dot)  and  a  number  of  slave  processes 
(hollow  dots).  The  match-up  works  as  follows:  the  slave 
evaluator  processes  send  their  IP’s  to  the  root  evaluator 
process  (Step  1),  who  then  forwards  them  to  the  IP  ex¬ 
changer  (Step  2).  Next,  the  root  generator  process  comes 
to  acquire  these  IP’s  (Step  3)  and  dispatch  them  to  its 
slaves  (Step  4),  who  then  proceed  to  pair  up  with  one  of 
the  slave  evaluator  processes  (Step  5)  and  start  the  main 
protocol.  The  arrows  show  the  message  flow. 


Table  4:  The  impact  of  various  optimization  techniques: 
The  Baseline  shows  the  communication  cost  for  256 
copies  of  the  original  Yao  garbled  circuit  when  k  =  80; 
RS  shows  the  remaining  fraction  after  Random  Seed 
technique  is  applied;  GRR  shows  when  Garbled  Row  Re¬ 
duction  is  further  applied;  and  FX  shows  when  the  previ¬ 
ous  two  techniques  and  the  Free-XOR  are  applied.  (The 
communication  costs  here  only  include  those  in  the  gen¬ 
eration  and  evaluation  stages.) 


Performance  Gain  by  AES-NI  On  a  machine  with 
2.53  GHz  Intel  Core  i5  processor  and  4GB  1067  MHz 
DDR3  memory,  it  takes  784  clock  cycles  to  run  a  single 
SHA-256  (with  OpenSSF  1.0. Og),  while  it  needs  only 
225  cycles  for  AES-256  (with  AES-NI).  To  measure  the 
benefits  of  AES-NI,  we  use  two  instantiations  to  con¬ 
struct  various  circuits,  listed  in  Table  5,  and  observe  a 
consistent  20%  saving  in  circuit  construction. 3 


Timing  methodology  When  there  is  more  than  one 
process  on  each  side,  care  must  be  taken  in  measuring 
the  timings  of  the  system.  The  timings  reported  in  this 
section  are  the  time  required  by  the  root  process  at  each 
stage  of  the  system.  This  was  chosen  because  the  root 
process  will  always  be  the  longest  running  process,  as 
it  must  wait  for  each  slave  process  to  run  to  completion. 
Moreover,  in  addition  to  doing  all  the  work  that  the  slaves 
do,  the  root  processes  also  perform  the  input  consistency 
check  and  the  coin  tossing  protocol. 


size 

(gate) 

AES-NI 

(sec) 

SHA-256 

(sec) 

Ratio 

(%) 

AES 

49,912 

0.12±  1% 

0.15±  1% 

78.04 

Dotf 

460,018 

1.11  ±0.4% 

1.41±0.5% 

78.58 

RSA-32 

1,750,787 

4.53±0.5% 

5.9±0.8% 

76.78 

EDT-255 

15,540,196 

42.0±0.5% 

57. 6±  1% 

72.92 

Table  5:  Circuit  generation  time  (for  a  single  copy)  with 
different  instantiations  (AES-NI  vs  SHA-256)  of  the  2- 
circular  correlation  robust  function. 


Impacts  of  the  Performance  Optimization  Techniques 

We  have  presented  several  performance  optimization 
techniques  in  Section  4  with  theoretical  analyses,  and 
here  we  demonstrate  their  empirical  effectiveness  in  Ta¬ 
ble  4.  As  we  have  anticipated,  the  Random  Seed  Check¬ 
ing  reduces  the  communication  cost  for  the  garbled  cir¬ 
cuits  by  60%,  and  the  Garbled  Row  Reduction  further 
reduces  by  another  25%.  In  the  RS  and  GRR  columns. 


AES  We  used  AES  as  a  benchmark  to  compare  our 
compiler  to  the  Fairplay  compiler,  and  as  a  test  circuit 

'The  reason  that  saving  500+  cycles  does  not  lead  to  more  improve- 
ments  is  that  this  encryption  operation  is  merely  one  of  the  contributing 
factors  to  generating  a  garbled  gate.  Other  factors,  for  example,  in¬ 
clude  GNU  hash_map  table  insertion  (~  1,200  cycles)  and  erase  (~600 
cycles). 
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for  our  system.  We  tested  the  full  AES  circuit,  as  spec¬ 
ified  in  FIPS-197  [8].  In  the  semi-honest  model,  it  is 
possible  to  reduce  the  number  of  gates  in  an  AES  circuit 
by  computing  the  key  schedule  offline;  e.g.  this  is  one  of 
the  optimizations  employed  by  Huang  et  al.  [13].  In  the 
malicious  model,  however,  such  an  optimization  is  not 
possible;  the  party  holding  the  key  could  attempt  to  re¬ 
duce  the  security  level  of  the  cipher  by  computing  a  ma¬ 
licious  key  schedule.  So  in  our  experiments  we  compute 
the  entire  function,  including  the  key  schedule,  online. 

In  this  experiment,  two  parties  collaboratively  com¬ 
pute  the  function  /  :  (x,y)  i->  (_L,  AESv(y)),  i.e.,  the  cir¬ 
cuit  generator  holds  the  encryption  key  x,  while  the  eval¬ 
uator  has  the  message  y  to  be  encrypted.  At  the  end,  the 
generator  will  not  receive  any  output,  whereas  the  evalu¬ 
ator  will  receive  the  ciphertext  AESv(y). 


Type 

Fairplay 

Ours-A 

Pinkas  et  al. 

Ours-B 

non-XOR 

15,316 

15,300 

11,286 

9,100 

XOR 

35,084 

34,228 

22,594 

21,628 

Table  6:  The  components  of  the  AES  circuits  from  dif¬ 
ferent  sources.  Ours-A  comes  from  the  textbook  AES 
algorithm,  and  Ours-B  uses  an  optimized  S-box  circuit 
from  [3].  (Sizes  do  not  include  input  or  output  wires) 

First  of  all,  we  demonstrate  the  performance  of  our 
compiler  in  Table  6.  We  have  shown  in  Section  5  that 
our  compiler  is  capable  of  large  circuit  generation.  We 
also  found  in  our  experiments  that  our  compiler  produces 
smaller  AES  circuit  than  Fairplay.  Given  the  same  high- 
level  description  of  AES  encryption  (textbook  AES),  our 
compiler  produces  a  circuit  with  a  smaller  gate  count  and 
even  fewer  non-XOR  gates.  When  applying  the  compact 
S-Box  description  proposed  by  Boyar  and  Parelta  [3] 
to  the  high-level  description  as  input  to  our  compiler,  a 
smaller  AES  circuit  than  the  hand-optimized  one  from 
Pinkas  et  al.  is  generated  with  less  effort. 

In  Table  7,  both  the  computational  and  communica¬ 
tion  costs  for  each  main  stage  are  listed  under  the  tradi¬ 
tional  setting,  where  there  is  only  one  process  on  each 
side.  These  main  stages  include  oblivious  transfer,  gar¬ 
bled  circuit  construction,  the  generator’s  input  consis¬ 
tency  check,  and  the  circuit  evaluation.  Each  row  in¬ 
cludes  both  the  computation  and  communication  time 
used.  Note  that  network  conditions  could  vary  from  set¬ 
ting  to  setting.  Our  experiments  run  in  a  local  area  net¬ 
work,  and  the  data  can  only  give  a  rough  idea  on  how  fast 
the  system  could  be  in  an  ideal  environment.  However, 
the  precise  amount  of  data  being  exchanged  is  reported. 

We  notice  in  Table  7  that  the  evaluator  spends  an  un¬ 
reasonable  amount  of  time  on  communication  with  re¬ 
spect  to  the  amount  of  data  to  be  transmitted  in  both 
the  oblivious  transfer  and  circuit  construction  stages. 


Gen 

(sec) 

Eval 

(sec) 

Comm 

(KB) 

OT 

comp 

45.83=0.09% 

34.0±0.2% 

5,516 

comm 

0.1±  1% 

11.93=0.6% 

Gen. 

comp 

comm 

35. 6±  0.5% 

35.63=0.5% 

3 

Inp. 

comp 

- 

1.753=0.2% 

266 

Chk 

comm 

— 

— 

Evl. 

comp 

14. 9±  0.6% 

32.43=0.4% 

28,781 

comm 

18. 2±  1% 

3.23=0.8% 

Total 

comp 

96. 3±  0.3% 

68.03=0.2% 

34,566 

comm 

18. 3±  1% 

50.83=0.4% 

Table  7:  The  95%  two-sided  confidence  intervals  of  the 
computation  and  communication  time  for  each  stage  in 
the  experiment  (x,y)  K >■  (_L,  AES.v(y)). 

This  is  because  the  evaluator  spends  that  time  waiting 
for  the  generator  to  finish  computation-intensive  tasks. 
The  same  reasoning  explains  why  in  the  circuit  evalu¬ 
ation  stage  the  generator  spends  more  time  in  commu¬ 
nication  than  the  evaluator.  This  waiting  results  from 
the  fact  that  both  parties  need  to  run  the  protocol  in  a 
synchronized  manner.  A  generator-evaluator  pair  can¬ 
not  start  next  communication  round  while  any  other  pair 
has  not  finished  the  current  one.  This  synchronization  is 
crucial  since  our  protocol’s  security  is  guaranteed  only 
when  each  communication  round  is  performed  sequen¬ 
tially.  While  the  parallelization  of  the  program  intro¬ 
duces  high  performance  execution,  it  does  not  and  should 
not  change  this  essential  property.  A  stronger  notion 
of  security  such  as  universal  security  will  be  required  if 
asynchronous  communication  is  allowed.  By  using  TCP 
sockets  in  “blocking”  mode,  we  enforce  this  communi¬ 
cation  round  synchronization. 

Note  that  the  low  communication  during  the  circuit 
construction  stage  is  due  to  the  random  seed  checking 
technique.  Also,  the  fact  that  the  generator  spends  more 
time  in  the  evaluation  stage  than  she  traditionally  does 
comes  from  the  second  construction  for  evaluation  cir¬ 
cuits.  Recall  that  only  the  evaluation  circuits  need  to  be 
sent  to  the  evaluator.  Since  only  40%  of  the  garbled  cir¬ 
cuits  (102  out  of  256)  are  evaluation-circuits,  the  ratio  of 
the  generator’s  computation  time  in  the  generation  and 
evaluation  stage  is  35.63:14:92  ~  5:2. 

We  were  unfortunately  unable  to  find  a  cluster  of  hun¬ 
dreds  of  nodes  that  all  support  AES-NI.  Our  experimen¬ 
tal  results,  therefore,  do  not  show  the  full  potential  of 
all  the  optimization  techniques  we  have  proposed.  How¬ 
ever,  recall  that  for  certain  circuits  the  running  time  in 
the  semi-honest  setting  is  roughly  half  of  that  in  the 
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node  # 

4 

16 

64 

256 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

Gen 

Evl 

OT 

12.56±0.1% 

8.41+0.1% 

4.06±0.1% 

2.13±0.2% 

1.96±0.1% 

0.583=0.2% 

0.643=0.1% 

0.193=0.2% 

Gen. 

8.18+0.4% 

- 

1.92±0.7% 

- 

0.49±0.4% 

- 

0.143=  1% 

- 

Inp.  Chk 

- 

0.42±  4% 

- 

0.10+  10% 

- 

- 

- 

- 

Evl. 

3.3±  4% 

7.08±  1% 

0.80±  10% 

1.58±  4% 

0.23+  17% 

0.373=  7% 

0.123=0.5% 

0.053=0.6% 

Inter-com 

4±  5% 

13.2±0.3% 

0.93+  10% 

4.08±0.8% 

0.31  +  20% 

1.983=  1% 

0.113=40% 

0.723=0.2% 

Intra-com 

0.17±  30% 

0.23±  20% 

0.1 8+  8% 

0.25±  6% 

0.453=  20% 

0.483=  15% 

0.343=  30% 

0.343=  30% 

Total  time 

28.3±0.3% 

29.4±0.3% 

7.90±0.5% 

8.17±0.4% 

3.45=1=  2% 

3.443=  2% 

1.43=  10% 

1.33=  9% 

Table  8:  The  average  and  error  interval  of  the  times  (seconds)  running  AES  circuit.  The  number  of  nodes  represents 
the  degree  of  parallelism  on  each  side.  means  that  the  time  is  smaller  than  0.05  seconds.  Inter-com  refers  to  the 
communication  between  the  two  parties,  and  intra-com  refers  to  communication  between  nodes  for  a  single  party. 


malicious  setting.  We  estimate  a  20%  improvement  in 
the  performance  of  garbled  circuit  generation  when  the 
AES-NI  instruction  set  becomes  ubiquitous,  based  on  the 
preliminary  results  presented  above  in  Table  5. 

Table  8  shows  that  the  Yao  protocol  really  benefits 
from  the  circuit-level  parallelization.  Starting  from  Ta¬ 
ble  7,  where  each  side  only  has  one  process,  all  the  way 
to  when  each  side  has  256  processes,  as  the  degree  of  par¬ 
allelism  is  multiplied  by  four,  the  total  time  reduces  into 
a  quarter.  Note  that  the  communication  costs  between  the 
generator  and  evaluator  remain  the  same,  as  shown  in  Ta¬ 
ble  7.  It  may  seem  odd  that  the  communication  costs  are 
reduced  as  the  number  of  processes  increase.  The  real  in¬ 
terpretation  of  this  data  is  that  as  the  number  of  processes 
increases,  the  “waiting  time”  decreases. 

Notice  that  as  the  number  of  processes  increases,  the 
ratio  of  the  time  the  generator  spends  in  the  construc¬ 
tion  and  evaluation  stage  decreases  from  5:2  to  1:1.  The 
reason  is  that  the  number  of  garbled  circuit  each  process 
handles  is  getting  smaller  and  smaller.  Eventually,  we 
reach  the  limit  of  the  benefits  that  the  circuit-level  paral¬ 
lelism  could  possibly  bring.  In  this  case,  each  process  is 
dealing  with  merely  a  single  copy  of  the  garbled  circuit, 
and  the  time  spent  in  both  the  generation  and  evaluation 
stages  is  the  time  to  construct  a  garbled  circuit. 

To  the  best  of  our  knowledge,  completing  an  execution 
of  secure  AES  in  the  malicious  model  within  1.4  seconds 
is  the  best  result  that  has  ever  been  reported.  The  next 
best  result  from  Nielsen  et  al.  [29]  is  1.6  seconds,  and  it 
is  an  amortized  result  (85  seconds  for  54  blocks  of  AES 
encryption  in  parallel)  in  the  random  oracle  model.  This 
is  only  a  crude  comparison,  however;  our  experimental 
setup  uses  a  cluster  computer  while  Nielsen  et  al.  used 
only  two  desktops.  A  better  comparison  would  be  pos¬ 
sible  given  a  parallel  implementation  of  Nielsen  et  al.’s 
system,  and  we  are  interested  in  seeing  how  much  of  an 
improvement  such  an  implementation  could  achieve. 


Large  Circuits  In  this  experiment,  we  run  the  4095- 
bit  edit  distance  circuit,  that  is,  ( x,y )  K ►  (J_,EDT(x,y)), 
where  x,y  G  {0,  l}4095.  In  particular,  we  use  the  7  +  C 
approach,  where  the  computation  time  could  be  roughly 
a  half  of  that  of  the  I +  2C  approach  with  the  price  of  not 
getting  to  use  the  random-seed  technique.  Recall  that  in 
the  7  +  C  approach,  the  generator  and  the  evaluator  con¬ 
duct  the  cut-and-choose  in  a  way  that  the  generator  does 
not  know  the  check  circuits  until  she  finishes  transferring 
all  the  garbled  circuits.  Next,  both  the  parties  run  the 
circuit  generation  and  evaluation  in  a  pipeline  manner, 
where  one  party  is  generating  and  giving  away  garbled 
gates  on  one  end,  and  the  other  party  is  evaluating  and 
checking  the  received  gates  at  the  other  end  at  the  same 
time.  The  results  are  shown  in  Table  9. 


Gen 

Eval 

Comm 

(sec) 

(sec) 

(Byte) 

OT 

19.733=0.5% 

1.13=  6% 

5.263=0.4% 

15.63=0.6% 

1.7  x  10s 

Cut-& 

1.13=0.8% 

- 

6.5  x  107 

Choose 

- 

1.53=  2% 

Gen./Evl. 

24,400±  1% 
4,900±  1% 

14,600±  3% 
14,7003=  2% 

1.8  x  1013 

Inp. 

Chk 

0.63=  20% 

0.43=  40% 

0.603=  20% 

8.5  x  106 

Total 

24,400±  1% 
4,900±  1% 

14,600±  3% 
14,7003=  2% 

1.8  x  1013 

Table  9:  The  result  of  (x,y)  ^  (_L,EDT-4095(x,y)). 
Each  party  is  comprised  of  256  cores  in  a  cluster.  This 
table  comes  from  6  invocations  of  the  system.  Simi¬ 
larly,  the  upper  row  in  each  stage  is  the  computation  time, 
while  the  lower  is  the  communication  time. 

This  circuit  generated  by  our  compiler  has  5.9  billion 
gates,  and  2.4  billion  of  those  are  non-XOR.  It  is  worth 
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mentioning  that,  without  the  random-seed  technique,  the 
communication  cost  shown  in  Table  9  can  also  be  esti¬ 
mated  by  256  x  2.4  x  109  x  3  x  10  =  1.8  x  1013,  since 
256  copies  of  the  garbled  circuits  need  to  be  transferred, 
each  copy  has  2.4  billion  non-free  gates,  each  non-free 
gate  has  three  entries,  and  each  entry  has  k  =  80  bits. 

In  additional  to  showing  that  our  system  is  capable  of 
handling  the  largest  circuits  ever  reported,  we  also  have 
shown  a  speed  in  the  malicious  setting  that  is  comparable 
to  those  in  the  semi-honest  setting.  In  particular,  we  were 
able  to  complete  an  single  execution  of  4095-bit  edit  dis¬ 
tance  circuit  in  less  than  8.2  hours  with  a  rate  of  82,000 
(non-XOR)  gates  per  second.  Note  that  Huang  et  al.’s 
system  is  the  only  one,  to  the  best  of  our  knowledge,  that 
is  capable  of  handling  such  large  circuits  [13];  they  re¬ 
ported  a  rate  of  over  96,000  (non-XOR)  gates  per  second 
for  an  edit-distance  circuit  in  the  semi-honest  setting. 

7  Conclusion 

We  have  presented  a  general  purpose  secure  two  party 
computation  system  which  offers  security  against  mali¬ 
cious  adversaries  and  which  can  efficiently  evaluate  cir¬ 
cuits  with  hundreds  of  millions  and  even  billions  of  gates 
on  affordable  hardware.  Our  compiler  can  generate  large 
circuits  using  fewer  computational  resources  than  simi¬ 
lar  compilers,  and  offers  improved  flexibility  to  users  of 
the  system.  Our  evaluator  can  take  advantage  of  parallel 
computing  resources,  which  are  becoming  increasingly 
common  and  affordable.  As  future  work,  we  plan  further 
improvements  to  our  compiler  and  language,  as  well  as 
experiments  on  systems  other  than  Ranger.  The  source 
code  for  this  system  can  be  downloaded  from  the  au¬ 
thors’  website  (http :  //crypto  .  cs  .  Virginia .  edu/), 
along  with  example  functions,  including  those  describe 
in  this  paper. 
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Abstract.  We  investigate  the  concrete  security  of  black-box  zero-knowledge 
protocols  when  composed  in  parallel.  As  our  main  result,  we  give  essen¬ 
tially  tight  upper  and  lower  bounds  (up  to  logarithmic  factors  in  the 
security  parameter)  on  the  following  measure  of  security  (closely  related 
to  knowledge  tightness):  the  number  of  queries  made  by  black-box  sim¬ 
ulators  when  zero-knowledge  protocols  are  composed  in  parallel.  As  a 
function  of  the  number  of  parallel  sessions,  k ,  and  the  round  complexity 
of  the  protocol,  m,  the  bound  is  roughly  k1^m. 

We  also  construct  a  modular  procedure  to  amplify  simulator-query  lower 
bounds  (as  above),  to  generic  lower  bounds  in  the  black-box  concurrent 
zero-knowledge  setting.  As  a  demonstration  of  our  techniques,  we  give  a 
self-contained  proof  of  the  o(logn/  log  log  n)  lower  bound  for  the  round 
complexity  of  black-box  concurrent  zero-knowledge  protocols,  first  shown 
by  Canetti,  Kilian,  Petrank  and  Rosen  (STOC  2002).  Additionally,  we 
give  a  new  lower  bound  regarding  constant-round  black-box  concurrent 
zero-knowledge  protocols:  the  running  time  of  the  black-box  simulator 
must  be  at  least  nn^lo8n\ 


Keywords:  Zero-Knowledge,  Knowledge  Tightness,  Concrete  Security,  Concur¬ 
rent  Zero-Knowledge  Lower  Bounds. 

1  Introduction 

Zero-knowledge  interactive  proofs,  introduced  by  Goldwasser,  Micali  and  Rackoff 
[GMR89]  are  paradoxical  constructions  allowing  one  player  (called  the  prover) 
to  convince  another  player  (called  the  verifier)  of  the  validity  of  a  mathematical 
statement  x  €  L,  while  providing  no  additional  knowledge  to  the  verifier.  In  addi¬ 
tion  to  being  an  independent  construct  of  interest,  zero-knowledge  have  become 
a  extremely  useful  tool  in  construction  of  numerous  cryptographic  protocols. 

*  Chung  is  supperted  by  a  Simons  Foundation  Fellowship. 
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A  fundamental  question  regarding  zero-knowledge  protocols  is  whether  their 
composition  remains  zero-knowledge.  In  theoretical  constructions  as  well  as  in 
practice,  a  zero- knowledge  protocol  is  sometimes  composed  in  parallel  (to  amplify 
soundness  or  to  improve  efficiency,  for  example).  It  is  well  know  that  the  defini¬ 
tion  of  zero-knowledge  (ZK)  is  not  closed  under  parallel  composition  [GK96b]. 

On  the  other  hand,  we  know  numerous  constructions  of  const  ant- round  zero- 
knowledge  protocols  that  are  secure  when  composed  in  parallel  [FS90,GK96a,Gol02], 
As  a  result,  the  subject  of  ZK  with  respect  to  parallel  composition  is  widely  con¬ 
sidered  closed. 

We  turn  our  attention  to  another  fundamental  question  regarding  zero- knowledge: 
its  knowledge  tightness.  In  its  original  definition,  the  zero-knowledge  property 
is  formalized  by  requiring  that  the  view  of  any  probabilistic  polynomial  time 
(PPT)  verifier  V  in  an  interaction  with  a  prover  can  be  “indistinguishably  re¬ 
constructed”  by  a  PPT  simulator  S  that  interacts  with  no  one.  Since  whatever  V 
“sees”  in  the  interaction  can  be  reconstructed  by  the  simulator,  the  interaction 
does  not  yield  any  knowledge  to  V  that  V  cannot  already  compute  by  itself.  Be¬ 
cause  the  simulator  is  allowed  to  be  an  arbitrary  PPT  machine,  this  traditional 
notion  of  ZK  only  guarantees  that  the  class  of  PPT  verifiers  learn  nothing. 

To  more  concretely  measure  the  knowledge  gained  by  a  particular  verifier, 
Golclreich,  Micali  and  Wigderson  [GMW91]  (see  also  [GolOl])  put  forward  the 
notion  of  knowledge  tightness:  informally,  the  “tightness”  of  a  simulation  is  the 
ratio  of  the  (expected)  running-time  of  the  simulator,  divided  by  the  (worst-case) 
running-time  of  the  verifier.  Thus,  in  a  knowledge-tight  ZK  proof,  the  verifier 
is  expected  to  gain  no  more  knowledge  than  what  it  could  have  computed  in 
time  closely  related  to  its  worst-case  running-time.  In  addition  to  theoretical 
interests,  the  knowledge  tightness  of  a  zero-knowledge  protocol  is  a  helpful  aid 
for  setting  the  security  parameter  in  practice.  It  is  easy  to  check  that  the  origi¬ 
nal  zero-knowledge  protocols  [GMR89,GMW91,Blu86]  all  enjoy  constant  knowl¬ 
edge  tightness.  The  aforementioned  protocols  secure  under  parallel  composition 
[FS90,GK96a,Gol02]  also  enjoy  constant  knowledge  tightness  when  executed  in 
isolation;  however,  when  composed  in  parallel,  the  tightness  of  these  protocols 
seem  increase/loosen  linearly  (sometimes  even  quadratically)  with  respect  to 
the  number  of  parallel  sessions  (based  on  the  currently  known  analysis  of  their 
simulators) ! 

Since  we  do  want  to  execute  zero- knowledge  protocols  in  parallel  (for  instance 
in  the  application  of  secure  multi-party  computation),  a  natural  question  is  to 
ask:  how  does  the  knowledge  tightness  of  a  protocol  vary  when  we  increase  the 
number  of  parallel  repetitions? 

1.1  Our  results 

In  this  work  we  give  essentially  tight  upper  and  lower  bounds  to  the  above 
question.  Our  results  focus  on  black-box  zero-knowledge  and  “simulator  queries”, 
which  we  explain  below. 

Informally,  a  protocol  is  black-box  zero-knowledge  if  there  exists  a  universal 
simulator  S,  called  the  black-box  simulator ,  such  that  S  generates  the  view  of 
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any  adversarial  verifier  V*  if  S  is  given  black-box  access  to  V*.  Essentially  all 
known  constructions  of  zero-knowledge  (with  the  notable  exception  of  [BarOl]) 
and  all  practical  zero-knowledge  protocols  are  black-box  zero-knowledge.  Given 
a  black-box  simulator  S,  we  focus  on  bounding  the  number  of  black-box  queries 
made  by  S  to  a  given  adversarial  verifier  V*\  we  refer  to  this  as  the  simulator- 
query  complexity.  It  is  easy  to  see  that  the  number  of  queries  made  by  a  black¬ 
box  simulator  is  closely  related  to  knowledge  tightness;  in  fact,  for  the  case  of 
constant  round  protocols,  they  are  asymptotically  equivalent. 

We  state  our  main  theorems  below: 

Theorem  1.  Let  n  be  the  security  parameter.  For  any  m  =  m(n),  there  exists  a 
2m  +  7 -round  black-box  zero-knowledge  argument  II  for  all  of  NP  based  on  one¬ 
way  functions,  with  perfect  completeness  and  negligible  soundness  error,  such 
that  for  any  polynomially  bounded  k  =  k{n),  the  parallel  composition  of  k- copies 
of  the  protocol,  IIk ,  remains  black-box  zero-knowledge  with  simulator- query  com¬ 
plexity  0(rnkxlm  log2  n). 

It  is  easy  to  extend  the  above  theorem  to  proofs  assuming  the  existence  of 
collision-resistant  hash-functions.  We  complement  Theorem  1  with  a  lower  bound: 

Theorem  2.  Let  n  be  the  security  parameter,  L  be  a  language,  and  to  =  m(n)  € 
O  (i0^\ogn)  •  Suppose  II  is  a  m{n)-round  black-box  zero-knowledge  argument  for 
L  with  perfect  completeness  and  negligible  soundness  error,  and  suppose  there 
exist  a  polynomially  bounded  k(n)  >  n  such  that  the  parallel  composition  of 
k-copies  of  the  protocol,  LIk ,  remains  black-box  zero-knowledge  with  simulator- 
query  complexity  0(/c1/m/(log2  n)).  Then,  L  e  BPP. 

For  protocols  with  sub-logarithmic  number  of  rounds,  Theorem  1  and  2 
are  tight  up  to  logarithmic  factors  in  the  security  parameter;  essentially,  the 
simulator-query  complexity  is  asymptotically  close  to  kx!m  (in  most  cases,  think 
of  k  as  a  low  polynomial  in  n).  We  mention  that  one  can  achieve  simulator-query 
complexity  0{m)  (independent  of  k )  when  m  =  w(logn). 

Briefly,  our  results  show  that  the  concrete  security  of  constant-round  black¬ 
box  zero-knowledge  protocols  actually  decays  polynomially  in  the  number  of 
parallel  sessions.  Fortunately,  this  decay  can  be  significantly  slowed  if  we  consider 
protocols  with  more  rounds  (even  if  we  simply  use  a  large  constant  to). 

1.2  Related  Works 

While  we  are  unaware  of  any  past  work  that  explicitly  studies  the  knowledge 
tightness  of  parallelized  zero-knowledge  protocols,  there  are  numerous  related 
publications  that  focus  on  the  composition  of  zero-knowledge  protocols,  or  on  the 
concrete  security  of  zero-knowledge  simulator.  Dwork,  Naor  and  Sahai  [DNS04] 
introduces  the  notion  of  concurrent  zero-knowledge  protocols;  these  protocols 
must  stay  zero- knowledge  even  when  composed  arbitrarily  (a  strengthening  over 
parallel  composition).  Micali  and  Pass  [MP06]  introduces  the  notion  of  precision ; 
in  a  precise  zero-knowledge  protocol,  the  running  time  of  the  simulator  should 
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be  closely  related  to  the  running  time  of  the  adversarial  verifier,  on  a  view  by 
view  basis1  (a  strengthening  over  knowledge  tightness). 

Even  with  these  stronger  requirements,  Pandey  et.  al.  [PPS+08]  is  able  to  con¬ 
struct  protocols  that  are  simultaneously  precise  and  (black-box)  concurrent  zero- 
knowledge.  Note  that  our  results  are  incomparable  with  the  result  of  [PPS+08] 
for  many  reasons,  one  of  which  being  that  black-box  concurrent  zero-knowledge 
protocols  require  logarithmically  many  rounds  [CKPR01],  while  our  setting  is 
mainly  interesting  for  sub-logarithmic-round  protocols.  Interestingly,  [PPS+08] 
actually  gives  a  construction  of  a  family  of  precise  concurrent  zero-knowledge 
protocols,  with  trade-offs  between  round-complexity  and  precision,  much  like 
our  observed  trade-off  between  round-complexity  and  knowledge  tightness  for 
the  case  of  parallelized  zero-knowledge. 

1.3  Connection  to  Concurrent  Zero-Knowledge 

We  also  present  a  connection  from  simulator-query  lower  bounds  for  zero-knowledge, 
to  round-complexity  lower  bounds  for  concurrent  zero-knowledge  (cZK).  Due  to 
lack  of  space  we  postpone  the  result  on  Concurrent  Zero-knowledge  to  the  full 
version.  We  briefly  discuss  the  ideas  as  follows. 

We  start  by  describing  the  common  framework  for  all  known  black-box  zero- 
knowledge  lower  bounds  (e.g.,  [KPR98,Ros00,CKPR01,BL02,Kat08,HRS09,PTW09]). 
Let  77  be  a  protocol  for  a  language  L.  To  show  that  77  cannot  be  zero-knowledge 
unless  the  language  L  is  trivial  (i.e.,  L  €  BPP),  we  start  by  constructing  a  de¬ 
cision  procedure  for  L.  Let  S  be  the  black-box  zero-knowledge  simulator  of  77, 
and  let  V*  be  some  “hard  to  simulate”  adversarial  verifier,  and  consider  the 
following  decision  procedure  V:  on  input  x,  V(x)  accepts  if  and  only  if  Sv  ( x ) 
generates  an  accepting  view  of  V*(x).  Usually,  the  completeness  of  V  follows 
easily  from  the  zero-knowledge  property;  to  show  that  T>  is  sound  often  requires 
more  work.  Our  query-complexity  lower  bounds  (Theorem  2)  also  follow  the  same 
framework.  That  is,  we  construct  some  adversarial  verifier  Up*ara  that  schedules 
multiple  sessions  in  parallel,  and  show  that  for  any  zero-knowledge  simulator  S 
with  appropriately  bounded  query-complexity,  if  x  ^  L,  then  Sv para(x)  cannot 
generate  an  accepting  view  of  Upara(:r). 

Inspired  by  the  work  of  Canetti,  Kilian,  Petrank  and  Rosen  [CKPR01],  we 
next  present  a  modular  construction  of  a  concurrent  adversarial  verifier  I7*nc 
whose  purpose  is  to  amplify  query-complexity  lower  bounds  of  more  basic  veri¬ 
fiers.  For  example,  consider  Upara,  an  adversarial  verifier  that  is  restricted  to  par¬ 
allel  composition.  Our  modular  construction  would  take  Upara  as  input,  and  out¬ 
put  an  adversarial  verifier  Uc*nc  =  Uc*nc(Upara)  that,  among  other  things,  nests 
multiple  incarnations  of  Upara  in  a  way  that  takes  full  advantage  of  the  concurrent 
scheduling.  Under  appropriate  parameters,  our  analysis  would  conclude  that  for 
any  zero-knowledge  simulator  S  with  polynomially  bounded  query-complexity, 

1  For  example,  to  achieve  precision  2,  if  the  simulator  S  generates  a  view  of  V*  and 
the  running  time  of  V*  on  that  view  is  T,  then  the  simulator  S  must  have  run  in 
time  2 T. 
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if  x  ()  L,  then  S'Vco"c(a;)  cannot  generate  an  accepting  view  of  I^oncO*-)  (recall 
again  that  this  is  the  key  step  for  most  zero-knowledge  lower  bounds). 

To  demonstrate  our  framework,  we  re-prove  the  result  of  [CKPR01]  —  a 
o(logn/loglog?r)  round-complexity  lower  bound  for  black-box  concurrent  zero- 
knowledge  (the  currently  best  known  round-complexity  lower  bound) ;  we  believe 
the  resulting  analysis  is  quite  clean.  We  also  give  a  second  lower  bound  concern¬ 
ing  constant-round  cZK  protocols: 

Theorem  (Informal) .  Let  L  be  a  non-trivial  language,  and  let  II  be  a  constant- 
round  black-box  concurrent  zero-knowledge  protocol  with  a  potentially  possibly 
super-polynomial  time  simulator.  Then  the  simulator  must  run  in  time  nfi(log;ra). 

Incidentally,  Pass  and  Venkitasubramaniam  [PV08]  do  construct  constant- 
round  black-box  concurrent  zero-knowledge  protocols  for  all  of  N  P  in  the  model 
where  both  the  simulator  and  the  adversarial  verifier  runs  in  quasi-polynomial 
time  nP°iy(i°gn)_ 

We  also  find  our  modular  framework  satisfying  on  a  philosophical  level:  it 
serves  as  an  framework  in  which  lower  bounds  for  restricted  compositions  of 
zero-knowledge  (in  this  example  parallel  composition)  can  be  transformed  into 
lower  bounds  for  zero-knowledge  in  the  fully  concurrent  setting.  A  similar  and 
celebrated  example  occurs  in  the  work  of  Goldreich  [Gol02],  where  it  is  shown 
that  constructions  of  zero- knowledge  protocols  secure  under  parallel  composition 
directly  leads  to  constructions  of  concurrent  zero-knowledge  protocols  secure  in 
the  timing  model. 

2  Preliminaries 

We  use  N  to  denote  the  natural  numbers  {0, 1, . . .},  [n]  to  denote  the  set  {1, ... ,  n}, 
and  \x\  to  denote  the  length  of  a  string  x  €  {0, 1}*.  By  ngl(n),  we  mean  a  function 
negligible  in  n  (i.e.,  1  /n“^^).  We  assume  familiarity  with  indistinguishability. 

Interactive  Protocols.  An  interactive  protocol  17  is  a  pair  of  interactive  Turing 
machines,  (P,V),  where  P  is  probabilistic  polynomial  time  (PPT).  P  is  called 
the  prover,  while  P  is  called  the  verifier.  (P,  V)  (x)  denotes  the  random  variable 
(over  the  randomness  of  P  and  P)  representing  P’s  output  at  the  end  of  the 
interaction  on  common  input  x.  If  additionally  P  receives  auxiliary  input  z ,  we 
write  {P(x),V (x,  z ))  to  denote  P’s  output.  We  assume  WLOG  that  II  starts  with 
a  verifier  message  and  ends  with  a  prover  message,  and  say  II  has  k  rounds  if  the 
prover  and  verifier  each  sends  k  messages  alternately.  A  full  or  partial  transcript 
of  II  is  a  sequence  of  alternating  verifier  and  prover  messages,  . . . ),  where 

v  denotes  verifier  messages  and  p  denotes  prover  messages. 

We  may  compose  an  interactive  proof  in  parallel.  Let  IIk  =  (Pfe,  Vk )  be  the 
parallel  composition  of  k  copies  of  77;  that  is,  each  prover  and  verifier  message 
in  IIk  is  just  concatenation  of  k  independent  copies  of  the  corresponding  message 
in  77.  Upon  completion,  Vk  accepts  if  and  only  if  all  k  sessions  are  accepted  by 
P.  We  note  that  an  adversarial  verifier  may  chose  to  abort  in  one  session  but 
not  another. 
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Zero  Knowledge  Protocols  In  the  setting  of  zero  knowledge,  we  consider  an  adver¬ 
sarial  verifier  that  attempts  to  “gain  knowledge”  by  interacting  with  an  honest 
prover.  An  ?n-session  concurrent  adversarial  verifier  V*  is  a  probabilistic 
polynomial  time  machine  that,  on  common  input  x  and  auxiliary  input  z,  in¬ 
teracts  with  rn(|x|)  independent  copies  of  P  concurrently  (called  sessions);  the 
traditional  stand-alone  adversarial  verifier  is  simply  a  1-session  adversarial  ver¬ 
ifier.  There  are  no  restrictions  on  how  V*  schedules  the  messages  among  the 
different  sessions,  and  V*  may  choose  to  abort  some  sessions  but  not  others.  Let 
Viewy,  (x,  z)  be  the  random  variable  that  denotes  the  view  of  V*  in  an  inter¬ 
action  with  P  (this  includes  the  random  coins  of  V*  and  the  messages  received 
by  V*). 

A  black-box  simulator  S'  is  a  probabilistic  polynomial  time  machine  that 
is  given  black-box  access  to  V*  (written  as  Sv  ).  Formally,  S  fixes  the  random 
coins  r  of  V*  a  priori,  and  S  is  allowed  to  specify  a  valid  partial  transcript 
r  =  (i>i,pi, . . .  ,Pi)  oiV*,  and  query  V*  for  the  next  verifier  message  Here, 
r  is  valid  if  it  is  consistent  with  V* ,  i.e.,  each  verifier  message  Vj  in  r  is  what 
V*  would  have  responded  given  the  previous  prover  messages  pi,  ■  ■  ■  ,Pj-i  and 
the  fixed  random  tape  r.  Note  that  S  is  allowed  to  “rewind”  V*  by  querying  V* 
with  different  partial  transcripts  that  shares  a  common  prefix. 

Intuitively,  an  interactive  proof  is  zero- knowledge  (ZK)  if  the  view  of  any 
stand-alone  (1-session)  adversarial  verifier  V*  can  be  generated  by  a  simulator. 
The  formal  definition  follows. 

Definition  3  (Black-Box  Zero-Knowledge  [GMR89,G094]).  Let  77  = 

(P,V)  be  an  interactive  proof  (or  argument)  for  a  language  L.  77  is  black-box 
zero-knowledge  if  there  exists  a  black-box  simulator  S  such  that  for  every  com¬ 
mon  input  x,  auxiliary  input  z  and  every  (stand-alone)  adversary  V* ,  S^(x,z\x) 
runs  in  time  polynomial  in  \x\,  and  the  ensembles  {Viewy.  (x,  z)}xeL  zS{o  i}*  and 
{S^^z\  x)}xeL,ze{o,iy  are  computationally  indistinguishable  as  a  function  of 


3  Construction 

We  define  a  zero-knowledge  argument  ParallelZK  in  Section  3.1,  and  show 
that  it  satisfies  Theorem  1  in  Section  3.2. 

3.1  The  Protocol 

Our  ZK  argument  ParallelZK  (also  used  in  [PV08,PTV10])  is  a  slight  variant 
of  the  precise  ZK  protocol  of  [MP06],  which  in  turn  is  a  generalization  of  the 
Feige-Shamir  protocol  [FS89].  The  protocol  for  language  7  €  NP  proceeds  in 
three  stages,  given  a  security  parameter  n,  a  common  input  statement  x  £ 
{0, 1}",  and  a  round-parameter  m: 

Stage  Init:  The  verifier  picks  two  random  strings  r*i,r2  £  {0,1}"  and  sends 
their  images  C\  =  f(r i),  C2  =  /(r^)  through  a  one-way  function  /  to  the 
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prover.  The  verifier  then  acts  as  the  prover  in  m  parallel  instances  of  a  4- 
round  witness  indistinguishable  and  special  sound  proof  of  knowledge  (Wl 
and  SS-POK)  of  the  NP  statement  “ci  or  C2  is  in  the  image  set  of  /”  (a 
witness  here  would  be  a  pre- image  of  c\  or  C2).  All  but  the  last  two  messages 
of  each  SS-POK  is  exchanged  in  this  stage;  we  denote  their  partial  transcripts 
by  (c^i .  oi 2,  •  ■  • , 

Stage  1:  m  message  exchanges  occur  in  Stage  1.  In  the  jth  iteration,  the  prover 
sends  ftj ,  a  random  second  last  message  of  the  jth  SS-POK,  and  the  verifier 
replies  with  the  last  message  7 j  of  the  proof.  These  m  iterations  are  called 
slots.  Slot  i  is  convincing  if  the  verifier  produces  an  accepting  proof  (i.e. ,  the 
transcript  (ay,/3j,7j)  is  accepting).  If  there  is  ever  an  unconvincing  slot,  the 
prover  aborts  the  whole  session. 

Stage  2:  The  prover  provides  a  4-round  witness  indistinguishable  proof  of  knowl¬ 
edge  (WI-POK)  of  knowledge  of  the  statement  “x  £  L ,  or  one  of  C\  or  C2  is 
in  the  image  set  of  /” . 

Completeness  and  soundness  follows  directly  from  the  proof  of  Feige  and 
Shamir  [FS89];  in  fact,  the  protocol  is  an  instantiation  of  theirs.  Intuitively,  to 
cheat  in  the  protocol  a  prover  must  “know”  an  inverse  to  c±  or  C2  (because  Stage 
2  is  an  argument  of  knowledge),  which  requires  the  prover  to  invert  the  one-way 
function  /  (its  is  shown  in  [FS90]  that  Stage  Init  and  Stage  1  of  the  protocol 
cannot  aid  the  prover  in  inverting  /).  A  formal  description  of  protocol  ParallelZK 
is  shown  in  Figure  1. 


Common  Input:  an  instance  a;  of  a  language  L  with  witness  relation  Rl- 
Auxiliary  Input  for  Prover:  a  witness  w,  such  that  (x,w)  £  Rl(x). 

Stage  Init: 

V  uniformly  chooses  ri,r2  £  {0,  l}n. 

V  — ►  P:  ci  =  f(ri),c2  =  f{r2). 

V  P:  Exchange  in  parallel  (interactively)  all  but  the  last  two  messages 

of  k  Wl  and  SS-POKs  on  common  input  (ci,c2)  with  respect  to 
the  witness  relation: 

Rl'(ci,c2)  =  {r  :  f{r)  =  ci  or  c2} 

Note  that  V  acts  as  the  prover  in  these  SS-POK’s. 

Stage  1:  For  j  =  1  to  k,  exchange  the  j *  “slot” 

P  — >  V:  The  second  last  message  pj  of  the  jth  SS-POK. 

V  — >  P:  The  last  message  7,  of  the  jth  SS-POK. 

P  aborts  if  (oq, /3j , 7j)  is  not  a  valid  SS-POK. 

Stage  2: 

Pf>  V:a  4-round  computational- Wl  proof  of  knowledge  from  P  to  V  on  common 
input  (ci,c2,*)  with  respect  to  the  witness  relation: 

Rl'vl(ci,c2,x)  =  {(r,w)  :  r  £  RL'(d,c2)  or  w  £  Rl{x)} 


Fig.  1.  ParallelZK:  a  ZK  argument  for  NP  with  round  parameter  m. 
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Remark  4.  We  note  that  here  we  use  multiple  slots  to  improve  the  knowledge 
tightness  of  parallel  zero  knowledge,  whereas  previously,  multiple  slots  was  typi¬ 
cally  used  to  achieve  concurrent  zero  knowledge  and  w(logn)  slots  were  consid¬ 
ered.  In  contrast,  we  show  that  in  the  context  of  parallel  zero  knowledge,  using 
even  constant  number  of  slots  improves  the  knowledge  tightness  significantly.  In¬ 
deed,  both  our  simulation  technique  and  its  analysis  presented  in  the  next  section 
are  new,  where  we  rewind  each  slot  to  resolve  all  sessions  in  parallel  (as  opposed 
to  previous  works  that  focused  on  one  session  at  a  time). 


3.2  The  Simulator 

To  show  that  protocol  77  =  ParallelZK  satisfies  Theorem  1,  given  any  poly- 
nomially  bounded  k  =  k(n ),  we  need  to  construct  a  black-box  zero-knowledge 
simulator  S  =  Sk  for  protocol  IIk  (ParallelZK  repeated  k  times  in  parallel). 
On  a  very  high-level,  our  simulator  follows  that  of  Feige  and  Shamir  [FS90]: 
after  fixing  the  SS-POK  prefixes  in  Stage  Init,  the  simulator  rewinds  one  of  the 
“slots”  in  Stage  1  (the  last  two  messages  of  the  SS-POKs).  If  the  verifier  responds 
with  two  convincing  slots,  the  simulator  uses  the  special-soundness  property  to 
extract  a  “fake  witness”  r  such  that  f(r)  =  C\  or  c-i,  and  uses  this  fake  witness 
to  simulate  Stage  2  of  the  protocol. 

Given  an  adversarial  verifier  V*  (for  protocol  IIk)  and  a  common  input  x  £ 
{0, 1}"  ,  the  simulator  Sv *  (x)  does  the  following: 

1.  The  simulator  S  interacts  with  V* ,  following  the  honest  prover  strategy, 
until  the  end  of  Stage  1.  We  call  this  the  reference  simulation. 

2.  The  simulator  S  attempts  to  resolve  all  k  parallel  sessions  in  the  reference 
simulation  by  extracting  a  fake  witness  r  from  the  SS-POKs  for  each  non¬ 
aborting  session;  aborted  sessions  are  automatically  considered  resolved  (and 
no  fake  witnesses  are  needed).  To  do  so,  S  repeats  the  following  step  (called 
a  rewinding  pass)  as  many  times  as  necessary,  until  all  sessions  are  resolved. 

3.  A  rewinding  pass.  For  each  slot  i,  the  simulator  rewinds  the  reference 
simulation  back  to  the  beginning  of  slot  i,  sends  V*  a  fresh  random  message 
/?(,  and  receives  a  new  reply  j'  (of  course  this  is  done  in  parallel  for  all 
k  sessions).  Note  that  for  each  unresolved  session  j,  S  already  knowns  an 
accepting  transcript  (a*,/ 3i,7*)  of  SS-POK  from  the  reference  simulation. 
If  session  j  does  not  abort  during  slot  i  in  this  rewinding  pass,  then  S 
learns  another  accepting  transcript  (a.;, /3',  7')  of  SS-POK.  In  this  case,  S 
can  resolve  the  session  j  by  extracting  a  fake  witness  using  the  special-sound 
property. 

4.  S  completes  the  reference  simulation  using  extracted  fake  witnesses  to  sim¬ 
ulate  the  Stage  2  proof  (only  needed  in  each  parallel  session  that  did  not 
abort).  S  outputs  the  view  of  V*  on  the  reference  simulation  and  this  com¬ 
pletion. 

For  simplicity,  we  assume  that  for  sessions  that  did  not  abort  in  the  reference 
simulation,  the  extraction  of  fake  witnesses  always  succeeds  whenever  S  receives 
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an  accepting  slot  in  a  rewinding  pass  (i.e.,  we  assume  that  S  never  sends  the 
same  value  for  /3  twice).  This  assumption  can  be  made  without  loss  of  generality 
by  the  following  modifications  of  the  simulation  strategy. 

—  Let  the  simulator  S  performs  at  most  2"  rewinding  passes.  If  there  exist 
any  unsolved  sessions  j  after  2n  rewinding  passes,  S  resolves  the  session  by 
brute  force,  i.e.,  by  directly  inverting  the  one-way  function  /  to  obtain  a  fake 
witness  of  length  n.  This  modification  increases  the  running  time  (but  not 
the  number  of  queries)  of  S  by  at  most  a  poly(n)  factor  (multiplicatively) , 
and  makes  sure  that  S  makes  at  most  poly(2n)  queries  to  V*. 

—  Let  the  final  verifier  challenge  in  the  SS-POK  have  length  \(3\  =  n2.  In  this 
case,  the  probability  of  S  ever  querying  V*  with  the  same  value  of  /3  twice 
is  poly(2")  •  2-"2  =  2-fi(n2),  definitely  negligible  in  n. 

We  now  show  two  lemmas  regarding  S  that  together  shows  that  Paral¬ 
lel  ZK  is  zero-knowledge  when  composed  in  parallel. 

Lemma  5.  S  runs  in  expected  polynomial  time,  and  makes  0(mk1^m  log2  n) 
queries  in  expectation. 

Lemma  6.  On  common  input  x  £  L,  the  output  of  S  is  indistinguishable  from 
the  real  view  of  V* . 

We  defer  the  proof  of  Lemma  5  to  the  next  section,  where  we  bound  the  ex¬ 
pected  number  of  rewinding  passes  before  S  extracts  all  necessary  fake  witnesses. 
We  give  a  sketch  of  Lemma  6  now. 

Proof  (Proof  Sketch).  The  output  of  S  up  to  the  end  of  Stage  1  (i.e.,  the  ref¬ 
erence  simulation)  is  identical  to  the  view  of  V*,  because  S  follows  the  honest 
prover  strategy.  The  output  of  S  in  Stage  2  of  the  protocol  is  computationally 
indistinguishable  from  the  view  of  V*  because  the  Stage  2  proof  is  witness  in¬ 
distinguishable.  Formally,  this  can  be  shown  with  a  hybrid  argument  where  we 
incrementally  exchange  each  of  the  k  parallel  Stage  2  proofs  from  using  “fake  wit¬ 
nesses”  r  such  that  f(r)  =  Ci  or  C2  (the  simulator  strategy),  to  a  real  witnesses 
w  for  x  £  L  (the  honest  prover  strategy). 

3.3  Proof  of  Lemma  5 

In  this  section,  we  prove  Lemma  5  by  bounding  the  expected  number  of  rewinding 
passes  in  an  execution  of  S.  Let  I?  be  a  random  variable  that  denotes  the  number 
of  rewinding  passes.  We  will  show  that: 

E[f?]  =  E[#  rewinding  passes  ]  <  0(k1^m  •  log2  n). 

This  then  implies  Lemma  5  because  outside  of  rewinding  passes,  Sv*(x)  makes 
only  0(m)  queries  to  V*  and  runs  in  polynomial  time. 

Before  presenting  our  analysis  for  the  general  case  of  m  slots,  we  revisit  the 
classical  analysis  for  the  case  of  single  slot  for  intuition. 


Approved  for  Public  Release;  Distribution  Unlimited. 

845 


The  case  of  single  slot.  The  analysis  is  very  simple.  For  every  j  £  [fc],  let  Rj 
denote  the  number  of  rewinding  passes  to  resolve  session  j,  and  let  pj  be  the 
probability  that  session  j  does  not  abort  during  the  single  slot.  Recall  that 
session  j  is  resolved  if  it  aborts  in  the  reference  simulation,  and  otherwise,  the 
simulator  needs  to  rewind  the  slot  several  times  until  session  j  does  not  aborts 
again.  Hence,  the  expected  number  of  rewinding  passes  to  resolve  session  j  is 

E[Rj]  =  (1  —  pj)  ■  0  +  pj  ■  —  =  1. 

Pj 

By  linearity  of  expectation,  the  expected  number  of  rewinding  passes  is 
E[R }  =J2EiRj]  =  k<0(k ■  log2  n). 

3 

We  note  that  the  above  simple  analysis  is  tight.  Consider  the  case  where 
during  the  slot,  each  session  aborts  independently  with  probability  (1  —  1/fc).  It 
is  not  hard  to  see  that  in  this  case,  with  constant  probability,  at  least  one  session 
does  not  abort  during  the  slot,  and  the  simulator  needs  to  rewind  k  times  in 
expectation  to  resolve  the  survival  session.  Therefore,  the  expected  number  of 
rewinding  passes  is  f2(k). 

In  fact,  it  is  instructive  to  note  that  the  following  natural  generalization  of 
the  above  example  is  essentially  the  worse-case  example  for  the  general  case  of 
to  slots:  during  each  slot  i  £  [to],  each  survival  session  j  aborts  independently 
with  probability  (1  —  In  this  case,  each  session  does  not  abort  during  the 

to-  slots  with  probability  (/c_1/m)m  =  1/k,  and  hence  with  constant  probability, 
at  least  one  session  survives  after  m  slots.  Resolving  the  survival  session  requires 
k1/m/m  rewinding  passes  in  expectation,  and  hence  the  expected  number  of 
rewinding  passes  is  f2(k1^m /in). 

We  note  that  although  in  the  above  example,  each  session  aborts  during  each 
slot  independently,  in  general,  the  aborting  probability  of  each  session  at  each 
slot  can  depends  arbitrarily  on  the  history  and  correlated  arbitrarily. 

The  general  case  of  m  slots.  To  analyze  the  expected  number  of  rewinding 
passes,  we  define  the  following  [0,  l]-valued  random  variables  based  on  the  refer¬ 
ence  simulation  generated  in  Step  1.  Let  hi  denote  the  partial  transcript  of  the 
reference  simulation  before  slot  i.  For  every  slot  i  £  [ in}  and  session  j  £  [k] ,  we 
define  random  variable  pij  as  follows. 

—  If  session  j  is  already  aborted  at  the  end  of  slot  i ,  then  we  define  Pij  =  1. 

—  Otherwise,  we  define  pl>3  to  be  the  conditional  probability 

Pij  =  Pr[  session  j  does  not  abort  during  slot  i  \  hi}. 

For  intuition,  Pij  is  essentially  the  probability  that  S  can  resolve  session  j 
by  rewinding  slot  i.  Now  consider  the  best  slot  for  each  session  —  the  slot  with 
the  highest  Pij  value  (this  is  the  slot  that  S  wants  to  rewind).  We  record  this 
value  as 

p*  =  max  pij 
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Note  that  for  a  session  j  that  aborts  in  the  reference  simulation,  we  have  p*  =  1, 
indicating  that  sessions  j  is  already  resolved  and  matching  the  above  intuition. 
Finally,  the  number  of  rewinding  passes  depends  heavily  on  the  worst  session  — 
the  session  with  the  worst  p*  value  (the  “worst  best  slot”).  We  record  this  value 
as  the  critical  probability : 

p*  =  minp*. 
j  J 

To  see  how  the  critical  probability  p*  plays  an  important  role  in  the  expected 
number  of  rewinding  passes,  note  that  on  one  hand,  S  needs  roughly  1  /p*  rewind¬ 
ing  passes  to  resolve  the  worse-case  session;  on  the  other  hand,  the  chance  of 
having  a  reference  simulation  with  small  critical  probability  (say,  p*  <  p)  is  rare 
(at  most  pm ).  Therefore,  to  upper  bound  E[i?],  we  define  the  following  events, 
which  partition  the  probability  space  according  to  the  critical  probability.  For 
every  t  £  N,  let 

def  /  1 

at  ~  \24  •  fc1/™ 

—  Let  A0  be  the  event  that  p*  >  a0  =  k~1!rn ,  and  for  every  t  £  N,  let  At  be 
the  event  that 

Cut  <  Pj  <  CXt- 1- 

Similarly  for  every  session  j  £  [fc] , 

—  Let  Aoj  be  the  event  that  p*  >  a o  =  and  for  every  t  £  N,  let  Atj 

be  the  event  that 

at  <p*  <  at- 1- 

We  can  now  express  the  expectation  of  the  number  of  rewinding  passes  as  follows. 


E[i?]=^Pr[At]-E[i?|At] 

t>  0 

<  Pr[A0]  •  E[R  I  Ao]  +  53  I  53  Pr [AtJ\  ]  -E[R  \  At], 


t> i  \j= 1 


where  the  last  inequality  follows  by  At  C  U jAtj  (which  follows  from  definition). 
We  proceed  to  bound  each  term.  For  Ao,  we  use  trivial  bound  Pr[^40]  <  1.  For 
general  t  >  1  and  every  j  £  [k] ,  we  first  observe  that  when  Atj  happens,  session 
j  does  not  abort  all  of  its  m  slots  in  the  reference  simulation  (since  otherwise, 
p*  =  1).  This  happened  despite  the  fact  that  each  slot  i  in  session  j  in  the 
reference  simulation  could  have  only  survived  (not  aborted)  with  probability 
Pi,j  <at- 1.  Thus, 

Pr^ty]  <  at_1  —  ^2t-i  .  fci/m)  —  •  k' 

and, 

^  1  1 

^  2m(*-1)  •  k  ~  ' 

3=1 
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It  remains  to  bound  E[I?  |  Af] ,  which  is  given  in  the  follow  lennna. 

Lemma  7.  For  every  t  >  0,  we  have 

E[i?  |  At\<0  (V  •  k1/m  •  log2  nj  . 

We  apply  Lemma  7  to  upper  bound  E[I?]  first. 

E[R\  <  E[i?  |  A0]  +  ^2  2m(t-i)  '  I 

t>i  z 

<  O  (t1/m '  los2  »)  +  •£  ■  O  (e/-  •  log2  „) 

t>l 

<  O  (fc1/m  •  log2  n)  . 

This  completes  the  proof  of  Lemma  5. 

Proof  (Proof  of  Lemma  7).  The  event  At  means  that  in  the  reference  simulation, 
for  every  non-aborting  session  j,  there  exists  a  useful  slot  i  £  [m]  such  that 

Pr[  session  j  is  not  aborted  after  slot  i  \  hi]  =  Pij  >  at. 

Therefore,  in  each  rewinding  pass,  the  simulator  S  may  learn  an  (additional) 
accepting  transcript  of  SS-POK  in  session  j  with  probability  at  least  at,  allowing 
it  to  extract  a  fake  witness. 

Fix  a  non- aborting  session  j ,  and  define 


Because  the  rewinding  passes  are  independent,  we  have 

Pr[session  j  is  resolved  after  q  rewinding  passes]  =  1  —  (1  —  at)q  >  1  —  ngl(n). 

Since  there  are  at  most  k  survival  sessions,  by  the  union  bound, 

Pr[all  sessions  are  resolved  after  q  rewinding  passes]  >  1  —  ngl(n). 

In  other  words,  every  q  rewinding  passes  can  solve  all  the  sessions  with  proba¬ 
bility  at  least  1  —  ngl(n).  It  follows  that 

E [R  I  At]  <  (1  -  ngl(n))  •  q  +  ngl(n)  (1  -  ngl(n))  •  2 q  +  ngl(n)2  (1  -  ngl(nj)  -3 q  +  - 
<  O(q)  =  O  (2*  •  k1/m  ■  log2  n)  . 
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4  Lower  Bound 


The  proof  of  Theorem  2  follows  a  well-known  framework  (e.g. ,  [GK96b,CKPR01] ) . 
Let  S  be  a  black-box  zero-knowledge  simulator  for  7Tfc  =  (Pk,Vk)  that  makes 
less  than  q  =  0(k1/m/  log2  n)  queries,  and  let  Vk*  be  a  particular  adversarial 
verifier  to  be  specified  later.  We  define  V,  a  BPP  decision  procedure  for  L  by 
combining  S  and  Vk *:  on  input  instance  x,  T>(x)  accepts  if  and  only  if  Sl  (x) 
outputs  an  accepting  view  of  Vk*  (i.e. ,  all  k  sessions  of  Vk*  accept).  Using  the 
zero-knowledge  property,  it  is  easy  to  show  (see  for  example  [GK96b])  that  if 
the  modified  protocol  IIk*  =  ( Pk ,  Vk*)  is  complete  for  L  (based  on  our  choice 
of  Vk*),  then  V  is  complete  for  L  as  well.  The  main  effort  of  the  proof  is  to 
show  that  T>  is  sound;  this  relies  both  on  the  choice  of  Vk*  and  the  fact  that  S 
makes  less  than  q  queries  to  Vk* .  We  discuss  our  choice  of  Vk*  in  Section  4.1, 
and  analyze  the  soundness  of  V  in  Section  4.2. 

4.1  The  Random  Termination  Verifier  Vk* 

In  this  section,  we  define  a  verifier  Vk*  for  the  parallelized  protocol  with  two 
goals  in  mind:  the  protocol  IIk*  =  (Pk,Vk*)  should  be  complete  (so  that  V 
is  complete),  and  Vk*  should  be  sound  against  any  rewinding  simulator  S  that 
makes  less  than  q  queries  to  Vk*  (so  that  V  is  sound). 

Just  as  [CKPR01],  we  define  Vk*  to  follow  the  honest  verifier  strategy  Vk 
with  one  extra  property:  random  termination.2  Whenever  the  prover  Pk  or  the 
rewinding  simulator  S  makes  a  query  to  Vk* ,  Vk*  determines,  with  independent 
and  fresh  randomness,3  whether  or  not  to  terminate  immediately  and  accept  with 
probability  p  £  [0, 1],  a  parameter  to  be  specified  later;  this  is  done  independently 
for  each  of  the  k  parallel  sessions  (i.e.,  one  session  may  be  terminated  while  other 
sessions  continue).  Due  to  this  independence  between  parallel  sessions,  we  often 
treat  Vk*  as  k  machines,  (V*, . . . ,  V£),  each  responsible  for  making  the  decision 
to  terminate  and  generating  the  verifier  messages  for  one  session.  Note  that 
the  fresh  randomness  is  only  used  to  decide  whether  to  terminate  or  not;  Vk* 
generates  protocol  messages  using  its  default  random  tape  that  is  kept  the  same 
between  rewinds  (as  expected  by  following  the  honest  verifier  strategy). 

Clearly,  IIk*  =  (Pk,Vk*)  is  still  complete.  It  remains  to  show  that  Vk*  is 
“sound”  against  the  rewinding  S;  that  is,  on  input  x  ^  L,  Sv  is  unlikely  to 

2  The  term  “random  termination”  was  first  used  by  Haitner  [Hai09],  but  the  random 
termination  verifier  we  considered  already  appeared  in  the  earlier  work  of  [CKPR01]. 

3  We  use  a  well-known  technique  (see  for  example  [GK96b,CKPR01])  to  generate  fresh 
independent  randomness  on  the  fly  for  each  query  from  the  simulator  S,  despite  the 
fact  that  S  may  rewind  Vk*  between  queries  and  force  Vk*  to  use  the  same  random 
tape.  Let  'H  be  a  family  of  q- wise  independent  hash-functions,  and  let  Vk*  sample 
one  hash-function  h  H  in  the  very  beginning.  Then  whenever  Vk*  receives  a  query 
(from  Pk  or  S),  Vk*  applies  h  to  the  current  protocol  transcript  (the  sequence  of 
messages  exchanged  in  the  protocol  so  far)  and  use  the  output  as  a  fresh  random 
tape.  Since  S  makes  at  most  q  queries  to  Vk* ,  the  output  distribution  of  the  hash- 
function  is  truly  uniformly  random. 
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generate  an  accepting  transcript  of  Vk*.  From  now  on  we  drop  the  common 
input  x  (f  L.  Intuitively,  by  randomly  terminating,  Vk*  can  better  protect  its 
randomness  against  S’s  rewinds  (when  Vk*  terminates,  S  learns  nothing  about 
Vk*’s  fixed  random  tape),  thus  ensuring  soundness.  To  make  this  intuition  more 
concrete,  suppose  for  example  that  S  made  q  queries  Ti, ... ,  rq  to  Vk* ,  and 
without  loss  of  generality  outputs  the  view  of  Vk*  on  a  subset  of  size  m  of  those 
queries4,  T  =  {rq , . . . ,  Tjm}.  Further  suppose  that  there  exists  a  parallel  session 
j  £  [k]  such  that  Vk*  does  not  terminate  on  the  queries  in  T,  but  terminates  on 
all  remaining  queries.  Then  intuitively,  «S”s  rewinding  does  not  help  S  convince 
Vk*  in  session  j,  and  the  soundness  of  the  original  protocol  U  should  imply  that 
Vk*  rejects  with  overwhelming  probability  in  session  j  (and  therefore  rejects 
overall) . 

The  core  of  our  proof  is  to  show  that,  with  high  probability,  for  every  subset 
of  size  m  of  queries  T  =  {rq, . . . ,  r,:m}  made  by  S,  there  exists  a  session  j  £  [k] 
with  overwhelming  probability  such  that  rewinds  are  “not  helpful”  for  session  j 
with  respect  to  T  in  the  above  manner.  We  make  this  possible  by  setting  the 
termination  probability  to  p  =  (1  —  1/q). 

We  now  state  the  formal  lemmas.  Let  n  be  the  security  parameter  and  L  be 
a  language.  Suppose  there  exists  a  m(n )  £  O  ( i0giog  n  )  -round  argument  II  = 
(P,  V)  for  L  with  perfect  completeness  and  negligible  soundness  error.  For  any 
polynomially  bounded  fc(n)  >  n,  let  S'  be  a  black-box  zero-knowledge  simulator 
of  the  parallelized  protocol  IIk  =  ( Pk ,  Vk)  that  makes  at  most 

q  =  k1/m/{  log2  n) 

queries,  and  let  Vk*  be  a  random  termination  verifier  of  the  parallelized  protocol 
with  termination  probability 

(These  parameters  passes  the  following  sanity  checks:  q  is  polynomially  bounded 
and  q  >  m  —  the  simulator  queries  Vk*  at  least  once  for  each  round  of  the 
protocol.  It  is  also  useful  later  to  know  that  ( 9 )  <  qm  <  k.)  Then: 

Lemma  8.  On  input  x  £  L,  V(x)  accepts  with  probability  1,  i.e.,  Sv  (x)  out¬ 
puts  an  accepting  view  ofVk*  with  probability  1. 

TT-fc* 

Lemma  9.  On  input  x  L,  the  pi'obability  that  Sv  (x)  generates  an  accepting 
view  ofVk*  is  negligible,  i.e.,  V  has  negligible  soundness  error. 

We  sketch  the  proof  of  Lemma  8  now,  and  give  the  proof  of  Lemma  9  in  the 
next  section. 

4  Without  loss  of  generality,  we  may  assume  that  before  S  outputs  a  view  of  Vk* , 
S  first  queries  Vk*  with  the  messages  in  the  view  (if  S  hasn’t  already).  This  may 
increase  the  number  of  queries  by  m,  and  thus  weaken  the  resulting  lower  bound 
from  q  to  q  —  m.  Nevertheless,  this  does  not  change  our  lower  bound  since  q  =  w(m) 
in  Theorem  2. 
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Proof  (Proof  Sketch).  Using  the  zero-knowledge  property,  the  output  of  S  is 
indistinguishable  from  the  view  of  Vk*  in  an  execution  with  Pk .  Therefore  it  is 
enough  to  show  that  (Pfc,  Vk*)  ( x )  accepts  with  probability  1.  In  each  parallel 
session  j  £  [k] ,  V*  accepts  by  definition  if  it  decides  to  terminate  in  some  protocol 
round.  Otherwise,  V}*  is  identical  to  V  and  would  still  accept  with  probability  1 
because  the  original  protocol  II  =  (P,  V)  has  perfect  completeness. 

4.2  Soundness  of  T> 

Proof  (Proof  of  Lemma  9).  We  prove  Lemma  9  with  a  reduction.  Suppose  for  the 
sake  of  contradiction  that  S  convinces  Vk*  on  some  input  x  L  with  probability 
more  than  1  fp(n)  for  some  polynomial  p.  Using  S ,  we  construct  a  cheating  prover 
P*  for  the  original  protocol  77  =  (P,  V)  that  convinces  V  with  non-negligible 
probability. 

Before  we  start,  assume  without  loss  of  generality  that  S  makes  exactly  q 
queries,  and  that  before  S  outputs  a  view  of  Vk* ,  S  would  first  query  Vk*  on 
all  previous  messages  in  the  view.  For  technical  convenience,  we  let  Vk*  make 
a  fresh  decision  to  terminate  for  each  query  and  each  session,  even  if  Vk*  has 
already  terminated  previously  in  the  same  session.  I.e.,  regardless  of  history  or 
message  content,  for  each  query  and  each  parallel  session,  Vk*  always  terminates 
independently  with  probability  p. 

Our  P*  is  a  natural  extension  of  the  classic  reduction  of  [GK96b]  —  P* 
guesses  a  session  jo  £  [k]  and  m  indices  To  =  {ii, . . .  ,im}  C  [g]  uniformly  at 
random,  and  interacts  with  an  outside  honest  V  by  internally  simulating  an 
interaction  of  (S,  Vk*)  with  V  embedded  in  session  j0,  queries  t^,  . . .  ,rim  of 
Vk* .  In  comparison,  the  idea  of  guessing  a  random  query  subset  is  exactly  as 
in  [GK96b].  The  difference  is  that  the  reduction  in  [GK96b]  is  for  single  session 
protocols,  and  in  contrast,  we  reduce  from  parallel  protocols  to  single  session 
protocols.  Hence,  our  reduction  P*  guesses  a  random  session  as  well. 

In  more  details,  P*  runs  S  and  Vk*  internally.  It  simulates  k  —  1  sessions  of 
Vk*  honestly  (except  V*o).  When  simulating  V*o,  for  the  zth  S  query  t. P*  first 
simulate  (with  fresh  randomness)  V*(j  ’s  decision  on  termination.  If  V*Q  decides  to 
terminate  but  i  £  T0  or  if  V*Q  does  not  terminate  but  7  ^  T0,  P*  aborts  (in  both 
these  cases,  the  termination  decision  of  V*Q  is  incompatible  with  P*  ’s  choice  of 
queries  to  forward).  If  the  forwarded  queries  (index  set  To)  are  not  “consistent” 
(e.g.,  if  they  query  for  the  same  round  of  the  protocol  more  than  once,  or  the 
query  contains  inconsistent  transcript),  P*  aborts  as  well.  Note  that  if  P*  does 
not  abort,  then  Vk*  is  perfectly  simulated  (even  in  session  j0). 

Now  consider  the  following  best  case  scenario.  Suppose  that  at  the  end  of  the 
simulation,  S  successfully  outputs  an  accepting  view  of  Vk* .  Moreover,  suppose 
that  the  accepting  view  consists  exactly  of  the  queries  in  index  set  To  (this  au¬ 
tomatically  guarantees  that  the  forwarded  queries  are  consistent),  and  suppose 
that  P*  does  not  abort  (i.e.,  termination  decisions  are  compatible  with  the  for¬ 
warded  queries).  Then,  P*  will  have  successfully  convinced  the  outside  honest 
V.  The  rest  of  the  proof  is  devoted  to  show  that  this  best  case  scenario  occurs 
with  noticeable  probability  (roughly  l/(p-  k 2)). 
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Let  T  C  [q]  denote  an  index  set  {ii, . . . ,  im}  of  size  to.  For  an  index  set  T  C  [q] 
and  a  session  j  G  [k],  we  define  A(T,j)  to  be  the  event  that,  on  session  j,  Vk* 
terminates  on  query  r,;  iff  i  (/  T.  Referring  back  to  our  intuition  earlier,  A(T,j) 
denotes  the  event  that  for  session  j,  S’ s  rewinds  are  not  helpful  with  respect  to 
the  queries  indexed  by  T.  If  event  A(T,j)  holds,  and  S  uses  the  queries  indexed 
by  T  to  form  an  accepting  view  of  Vk* ,  and  P*  guesses  both  T0  =  T  and  j0  =  j 
in  the  beginning,  then  P*  will  have  successfully  convinced  the  outside  honest  V . 

We  claim  that  by  the  setting  of  parameters,  we  have 

Pr[VT  C  [q],3j  €  [k]  s.t.  A(T,j)\  >  1  -  ngl(n)  (1) 

where  ngl(n)  denotes  a  negligible  quantity  in  n.  In  words,  with  overwhelming 
probability,  for  every  possible  index  set  T  of  size  m  that  S  may  use  to  output 
a  view  of  Vk*,  there  exists  a  session  j  such  that  P*  may  guess  jo  =  j  and  be 
successful. 

Before  proving  (1),  we  first  use  the  claim  to  show  that  P*  convinces  V  with 
noticeable  probability.  Recall  that  S  outputs  an  accepting  view  of  Vk*  with 
probability  1/p.  By  a  union  bound,  we  have 

Pr[(S'  outputs  accepting  view  of  Pfc*)A(VT  C  [q],3j  €  [k]  s.t.  A(T,j))\  >  (1/p)— ngl(n). 

Note  that  when  the  above  event  holds,  there  exist  a  unique  index  T  of  to  queries 
used  by  S  to  form  an  accepting  view  of  Vk* ,  and  there  exists  a  session  j  €  [fc] 
such  that  A(T,j)  holds.  As  mentioned  earlier,  if  P*  guesses  jo  =  j  and  T0  = 

T  correctly,  P*  will  have  successfully  convinced  V.  Since  P*  guesses  j  and  T 
uniformly  at  random  and  independent  of  the  interaction  between  S  and  Vk* ,  we 
have 


Pr[P*  convinces  V] 

>  Pr^S1  convinces  Vk*)  A  (VT  C  [q],3j  €  [k]  s.t.  A(T,j)) 

A  ( P *  guesses  T  and  j  correctly)] 

>  (1/p  -  ngl(n))  1 

MD  ~P-k2' 

where  in  the  last  line  we  used  ( 9)  <  qm  <  k.  This  contradicts  the  fact  that  17 
has  negligible  soundness  error  and  completes  our  analysis. 

It  remains  to  show  (1).  By  definition,  each  session  j  terminates  on  each  query 
Ti  with  probability  exactly  p,  independent  from  any  other  session  or  query.  Hence, 
for  any  session  j  and  index  set  T  of  size  m,  the  probability  that  event  A(T,j) 
holds  is 

Pr[A(T,  j)]  =  pq~m  ■  (1  —  p)m  >  (l-^  (J)  >^Q.(log2mn)). 

It  follows  that 

Pr[3j  G  [k]  s.t.  A(T,j)\  >  1  -  ^1  -  Q 


(log  2mn) 


>  1  -  e 


—  ^?(log2m  n) 
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Finally,  by  a  union  bound,  we  have 

Pr[VT  C  [q\,3j  e  [k\  s.t.  A(T,j)]  >  1  -  e-«(los2m")  .  >  1  -  ngl(n), 

as  claimed. 

As  with  most  lower  bounds  for  black-box  zero-knowledge,  a  careful  reading 
reveals  that  Theorem  2  also  applies  to  more  liberal  definitions  of  zero-knowledge, 
such  as  £-zero-knowledge  and  zero-knowledge  with  expected  polynomial  time 
simulators.  Additionally,  note  that  the  proof  of  Lemma  9  never  assume  that  S  is 
a  zero-knowledge  simulator,  and  works  just  as  well  for  any  PPT  oracle  machine 
S. 

Remark  10.  By  examining  the  technical  inner  workings  of  the  proof  of  Canetti, 
Kilian,  Petrank  and  Rosen  [CKPR01]  (which  also  uses  a  random  termination 
verifier),  we  discovered  that  part  of  their  analysis  implicitly  presents  a  lower 
bound  for  the  number  of  queries  made  by  black-box  simulators  for  parallel  zero- 
knowledge  protocols.  Compared  with  Theorem  2  and  our  analysis,  the  result  of 
[CKPR01]  establishes  a  weaker  bound  (and  is  arguably  more  complicated);  this 
is  not  surprising,  since  establishing  a  parallel  lower  bound  was  not  their  goal. 

Specifically,  [CKPR01]  implicitly  establishes  a  log w^(k)  lower  bound  on  the 
number  of  simulator  queries,  whereas  we  were  able  to  establish  a  lower  bound  of 
/c1/m/(log2 n).  Nevertheless,  we  believe  that  by  adapting  our  parameters  (which 
may  seem  strange  for  their  setting),  their  analysis  could  be  strengthened  to  match 
our  lower  bounds  (we  have  not  verified  all  the  details,  however). 
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Abstract 

In  tandem  with  recent  progress  on  computing  on  encrypted  data  via  fully  homomorphic 
encryption,  we  present  a  framework  for  computing  on  authenticated  data  via  the  notion  of 
slightly  homomorphic  signatures,  or  P-homonrorphic  signatures.  With  such  signatures,  it  is 
possible  for  a  third  party  to  derive  a  signature  on  the  object  in'  from  a  signature  of  m  as  long  as 
=  1  for  some  predicate  P  which  captures  the  “authenticatable  relationship”  between 
m!  and  m.  Moreover,  a  derived  signature  on  m!  reveals  no  extra  information  about  the  parent 
m. 

Our  definition  is  carefully  formulated  to  provide  one  unified  framework  for  a  variety  of  dis¬ 
tinct  concepts  in  this  area,  including  arithmetic,  homomorphic,  quotable,  redactable,  transitive 
signatures  and  more.  It  includes  being  unable  to  distinguish  a  derived  signature  from  a  fresh 
one  even  when  given  the  original  signature.  The  inability  to  link  derived  signatures  to  their 
original  sources  prevents  some  practical  privacy  and  linking  attacks,  which  is  a  challenge  not 
satisfied  by  most  prior  works. 

Under  this  strong  definition,  we  then  provide  generic  constructions  for  all  univariate  and 
closed  predicates,  and  specific  efficient  constructions  for  a  broad  class  of  natural  predicates  such 
as  quoting,  subsets,  weighted  sums,  averages,  and  Fourier  transforms.  To  our  knowledge,  these 
are  the  first  efficient  constructions  for  these  predicates  (excluding  subsets)  that  provably  satisfy 
this  strong  security  notion. 


‘Supported  by  NSF,  DARPA,  and  AFOSR.  Applying  to  all  authors,  the  views  and  conclusions  contained  in  this 
document  are  those  of  the  authors  and  should  not  be  interpreted  as  representing  the  official  policies,  either  expressed 
or  implied,  of  the  Defense  Advanced  Research  Projects  Agency  or  the  US  government. 

^This  work  has  been  funded  by  the  European  Community’s  Seventh  Framework  Programme  (FP7/2007-2013) 
under  grant  agreement  no.  216483  (PrimeLife). 

^"Supported  by  the  Defense  Advanced  Research  Projects  Agency  (DARPA)  and  the  Air  Force  Research  Laboratory 
(AFRL)  under  contract  FA8750-11-2-0211,  the  Office  of  Naval  Research  under  contract  N00014-11-1-0470,  a  Microsoft 
Faculty  Fellowship  and  a  Google  Faculty  Research  Award. 

^Supported  by  NSF  CNS-0845811  and  TC-1018543,  Defense  Advanced  Research  Projects  Agency  (DARPA)  and 
the  Air  Force  Research  Laboratory  (AFRL)  under  contract  FA8750-11-2-0211,  and  a  Microsoft  New  Faculty  Fellow¬ 
ship. 

^Supported  by  NSF  CNS-0915361  and  CNS-0952692,  AFOSR  Grant  No:  FA9550-08-1-0352,  DARPA  PROCEED, 
DARPA  N11AP20006,  Google  Faculty  Research  award,  the  Alfred  P.  Sloan  Fellowship,  Microsoft  Faculty  Fellowship, 
and  Packard  Foundation  Fellowship. 


Approved  for  Public  Release;  Distribution  Unlimited. 
1 

855 


1  Introduction 


In  tandem  with  recent  progress  on  computing  any  function  on  encrypted  data,  e.g.,  [28,  54,  51],  this 
work  explores  computing  on  unencrypted  signed  data.  In  the  past  few  years,  several  independent 
lines  of  research  touched  on  this  area: 

•  Quoting/redacting:  [53,  34,  1,  41,  31,  18,  17,  19]  Given  Alice’s  signature  on  some  message 
m  anyone  should  be  able  to  derive  Alice’s  signature  on  a  subset  of  m.  Quoting  typically 
applies  to  signed  text  messages  where  one  wants  to  derive  Alice’s  signature  on  a  substring 
of  m.  Quoting  can  also  apply  to  signed  images  where  one  wants  to  derive  a  signature  on  a 
subregion  of  the  image  (say,  a  face  or  an  object)  and  to  data  structures  where  one  wants  to 
derive  a  signature  of  a  subset  of  the  data  structure  such  as  a  sub-tree  of  a  tree. 

•  Arithmetic:  [35,  60,  23,  14,  27,  13,  12,  58]  Given  Alice’s  signature  on  vectors  Vi, . . . ,  vfc  £  F” 

anyone  should  be  able  to  derive  Alice’s  signature  on  a  vector  v  in  the  linear  span  of  vi, _ ,  V&. 

Arithmetic  on  signed  data  is  motivated  by  applications  to  secure  network  coding  [26].  We  show 
that  these  schemes  can  be  used  to  compute  authenticated  linear  operations  such  as  computing 
an  authenticated  weighted  sum  of  signed  data  and  an  authenticated  Fourier  transform.  As  a 
practical  consequence  of  this,  we  show  that  an  untrusted  database  storing  signed  data  (e.g., 
employee  salaries)  can  publish  an  authenticated  average  of  the  data  without  leaking  any 
other  information  about  the  stored  data.  Recent  constructions  go  beyond  linear  operations 
and  support  low  degree  polynomial  computations  [12]. 

•  Transitivity:  [46,  40,  5,  32,  6,  49,  59,  45]  Given  Alice’s  signature  on  edges  in  a  graph  G  anyone 
should  be  able  to  derive  Alice’s  signature  on  a  pair  of  vertices  (it,  v )  if  and  only  if  there  is  a 
path  in  G  from  u  to  v.  The  derived  signature  on  the  pair  ( u ,  v )  must  be  indistinguishable 
from  a  fresh  signature  on  ( u ,  v )  had  Alice  generated  one  herself  [40] .  This  requirement  ensures 
that  the  derived  signature  on  ( u ,  v )  reveals  no  information  about  the  path  from  u  to  v  used 
to  derive  the  signature. 

In  this  paper,  we  put  forth  a  general  framework  for  computing  on  authenticated  data  that 
encompasses  these  lines  of  research  and  much  more.  While  prior  definitions  mostly  contained 
artifacts  specific  to  the  type  of  malleability  they  supported  and,  thus,  were  hard  to  compare  to  one 
another,  we  generalize  and  strengthen  these  disparate  notions  into  a  single  definition.  This  definition 
can  be  instantiated  with  any  predicate,  and  we  allow  repeated  computation  on  the  signatures 
(e.g.,  it  is  possible  to  quote  from  a  quoted  signature.)  During  our  study,  we  realized  that  the 
“privacy”  notions  offered  by  many  existing  definitions  are,  in  our  view,  insufficient  for  some  practical 
applications.  We  therefore  require  a  stronger  (and  seemingly  a  significantly  more  challenging  to 
achieve)  property  called  context  hiding.  Under  this  definition,  we  provide  two  generic  solutions 
for  computing  signatures  on  any  univariate,  closed  predicate;  however,  these  generic  constructions 
are  not  efficient.  We  also  present  efficient  constructions  for  three  problems:  quoting  substrings  in 
Section  5,  a  subset  predicate  in  Section  6,  and  a  weighted  average  over  data  in  Section  7  (which 
captures  weighted  sums  and  Fourier  transforms).  Our  quoting  substring  construction  is  novel  and 
significantly  more  efficient  than  the  generic  solutions.  For  the  problems  of  subsets  and  weighted 
averages,  we  show  somewhat  surprising  connections  to  respective  existing  solutions  in  attribute- 
based  encryption  and  network  coding  signatures. 
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1.1  Overview 


A  general  framework.  Let  M.  be  some  message  space  and  let  2M  be  its  powerset.  Consider 
a  predicate  P  :  2M  x  M.  — >  {0, 1}  mapping  a  set  of  messages  and  a  message  to  a  bit.  Loosely 
speaking  we  say  that  a  signature  scheme  supports  computations  with  respect  to  P  if  the  following 
holds: 


Let  M  C  M.  be  a  set  of  messages  and  let  m!  be  a  derived  message,  namely  m!  satisfies 
P(M,  m!)  =  1.  Then  there  exists  an  efficient  procedure  that  can  derive  Alice’s  signature 
on  m!  from  Alice’s  independent  signatures  on  all  of  the  messages  in  M . 

For  the  quoting  application,  the  predicate  P  is  defined  as  P(M ,  m ')  =  1  iff  m!  is  a  quote  from  the 
set  of  messages  M.  Here  we  focus  on  quoting  from  a  single  message  m  so  that  P  is  false  whenever 
M  contains  more  than  one  component1,  and  thus  use  the  notation  P(m,m')  as  shorthand  for 
P({m},  in').  The  predicate  P  for  arithmetic  computations  is  defined  in  Appendix  A  and  essentially 
says  that  P(  (vi, . . . ,  v*.),  v)  is  true  whenever  v  is  in  the  span  of  Vi, . . . ,  v*.. 

We  emphasize  that  signature  derivation  can  be  iterative.  For  example,  given  a  message-signature 
pair  ( m,a )  from  Alice,  Bob  can  publish  a  derived  message-signature  pair  (m/,cr/)  for  an  m!  where 
P(m,m')  holds.  Charlie,  using  (m/,a/),  may  further  derive  a  signature  a"  on  m" .  In  the  quoting 
application,  Charlie  is  quoting  from  a  quote  which  is  perfectly  fine. 

Security.  We  give  a  clean  security  definition  that  captures  two  properties:  unforgeability  and 
context  hiding.  We  briefly  discuss  each  in  turn  and  give  precise  definitions  in  the  next  section. 

•  Unforgeability  captures  the  idea  that  an  attacker  may  be  given  various  derived  signatures 

(perhaps  iteratively  derived)  on  messages  of  his  choice.  The  attacker  should  be  unable  to 
produce  a  signature  on  a  message  that  is  not  derivable  from  the  set  of  signed  messages  at 
his  possession.  E.g.,  suppose  Alice  generates  ( m,cr )  and  gives  it  to  Bob  who  then  publishes 
a  derived  signature  Then  an  attacker  given  ( m',a ')  should  be  unable  to  produce  a 

signature  on  m  or  on  any  other  message  rn"  such  that  P(m',m ")  =  0. 

•  Context  hiding  captures  an  important  privacy  property:  a  signature  should  reveal  nothing 
more  than  the  message  being  signed.  In  particular,  if  a  signature  on  m!  was  derived  from 
a  signature  on  m,  an  attacker  should  not  learn  anything  about  m  other  than  what  can  be 
inferred  from  rn' .  This  should  be  true  even  if  the  original  signature  on  m  is  revealed.  For 
example,  a  signed  quote  should  not  reveal  anything  about  the  message  from  which  it  was 
quoted,  including  its  length,  the  position  of  the  quote,  whether  its  parent  document  is  the 
same  as  another  quote,  whether  it  was  derived  from  a  given  signed  message  or  generated 
freshly,  etc. 

Defining  context  hiding  is  an  interesting  and  subtle  task.  In  the  next  section,  we  give  a  definition 
that  captures  a  very  strong  privacy  requirement.  We  discuss  earlier  attempts  at  defining  privacy 
following  our  definition  in  Section  2.3;  while  many  prior  works  use  a  similar  sounding  intuition  as 
we  give  above,  most  contain  a  fundamental  difference  to  ours  in  their  formalization. 

We  note  that  notions  such  as  group  or  ring  signatures  [24,  4,  20,  10,  48]  have  considered  the 
problem  of  hiding  the  identity  of  a  signer  among  a  set  of  users.  Context  hiding  ensures  privacy  for 
the  data  rather  than  the  signer.  Our  goal  is  to  hide  the  legacy  of  how  a  signature  was  created. 

1We  leave  it  for  future  work  to  construct  systems  for  securely  quoting  from  two  messages  (or  possibly  more)  as 
defined  next. 
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Efficiency.  We  require  that  the  size  of  a  signature,  whether  fresh  or  derived,  depend  only  on 
the  size  of  the  object  being  signed.  This  rules  out  solutions  where  the  signature  grows  with  each 
derivation. 

Generic  Approaches.  We  begin  with  two  generic  constructions  that  can  be  inefficient.  They 
apply  to  closed,  univariate  predicates,  namely  predicates  P(M ,  rn')  where  M  contains  a  single 
message  (P  is  false  when  \M\  >  1)  and  where  if  P(a,b)  =  P(b,c)  =  1  then  P(a,c )  =  1.  The  first 
construction  uses  any  standard  signature  scheme  S  where  the  signing  algorithm  is  deterministic. 
(One  can  enforce  determinism  using  PRFs  [29].)  To  sign  a  message  m  €  A4,  one  uses  S  to  sign 
each  message  m!  such  that  P(m,  ml)  =  1.  The  signature  consists  of  all  these  signature  components. 
To  verify  a  signature  for  m ,  one  checks  the  signature  component  corresponding  to  the  message 
m.  To  derive  a  signature  m'  from  m ,  one  copies  the  signature  components  for  all  rn"  such  that 
P(m',m")  =  1.  Soundness  of  the  construction  follows  from  the  security  of  the  underlying  standard 
scheme  S  and  context  hiding  from  the  fact  that  signing  in  S  is  deterministic. 

Unfortunately,  these  signatures  may  become  large  consisting  up  to  \M\  signature  components 
-  effecting  both  the  signing  time  and  signature  size.  Our  second  generic  construction  alleviates 
the  space  burden  by  using  an  RSA  accumulator.  The  construction  works  in  a  similar  brute  force 
fashion  where  a  signature  on  m  is  an  accumulator  value  on  all  m!  such  that  P(m.,m')  =  1.  While 
this  produces  short  signatures,  the  time  component  of  both  verification  and  derivation  are  even 
worse  than  the  first  generic  approach.  Thus,  these  generic  approaches  are  too  expensive  for  most 
interesting  predicates.  We  detail  these  generic  approaches  and  proofs  in  Section  4,  where  we  also 
discuss  a  generic  construction  using  NIZK. 

Our  Quoting  Construction.  We  turn  to  more  efficient  constructions.  First,  we  set  out  to 
construct  a  signature  for  quoting  substrings2 ,  which  although  conceptually  simple  is  non-trivial  to 
realize  securely.  As  an  efficiency  baseline,  we  note  that  the  brute  force  generic  construction  of  the 
quoting  predicate  would  result  in  n2  components  for  a  signature  on  n  characters.  So  any  interesting 
construction  must  perform  more  efficiently  than  this.  We  prove  our  construction  selectively  secure.3 
In  addition,  we  give  some  potential  future  directions  for  achieving  adaptive  security  and  removing 
the  use  of  random  oracles. 

Our  construction  uses  bilinear  groups  to  link  different  signature  components  together  securely, 
but  in  such  a  way  that  the  context  can  be  hidden  by  a  re-randomizing  step  in  the  derivation 
algorithm.  A  signature  in  our  system  on  a  message  of  length  n  consists  of  n  lg  n  group  elements; 
intuitively  organized  as  lg  n  group  elements  assigned  to  each  character.  To  derive  a  new  signature 
on  a  substring  of  £  characters,  one  roughly  removes  the  group  elements  not  associated  with  the 
new  substring  and  then  re-randomizes  the  remaining  part  of  the  signature.  This  results  in  a  new 
signature  of  t\gl  group  elements.  The  technical  challenge  consists  in  simultaneously  allowing  re¬ 
randomization  and  preserving  the  “linking”  between  successive  characters.  In  addition,  there  is  a 
second  option  in  our  derive  algorithm  that  allows  for  the  derivation  of  a  short  signature  of  lg  i  group 
elements;  however  the  derive  procedure  cannot  be  applied  again  to  this  short  signature.  Thus,  we 
support  quoting  from  quotes,  and  also  provide  a  compression  option  which  produces  a  very  short 
quote,  but  the  price  for  this  is  that  it  cannot  be  quoted  from  further. 

2  A  substring  of  x\  . .  .xn  is  some  Xi . . .  Xj  where  i,j  £  [1,  n]  and  i  <  j.  We  emphasize  that  we  are  not  considering 
subsequences.  Thus,  it  is  not  possible,  in  this  setting,  to  extract  a  signature  on  “I  like  fish”  from  one  on  “I  do  not 
like  fish”. 

3Following  an  analog  of  [21],  selective  security  for  signatures  requires  the  attacker  to  give  the  forgery  message 
before  seeing  the  verification  key. 
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Computing  Signatures  on  Subsets  and  Weighted  Averages.  Our  final  two  contributions 
are  schemes  for  deriving  signatures  on  subsets  and  weighted  averages  on  signatures.  Rather  than 
create  entirely  new  systems,  we  show  connections  to  existing  Attribute-Based  Encryption  schemes 
and  Network  Coding  Signatures.  Briefly,  our  subset  construction  extends  the  concept  of  Naor  [11] 
who  observed  that  every  IBE  scheme  can  be  transformed  into  a  standard  signature  scheme  by 
applying  the  IBE  KeyGen  algorithm  as  a  signing  algorithm.  Here  we  show  an  analog  for  known 
Ciphertext-Policy  (CP)  ABE  schemes.  The  KeyGen  algorithm  which  generates  a  key  for  a  set  S  of 
attributes  can  be  used  as  a  signing  algorithm  for  the  set  S.  For  known  CP-ABE  systems  [7,  36,  57] 
it  is  straightforward  to  derive  a  key  for  a  subset  S'  of  S  and  to  re-randomize  the  signature/key.  To 
verify  a  signature  on  S  we  can  apply  Naor’s  signature- from-IBE  idea  and  encrypt  a  random  message 
A  to  a  policy  that  is  an  AND  of  all  the  attributes  in  S  and  see  if  the  signature  can  be  used  as  an 
ABE  key  to  decrypt  to  X.  Signatures  for  subsets  have  been  previously  considered  in  [32,  §6.4],  but 
without  context  hiding  requirements.  We  provide  further  details  in  Section  6.  Our  construction  for 
weighted  sums  is  presented  in  Section  7,  where  we  discuss  how  this  applies  to  Fourier  transforms. 

Other  Predicates.  One  can  also  imagine  predicates  P  that  support  more  complex  operations 
on  signed  messages.  One  natural  set  of  examples  are  spreadsheet  operations  such  as  median, 
standard  deviation,  and  rounding  on  signed  data  (satisfying  unforgeability  and  context  hiding). 
Other  examples  include  graph  algorithms  such  as  computing  a  signature  on  a  perfect  matching  in 
a  signed  bipartite  graph. 

2  Definitions 

Definition  2.1  (Derived  messages)  Let  M.  be  a  message  space  and  let  P  :  2M  x  M.  {0, 1}  be 
a  predicate  from  sets  over  M.  and  a  message  in  M.  to  a  bit.  We  say  that  a  message  m!  is  derivable 
from  the  set  M  C  Jvl  if  P(M.  m!)  =  1.  We  denote  by  P*(M)  the  set  of  messages  derivable  from  M 
by  repeated  derivation.  That  is,  let  P°(M)  be  the  set  of  messages  derivable  from  M  and  for  i  >  0 
let  Pl(M)  be  the  set  of  messages  derivable  from  Pt~1(M).  Then  P*(M )  := 

We  define  the  closure  of  P,  denoted  P* ,  as  the  predicate  defined  by  P*(M,m )  =  1  iff  m  £ 
P*(M). 

A  P-homomorphic  signature  scheme  n  for  message  space  Ai  and  predicate  P  is  a  triple  of  PPT 
algorithms: 

KeyGen(lA):  the  key  generation  algorithm  outputs  a  key  pair  ( pk,sk ).  We  treat  the  secret  key 
sk  as  a  signature  on  the  empty  tuple  e  £  At*.  We  also  assume  that  pk  is  embedded  in  sk. 

SignDerive(pfc,  ({<7m}meM,  M),  m' ,  w):  the  algorithm  takes  as  input  the  public  key,  a  set  of  mes¬ 
sages  M  C  M.  and  corresponding  signatures  {am}m£M,  a  derived  message  mf  £  A4,  and  possibly 
some  auxiliary  information  w.  It  produces  a  new  signature  a’  or  a  special  symbol  _L  to  repre¬ 
sent  failure.  For  complicated  predicates  P,  the  auxiliary  information  w  serves  as  a  witness  that 
P(M,m')  =  1.  To  simplify  the  notation  we  often  drop  w  as  an  explicit  argument. 

As  shorthand  we  write  Sign (sk,m)  :=  SignDeri ve(pk,  (sk,e),m.,  ■)  to  denote  that  any  mes¬ 
sage  can  be  derived  when  the  original  signature  is  the  signing  key.  For  a  set  of  messages  M  = 
{mi, . . . ,  nuk}  C  M*  it  is  convenient  to  let  Sign (sk,M)  denote  independently  signing  each  of  the 
k  messages,  namely: 


Sign (sk,M)  :=  (  Sign(s&,  mi), . . . ,  Sign(sfc,  mif)  )  . 
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Verify (pk,m,o):  given  a  public  key,  message,  and  purported  signature  o,  the  algorithm  returns  1 
if  the  signature  is  valid  and  0  otherwise. 

We  assume  that  testing  m  E  A4  can  be  done  efficiently,  and  that  Verify  returns  0  if  m  0  A4. 

Correctness.  We  require  that  for  all  key  pairs  ( sk,pk )  generated  by  KeyGen(ln)  and  for  all 
M  E  M*  and  m!  E  M.  we  have: 

•  if  P(M,m')  =  1  then  SignDerive(pA;,  (Sign (sk,  M),  M),m')  A  _L,  and 

•  for  all  signature  tuples  {<7 m}meM  such  that  o'  <—  SignDerive(pA;,  ({om}m£M,  M),m')  A  _L, 
we  have  Verify (pk,m',o')  =  1. 

In  particular,  correctness  implies  that  a  signature  generated  by  SignDerive  can  be  used  as  an 
input  to  SignDerive  so  that  signatures  can  be  further  derived  from  derived  signatures,  if  allowed 
by  P. 

Derivation  efficiency.  In  many  cases  it  is  desirable  that  the  size  of  a  derived  signature  depend 
only  on  the  size  of  the  derived  message.  This  rules  out  signatures  that  expand  as  one  iteratively 
calls  SignDerive.  All  the  constructions  in  this  paper  are  derivation  efficient  in  this  sense. 

Definition  2.2  (Derivation-Efficient)  A  signature  scheme  is  derivation-efficient  if  there  exists 
a  polynomial  p  such  that  for  all  ( pk ,  sk)  KeyGen(lA),  set  M  C  M*,  signatures  {crm}meM  E- 
Sign (sk,M)  and  derived  messages  m'  where  P(M,m')  =  l,  we  have 

| SignDerive(pA;,  {om}meM ,  M,  rri  )\  =  p( A,  \m!\ ) . 

2.1  Security:  Unforgeability 

To  define  unforgeability,  we  extend  the  basic  notion  of  existential  unforgeability  with  respect  to 
adaptive  chosen- message  attacks  [30] .  The  definition  captures  the  idea  that  if  the  attacker  is  given  a 
set  of  signed  messages  (either  primary  or  derived)  then  the  only  messages  he  can  sign  are  derivations 
of  the  signed  messages  he  was  given.  This  is  defined  using  a  game  between  a  challenger  and  an 
adversary  A  with  respect  to  scheme  If  over  message  space  A4. 

—  Game  Unforg(II,  A,  A,  P): 

Setup:  The  challenger  runs  KeyGen(lA)  to  obtain  ( pk ,  sk)  and  sends  pk  to  A.  The  challenger 
maintains  two  sets  T  and  Q  that  are  initially  empty. 

Queries:  Proceeding  adaptively,  the  adversary  issues  the  following  queries  to  the  challenger: 

•  Sign(m  E  M. ):  the  challenger  generates  a  unique  handle  h,  runs  Sign(sA;,  m)  — >•  a  and  places 
(. h,m,a )  into  a  table  T.  It  returns  the  handle  h  to  the  adversary. 

•  SignDerive(h  =  (hi, . . . ,  h^),  m'):  the  oracle  retrieves  the  tuples  (hi,  at,  mi)  in  T  for  i  = 

1 ,k,  returning  _L  if  any  of  them  do  not  exist.  Let  M  :=  (mi, . . . ,  rrq;)  and  := 

{<7i, . . . ,  <7fc}.  If  P(M,m')  holds,  then  the  oracle  generates  a  new  unique  handle  h! ,  runs 
SignDerive (pfc,  ({<Jm}meM,  M),m!)  — >  o'  and  places  (h',m',o')  into  T,  and  returns  h!  to 
the  adversary. 

•  Reveal(h):  Returns  the  signature  cr  corresponding  to  handle  h,  and  adds  (o' ,m')  to  the  set 

Q- 
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Output:  Eventually,  the  adversary  outputs  a  pair  (ex',  m').  The  output  of  the  game  is  1  (i.e.,  the 
adversary  wins  the  game)  if: 

•  Verify  (pk,m'  ,o')  =  1  and, 

•  let  Af  C  At  be  the  set  of  messages  in  Q  then  =  0  where  P*  is  the  closure  of 

P  from  Definition  2.1. 

Else,  the  output  of  the  game  is  0.  Define  Forg  4  as  the  probability  that  Pr[Unforg(II,  A,  A,  P)  = 

!]■ 

Interestingly,  for  some  predicates  it  may  be  difficult  to  test  if  the  adversary  won  the  game.  For  all 
the  predicates  we  consider  in  this  paper,  this  will  be  quite  easy. 

Definition  2.3  (Unforgeability)  A  P -homomorphic  signature  scheme  II  is  unforgeable  with 
respect  to  adaptive  chosen-message  attacks  if  for  all  PPT  adversaries  A,  the  function  Forg ^  is 
negligible  in  A. 

A  P -homomorphic  signature  scheme  II  is  selective  unforgeable  with  respect  to  adaptive 
chosen-message  attacks  if  for  all  PPT  adversaries  A  who  begin  the  above  game  by  announcing 
the  message  m!  on  which  they  will  forge ,  ForgA  is  negligible  in  A. 

Properties  of  the  definition.  By  taking  P  to  be  the  equality  oracle,  namely  P(x,  y )  =  1  iff 
x  =  y,  we  obtain  the  standard  unforgeability  requirement  for  signatures. 

Notice  that  Sign  and  SignDerive  queries  return  handles,  but  do  not  return  the  actual  signatures. 

A  system  proven  secure  under  this  definition  adequately  rules  out  the  following  attack:  suppose 
(rn,  a)  is  a  message  signature  pair  and  (m! ,  o')  is  a  message-signature  pair  derived  from  it,  namely 
o'  =  SignDerive  (pfc,  o,  m,m').  For  example,  suppose  rn'  is  a  quote  from  m.  Then  given  ( m',o ') 
it  should  be  difficult  to  produce  a  signature  on  m  and  indeed  our  definition  treats  a  signature  on 
m  as  a  valid  forgery. 

The  unforgeability  game  imposes  some  constraints  on  P:  (1)  P  must  be  reflexive,  i.e.  P(m ,  rn)  = 

1  for  all  m  G  M,  (2)  P  must  be  monotone,  i.e.  P(M,  m')  =>  P(M' ,  rn1 )  where  M  C  M' .  It  is  easy  to 
see  that  predicates  that  do  not  satisfy  these  requirements  cannot  be  realized  under  Definition  2.3. 

2.2  Security:  Context  Hiding  (a.k.a.,  Privacy) 

Let  M  be  some  set  and  let  m '  be  a  derived  message  from  M  (i.e.,  P(M,m')  =  1).  Context  hiding 
captures  the  idea  that  a  signature  on  m!  derived  from  signatures  on  M  should  reveal  no  information 
about  M  beyond  what  is  revealed  by  rn! .  For  example,  in  the  case  of  quoting,  a  signature  on  a 
quote  from  m  should  reveal  nothing  more  about  m:  not  the  length  of  m ,  not  the  position  of  the 
quote  in  m,  etc.  The  same  should  hold  even  if  the  attacker  is  given  signatures  on  multiple  quotes 
from  m. 

We  put  forth  the  following  powerful  statistical  definition  of  context  hiding  and  discuss  its  im¬ 
plications  following  the  definition.  We  were  most  easily  able  to  leverage  a  statistical  definition  for 
our  proofs,  although  we  also  give  an  alternative  computational  definition  in  Appendix  A. 

Definition  2.4  (Strong  Context  Hiding)  Let  M  C  At*  and  m '  G  At  be  messages  such  that 
P(M ,  m')  =  1.  Let  ( pk ,  sk)  4—  KeyGen(lA)  be  a  key  pair.  A  signature  scheme  (KeyGen,  SignDerive, 
Verify)  is  strongly  context  hiding  (for  predicate  P)  if  for  all  such  triples  (( pk,  sk),  M,m '),  the  fol¬ 
lowing  two  distributions  are  statistically  close: 

{( sk,{om}m&M  G-  Sign(sAgM),  Sign(sfc,  m!))  } sk  Mm, 

{  ( sk ,  {om}m£M  Sign  (sk,  M ),  SignDerive(pfc,  ({om}meM,  M),  m!)) }  skM,m' 
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The  distributions  are  taken  over  the  coins  of  Sign  and  SignDerive.  Without  loss  of  generality, 
we  assume  that  pk  can  be  computed  from  sk. 

The  definition  states  that  a  derived  signature  on  m! ,  from  an  honestly- generated  original  sig¬ 
nature,  is  statistically  indistinguishable  from  a  fresh  signature  on  m! .  This  implies  that  a  derived 
signature  on  m!  is  indistinguishable  from  a  signature  generated  independently  of  M.  Therefore, 
the  derived  signature  cannot  (provably)  reveal  any  information  about  M  beyond  what  is  revealed 
by  m' .  By  a  simple  hybrid  argument  the  same  holds  even  if  the  adversary  is  given  multiple  derived 
signatures  from  M . 

Moreover,  Definition  2.4  requires  that  a  derived  signature  look  like  a  fresh  signature  even  if  the 
original  signature  on  M  is  known.  Hence,  if  for  example  someone  quotes  from  a  signed  recommen¬ 
dation  letter  and  somehow  the  original  signed  recommendation  letter  becomes  public,  it  would  be 
impossible  to  link  the  signed  quote  to  the  original  signed  letter.  The  same  holds  even  if  the  signing 
key  sk  is  leaked. 

Thus,  Definition  2.4  captures  a  broad  range  of  privacy  requirements  for  derived  signatures. 
Earlier  work  in  this  area  [34,  17,  19,  16]  only  considered  weaker  privacy  requirements  using  more 
complex  definitions.  The  simplicity  and  breadth  of  Definition  2.4  is  one  of  our  key  contributions. 

Definition  2.4  uses  statistical  indistinguishability  meaning  that  even  an  unbounded  adversary 
cannot  distinguish  derived  signatures  from  newly  created  ones.  In  Appendix  A,  we  give  a  definition 
using  computational  indistinguishability  which  is  considerably  more  complex  since  the  adversary 
needs  to  be  given  signing  oracles.  In  the  unbounded  case  of  Definition  2.4  the  adversary  can  simply 
recover  a  secret  key  sk  from  the  public  key  and  answer  its  own  signature  queries  which  greatly 
simplifies  the  definition  of  context  hiding.  All  the  signature  schemes  in  this  paper  satisfy  the 
statistical  Definition  2.4. 

As  mentioned  above,  the  context-hiding  guarantee  applies  to  all  derivations  that  begin  with 
an  honestly-generated  signature.  One  might  imagine  a  scenario  where  a  malicious  signer  creates  a 
signature  that  passes  the  verification  algorithm,  but  contains  a  “watermark”  that  allows  the  signer 
to  detect  if  other  signatures  are  derived  from  it.  To  prevent  such  attacks  from  malicious  signers, 
we  could  alter  the  definition  so  that  indistinguishability  holds  for  any  derivative  that  results  from 
a  signature  that  passed  the  verification  algorithm. 

A  simpler  approach  to  proving  unforgeability.  For  systems  that  are  strongly  context  hiding, 
unforgeability  follows  from  a  simpler  game  than  that  of  Section  2.1.  In  particular,  it  suffices  to 
just  give  the  adversary  the  ability  to  obtain  top  level  signatures  signed  by  sk.  In  Appendix  A,  we 
define  this  simpler  unforgeability  game  and  prove  equivalence  to  Definition  2.3  using  strong  context 
hiding. 

2.3  Related  Work 

Early  work  on  quotable  signatures  [53,  34,  43,  42,  31,  18,  22,  16]  supports  quoting  from  a  single 
document,  but  does  not  achieve  the  privacy  or  unforgeability  properties  we  are  aiming  for.  For 
example,  if  simple  quoting  of  messages  is  all  that  is  desired,  then  the  following  folklore  solution 
would  suffice:  simply  sign  the  Merkle  hash  of  a  document.  A  quote  represents  some  sub-tree  of 
the  Merkle  hash;  so  a  quoter  could  include  enough  intermediate  hash  nodes  along  with  the  original 
signature  in  any  quote.  A  verifier  could  simply  hash  the  quote,  and  then  build  the  Merkle  hash  tree 
using  the  computed  hash  and  the  intermediate  hashes,  and  compare  with  the  original  signature. 
Notice,  however,  that  every  quote  in  this  scheme  reveals  information  about  the  original  source 
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document.  In  particular,  each  quote  reveals  information  about  where  in  the  document  it  appears. 
Thus,  this  simple  quoting  scheme  is  not  context  hiding  in  our  sense. 

The  work  whose  definition  is  closest  to  what  we  envision  is  the  recent  work  on  redacted  signatures 
of  Chang  et  al.  [22]  and  Brzuska  et  al.  [16]  (see  also  Naccache  [44,  p.  63]  and  Boneh-Freeman  [13, 
12]  4).  However,  there  is  a  subtle,  but  fundamental  difference  between  their  definition  and  the 
privacy  notion  we  are  aiming  for.  In  our  formulation,  a  quoted  signature  should  be  indistinguishable 
from  a  fresh  signature,  even  when  the  distinguisher  is  given  the  original  signature.  (We  capture 
this  by  an  even  stronger  game  where  a  derived  signature  is  distributed  statistically  close  to  a  fresh 
signature.)  In  contrast,  the  definitions  of  [22,  16,  13,  12]  do  not  provide  the  distinguisher  with  the 
original  signature.  Thus,  it  may  be  possible  to  link  a  quoted  document  to  its  original  source  (and 
indeed  it  is  in  the  constructions  of  [22,  16,  13,  12]),  which  can  have  negative  privacy  implications. 
Overcoming  such  document  linkage  while  maintaining  unforgeability  is  a  real  technical  challenge. 
This  requires  moving  beyond  techniques  that  use  nonces  to  link  parts  of  messages. 

Indeed,  in  most  prior  constructions,  such  as  [22,  16],  nonces  are  used  to  prevent  “mix-and- 
match”  attacks  (e.g.,  forming  a  “quote”  using  pieces  of  two  different  messages.)  Unfortunately, 
these  nonces  reveal  the  history  of  derivation,  since  they  cannot  change  during  each  derivation 
operation.  Arguably,  much  of  the  technical  difficulty  in  our  current  work  comes  precisely  from  the 
effort  to  meet  our  definition  and  hide  the  lineage.  We  introduce  new  techniques  in  this  work  which 
link  pieces  together  using  randomness  that  can  be  re-randomized  in  controlled  ways. 

Another  line  of  work  studies  computing  on  authenticated  data  by  holders  of  secret  information. 
Examples  include  sanitizable  signatures  [43,  1,  41,  19,  17]  that  allow  a  proxy  to  compute  signatures 
on  related  messages,  but  requires  the  proxy  to  have  a  secret  key,  and  incremental  signatures  [3], 
where  the  signer  can  efficiently  make  small  edits  to  his  signed  data.  In  contrast,  our  proposal  is  more 
along  the  lines  of  homomorphic  encryption  and  Rivest’s  vision  [46],  where  anyone  can  compute  on 
the  authenticated  data. 

3  Preliminaries:  Algebraic  Settings 

Bilinear  Groups  and  the  CDH  Assumption.  Let  G  and  G t  be  groups  of  prime  order  p.  A 
bilinear  map  is  an  efficient  mapping  e:GxG->  G  t  which  is  both:  ( bilinear )  for  all  g  G  G  and 
a,  b  Zp,  e(ga,gb )  =  e(g,g)ab-,  and  ( non-degenerate )  if  g  generates  G,  then  e(g,g)  /  1.  We  will 
focus  on  the  Computational  Diffie-Hellman  assumption  in  these  groups. 

Assumption  3.1  (CDH  [25])  Let  g  generate  a  group  G  of  prime  order  p  e  0(2A).  For  all  PPT 
adversaries  A,  the  following  probability  is  negligible  in  A:  Pr[a,  6, Zp;  z  X—  A(g,  ga,  gb )  :  z  =  gab\. 

4  Generic  Constructions  for  Simple  Predicates 

Let  Al  be  a  finite  message  space.  We  say  that  a  predicate  P  :  Al*  x  Al  — >  {0, 1}  is  a  simple 
predicate  if  the  following  properties  hold: 

4  As  acknowledged  in  Section  2.2  of  Boneh-Freeman  [12],  our  definitional  notion  is  stronger  than  and  predates  the 
“weak  context  hiding”  notion  of  [12].  Indeed,  the  fact  that  [12]  uses  our  framework  lends  support  to  its  generality,  and 
the  fact  that  they  could  not  achieve  our  context  hiding  notion  highlights  its  difficulty.  Their  “weak”  definition,  which 
is  equivalent  to  [16],  only  ensures  privacy  when  the  original  signatures  remain  hidden.  In  their  system,  signature 
derivation  is  deterministic  and  therefore  once  the  original  signatures  become  public  it  is  easy  to  tell  where  the  derived 
signature  came  from.  Our  signatures  achieve  full  context  hiding  so  that  derived  signatures  remain  private  no  matter 
what  information  is  revealed.  This  is  considerably  harder  and  is  not  known  how  to  do  for  the  lattice-based  signatures 
in  Boneh-Freeman. 


Approved  for  Public  Release;  Distribution  Unlimited. 

9 

863 


1 .  P  is  false  whenever  its  left  input  is  a  tuple  of  length  greater  than  1 , 

2.  P  is  a  closed  predicate  (i.e.,  P  is  equal  to  its  closure  P*\  see  Section  2.1.) 

3.  For  all  m  £  Af ,  P(m,  m )  =  1. 

In  this  section,  we  present  and  discuss  generic  approaches  to  computing  on  authenticated  data 
with  respect  to  any  simple  predicate  P.  Note  that  the  quoting  of  substrings  or  subsequences  (i.e., 
redacting)  are  examples  of  simple  predicates. 

We  begin  with  two  inefficient  constructions.  The  first  takes  a  brute  force  approach  that  con¬ 
structs  long  signatures  that  are  easy  to  verify.  The  second  takes  an  accumulator  approach  that 
constructs  shorter  signatures  at  the  cost  of  less  efficient  verification.  We  conclude  by  discussing  the 
limitations  of  a  generic  NIZK  proof  of  knowledge  approach. 

4.1  A  Brute  Force  Construction  From  Any  Signature  Scheme 

Let  (G,  S,  V)  be  a  signature  scheme  with  a  deterministic  signing  algorithm.5  One  can  construct  a 
P- homomorphic  signature  scheme  for  any  simple  predicate  P  as  follows: 

KeyGen(lA)  :  The  setup  algorithm  runs  G(1A)  — >  ( pk ,  sk)  and  outputs  this  key  pair. 

Sign (sk,m  £  At)  :  While  Sign  is  simply  a  special  case  of  the  SignDerive  algorithm,  we  will 
explicitly  provide  both  algorithms  here  for  clarity  purposes. 

The  signature  a  is  the  tuple  ( S(sk,m),U  =  {S(sk,m')  \  m!  £  P°({m})}). 

SignDerive(p/c,  a,  rn,  m')  :  The  derived  signature  is  computed  as  follows.  First  check  that  P(m,  ml) 
1.  If  not,  then  output  _L.  Otherwise,  parse  a  =  (<ti,  . . . ,  ar)  where  cr  corresponds  to  message 
rrii.  If  for  any  i,  V(pk,rrii,  cr)  =  0,  then  output  _L.  Otherwise,  the  signature  is  comprised 
as  the  set  containing  cr  for  all  rrit  such  that  P(m',mi )  =  1.  Again,  by  default,  let  the  first 
sub-signature  of  the  output  be  the  signature  on  rn' . 

Verify (pk,m,a)  :  Parse  a  =  (cr, . . . ,  cr *.).  Output  V{pk,m,a\). 

Efficiency  Discussion  The  efficiency  of  the  above  approach  depends  on  the  message  space  and 
the  predicate  P.  For  instance,  the  brute  force  approach  for  signing  a  message  of  n  characters,  where 
P(m,m')  outputs  1  if  and  only  if  rn'  is  a  substring  of  m,  will  result  in  0(n 2)  sub-signatures  (one 
for  each  of  the  0(n2)  substrings).  If  one  wanted  to  “quote”  subgraphs  from  a  graph,  this  approach 
is  intractable,  as  a  graph  of  n  nodes  will  generate  an  exponential  in  n  number  of  subgraphs. 

Theorem  4.1  (Security  from  Any  Signature)  If  (G,  S,V)  is  a  secure  deterministic  signature 
scheme,  then  the  above  signature  scheme  is  unforgeable  and  context-hiding. 

Proof  of  the  above  theorem  is  rather  straightforward.  The  context-hiding  property  follows  from 
the  uniqueness  of  the  signatures  generated  by  the  honest  signing  algorithms.  The  unforgeability 
property  follows  from  the  fact  that  an  adversary  cannot  obtain  a  signature  on  any  message  not 
derivable  from  those  she  queried  or  one  could  use  this  signature  to  directly  break  the  regular 
unforgeability  of  the  underlying  signature  scheme.  The  correctness  property  is  actually  the  most 
complex  to  verify:  it  requires  the  two  restrictions  on  the  predicate  P  made  above. 

5Given  a  signature  scheme  with  a  probabilistic  signing  algorithm,  one  can  convert  it  to  a  scheme  with  a  determin¬ 
istic  signing  algorithm  by:  (1)  including  a  pseudorandom  function  (PRF)  seed  as  part  of  the  secret  key  and  (2)  during 
the  signing  algorithm,  applying  this  PRF  to  the  message  and  using  the  output  as  the  randomness  in  the  signature. 
Given  any  signature  scheme,  one  can  also  construct  a  PRF. 
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4.2  An  Accumulator-based  Construction 


Assumption  4.2  (RSA  [47])  Let  k  be  the  security  parameter.  Let  a  positive  integer  N  be  the 
product  of  two  random  k-bit  primes  p,  q.  Let  e  be  a  randomly  chosen  positive  integer  less  than  and 
relatively  prime  to  4>{N)  =  (p  —  l)(q  —  1).  Then  no  PPT  algorithm  given  (N,  e)  and  a  random 
y  G  1AN  as  input  can  compute  x  such  that  xe  =  y  mod  N  with  non-negligible  probability. 

Lemma  4.3  (Shamir  [50])  Given  x,y  G  Zn  together  with  a,b  G  Z  such  that  xa  =  yb  and 
gcd(a,  b )  =  1,  there  is  an  efficient  algorithm  for  computing  z  G  Zn  such  that  za  =  y. 

Theorem  4.4  (Prime  Number  Theorem)  Define  tt(x)  as  the  number  of  primes  no  larger  than 
x.  For  x  >  1, 


Consider  the  following  RSA  accumulator  solution  which  supports  short  signatures,  but  the 
computation  required  to  derive  a  new  signature  is  expensive.  Let  P  be  any  univariate  predicate 
with  the  above  restrictions. 

We  now  describe  the  algorithms.  While  Sign  is  simply  a  special  case  of  the  SignDerive 
algorithm,  we  will  explicitly  provide  both  algorithms  here  for  clarity  purposes. 

KeyGen(lA)  :  The  setup  algorithm  chooses  N  as  a  20A-bit  RSA  modulus  and  a  random  value 
a  G  Zat.  It  also  chooses  a  hash  function  Hp  that  maps  arbitrary  strings  to  2A-bit  prime 
numbers,  e.g.,  [33],  which  we  treat  as  a  random  oracle.6  Output  the  public  key  pk  =  ( Hp ,  N,  a) 
and  keep  as  the  secret  key  sk,  the  factorization  of  N. 

Sign (sk,m  G  M)  :  Let  U  =  P°({m})  =  {m!  m!  G  M  and  P(m,m')  =  1}.  Compute  and  output 
the  signature  as 

a  :=  a1/(nu;ev  Hr(uA)  mod  N, 

SignDerive(p/c,  a,  m,  m')  :  The  derivation  is  computed  as  follows.  First  check  that  P(m,m')  =  1. 
If  not,  then  output  _L.  Otherwise,  let  U'  =  P°({?n/}).  Compute  and  output  the  signature  as 

a  :=  (jn^gp-y'-^pbi)  mod  N. 

Thus,  the  signature  is  of  the  form  a1^uieu'  Hp^u^  mod  N. 

Verify (pk,m,a)  :  Accept  if  and  only  if  a  =  o^ui&u  Hp(u^  mod  N  where  U  =  P°(?n). 

Efficiency  Discussion  In  the  above  scheme,  signatures  require  only  one  element  in  Z,*N.  However, 
the  cost  of  signing  depends  on  P  and  the  size  of  the  message  space.  For  example,  computing  an 
Psymbol  quote  from  an  n-symbol  message  requires  0(n(n  —  £))  evaluations  of  Hp()  and  0(n(n  —  £)) 
modular  exponentiations.  The  prime  search  component  of  Hp  will  likely  be  the  dominating  factor. 
Verification  requires  0(£2)  evaluations  of  Hp( )  and  0(£2)  modular  exponentiations,  for  an  Psymbol 
quote.  Thus,  this  scheme  optimizes  on  space,  but  may  require  significant  computation. 

Theorem  4.5  (Security  under  RSA)  If  the  RSA  assumption  holds,  then  the  above  signature 
scheme  is  unforgeable  and  context-hiding  in  the  random  oracle  model. 

We  provide  a  proof  of  above  theorem  by  showing  the  following  lemmas. 

6 We  choose  our  modulus  and  hash  output  lengths  to  obtain  A- bit  security  based  on  the  recent  estimates  of  [52]. 
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Lemma  4.6  (Context-Hiding)  The  homomorphic  signature  scheme  from  §/.£  is  strongly  context¬ 
hiding. 


Proof.  This  property  is  derived  from  the  fact  that  a  signature  on  any  given  message  is  deterministic. 
Let  the  public  key  PK  be  ( Hp,N,a )  and  challenge  be  any  m,m!  where  P(m,m')  =  1.  Let  U  = 
P°(m )  and  U1  =  P°(m').  Observe  that 


Sign(sA;,  m) 
Sign(sfc,  m!) 
SignDerive(p/c,  (a,  m),m  ) 


a  =  af^ueu  hp(u)  mod  TV 
do  =  a1/  nu'6(7'  hp(u  )  mod  TV 
cjUueu-u'  Hv(P)  niod  TV 

'aynueuHP^)]nueu-u'Hp{u) 

af/Ylu'eu'HpW)  mod  TV 


mod  TV 


=  v  o 


Because  Sign (sk,m')  and  SignDerive(p/c,  are  identical,  for  any  adversary  A,  the  prob¬ 

ability  that  A  distinguishes  the  two  is  exactly  1/2,  and  so  the  advantage  in  the  strong  context 
hiding  game  is  0.  □ 

Lemma  4.7  (Unforgeability)  If  the  RSA  assumption  holds,  then  the  Section  f.2  homomorphic 
signature  scheme  is  unforgeable  in  the  Unforg  game  in  the  random  oracle  model. 

Proof.  Our  reduction  only  works  on  certain  types  of  RSA  challenges,  as  in  [33] .  In  particular,  this 
reduction  only  attempts  to  solve  RSA  challenges  ( N,e*,y )  where  e*  is  an  odd  prime.  Fortunately, 
good  challenges  will  occur  with  non-negligible  probability.  We  know  that  e*  is  less  than  and 
relatively  prime  to  <j>(N)  <  TV,  which  implies  it  cannot  be  2.  We  also  know,  by  Theorem  4.4,  that 
the  number  of  primes  that  are  less  than  TV  is  at  least  j^.  Thus,  a  loose  bound  on  the  probability 
of  e*  being  a  prime  is  >  ($j)/N  =  ^ 

Now,  we  describe  the  reduction.  Our  proof  first  applies  Lemma  A. 4,  which  allows  us  to  only 
consider  adversaries  A  that  ask  queries  to  Sign  oracle  in  the  NHU  game.  Moreover,  suppose 
adversary  A  queries  the  random  oracle  Hp  on  at  most  s  unique  inputs.  Without  loss  of  generality, 
we  will  assume  that  all  queries  to  this  deterministic  oracle  are  unique  and  that  whenever  Sign  is 
called  on  message  M ,  then  Hp  is  automatically  called  with  all  unique  substrings  of  M.  Suppose  an 
adversary  A  can  produce  a  forgery  with  probability  e  in  the  NHU  game;  then  we  can  construct 
an  adversary  B  that  breaks  the  RSA  assumption  (with  odd  prime  e*)  with  probability  e/s  minus  a 
negligible  amount  as  follows. 

On  input  an  RSA  challenge  (N,e*,y),  B  proceeds  as  follows: 

Setup  B  chooses  2A-bit  distinct  prime  numbers  ei,  e2, . . . ,  es_i  at  random,  where  all  e*  7^  e*. 
Denote  this  set  of  primes  as  E.  Next,  B  makes  a  random  guess  of  i*  €  [l,s]  and  saves  this  value 
for  later.  Then  it  sets 

a  :=  yn^ei. 

Finally,  B  give  the  public  key  PK  =  (TV,  a)  to  A  and  will  answer  its  queries  to  random  oracle 
Hp  interactively  as  described  below. 
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Queries  Proceeding  adaptively,  B  answers  the  oracle  and  sign  queries  made  by  A  as  follows: 

1.  Hp(x )  :  When  A  queries  the  random  oracle  for  the  jtli  time,  B  responds  with  e*  if  j  =  i*,  with 
ej  if  j  <  i*  and  ej_i  otherwise.  Recall  that  we  stipulated  that  each  call  to  Hp  was  unique. 
Denote  x*  as  the  input  where  Hp(x*)  =  e*. 

2.  Sign(M):  Let  U  =  P°(M).  If  x*  £  U,  then  B  aborts  the  simulation.  Otherwise,  B  calls 
Hp  on  all  elements  of  U  not  previously  queried  to  Hp.  Let  primes(17)  denote  the  set  of 
primes  derived  by  calling  Hp  on  the  strings  of  U.  Then,  it  computes  the  signature  as  a  :  = 

yneis(B  — primes(C/))  e%  mocl  _/\T  anC[  retumS  (M,  (j)  . 

Response  Eventually,  A  outputs  a  valid  message-signature  pair  (A/,  a),  where  M  is  not  a  deriva¬ 
tive  of  an  element  returned  by  Sign.  If  M  was  not  queried  to  Hp  or  if  M  ^  x* ,  then  B  aborts  the 
simulation.  Otherwise,  let  U  =  P°(x*)  —  {re*}  and  primes(f7)  denote  the  set  of  primes  derived  by 
calling  Hp  on  the  strings  of  U.  It  holds  that  a1^ei&primes(~u'>ei  _  yAeieE^primBS(u)e^  —  ae*  m0(]  y\q 
Since  y,cr  £  Z n  and  gcd(e*.  FI,  ,eB-primes(t/)  e«)  =  1  (recall,  they  are  all  distinct  primes),  then 
B  can  apply  the  efficient  algorithm  from  Lemma  4.3  to  obtain  a  value  z  £  Z^r  such  that  ze  =  y 
mod  N.  B  outputs  z  as  the  solution  to  the  RSA  challenge. 

Analysis  We  now  argue  that  any  successful  adversary  A  against  our  scheme  will  have  success 
in  the  game  presented  by  B.  To  do  this,  we  first  define  a  sequence  of  games,  where  the  first 
game  models  the  real  security  game  and  the  final  game  is  exactly  the  view  of  the  adversary  when 
interacting  with  B.  We  then  show  via  a  series  of  claims  that  if  A  is  successful  against  Game  j,  then 
it  will  also  be  successful  against  Game  j  +  1. 

Game  1:  The  same  as  Game  NHU,  with  the  exception  that  at  the  beginning  of  the  game  B 
guesses  an  index  1  <  i*  <  s  and  e*  is  the  response  of  the  i*th  query  to  Hp. 

Game  2:  The  same  as  Game  1,  with  the  exception  that  A  fails  if  any  output  of  Hp  is  repeated. 

Game  3:  The  same  as  Game  2,  with  the  exception  that  A  fails  if  it  outputs  a  valid  forgery  (M,  a) 
where  M  was  not  queried  to  Hp. 

Game  4:  The  same  as  Game  3,  with  the  exception  that  A  fails  if  it  outputs  a  valid  forgery  (A 1,  a) 
where  M  /  x* . 

Notice  that  Game  4  is  exactly  the  view  of  the  adversary  when  interacting  with  B.  We  complete 
this  argument  by  linking  the  probability  of  A’s  success  in  these  games  via  a  series  of  claims.  The 
only  non-negligible  probability  gap  comes  between  Games  3  and  4,  where  there  is  a  factor  1/s  loss. 
Define  Adv_4  [Game  x\  as  the  advantage  of  adversary  A  in  Game  x. 

Claim  4.8  If  Hp  is  a  truly  random  function,  then 

Adv_4 [Game  1]  =  Adv_4 [Game  NHU]. 

Proof.  The  value  e*  was  chosen  independently  at  random  by  the  RSA  challenger,  just  as  Hp  would 
have  done.  □ 
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Claim  4.9  If  Hp  is  a  truly  random  function,  then 


Adv_4  [Game  2]  =  Adv_4  [Game  1] - fPP' 

Proof.  Consider  the  probability  of  a  repeat  occurring  when  s  2A-bit  primes  are  chosen  at  random. 
By  Theorem  4.4,  we  know  that  there  are  at  least  22^/ (2A)  2A-bit  primes.  Thus,  a  repeat  will  occur 
with  probability  <  s/(22^/2A)  =  2s2A/22A,  which  is  negligible  since  s  must  be  polynomial  in  A. 

□ 


Claim  4.10  If  Hp  is  a  truly  random  function,  then 

2A 

Adv_4  [Game  3]  =  Adv_4  [Game  2]  —  ^y. 

Proof.  If  M  was  never  queried  to  Hp,  then  a  can  only  be  a  valid  forgery  if  A  guessed  the  2A-bit 
prime  that  Hp  would  respond  with  on  input  M.  By  Theorem  4.4,  there  are  at  least  22^/2A  such 
primes  and  thus  the  probability  of  A’s  correct  guess  is  at  most  2A/22A,  which  is  negligible.  □ 

Claim  4.11 

.  ,  Adv  4  [Game  31 

Adv_4  [Game  4]  =  - — - I. 

Proof.  At  this  point  in  our  series  of  games,  we  conclude  that  A  forges  on  one  of  the  s  queries  to  Hp 
and  that  1  <  i*  <  s  was  chosen  at  random.  Thus,  the  probability  that  A  forges  on  the  i*th  query 
is  1/s.  □ 

This  completes  our  proof.  □ 


4.3  On  the  Limitations  of  Using  a  Generic  NIZK  Proof  of  Knowledge  Approach 

Another  general  approach  that  one  might  be  tempted  to  try  is  to  use  an  NIZK  [8]  proof  of  knowledge 
system  to  generate  a  signature  on  m'  by  proving  that  one  knows  a  signature  on  some  m  such  that 
P{m ,  m! )  holds.  Unfortunately,  this  approach  has  the  standard  drawback  of  generality  in  that  it 
requires  circuit-based  (non  black-box)  reductions.  In  particular,  the  statements  to  prove  in  non¬ 
interactive  zero- knowledge  require  transforming  the  circuits  of  the  signature  scheme  and  the  quoting 
predicate  into  an  instance  of  Hamiltonian  circuit  or  3-SAT.  Even  if  one  were  to  tailor  an  NIZK  proof 
of  knowledge  for  these  specific  statements  and  therefore  avoid  costly  reductions,  another  problem 
emerges  with  re-quoting.  When  a  quote  is  re-quoted,  then  the  same  process  happens  for  both  the 
original  signature  scheme  circuit,  the  predicate,  and  the  proof  system.  Aside  from  the  inefficiency, 
using  standard  NIZKPoK  systems  would  leak  information  about  the  size  of  the  original  message 
and  quotes,  and  therefore  would  not  satisfy  our  context  hiding  property7. 

7Using  non-interactive  CS-proofs  [39]  in  the  random  oracle  model  may  reduce  the  size  of  the  proof,  but  we  do  not 
know  how  to  avoid  leaking  the  size  of  the  theorem  statement  which  also  violates  the  context  hiding  property. 
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5  A  Powers-of-2  Construction  for  Quoting  Substrings 


We  now  provide  our  main  construction  for  quoting  substrings  in  a  text  document.  It  achieves  the 
best  time/space  efficiency  trade-off  to  our  knowledge  for  this  problem.  We  will  have  two  different 
types  of  signatures  called  Type  I  and  Type  II,  where  a  Type  I  signature  can  be  quoted  down  to 
another  Type  I  or  Type  II  signature.  A  Type  II  signature  cannot  be  quoted  any  further,  but  will 
be  a  shorter  signature.  The  quoting  algorithm  will  allow  us  to  quote  anything  that  is  a  substring 
of  the  original  message.  We  point  out  that  the  Type  I,  II  signatures  of  this  system  conform  to 
the  general  framework  given  in  Section  2.  In  particular,  we  can  view  a  message  M  as  a  pair 
(f,  m)  e  {0, 1},  {0, 1}*.  The  bit  t  will  identify  the  message  as  being  Type  I  or  Type  II  (assume  t  =  1 
signifies  Type  I  signatures)  and  m  will  be  the  quoted  substring.  The  predicate 


P(M  =  (: t,m),M '  =  ( t',m ')) 


1  if  t  =  1  and  m!  is  a  substring  of  m; 
0  otherwise. 


The  bit  t'  will  indicate  whether  the  new  message  is  Type  I  or  II  (i.e.,  whether  the  system  can 
quote  further.)  We  note  that  this  description  allows  an  attacker  to  distinguish  between  any  Type 
I  signature  from  any  Type  II  signature  since  the  “type  bit”  of  the  messages  will  be  different  and 
thus  they  will  technically  be  two  different  messages  even  if  the  substring  components  are  equal. 
For  this  reason  we  will  only  need  to  prove  context  hiding  between  messages  of  Type  I  or  Type  II, 
but  not  across  types.  In  general,  flipping  the  bit  t  will  not  result  in  a  valid  signature  of  a  different 
type  on  the  same  core  message,  because  the  format  will  be  wrong;  however,  moving  from  a  Type  I 
to  a  Type  II  on  the  same  core  message  is  not  considered  a  forgery  since  Type  II  signatures  can  be 
legally  derived  from  Type  I. 

For  presentational  clarity,  we  will  split  the  description  of  our  quoting  algorithm  into  two  quoting 
algorithms  for  quoting  to  Type  I  and  to  Type  II  signatures;  likewise  we  will  split  the  description  of 
our  verification  algorithm  into  two  separate  verification  algorithms,  one  for  each  type  of  signature. 
The  type  of  signature  used  or  created  (i.e.,  bit  t)  will  be  implicit  in  the  description. 

Notation:  We  use  notation  rriij  to  denote  the  substring  of  m  of  length  j  starting  at  position  i. 

Intuition:  We  begin  by  giving  some  intuition.  We  design  Type  I  signatures  that  allow  re-quoting 
and  Type  II  signatures  that  cannot  be  further  quoted,  but  are  ultra-short.  For  an  original  message  of 
length  n,  our  signature  structure  should  be  able  to  accommodate  starting  at  any  position  1  <  i  <  n 
and  quoting  any  length  1  <  i  <  (n  —  i  +  1)  substring.8 

To  (roughly)  see  how  this  works  for  a  message  of  length  n,  visualize  (n  +  1)  columns  with 
(|_lgnj  +2)  rows  as  in  Figure  1.  The  columns  correspond  to  the  characters  of  the  message,  so  if  the 
14-character  message  is  “abcdefghijklmn”  then  there  are  15  columns,  with  a  character  in  between 
each  column.  The  rows  correspond  to  the  numbers  lg  n  down  to  0,  plus  an  extra  row  at  the  bottom.9 
Each  location  in  the  matrix  (except  along  the  bottom-most  row)  contains  one  or  more  out-going 
arrows.  We’ll  establish  rules  for  when  these  arrows  exist  and  where  each  arrow  ends  shortly. 

A  Type  II  quote  will  trace  a  (lgn-f-l)-length  path  on  these  arrows  through  this  matrix  starting 
in  a  row  (with  outgoing  arrows)  of  the  column  that  begins  the  quote  and  ending  in  the  lowest  row 
of  the  first  column  after  the  quote  ends.  The  starting  row  corresponds  to  the  largest  power  of 
two  less  than  or  equal  to  the  length  of  the  desired  quote.  E.g.,  to  quote  “bcdef”,  start  in  row  2 

technically,  our  predicate  P(m,  m!)  will  take  the  quote  from  the  first  occurrence  of  substring  m!  in  m,  but  for 
the  moment  imagine  that  we  allowed  quoting  from  anywhere  in  m. 

the  lowest  row  is  intentionally  not  assigned  a  number.  The  second  lowest  row  is  row  0.  We  do  this  so  that  row 
i  can  correspond  to  a  jump  of  length  21. 
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Llg7VJ+2 

Ug^J+2 


Llg  €J  +2 


•t 

tt 


•t 

«L_ 

<( 

•t 


-e+ 1- 


■  N+l  - 


Type  I  Signature 


-»  “start”  arrow 

“start”  arrow  and 
“one”  arrow  (overlapped) 

■>  “zero”  arrow 


a  path  which  represents 
the  substring  “defgh” 


-t+i- 


Figure  1:  The  top  diagram  represents  a  signature  on  “abcdefghijklmn”  with  length  N  =  14.  Each 
arrow  corresponds  to  some  group  elements  in  the  construction.  Logically,  whenever  the  elements 
corresponding  to  an  arrow  are  included  in  a  quoted  signature,  the  characters  underneath  this  arrow 
are  included  in  the  quoted  message.  The  bold  path  through  the  top  diagram  shows  how  to  construct 
a  Type  II  signature  on  “defgh”;  it  is  very  short,  but  cannot  be  re-quoted.  The  gray  box  in  this 
figure  shows  how  to  construct  a  Type  I  signature  on  “cdefghi”  of  length  t  =  7;  it  includes  all  the 
arrows  in  the  lower  figure  and  can  be  re-quoted.  A  technical  challenge  is  to  enforce  that  following 
the  arrows  is  the  only  way  to  form  a  valid  signature.  Details  are  below. 

immediately  to  the  left  of  ‘b’  (because  22  =  4  is  the  largest  power  of  two  less  than  5)  and  end  in 
row  0  immediately  to  the  right  of  T.  Intuitively,  taking  an  arrow  over  a  character  includes  it  in 
the  quote.  A  Type  II  quote  on  “defgh”  is  illustrated  in  Figure  1. 

A  technical  challenge  is  to  make  this  a  0(lgn)-length  path  rather  than  a  0(n)-length  path.  To 
do  this,  the  key  insight  is  to  view  the  length  of  any  possible  quote  as  the  sum  of  powers  of  two 
and  to  allow  arrows  that  correspond  to  covering  the  quote  in  pieces  of  size  corresponding  to  one 
operand  of  the  sum  at  a  time.  Each  location  (ic,  ir )  in  the  matrix  (except  the  bottom-most  row) 
contains: 

•  a  “start”  arrow:  an  arrow  that  goes  down  one  row  and  over  2lr  columns  ending  in  (ic  +  2V ,  ir  — 
1),  if  this  end  point  is  in  the  matrix.  This  adds  all  characters  from  position  ic  to  ic  +  2lr  —  1 
to  the  quoted  substring;  effectively  adding  the  largest  power-of-two-length  prefix  of  the  quote 
characters.  This  arrow  indicates  that  the  quote  starts  here.  These  are  represented  as  St  j,  Sij 
pairs  in  our  construction. 

•  a  “one”  arrow:  operate  similarly  to  start  arrows  and  used  to  include  characters  after  a  start 
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arrow  includes  the  quote  prefix.  These  are  represented  as  A,;  j ,  Ajj  pairs  in  our  construction. 
•  a  “zero”  arrow:  an  arrow  that  goes  straight  down  one  row  ending  in  (ic,ir  —  1).  This  does 
not  add  any  characters  to  the  quoted  substring.  These  are  represented  as  Dhj,  Dt  j  pairs  in 
our  construction. 


A  Type  II  quote  always  starts  with  a  start  arrow  and  then  contains  one  and  zero  arrows 
according  to  the  binary  representation  of  the  length  of  the  quote.  In  our  example  of  original 
message  “abcdefghijklmn” ,  we  have  15  columns  and  5  rows.  We  will  logically  divide  our  desired 
substring  of  “bcdef ’  (length  5  =  22  +  2°  =  4  +  l)  into  its  powers-of-two  components  “bcde” (length 
4  =  22)  and  “f”  (length  1  =  2°).  To  form  the  Type  II  quote,  we  start  in  row  2  (since  4  =  22)  of 
column  2  (to  the  left  of  ’b’)  and  take  the  start  arrow  (£2,2)  t°  row  1  of  column  7,  take  the  zero 
arrow  (Z?7  i)  to  row  0  of  column  7,  and  then  take  the  one  arrow  (A7  o)  to  the  lowest  row  of  column 
8.  The  arrows  “pass  over”  the  characters  “bcdef”.  Figure  1  illustrates  this  for  quote  “defgh”. 

For  a  quote  of  length  £,  the  elements  on  this  0(lg  7)-length  path  of  arrows  form  a  very  short  Type 
II  signature.  For  Type  I  signatures,  we  include  all  the  elements  corresponding  to  all  arrows  that 
make  connections  within  the  columns  corresponding  to  the  quote.  We  illustrate  this  in  Figure  1. 
This  allows  quoting  of  quotes  with  a  signature  size  of  0(£\g£). 

It  is  essential  for  security  that  the  signature  structure  and  data  algorithm  enforce  that  the 
quoting  algorithm  be  used  and  not  allow  an  attacker  to  “splice”  together  a  quote  from  different 
parts  of  the  signature.  We  realize  this  by  adding  in  random  “chaining”  variables.  In  order  to 
cancel  these  out  and  get  a  well  formed  Type  II  quote  a  user  must  intuitively  follow  the  prescribed 
procedure  (i.e.,  following  the  arrows  is  the  only  way  to  form  a  valid  quote.) 

The  Construction:  We  now  describe  our  algorithms.  While  Sign  is  simply  a  special  case  of  the 
SignDerive  algorithm,  we  will  explicitly  provide  both  algorithms  here  for  clarity  purposes. 


KeyGen(lA)  :  The  algorithm  selects  a  bilinear  group  G  of  prime  order  p  >  2X  with  generator  g. 
Let  L  be  the  maximum  message  length  supported  and  denote  n  =  |_lg(L)J .  Let  H  :  {0, 1}*  — > 
G  and  Hs  :  {0, 1}*  — >  G  be  the  description  of  two  hash  functions  that  we  model  as  random 
oracles.  Choose  random  zo, ■ .  ■ ,  zn-\,a  G  Zp.  The  secret  key  is  (zo,  •  •  ■ ,  zn- 1,  a)  and  the 
public  key  is: 

PK  =  ( H ,  Hs,  g,gz°,...,  gz"~' ,  e(g,  g)a). 

Sign (sk,M  =  (t,m)  G  {0,1}  x  £f-i)  :  If  t  =  1,  signatures  produced  by  this  algorithm  are  Type  I 
as  described  below.  If  t  =  0,  the  Type  II  signature  can  be  obtained  by  running  this  algorithm 
and  then  running  the  Quote-Type  II  algorithm  below  to  obtain  a  quote  on  the  entire  message. 
The  message  space  is  treated  as  £  <  L  symbols  from  alphabet  X. 

Recall:  we  use  notation  rntj  to  denote  the  substring  of  m  of  length  j  starting  at  position  i. 

For  i  =  3  to  £  +  1  and  j  =  0  to  [lg(7  —  1)  —  lj ,  choose  random  values  xtg  G  Z p.  These  will 
serve  as  our  random  “chaining”  variables,  and  they  should  all  “cancel”  each  other  out  in  our 
short  Type  II  signatures.  By  definition,  set  Xi-\  :=  0  for  all  i  =  1  to  £  +  1. 

A  signature  is  comprised  of  the  following  values  for  i  =  1  to  f  and  j  =  0  to  [lg(£  —  i  +  1)J ,  for 
randomly  chosen  values  rt  J  G  Zp: 


[start  arrow:  start  and  include  power  j] 

Stj  =  gag~Xi+2j ’j~1Hs  (mi2j  )ri,j  ,  S~j  =  gn' 
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Together  with  the  following  values  for  i  =  3  to  l  and  j  =  0  to  min(Llg(i  —  1)  —  lj ,  |_lg(-£ — « +  1)J ) , 
for  randomly  chosen  values  r[  ■  G  Zp: 


[one  arrow:  include  power  j  and  decrease  j] 

A,j  =  ,  Aid  =  gr ^ 


Together  with  the  following  values  for  i  =  3  to  1+  1  and  j  =  0  to  Llg(i  —  1)  —  lj ,  for  randomly 
chosen  values  r'P  G  Zp: 


[zero  arrow:  decrease  j] 
Did  =  gn-g 


Dij  = 


We  provide  an  example  of  how  to  form  Type  II  signatures  from  this  construction  shortly.  To 
see  why  our  and  values  start  at  i  =  3,  note  that  Type  II  quotes  at  position  i  of 
length  2°  =  1  symbol  include  only  the  Sho  value,  where  the  x.g-\  term  is  0  by  definition. 
Type  II  quotes  at  position  i  of  length  21  =  2  symbols  include  the  Slti  value  plus  an  additional 
Th+2,o  term  to  cancel  out  the  Xi+2,0  value  (leaving  only  Xj+2,-1  =  0.)  Quotes  at  position  i  of 
length  21  +  1  =  3  symbols  include  the  5'j.i  value  plus  an  additional  A*+ 2,0  term  to  cancel  out 
the  Xi+ 2,0  value  (leaving  only  Xi+3-1  =  0.)  Since  we  index  strings  from  position  1,  the  first 
position  to  include  an  At  j  or  Ditj  value  is  i  +  2  =  3. 

SignDerive(pfc,  a,  M  =  ( t,m),M '  =  ( t',m '))  :  If  P(M,M')  =  0,  output  _L.  Otherwise,  if  t!  =  1, 
output  Quote-Type  l(PK,a,7n,7n');  if  t'  =  0,  output  Quote-Type  11(PK,  cr,  m,  tu'),  where 
these  algorithms  are  defined  below. 

Quote- Type  I (pk,  a,  m,  rri’)  :  The  quote  algorithm  takes  a  Type  I  signature  and  produces  another 
Type  I  signature  that  maintains  the  ability  to  be  quoted  again.  Intuitively,  this  operation 
will  simply  find  a  substring  m'  in  m,  keep  only  the  components  associated  with  this  substring 
and  re-randomize  them  all  (both  the  Xij  and  terms  in  every  component.) 

If  w!  is  not  a  substring  of  to,  then  output  _L.  Otherwise,  let  i'  =  |  m/ 1 .  Determine  the  first  index 
k  at  which  substring  to'  occurs  in  7n.  Parse  a  as  a  collection  of  Sh] ,  5)^ ,  Atj ,  AtJ ,  D,  j ,  Di  j 
values,  exactly  as  would  come  from  Sign  with  i  =  |m|. 

First,  we  choose  re-randomization  values  (to  re-randomize  the  xtj  terms  of  a.)  For  i  =  2  to 
P  +  1  and  j  =  0  to  |_lg(z  —  1)  —  lj ,  choose  random  values  yij  G  Z p.  Set  yi~i  :=  0  for  all  i  =  1 
to  P  +  1.  Later,  we  will  choose  values  to  re-randomize  the  Tij  terms  of  a. 

The  quote  signature  a'  is  comprised  of  the  following  values: 

For  i  =  1  to  P  and  j  =  0  to  [lg (P  —  i  +  1)J ,  for  randomly  chosen  tt,j  G  Zp: 

-S ij  =  Si+k_ ij  •  g~Vi+2j’j-1Hs(mi+k_12j)ti’p  SP  =  Si+k_ ij  •  gPi 


Together  with  the  following  values  for  i  =  3  to  P  and  j  =  0  to  min  ( [lg(z — 1)  —  lj ,  \\g(P — i+l)J ), 
for  randomly  chosen  t\  j  G  Zp: 


=  Ai+k-i,j  ■  9Vi'j9  Vi+2i 'j-xH {mi+k_12j  p’i , 


A'i,j  -  Ai+k- 1,. 


t'  ■ 

9 
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Together  with  the  following  values  for  i  =  3  to  £'  + 1  and  j 
chosen  t” 3  £  Zp: 


d'.j  oi+k  ViJ  xgZjtix 


D' 


h3 


0  to  [lg(*  —  1 )  —  lj ,  for  randomly 


Di+k—l,j  '  9  *’■* 


Quote- Type  II (pk,  a,  m,  ml)  :  The  quote  algorithm  takes  a  Type  I  signature  and  produces  a 
Type  II  signature.  If  P(m,m')  ^  1,  then  output  _L. 

A  quote  is  computed  from  one  start  value  and  logarithmically  many  subsequent  pieces  depend¬ 
ing  on  the  bits  of  \m!\.  All  signature  pieces  must  be  re-randomized  to  prevent  content-hiding 
attacks. 

Consider  the  length  £1  written  as  a  binary  string.  Let  fi’  be  the  largest  index  of  £'  =  \m'\ 
that  is  set  to  1,  where  we  start  counting  with  zero  as  the  least  significant  bit.  That  is,  set 
fi'  =  [lgCOJ-  Select  random  values  v,  ug/_i, . . . ,  vq  G  Zp.  Set  the  start  position  as  B  :=  Skfi/ 
and 

k!  :=  k  +  2 P  .  Then,  from  j  =  j3'  —  1  down  to  0,  proceed  as  follows: 

•  If  the  jth  bit  of  £'  is  1,  set  B  :=  B ■  Ak,  j  ■  H (mk, }2i)Vj ,  set  k'  :=  k'+ 2J  ,  and  Zj  :=  Atf  j  ■  gVj 

•  If  the  jth  bit  of  l'  is  0,  set  B  :=  B  ■  B>k' ,j  ■  gZjVj  and  Zj  :=  D^  j  ■  gV] . 

To  end,  re-randomize  as  B  :=  B  ■  Hs(mk  2p)v  and  S  :=  S^p  ■  gv ;  output  the  quote  as 

o'  =  (B,S,Zp_u...,Z0) 


Verify (pk,M  =  ( t,m),a )  :  If  t  =  1,  output  Verify-Type  I (pk,m,a).  Otherwise,  output  Verify- 
Type  II (pk,m,a),  where  these  algorithms  are  defined  immediately  below. 

Verify— Type  I  (pk,  m,  a)  :  Parse  a  as  the  set  of  Stj,  Sij ,  Ajj,  Dtj.  Dij.  Let  l  =  \m\. 

Let  Xij  denote  e(g,g)Xi’j.  We  can  compute  these  values  as  follows.  The  value  =  1, 

since  for  all  i  =  1  to  £  +  1,  Xi- \  =  0.  For  i  =  3  to  £  +  1  and  j  =  0  to  [lg(z  —  1)  —  lj , 
we  compute  Xj  j  in  the  following  manner:  Let  I  =  i  —  2^+l  and  J  =  j  +  1.  Next,  compute 
Xi,j  =  (e(g,g)a  ■  pj),  /  e(Si,J,  9)-  The  verification  accepts  if  and  only  if  all  of 

the  following  hold: 

•  for  i  =  3  to  £  and  j  =  0  to  min(|_lg(i  —  1)  —  lj ,  ~  i  +  1)J), 

e(A ij,g)  =  Xij/Xi+2jJ_  1  ■  e(H (mij2j) ,  Aid) 

•  and  for  i  =  3  to  £  +  1  and  j  =  0  to  |_lg(*  —  1)  —  lj,  e(Dij,g)  =  Xij/Xij- 1  •  e(gZj ,  Dij). 

Verify-Type  II (pk,  m,  a)  :  We  give  the  verification  algorithm  for  Type  II  signatures.  Parse  a  as 
( B ,  S ,  Z/3_i, . . . ,  Zq).  Let  £  =  \m\  and  /3  be  the  index  of  the  highest  bit  of  l  that  is  set  to  1. 

If  a  does  not  include  exactly  /3  Z \  values,  reject.  Set  C  :=  1  and  k  =  1.  From  j  =  fi  —  1  down 

to  0,  proceed  as  follows: 

•  If  the  jth  bit  of  £  is  1,  set  C  :=  C  •  e{H{rnk  2j ),  Zj)  and  k  :=  k  +  2J  ; 

•  If  the  jth  bit  of  £  is  0,  set  C  :=  C  ■  e{gZj ,  Zj). 

Accept  if  and  only  if  e(B,  g)  =  e(g,  g)a  ■  e(Hs(m1  2p),S)  •  C. 

Theorem  5.1  (Security  under  CDH)  If  the  CD H  assumption  holds  inG,  then  the  above  quotable 
signature  scheme  is  selectively  quote  unforgeable  and  context-hiding  in  the  random  oracle  model. 
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Efficiency  Discussion  This  construction  presents  the  best  known  balance  between  time  and 
space  complexity.  The  quotable  (Type  I)  signatures  require  0(£lg£)  elements  in  G  for  a  message 
of  length  £.  The  group  elements  in  both  types  of  signatures  are  elements  of  G,  and  not  the  target 
group  G t-  Typically,  elements  of  the  base  group  are  significantly  smaller  than  elements  of  the 
target  group.  Computing  quotes  requires  0(£  \gl)  modular  exponentations  for  a  quote  of  length  £ 
for  re-randomization.  Similarly,  verification  also  requires  0(£\g£)  pairings. 

The  non-quotable  (Type  II)  signatures  require  only  0(\g£)  elements  in  G.  Computing  quotes 
is  very  efficient  as  it  requires  only  0{\g£)  modular  exponentiations  for  a  quote  of  length  l  for 
re-randomization.  Similarly,  verification  requires  only  0(\g£)  pairings. 

Removing  the  Random  Oracle  and  Obtaining  Pull  Security  There  are  a  few  different 
options  for  adapting  the  above  construction  to  the  standard  model.  We  observe  that  our  signa¬ 
tures  share  many  properties  with  the  private  keys  of  hierarchical  identity-based  encryption  (HIBE) 
schemes.  To  remove  the  random  oracle,  while  remaining  under  a  selective  definition,  we  can  use  the 
Boneh-Boyen  techniques  [9]  to  instantiate  H(m)  =  g'nh,  where  h  e  G  is  added  to  the  public  key 
and  there  is  a  method  for  mapping  the  message  space  to  7Lp.  Similarly,  we  can  remove  the  random 
oracle  by  instantiating  H  with  the  Waters  hash  [55]  and  applying  his  proof  techniques.  This  can 
be  viewed  as  a  full  security  construction  with  a  reduction  to  the  concrete  security  parameter  by 
roughly  a  factor  of  (l/0(g,))lg^,  where  q  is  the  number  of  signing  queries  and  £  is  the  length  of 
the  quote.  A  direction  for  achieving  full  security  is  to  use  the  recent  “Dual  System”  techniques 
introduced  by  Waters  [56].  One  obstacle  in  adapting  the  Waters  system  is  that  it  contains  “tags” 
in  the  private  key  structure,  which  would  likely  make  our  re-randomization  step  difficult  for  our 
context  hiding  property.  Lewko  and  Waters  [37]  recently  removed  the  tags,  which  may  make  their 
techniques  and  construction  more  suitable  for  our  application.  One  drawback  in  using  their  HIBE 
techniques  to  construct  signatures  is  that  even  the  signatures  resulting  from  their  construction 
require  (slightly  non-standard)  decisional  complexity  assumptions.  Thus,  it  is  unknown  how  to 
balance  time/space  efficiently  while  achieving  full  security  in  the  standard  model  from  a  simple 
computational  assumption  such  as  CDH. 

5.1  Security  Analysis 

We  now  provide  a  proof  of  Theorem  5.1  by  showing  the  following  lemmas. 

Lemma  5.2  (Strong  Context-Hiding)  The  Section  5  quotable  signature  scheme  is  strongly  context¬ 
hiding. 

Proof.  Given  any  two  challenge  messages  M  =  ( t,m),M '  =  ( t',m /)  such  that  P(M,M')  =  1,  we 
claim  that  whether  t1  =  1  or  0,  SignDerive(p/c,  a,  M' ,  M)  has  an  identical  distribution  to  that  of 
Sign (sk,M),  which  implies  that  the  two  distributions  are  statistically  close. 

{{SK,  a  -e-  Sign (SK,  M),  Sign(S7i,  M’)}skmm, 

{( SK ,  a  <-  Sign  (SK,  M ),  SignDerive(PA,  a,  M,  M')}skmm, 

Let  £,£'  denote  |m|  and  \m'\  respectively.  Let  T  =  min(|_lg(i  —  1)  —  1] ,  \\g(£  —  i  +  l)\).  Sign (SK,M) 
is  composed  of  the  following  values: 

Sij  =  gag~Xi+2i^-1Hs(mi  2j)ri’:i,  S =  g ^  ,  for  i  =  1  to  t  and  j  =  0  to  |_lg(^  -  *  +  1)J 

Aij  =  gXi’j g~xi+23 j-1  H (mi  2j)ri’j ,  =  tf1'1  ,  for  i  =  3  to  £  and  j  =  0  to  T 

Dij  =  gXi’j g~Xi’j~1gZjr'i’j ,  Dij  =  gVin  ,  for  i  =  3  to  £  +  1  and  j  =  0  to  |_lg(i  —  1)  —  1] 
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for  randomly  chosen  nj,  rC,  r'h,  Xij  £  Zp. 

Case  where  f'  =  1  (Type  I  Signatures).  Let  C  =  min( [lg(i  —  1)  —  lj,  \  —  i  +  1)J).  When 

t'  =  1,  Sign(S'iL,  M1)  is  composed  of  the  following  values: 


■h",  //"//  S'B  </'■'  ,  for  i 

A'ij  =  gx,-J9  Xi+23’i-1H{m'i^2 j)Vi’j ,  A"j  =  gVi’j  ,  fori 

Dij  =  g  ^ g  ^~xg  J  D'B  =  g  ^  ,  for  i 

for  randomly  chosen  vtg ,  Q  j ,  v'B ,  x(  j  £  Zp. 


1  to  I'  and  j  =  0  to  [lg(^  —  i  +  1)J 
3  to  ('  and  j  =  0  to  r7 
3  to  l'  +  1  and  j  =  0  to  |_lg(*  —  1)  —  lj 


And  SignDerive(PA,  a,  M,  M ')  is  Quote-Type  I (PK,  a ,  m,  m'),  which  is  comprised  of  the  fol¬ 
lowing: 


S'ij  =  g"g  SB  =  ;/'•••'- 

A^j  =  gWi’i g~wi+v 2iYI,:i+ti’A  A'  ■  =  grrj+ti,i 


D'j  =  g^g  ■U,s^!.r<i),  D\  .  = 


.+t  . 
j  >j 


for  i 
for  i 
for  i 


1  to  I'  and  j  =  0  to  |_lg {£'  —  i  +  1)J 
3  to  £'  and  j  =  0  to  r7 
3  to  ('  +  1  and  j  =  0  to  [lg(i  —  1)  —  lj 


for  randomly  chosen  £  Zp,  where  m!  occurs  at  position  k  as  a  substring  of  m, 

I  =  i  +  k  —  1  and  Wij  =  xjg  +  ytg. 

Since  all  exponents  have  been  independently  re-randonrized,  one  can  see  by  inspection  that 
SignDerive(p/c,  a,  M' ,  M)  has  identical  distribution  as  that  of  Sign (sk,M'). 


Case  where  t!  =  0  (Type  II  Signatures).  Parse  m!  =  . . .  m'0  where  m7-  is  of  length  2J 

or  a  null  string  where  (3  =  [lg(OJ  •  ^  denotes  i-tli  bit  of  i  when  we  start  counting  with  zero  as 
the  least  significant  bit.  m!  occurs  at  position  k  of  m.  Sign (SK,  M')  =  ( P ,  S,  Zg_ i, . . . ,  Zq)  is  the 
following,  for  random  u,Ui  £  Zp: 


B  =  ga  ■  Hs{m'p)u  []  P(m7)^  []  (/W 

J</3,  t'=l  i'</3,  P,=0 

5  =  gu,  Zj  =  gUj 


Let  each  m7-  start  at  position  sy  in  m! .  SignDerive(PA,  <r,  M,  M')  =  Quote-Type  II (PA,  a,  m,  m7) 
is  (P7,  5',  . . . ,  Zq)  such  that 


P'  =  •  Ps(m^)r^+U  n 

3<P,  <■= 1 


n 


+v) 


j'<P>  L/=0 


5'  =  c^’^,  Z'  =  5 


,-Hu 


for  randomly  chosen  n,  Vj  £  Zp.  Since  all  exponents  have  been  independently  re-randomized, 
one  can  see  by  inspection  that  SignDerive(P/i,  a,  M,  M')  has  identical  distribution  as  that  of 
Sign (sk,  M'). 

Thus,  the  our  powers-of-2  construction  is  strongly  context-hiding.  □ 


Lemma  5.3  (Unforgeability)  If  the  CDH  assumption  holds  in  G,  then  the  Section  5  quotable 
signature  scheme  is  selectively  unforgeable  in  the  Unforg  game  in  the  random  oracle  model. 


Approved  for  Public  Release;  Distribution  Unlimited. 
21 
875 


Proof.  (Sketch)  We  first  apply  Lemma  A. 4,  which  allows  us  to  only  consider  adversaries  A  that 
asks  queries  to  Sign  oracle  in  the  simpler  NHU  game. 

Suppose  an  adversary  A  can  produce  a  forgery  with  probability  e  in  the  selective  NHU  un¬ 
forgeability  game;  then  we  can  construct  an  adversary  B  that  breaks  the  CDH  assumption  with 
probability  e  plus  a  negligible  amount. 

We  are  now  ready  to  describe  B  which  solves  the  CDH  problem.  On  input  the  CDH  challenge 
(ff,9a,g6),  B  begins  to  run  A  and  proceeds  as  follows: 

Selective  Disclosure  A  first  announces  the  message  M*  on  which  he  will  forge. 

Setup  Let  L  be  the  maximum  size  of  any  message  and  let  n  =  [lg(D)J.  Let  M*  =  ( t*,m *)  and 
i*  =  \m*\  and  let  (3  be  the  highest  bit  of  i*  set  to  1  (numbering  the  least  significant  bit  as  zero). 
Set  e(g,g)a  :=  e(ga,gb ),  which  implicitly  sets  the  secret  key  a  =  ab. 

For  i  =  0  to  n  —  1 ,  choose  a  random  6  Zp  and  set 

gbvi  jf  the  ith  bit  of  f*  is  1; 
gVi  otherwise. 

Finally,  B  give  the  public  key  PK  =  ( g ,  gzo , . . . ,  g 2n_1 ,  e(g,  g)a )  to  A  and  will  answer  its  queries 
to  random  oracles  H  and  Hs  interactively  as  described  below. 

Random  Oracle  Queries  Proceeding  adaptively,  A  may  make  any  of  the  following  queries  which 
B  will  answer  as  follows: 

1.  H(x ):  The  random  oracle  is  answered  as  follows.  If  the  query  has  been  made  before,  return 
the  same  response  as  before.  Otherwise,  imagine  dividing  up  m*  into  a  sequence  of  segments 
whose  lengths  are  decreasing  powers  of  two;  that  is,  the  first  segments  would  be  of  length  2^ 
where  (3  is  the  largest  power  of  two  less  than  £*,  the  second  segment  would  contain  the  next 
largest  power  of  two,  etc.  Let  mb  denote  the  segment  of  m*  corresponding  to  power  j.  If  no 
such  segment  exists,  let  mb  =_L.  Select  a  random  7  £  Zp  and  return  the  response  as: 

if  |x|  =  2°  and  j  <  (3  and  'mjN  =  x 
( x  is  on  the  selective  path); 
otherwise 

(x  is  not  on  the  selective  path). 

Note  that  H(m U)  is  set  according  to  the  first  method  for  all  segments  of  m*  except  the  first 
segment 

2.  Hs(x ):  The  random  oracle  is  answered  as  follows.  If  the  query  has  been  made  before,  return 
the  same  response  as  before.  Select  a  random  d  £  Zp  and  return  the  response  as: 

gs  if  | x |  =  2/3  and  tu*^  =  x\ 
gbS  otherwise. 

Note  that  Hs(m *^)  is  set  according  to  the  first  method  only  for  the  first  segment  of  rn* . 


H(x)  =  { 
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Signature  and  Quote  Queries 


Sign  (M):  Let  M  =  (t,m)  and  £  =  \m\.  Recall  that  (5*  is  highest  bit  of  £*  set  to  1  and  that  we 
are  counting  up  from  zero  as  the  least  significant  bit. 

We  describe  how  to  create  signatures. 

1.  When  t  =  1  and  m*  is  not  a  substring  of  m  (Type  I  Signature  Generation): 

Here  nriij  denotes  the  substring  m  of  length  j  starting  at  position  i.  It  will  help  us  to  first 
establish  the  variables  Xij,  which  will  be  set  to  1  if  on  the  selective  forgery  path  and  0 
otherwise.  We  give  a  set  of  “rules”  defining  terms  and  make  a  few  observations.  Then  we 
describe  how  the  reduction  algorithm  creates  the  signatures. 

Rules. 

For  i  =  1  up  to  £  +  1, 

For  j  =  Llg(f  —  i  +  1)J  down  to  —1, 

(a)  If  j  +  1  =  /3*  and  mi_2j+ y2j+i  =  then  set  Xt  j  =  1. 

(b)  Else,  if  j  +  1  <  /3*  and  (j  +  l)th  bit  of  £*  is  1  and  rrii_2j+i2j+i  =  m*j+i)  and 
Xi_2j+ i  j+i  =  1,  then  set  XhJ  =  1. 

(c)  Else  if  j  +  1  <  /3*  and  ( j  +  l)th  bit  of  £*  is  0  and  =  1,  then  set  Xtj  =  1. 

(d)  Else  set  Xij  =  0. 

Observations.  Before  we  show  how  B  will  simulate  the  signatures,  we  make  a  set  of  useful 
observations. 

(a)  For  all  i  and  j  >  /?*,  Xij  =  0. 

(b)  For  all  i,  W,-i  =  0.  Otherwise,  =  m*. 

(c)  For  all  i,j,  if  Xtj  =  1  and  ly_i  =  0,  then  the  jth  bit  of  £*  is  1.  If  the  jth  bit  were  0, 
then  Xij_ i  would  have  been  set  to  1  by  Rule  lc. 

(d)  For  all  i,j,  if  Xij  =  0  and  i  =  1,  then  the  jth  bit  of  £*  is  1.  If  the  jth  bit  were  0, 
then  the  only  way  to  set  i  to  1  would  be  by  Rule  lc,  however,  X,Lj  =  0  so  Rule  lc 
does  not  apply. 

(e)  For  all  i,j ,  if  Xij  =  1  and  Xi+2j  j_1  =  0,  then  H(mi  2j)  =  gbl  for  some  known  7  £  Zp. 
Otherwise,  Xi+2:ij-i  would  have  been  set  by  Rule  lb  to  be  1. 

(f)  For  all  i,  j,  if  Xtj  =  0  and  Xi+2jj_  1  =  1,  then  H{mi  2 j)  =  (/n  for  some  known  7  £  Zp.  If 
Xi+2j  j_  1  =  1  and  Xij  =  0,  then  Xi+2j  j_  1  was  set  to  be  1  either  by  Rule  la  or  Rule  lc. 
If  it  were  Rule  la,  then  j  =  f3*  and  it  follows  from  the  programming  of  the  random 
oracle  that  H(mi  2j)  =  ghl .  If  it  were  Rule  lc,  then  the  jth  bit  of  £*  is  0,  meaning  toqj 
cannot  be  on  the  selective  path  and  therefore  again  H{irii  2Jj  =  gb^  ■ 

(g)  For  all  i,  j,  if  Xi+2j  j_  1  =  0,  then  Hs(mi  2j)  =  gbS  for  some  known  5  £  Zp.  If  j  /  /3* ,  this 
follows  immediately  from  the  programming  of  the  random  oracle.  Otherwise,  if  j  =  /3*, 
then  the  only  way  for  Xi+2j  j_1  =  0  would  be  if  / 'm*^  by  Rule  la.  Thus,  it  also 
follows  that  Hs(m.i2j )  =  gbS . 

Signature  Components.  Next,  for  i  =  1  to  £  +  1  and  j  =  0  to  \\g{£  —  i  +  1)J,  choose  a 
random  x\j  £  Zp  and  logically  set  Xij  :=  x\j  +  Xij  ■  ( ab ).  For  i  =  1  to  £  +  1,  set  Xi-\  :=  0 
(as  consistent  with  Observation  lb.) 

A  signature  is  comprised  of  the  following  values: 

Start.  For  i  =  1  to  t  and  j  =  0  to  [lg(€  —  i  +  1)J : 
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(a)  If  Xi+2j  j- 1  =  0,  then  it  follows  by  Observation  lg  that  Hs{mi2j)  =  gb5  for  some  known 
6  £  Zp,  so  choose  random  stj  £  Zp,  implicitly  set  Tij  :=  —  a/S  +  Sij  and  set 


5, 


5, 


g  Xi+23,j-lgbSsi,j 
gag~Xi+V  ,j-l  Hs 

—a/6+Sij  _  gri,j 


(b)  Else  Xi+2j  j_i  =  1,  so  choose  random  nj  £  Zp  and  with  xi+2i,j-i  :=  ®^+2j  +  ab  set 

Sid  =  g  ^IUmi,2.nn- 
=  gag~Xi+2j’j-1Hs(mii2j)ri’j 
S~j  = 


Across.  Together  with  the  following  values  for  i  =  3  to  £  and  j  =  0  to  min(|_lg(?  —  1)  — 
1J,  \}g{l  —  i  +  1) J ) : 

(a)  If  Xij  =  1  and  Xi+2jj-i  =  1,  choose  random  r[3  £  Zp  with  implicitly  set  Xij  =  x[3+ab 
and  xi+2jj-i  =  x'i+2j  •_1  +  ab  and  set 

A,j  =  //''  //  Xi+2j’i-1H(mit23)r'i-:> 

=  !lx'  :g  II ( mi2j Yi'j 


(b)  Else,  if  Xij  =  1  and  Xi+23j~i  =  0,  then  H(mi2j)  =  gbl  for  some  known  7  £  Zp  by 
Observation  le.  Choose  random  s\3  £  Zp  with  implicitly  set  x^j  =  x'%  ■  +ab ,  xi+2jj-i  = 
x'i+2j  -_x  and  r'j  :=  —a/7  +  s'l3  and  set 

Aij  =  gAg-Xi+2i,3-ig^s'i,3 

=  gXi,j g  Xi+2J )2j)ri’j 
Aj  =  gr'^j 

(c)  Else,  if  Xij  =  0  and  Xi+2jj-i  =  lj  then  H(mi2j)  =  gbl  for  some  known  7  £  Zp  by 
Observation  If.  Choose  random  s\  3  £  Zp  with  implicitly  set  x^j  =  x  ■  ■ ,  x'J+2.)  .;_]  = 
x/+2,  3_}  +  ab  and  r[3  :=  a/ 7  +  s'j  and  set 


Xljj  =  gXi’ig~Xi+2i,i-igb^s'i,j 

=  gr>ig  X; '// (mi,23 Y 

Aij  =  grY 


(d)  Else,  Xij  =  0  and  Xi+2jj_i  =  0,  so  choose  random  r[  ■  £  Zp  and  set 

Aij  =  gx,jg  X;-  ’J-J  '  Aij  =  grY 


Down.  Together  with  the  following  values  for  i  =  3  to  £  +  1  and  j 


0  to  [lg(*  —  1)  —  1J : 
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(a)  If  Xij  =  1  and  Xij- 1  =  1,  choose  random  r'B  £  Zp  with  implicitly  set  xy  =  x\  rj  +  a& 
and  Xij-i  =  x[  +  a6  and  set 


Dj,j 

Di,j 


9  x’39 

r" 

9 


•j-  1 1 


=  Xi'i~3gziri 


(b)  Else,  if  Xij  =  1  and  =  0,  then  the  jth  bit  of  is  1  by  Observation  lc.  Thus 

Zj  =  bvj,  so  choose  random  s”  ■  £  Zp  with  implicitly  set  xtg  =  xO  +  ab ,  Xjj_ 1  =  x\  ■_l 
and  r'lj  :=  —a/vj  +  s'Z  and  set 


Di,j 

Di,j 


g<jg-xiJ-lgbvis"j 
g-a/vj+s’lj  =  gr>r 


—  gXi>i g  Xid-i 


n 

i,3 


(c)  Else,  if  Xjj  =  0  and  Wj-i  =  1,  then  the  jth  bit  of  l*  is  1  by  Observation  Id.  Thus 
Zj  =  bvj ,  so  choose  random  s'-  •  £  Zp  with  implicitly  set  xt,j  =  xO,  Xjj_ i  =  x'  •_1  +  a& 
and  r'(j  :=  a/foj  +  s'-j  and  set 


Di.j 


x'-  •  —  Xi  -7  —  1  bVnS'J 

1  *,.7/1  xi3  L  n  3  x,; 


g 

9 


a/v-j+s'-1  r" 

1  '  J  =  n 


9 

g1 


=  gXi,j  g 


n 


(d)  Else,  Xjj  =  0  and  .Xjj-i  =  0,  so  choose  random  r"  3  £  Zp  and  set 

Aj  =  sfvg-^g^,  l>;.j  = 


1.  When  t  =  0  and  m  ^  m*  (Type  II  Signature  Generation): 

Let  l  =  \m\,  and  (3  =  (lg(^)J-  denotes  i-tli  bit  of  i*  when  we  start  counting  with  zero  as 
the  least  significant  bit,  and  tL  denotes  z-th  bit  of  l. 

Parse  m*  as  m*g,m*g*_1  . . .  where  m*  is  a  string  of  length  2*  or  a  null  string,  m,  is  of  length 
2*  if  £i  =  0,  and  is  null  otherwise.  Similarly,  parse  m  as  mgmg- 1 . . .  mo- 
B  constructs  ( B ,  S,  Zg_ i, . . . ,  Zq)  in  the  following  way: 

•  If  mg  /  m*p,,  then  Hs(mg)  =  gbS  for  a  <5  which  is  known  to  B. 

(a)  B  sets  S  :=  g~a/s+r  for  a  randomly  chosen  r  and  B  :=  gbSr . 

(b)  For  j  =  [3  —  1  down  to  0,  Zj  :=  gri  for  a  randomly  chosen  rj,  and 

-  If  lj  =  1,  then  B  :=  B-  H(rrij)rB 

-  If  lj  =  0,  then  B  :=  B  ■  gz>ri . 

•  Otherwise,  if  (3  =  /3*  and  mg  =  there  exists  js  <  (3  such  that 

-  4  +  or 

-  lj.  =  f*]s  =  1  and  H{mjs)  /  H(m*g). 

so  B  can  construct  a  signature  ( B ,  S ,  Zg_ i, . . . ,  Zq)  in  the  following  way. 

(a)  B  sets  S  :=  gTc  for  a  randomly  chosen  rc  and  B  :=  gSr°. 

(b)  For  j  =  (3  —  1  down  to  js  +  1  and  j  =  j s  —  1  to  0,  Zj  :=  gri  for  randomly  chosen  rj, 
and 

-  If  lj  =  1,  then  B  :=  B-  H{mj)r‘ . 

-  If  A,  =  0,  then  B  :=  B  ■  gz ^ . 

(c)  For  j  =  j.s, 
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—  If  £3  =  1,  whether  t*  =  0  or  not,  B  knows  7  such  that  H(rrij)  =  gbl .  B  sets 
Zj  =  g~aA+ri  for  a  randomly  chosen  77,  and  B  :=  B  ■  gb'yrB 
—  If  £j  =  0  and  £*  =  l,  then  B  knows  v  such  that  gZj  =  gbv .  B  sets  Zj  =  g~a/v+ri 
for  a  randomly  chosen  77,  and  B  :=  B  ■  gbvrj . 

B  returns  ( B ,  S.  Zg_  \ . . . . ,  Zq). 


Response  Eventually,  A  outputs  a  valid  signature  a*  on  M*  =  ( t*  ,m *).  Recall  that  £*  =  \m*\ 
and  /3  =  |_lg(^*)J .  Here  £*  denotes  i-tli  bit  of  £*  when  we  start  counting  with  zero  as  the  least 
significant  bit.  Parse  m*  as  . .  .m,Q  where  m*  is  a  string  of  length  2*  (when  £*  =  1)  or  a 

null  string  (when  £*  =0). 

Because  of  the  selective  disclosure  and  setup,  B  knows  the  following  exponents: 

-  7  such  that  Hs(rn*g)  =  g 7. 

-  Sj  such  that  H(m*  2, )  =  gb>  when  £*■  =  1  and  j  /  /3. 

-  Zj  when  £*  =  0. 

t*  is  either  1  or  0. 


•  lit*  =  1, 

Si  denotes  the  position  where  m*  starts.  B  can  compute  the  information  of  some  xtj  with 
the  following  components  of  a*. 

-  Shp  =  gag-x^^Hs(m*py°,  S^g  =  gr M 

B  knows  7  such  that  Hs(m*p )  =  g 7,  so  B  can  compute  gag~x^+^,P-i  =  Si^g/Si^g1 . 

—  For  j  =  f3  —  1  down  to  0, 

*  when  £j  =  1,  ASjj  =  gXsx3 g~Xsi-1'3~1  H(jn*)rsi'3 ,  ASjj  =  grsi'3 

B  knows  5  such  that  H(m*)  =  g5,  so  B  can  compute  gXai’3 g~Xsj-i •3~1  =  ASjj/ASjg  . 

*  when  £j  =  0,  DSjg  =  gXsj’j g~X3j-i’3~1  gZjrsj-3 ,  DSjj  =  g*i'3 

B  knows  Zj,  so  B  can  compute  g'Lsj’3 g  Xsj-i’3~1  =  DSjj/DSjj  3 . 
so  B  can  compute  gXsP3  g~Xsj- iJ_1. 

B  has  the  values  of  gXsi’3 g^Xsi~3’3~1  for  j  =  (3—  1  down  to  0  and  gag  xi+2P,p-i,  so  can  compute 

0-1 

gag~Xl  +  2P,P~l  gX°j,i  g-X°3-l,3*l  =  ga  g-Xs_lt- 1  =  ga 

j= 0 


•  lit*  =  0, 

B  parses  a*  as  ( B ,  S,  Zg_ i, . . . ,  Zq),  with 

S  =  gc ,  Zg_1=gc^,  ...,  Z0=gco 

for  some  c,  cg_ i, . . . ,  cq  G  Zp. 

B  =  ga  ■  Hs(m*g)c  H(m*)C3  (g ^f3’ 

j<0,  £*=1  j’<0,  t*,=  0 


because  the  signature  is  valid. 

—  B  knows  7  such  that  Hs(rn*g)  =  g1 .  B  sets  C  :=  S"7. 
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—  From  j  =  f3  —  1  down  to  0,  B  proceeds  as: 

*  If  lj  =  1,  B  knows  Sj  such  that  H(m *)  =  gSj .  B  sets  C  :=  C  ■  ZjJ  ; 

*  If  lj  =  0,  B  knows  Zj.  B  sets  C  :=  C  ■  Z~]3 . 

Then 

C  =  Hs(m*p)c  H(rrij)Cj  (g^f3' 

j<P,  e*=i  j'<p,  t*,= o 

so  B  can  compute  B/C  =  ga. 

Thus,  whether  t*  is  1  or  0 ,  B  can  solve  for  g°  =  gab  and  correctly  answer  to  the  CDH  challenge. 

Analysis  The  distribution  of  the  above  game  and  the  security  game  are  identical.  Thus,  whenever 
A  is  successful  in  a  forgery  against  our  scheme,  B  will  solve  the  CDH  challenge. 

□ 

6  A  Construction  for  Subset  Predicates  based  on  ABE 

In  this  section  we  briefly  point  out  a  surprising  connection  to  Attribute  Based  Encryption  (ABE). 
We  show  that  existing  constructions  for  Ciphertext-Policy  ABE  [7,  36,  57]  naturally  lead  to  context 
hiding  quotable  signatures  for  arbitrary  message  subsets  (as  opposed  to  the  substring  predicate 
considered  in  the  previous  section).  In  particular,  a  message  will  be  a  sets  of  strings  (strings  can 
be  used  to  encode  elements  for  different  types  of  sets),  and  the  predicate  P(rh,  m')  =  1  iff  m!  C  rnt 
for  some  m,  £  m.  Observer  that  this  disallows  “collusions”  between  two  different  signatures  where 
m!  is  a  subset  of  the  union  of  multiple  messages,  but  not  any  single  one.  (Otherwise,  this  would  be 
trivially  realizable  from  standard  signatures  schemes.) 

Our  main  tool  is  an  observation  of  Naor  that  shows  that  secret  keys  in  Identity  Based  Encryp¬ 
tion  [11]  can  function  as  signatures.  Recall  that  in  (ciphertext-policy)  attribute  based  encryption  an 
authority  provides  secret  keys  to  a  user  based  on  the  user’s  list  of  attributes.  The  main  challenge 
in  building  such  systems  is  preventing  collusion  attacks:  two  (or  more)  users  with  distinct  sets  of 
attributes  should  be  unable  to  create  a  secret  key  for  a  combination  of  their  attributes. 

If  we  treat  words  in  a  message  m  £  X*  as  attributes,  that  is,  we  treat  a  message  m  = 
(a\, . . . ,  at)  £  Xr  as  a  sequence  of  attributes  ai,...,ag,  then  we  can  define  the  signature  on  m 
as  a  set  of  l  secret  keys  corresponding  to  the  l  attributes  in  the  message.  Verifying  the  signa¬ 
ture  can  be  done  by  trying  to  decrypt  some  test  ciphertext  using  the  secret  keys  in  the  signature. 
Now,  given  a  signature  on  m  we  derive  a  signature  on  a  subset  of  the  words  in  m  by  simply  re¬ 
moving  the  secret  keys  corresponding  to  words  not  in  the  subset.  For  context  hiding  we  need  to 
re-randomize  the  resulting  set  of  secret  keys.  (Not  all  CP-ABE  schemes  may  support  the  removal 
and  re-randomization  of  secret  keys  in  this  manner,  but  the  schemes  of  [7,  36,  57]  do.) 

Since  ABE  security  prevents  collusion  attacks,  it  is  straight  forward  to  show  that  these  signatures 
are  unforgeable  in  the  sense  of  Definition  2.3.  Moreover,  due  to  the  re-randomization  of  secret  keys, 
a  derived  signature  is  sampled  from  the  same  distribution  as  a  fresh  signature  and  is  independent 
from  the  given  signature.  This  implies  strong  context  hiding  in  sense  of  Definition  2.4. 

This  unexpected  connection  between  quoting  and  ABE  leads  to  the  following  theorem,  stated 
informally. 

Theorem  6.1  (informal)  The  Ciphertext- Policy  ABE  systems  in  [7,  36,  57]  translate  using  Naor’s 
transformation  into  a  signature  scheme  supporting  quoting  for  arbitrary  subsets  of  a  message.  (Se¬ 
lective)  security  of  the  CP-ABE  systems  imply  (selective)  unforgeability  and  context  hiding. 
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In  other  words,  when  the  ABE  scheme  provides  adaptive  (resp,  selective)  security,  then  the 
resulting  signature  scheme  achieves  adaptive  (resp.,  selective)  unforgeability.  The  (third)  ABE 
scheme  of  [57]  provides  selective  security  from  the  d-BDH  assumption.  Adaptive  security  is  proven 
in  [7],  but  only  in  the  generic  group  model.  While  [36]  proves  adaptive  security  under  certain  static 
assumptions  using  composite  order  groups. 

7  Computing  Weighted  Averages  and  Fourier  Transforms 

So  far  we  only  constructed  schemes  for  univariate  predicates  P.  We  now  give  an  example  where 
one  computes  on  multiple  signed  messages.  Let  p  be  a  prime,  n  a  positive  integer,  and  T  a  set  of 
tags.  The  message  space  A4  consists  of  pairs: 

M:=Tx  Fp 

Now,  define  the  predicate  P  as  follows:  P(s,m)  =  1  for  all  m  G  M.  and10 

P(  (  (*i,v1),,..,(tt,Vfc)  )  ,  (f,v)  )  =  1  (v1“4.’v“d 

Thus,  given  signatures  on  vectors  vi, . . . ,  grouped  together  by  the  tag  t,  anyone  can  create  a 
signature  on  a  linear  combination  of  these  vectors.  This  can  be  done  iteratively  so  that  given  signed 
linear  combinations,  new  signed  linear  combinations  can  be  created.  Unforgeability  means  that  if 
the  adversary  obtains  signatures  on  vectors  vi,...,Vfc  for  particular  tag  t  6  T  then  he  cannot 
create  a  signature  on  a  vector  outside  the  linear  span  of  vi, . . . ,  v*.. 

Signature  schemes  for  this  predicate  P  are  presented  in  [14,  13,  12,  15,  2]  while  schemes  over  Z 
(rather  than  Fp)  are  presented  in  [27].  These  schemes  were  originally  designed  to  secure  network 
coding  where  context  hiding  is  not  needed  since  there  are  no  privacy  requirements  for  the  sender  (in 
fact,  the  sender  is  explicitly  transmitting  all  his  data  to  the  recipient).  The  question  then  is  how  to 
construct  a  system  for  predicate  P  above  that  is  both  unforgeable  and  context  hiding.  Fortunately, 
we  do  not  need  to  look  very  far.  The  linearly  homomorphic  signature  schemes  in  [14]  can  be  shown 
to  be  context  hiding.  We  state  this  in  the  following  theorem. 

Theorem  7.1  If  the  CDH  assumption  holds  in  group  G,  then  the  signature  scheme  NCS\  from  [If] 
is  unforgeable  and  context-hiding  in  the  random  oracle  model,  assuming  tags  are  generated  inde¬ 
pendently  at  random  by  the  unforgeability  challenger  when  responding  to  Sign  queries. 

Unforgeability  is  Theorem  6  in  [14],  which  holds  only  when  tags  f?;  £  7~  are  generated  inde¬ 
pendently  at  random  by  the  signer.  While  context  hiding  has  not  been  considered  before  for  this 
scheme,  it  is  not  difficult  to  show  that  the  scheme  is  context  hiding.  The  scheme  is  unique  in  the 
sense  that  every  vector  v  has  a  unique  valid  signature.11  It  is  easy  to  show  that  any  homomorphic 
unique  signature  must  be  context  hiding  and  hence  NCSi  is  context  hiding. 

Viewed  in  this  way,  the  scheme  NCSi  gives  the  ability  to  carry  out  authenticated  addition  on 
signed  data.  Consider  a  server  that  stores  signed  data  samples  si, . . .  ,sn  in  Fp.  The  signature  on 
sample  s*  is  actually  a  signature  on  the  vector  (sj|ej)  €  F”+1,  where  e*  is  the  ith  unit  vector  in 
F”.  The  server  stores  (i,Si)  and  a  signature  on  (si|e./).  (The  vector  e,;  need  not  be  stored  with  the 

10Recall,  the  signature  on  e  is  the  output  the  KeyGen  algorithm. 

11Recall  that  in  unique  signatures  [38]  in  addition  to  the  regular  unforgeability  requirement  there  is  an  additional 
uniqueness  property:  for  any  honestly-generated  public  key  pk  and  any  message  to  in  the  message  space,  there  do 
not  exist  values  0-1,02  such  that  <ri  <72  and  yet  Verify(pfc,  to,  co)  =  Verify(pA),  m,  02)  =  1. 
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data  and  can  be  reconstructed  from  i  when  needed.)  Using  SignDerive,  the  server  can  compute 
a  signature  a  on  the  sum  (X)f=i  s*,  1 , . . . ,  1 ) .  Since  the  schemes  are  context  hiding,  the  server  can 
publish  the  sum  Y17=l  Si  m°d  V  and  the  signature  a  on  the  sum  and  (provably)  reveal  no  other 
information  on  the  original  data.  The  “augmentation”  (1, . . . ,  1)  proves  that  the  published  message 
really  is  the  claimed  sum  of  the  original  samples  (the  tag  t  prevents  mix-and-match  attacks  between 
different  data  sets).  We  can  similarly  publish  a  sum  of  any  required  subset. 

More  generally,  the  server  can  publish  an  authenticated  inner  product  of  the  samples  s  := 
(si, . . . ,  sn)  with  any  public  vector  ceFJJ  without  leaking  additional  information  about  the  samples. 
This  is  needed,  for  example,  to  publish  a  weighted  average  of  the  original  data  set.  Similarly,  recall 
that  the  Fourier  transform  of  the  data  (si, . . . ,  sn)  is  a  specific  linear  operator  (represented  by  a 
specific  n  x  n  matrix)  applied  to  this  vector.  Therefore,  we  can  publish  signed  Fourier  coefficients 
of  the  data.  If  we  only  publish  a  subset  of  the  Fourier  coefficients  then,  by  context  hiding,  we  are 
guaranteed  that  no  other  information  about  (si, . . . ,  sn)  is  revealed. 
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A  A  Computational  Definition  of  Context  Hiding 

Let  (KeyGen,  SignDerive,  Verify)  be  a  P-homomorphic  signature  scheme  for  predicate  P  and 
message  At.  Consider  the  following  game  to  model  context  hiding: 

Setup:  The  challenger  runs  the  algorithm  ( pk,sk )  G-  KeyGen(lA)  to  obtain  the  public  key  pk 
and  the  secret  key  sk,  and  gives  pk  to  the  adversary. 

Query  Phase  1:  Proceeding  adaptively,  the  adversary  may  query  any  of  the  three  oracles  from 
the  unforgeability  game: 

•  Sign(m  G  At):  (same  as  in  the  unforgeability  game) 

•  SignDerive(i  G  Z,m'):  (same  as  in  the  unforgeability  game) 

•  Reveal  (i  G  Z):  (same  as  in  the  unforgeability  game) 

Challenge:  At  some  point,  the  adversary  issues  a  challenge  ( m,m ')  where  P(m,m!)  =  1  for 
any  m,m'  G  At.  The  challenger  computes  the  following  three  values:  a  G-  Sign (sk,m), 
do  G-  Sign (sk,mf)  and  <j\  G-  SignDerive(pA;,  a,  m,  m').  The  challenger  then  picks  a  random 
h  G  {0, 1}  and  returns  (<r,  af)  to  the  adversary.  Note:  there  are  no  restrictions  on  m,  m!  other 
than  that  they  be  in  the  message  space;  in  particular,  they  could  be  equal  and  one  or  both 
could  have  been  previously  signed. 

Query  Phase  2:  Proceeding  adaptively,  the  adversary  may  query  the  oracles  from  Phase  1. 
Output:  Eventually,  the  adversary  will  output  a  bit  b'  and  is  said  to  win  if  b  =  b' . 

We  define  Adv^H  to  be  the  probability  that  adversary  A  wins  in  the  above  game  minus  ]> . 

Definition  A.l  (Context  Hiding)  For  a  predicate  P  and  message  space  At,  a  P-homomorphic 
signature  scheme  (KeyGen,  Sign,  SignDerive,  Verify)  is  context  hiding  if  for  all  probabilistic 
polynomial  time  adversaries  A,  Adv is  negligible  in  A. 

A.l  Relation  to  Strong  Context  Hiding 

Lemma  A. 2  A  homomorphic  signature  scheme  that  is  strongly  context  hiding  is  context  hiding. 

Proof.  (Sketch)  Let  n  =  (KeyGen,  SignDerive,  Verify)  be  a  homomorphic  signature  scheme 
and  let  A  be  an  adversary  that  has  advantage  Adv]^  (n)  =  p{ A)  in  the  context-hiding  game.  The 
advantage  probability  for  A  is  taken  over  the  random  coins  of  the  key  generation,  random  coins  of  the 
Sign  and  SignDerive  operations  used  in  the  first  query  phase,  the  random  coins  used  by  algorithm 
A,  and  the  random  coins  used  by  the  rest  of  the  experiment.  Therefore  by  an  averaging  argument, 
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there  must  exist  some  particular  key  pair  ( PK ,  SK)  KeyGen(lA;  z\),  some  particular  random 
tape  zq  for  the  Sign  and  SignDerive  operations  used  in  the  first  query  phase,  some  particular 
random  coins  za  for  A,  and  some  particular  message  pair  (m,  m!)  output  by  A  over  which  the 
probability  of  A  winning  the  context-hiding  game  in  this  case  is  at  least  p( A).  Let  the  values  of  the 
random  tapes  be  given  as  non-uniform  advice. 

We  show  how  this  information  can  be  used  to  construct  a  (non-uniform)  adversary  A'  that 
distinguishes  {(SK,a,Sign(SK,m')}  from  {(SK,  a,  SignDerive(P/\,  a,  m,  m')}  with  probability 
p( A)  for  the  triple  ((PK,  SK),m,m').  Thus,  if  II  is  strongly  context  hiding,  then  p( A)  must  be 
exponentially  small,  and  so  II  must  also  be  context-hiding. 

The  adversary  A 1  works  as  follows:  On  input  the  challenge  tuple  (SK,a,cr'),  A'  begins  to  run 
the  context-hiding  experiment  for  A(PK;  za)-  A'  answers  the  queries  that  A  asks  by  using  SK 
and  the  random  tape  zq  to  run  Sign  and  SignDerive.  When  A  outputs  a  challenge  message  pair 
(m,m')  (which  must  occur  by  construction),  then  A'  answers  with  (a,  a').  A'  answers  the  second- 
phase  queries  of  A  using  SK  and  fresh  random  coins.  Finally,  when  A  outputs  b' ,  A'  echoes  this 
answer  as  output  and  halts. 

First  observe  that  A'  performs  a  perfect  simulation  of  the  context-hiding  game.  When  the  input 
pair  (a,  a')  corresponds  to  (Sign(SK,m),Sign(SK,m')),  then  A'  simulates  the  context-hiding 
game  for  6  =  0.  In  the  other  case,  A'  simulates  the  context-hiding  game  for  6  =  1.  Therefore,  A1 
distinguishes 

{(SK,  Sign  (SK,  m),  Sign(SK,  rn'))}SKmm, 

{(SK,  Sign  (S'/I,  m),  SignDeri ve(PK,  a,  m,  m'))}. SK,m,m' 

with  probability  p(X).  □ 

A. 2  Simplified  Unforgeability  Under  Strong  Context  Hiding 

We  now  show  how  the  strong  context  hiding  property  can  help  simplify  the  security  argument  for 
unforgeability.  In  particular,  we  introduce  a  weaker  notion  of  unforgeability  in  which  the  adversary 
only  makes  calls  to  the  Sign  oracle  and  immediately  receives  a  signature. 

—  Game  NHU(II,  A,  A,  P):  This  game  is  the  same  as  the  Unforg(II,  A,  A,  P)  game  with  the 
exception  that  only  the  following  query  is  allowed: 

-  Sign(m  6  A4):  the  oracle  computes  cr  Sign (SK,m),  adds  m  to  Q  and  returns  a. 

Note,  the  only  difference  between  game  NHU  and  the  standard  unforgeability  game  for  a  signature 
scheme  is  that  in  this  game,  the  adversary  only  wins  if  it  produces  a  forgery  on  a  signature  m* 
such  that  for  all  m  £  Q,  P(m,  m*)  =  0,  whereas  in  the  standard  unforgeability  game,  the  adversary 
wins  if  it  produces  a  signature  on  any  message  that  is  not  in  Q. 

Definition  A. 3  A  quoteable  signature  scheme  II  is  NHU -unforgeable  if  for  all  efficient  adversaries 
A,  it  holds  that  Pr[NHU(II,  A,  A,  P)  =  1]  <  negl(X)  for  some  negligible  function  A. 

Lemma  A. 4  A  signature  scheme  that  is  NHU -unforgeable  and  strongly  context  hiding  is  Unforg- 
unforgeable. 

Proof.  Our  plan  is  to  present  a  series  of  hybrid  experiments  that  are  meant  to  simplify  the  quotable 
unforgeability  game. 
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Hybrid  Hi(H,  A,  X,  P)  Consider  the  first  hybrid  experiment  H i  which  is  the  same  as  the  un¬ 
forgeability  game  Unforg(II,  A,  A,  P),  with  the  exception  that  all  Sign  and  SignDerive  queries  are 
lazily  evaluated.  That  is,  when  A  makes  a  query,  the  experiment  responds  in  the  following  way: 

-  Sign(m ):  generate  a  handle  i  and  record  information  (z,  ?,m,  e)  in  T  and  return  i 

-  SignDerive(i,  m!)\  retrieve  (z,z,m,  •)  from  T,  return  _!_  if  it  does  not  exist  or  if  P(m,  ml)  A 
generate  a  new  handle  i' ,  record  (V,  ?,  m' ,  i)  in  T,  and  return  i! 

Reveal(i ):  retrieve  (i,z,m,i  1)  from  T  (returning  _L  if  it  does  not  exist).  If  z  7^?,  then  return 
2.  Otherwise,  if  i\  =  e,  then  compute  a  <—  Sign (SK,m),  replace  the  entry  (■ i,z,m,e )  with 
( ),  and  return  <7.  Finally,  if  i\  A  e>  then  recursively  call  z\  <—  Reveal(i\),  obtain 
mi,-)  from  T  and  compute  a  4—  SignDerive(PiF,  z\,  mi,  m).  Replace  the  entry  with 
(i,cr,  and  return  cr. 

Claim  A. 5  Pr[#i(II,  A,  A,  P)  =  1]  =  Pr[Unforg(II,  A,  A,  P)  =  1]. 

This  claim  follows  by  inspection.  For  any  query  that  is  eventually  revealed,  the  same  operations 
are  performed  in  both  H\  and  the  original  game.  For  any  query  that  is  never  revealed,  no  operation 
in  H 1  is  performed;  but  this  does  not  affect  the  view  of  the  adversary,  and  therefore  does  not  affect 
the  output  of  the  adversary. 

Hybrid  #2,?(n,  A,  A,  P)  The  second  hybrid  is  the  same  as  H 1  except  that  the  first  i  queries  to 
Reveal  are  answered  using  Reveal  described  below,  and  the  remaining  queries  are  answered  as  per 
H\:  ( The  only  difference  is  that  Sign(SK,mi)  is  used  in  place  of  SignDerive(PiF,  zi,  mi,  m)  in 
the  second  to  last  sentence.) 

Revea^if)'-  retrieve  (■ i ,  z,  m,  i\)  from  T  (returning  _L  if  it  does  not  exist).  If  z  /?,  then  return 
Otherwise,  if  i\  =  e,  then  compute  cr  y-  Sign (SK,m),  replace  the  entry  (■ i,z,m,e )  with 
(■ i,a,m,e ),  and  return  cr.  Finally,  if  i\  A  O  then  recursively  call  z\  4—  Reveal{i\),  obtain 
(*i,  -,mi,  •)  from  T  and  compute  cr  <—  Sign (SK,  mi).  Replace  the  entry  with  ( i ,  a,  m,  if),  and 
return  cr. 

Claim  A. 6  A,  X,  P)  is  identically  distributed  to  H\  (II,  A,  A,  P). 

By  inspection. 

Claim  A. 7  i/2,i(n,  A,  A,  P)  is  identically  distributed  to  #2,1-1  (II,  A,  A,  P)  fori  >  1. 

This  claim  follows  via  the  strong  context-hiding  property  of  the  signature  scheme  because  this 
property  guarantees  Sign  (SK,  m')  and  SignDerive(Piv,  cr,  m,  rnf)  are  statistically  close. 

Suppose  that  A  makes  i  =  poly(X)  queries.  Observe  that  H2/ (II,  A ,  A,  P)  only  evaluates  Sign, 
and  only  does  so  on  messages  that  are  immediately  returned  to  the  adversary.  Thus,  #2/  is 
syntactically  equivalent  to  the  NHU  game.  Since  the  #2 ,e  game  enables  A  to  produce  a  forgery  with 
the  same  probability  as  Unforg(II,  A,  A,  P),  we  have  that  Unforg(II,  A,  A,  P )  =  NHU(II,  A,  A,  P) 
which  completes  the  lemma.  □ 
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Abstract 

With  computer  networks  spreading  into  a  variety  of  new  environments,  the  need  to  au¬ 
thenticate  and  secure  communication  grows.  Many  of  these  new  environments  have  particular 
requirements  on  the  applicable  cryptographic  primitives.  For  instance,  a  frequent  requirement 
is  that  the  communication  overhead  inflicted  be  small  and  that  many  messages  be  processable 
at  the  same  time.  In  this  paper,  we  consider  the  suitability  of  public  key  signatures  in  the  latter 
scenario.  That  is,  we  consider  signatures  that  are  1)  short  and  2)  where  many  signatures  from 
(possibly)  different  signers  on  (possibly)  different  messages  can  be  verified  quickly.  Prior  work 
focused  almost  exclusively  on  batching  signatures  from  the  same  signer. 

We  propose  the  first  batch  verifier  for  messages  from  many  (certified)  signers  without  random 
oracles  and  with  a  verification  time  where  the  dominant  operation  is  independent  of  the  number 
of  signatures  to  verify.  We  further  propose  a  new  signature  scheme  with  very  short  signatures,  for 
which  batch  verification  for  many  signers  is  also  highly  efficient.  Combining  our  new  signatures 
with  the  best  known  techniques  for  batching  certificates  from  the  same  authority,  we  get  a  fast 
batch  verifier  for  certificates  and  messages  combined.  Although  our  new  signature  scheme  has 
some  restrictions,  it  is  very  efficient  and  still  practical  for  some  communication  applications. 


1  Introduction 

As  the  world  moves  towards  pervasive  computing  and  communication,  devices  from  vehicles  to 
dog  collars  will  soon  be  expected  to  communicate  with  their  environments.  For  example,  many 
governments  and  industry  consortia  are  currently  planning  for  the  future  of  intelligent  cars  that 
constantly  communicate  with  each  other  and  the  transportation  infrastructure  to  prevent  accidents 
and  to  help  alleviate  traffic  congestion  [16,  50].  Raya  and  Hubaux  suggest  that  vehicles  will  transmit 
safety  messages  every  300ms  to  all  other  vehicles  within  a  minimum  range  of  110  meters  [49],  which 
in  turn  may  retransmit  these  messages. 

For  such  pervasive  systems  to  work  properly,  there  are  many  competing  constraints  [16,  50, 
37,  49].  For  one,  there  are  physical  limitations,  such  as  a  limited  spectrum  allocation  for  specific 
types  of  communications  and  the  potential  roaming  nature  of  devices,  that  require  that  messages 
be  kept  very  short  and  (security)  overhead  be  minimal  [37].  Yet  for  messages  to  be  trusted  by 
their  recipients,  they  need  to  be  authenticated  in  some  fashion,  so  that  entities  spreading  false 
information  can  be  held  accountable.  Thus,  some  short  form  of  authentication  must  be  added. 
Furthermore,  different  messages  from  many  different  signers  may  need  to  be  verified  and  processed 
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quickly  (e.g.,  every  300ms  [49]).  Another  possible  constraint  that  these  authentications  remain 
anonymous  or  pseudonymous,  we  leave  as  an  exciting  open  problem. 

In  this  work,  we  consider  the  suitability  of  public  key  signatures  to  the  needs  of  pervasive 
communication  applications.  Generating  one  signature  every  300ms  is  not  a  problem  for  current 
systems,  but  transmitting  and/or  verifying  100+  messages  per  second  might  pose  a  problem.  Using 
RSA  signatures  for  example  seems  attractive  as  they  are  verified  quickly,  however,  one  would  need 
approximately  3000  bits  to  represent  a  signature  on  a  message  plus  the  certificate  (i.e. ,  the  public 
key  and  signature  on  that  public  key)  which  might  be  too  much  for  some  applications  (see  Section 
8.2  of  [49]).  While  many  new  schemes  based  on  bilinear  maps  can  provide  the  same  security  with 
significantly  smaller  signatures,  they  take  significantly  more  time  to  verify  (e.g.,  [9,  6,  13,  53]). 
Thus,  it  is  not  immediately  clear  what  the  proper  tradeoff  between  message  length  and  verification 
time  is  for  many  pervasive  communication  applications.  However,  in  some  applications,  there  is 
evidence  that  doing  a  small  amount  of  additional  computation  is  more  advantageous  than  sending 
longer  messages.  For  example,  Landsiedel,  Wehrle,  and  Gotz  showed  that  for  applications  using 
Mica2  sensors  transmitting  data  consumes  significantly  more  battery  power  than  keeping  the  CPU 
active  [40].  Barr  and  Asanovic  note  that  the  wireless  transmission  of  just  a  single  bit,  can  use  more 
than  1000  times  the  energy  required  for  a  32  bit  computation  [3]. 

1.1  Our  Contributions 

Now,  if  one  wants  both,  short  signatures  and  short  verification  times,  it  seems  that  one  needs  to 
improve  on  the  verification  of  the  bilinear-map  based  schemes  or  try  to  reduce  the  signature  size 
of  a  fast  signature  scheme  such  as  RSA.  In  this  paper  we  take  the  first  route  and  investigate  the 
known  batch-verification  techniques  and  to  what  extent  they  are  applicable  to  bilinear-map  based 
schemes,  whereas  for  example  Gentry  provides  a  method  for  compressing  Rabin  signatures  in  [28]. 
We  note  that  while  these  two  techniques  are  not  mutually  exclusive  (in  fact  Gentry  mentions  that 
the  compressed  Rabin  signatures  can  be  aggregated  [28]),  compressing  signatures  has  not  been  the 
focus  of  our  work.  More  precisely,  the  main  contributions  of  this  paper  are: 

1.  We  instantiate  the  general  batch  verification  definitions  of  Bellare,  Garay,  and  Rabin  [4]  to  the 
case  of  signatures  from  many  signers.  We  also  do  this  for  a  weaker  notion  of  batch  verification 
called  screening  and  show  the  relation  of  these  notions  to  the  one  of  aggregate  signatures. 
Surprisingly,  for  most  known  aggregate  signature  schemes  a  batching  algorithm  is  provably 
not  obtained  by  aggregating  many  signatures  and  then  verifying  the  aggregate. 

2.  We  present  a  batch  verifier  for  the  n-IBS  scheme  [19].  (More  precisely,  this  is  the  IBS  scheme 
implicitly  defined  by  the  Chatterjee-Sarkar  hierarchical  IBE  [19]  and  it  can  also  be  viewed  as  a 
generalized  version  of  the  Boyen- Waters  IBS  [11]  as  we  will  discuss  later.)  To  our  knowledge, 
this  is  the  first  batch  verifier  for  a  signature  scheme  without  random  oracles.  Let  z  be  the 
additional  security  parameter  required  by  the  n-IBS  scheme.  When  identities  and  messages 
are  k  bits,  viewed  as  2  chunks  of  k/z  bits  each,  our  algorithm  verifies  n  n-IBS  signatures 
using  only  (z  +  3)  pairings.  Individually  verifying  n  signatures  would  cost  3 n  pairings. 

3.  We  present  a  new  signature  scheme,  n-Sig,  derived  from  the  Camenisch-Lysyanskaya  signature 
scheme  [13],  which  is  secure  in  the  random  oracle  model.  n-Sig  signatures  require  only  one- 
third  the  space  of  the  original  CL  signatures-  on  par  with  the  shortest  signatures  known  [9] 
-,  but  users  may  only  issue  one  signature  per  period  (e.g.,  users  might  only  be  allowed  to  sign 
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one  message  per  300ms).  We  present  a  batch  verifier  for  these  signatures  from  many  different 
signers  that  verifies  n  signatures  using  only  three  total  pairings,  instead  of  the  5 n  pairings 
required  by  n  original  CL  signatures.  Yet,  our  batch  verifier  has  the  restriction  that  it  can 
only  batch  verify  signatures  made  during  the  same  period.  fl-Sig  signatures  form  the  core  of 
the  only  public  key  authentication,  known  to  us,  that  is  extremely  short  and  highly  efficient 
to  verify  in  bulk. 

4.  Often  signatures  and  certificates  need  to  be  verified  together.  This  happens  implicitly  in 
IBS  schemes.  To  achieve  this  functionality  with  the  II-Sig  signature  scheme,  we  can  issue 
signatures  with  II-Sig  and  certificates  with  the  Boneh,  Lynn  and  Shacham  scheme  [9].  Then 
we  can  batch  the  II-Sig  signatures  (on  any  message  from  any  signer)  using  a  new  batch  verifier 
proposed  herein;  and  we  can  batch  the  BLS  certificates  (on  any  public  key  from  the  same 
authority)  using  a  known  batch  verifier  that  can  batch  verify  n  signatures  from  the  same 
signer  using  only  two  pairings. 

1.2  Batch  Verification  Overview 

We  start  by  a  some  historical  remarks  and  then  later  present  the  schemes  relevant  to  this  paper  in 
more  detail. 

Batch  cryptography  was  introduced  in  1989  by  Fiat  [26]  for  a  variant  of  RSA.  Later,  in  1994, 
Naccache,  M’Raihi,  Vaudenay  and  Raphaeli  [48]  gave  the  first  efficient  batch  verifier  for  DSA 
signatures,  however  an  interactive  batch  verifier  presented  in  an  early  version  of  their  paper  was 
broken  by  Lim  and  Lee  [43].  In  1995  Laih  and  Yen  proposed  a  new  method  for  batch  verification  of 
DSA  and  RSA  signatures  [39],  but  the  RSA  batch  verifier  was  broken  five  years  later  by  Boyd  and 
Pavlovski  [10].  In  1998,  Harn  presented  two  batch  verification  techniques  for  DSA  and  RSA  [32,  33] 
but  both  were  later  broken  [10,  35,  36].  The  same  year,  Bellare,  Garay  and  Rabin  took  the  first 
systematic  look  at  batch  verification  [4]  and  presented  three  generic  methods  for  batching  modular 
exponentiations,  called  the  random  subset  test ,  the  small  exponents  test  and  the  bucket  test  which 
are  similar  to  the  ideas  from  [48,  39].  They  showed  how  to  apply  these  methods  to  batch  verification 
of  DSA  signatures  and  also  introduced  a  weaker  form  of  batch  verification  called  screening.  Later, 
Cheon  and  Lee  introduced  two  new  methods  called  the  sparse  exponents  test  and  the  complex 
exponents  test  [22],  which  they  claim  to  be  about  twice  as  fast  as  the  small  exponents  test.  In  2000, 
Boyd  and  Pavlovski  published  some  attacks  against  different  batch  verification  schemes,  mostly  ones 
based  on  the  small  exponents  test  and  related  tests  [10].  These  attacks  do  not  invalidate  the  proof  of 
security  for  the  small  exponents  test,  but  rather  show  how  the  small  exponents  test  is  often  used  in 
a  wrong  way.  However,  the  authors  also  describe  methods  to  repair  some  broken  schemes  based  on 
this  test.  In  2001,  Hoshino,  Masayuki  and  Kobayashi  [34]  pointed  out  that  the  problem  discovered 
by  Boyd  and  Pavlovski  [10]  might  not  be  critical  for  batch  verification  of  signatures,  but  only  when 
using  batch  verification  to  verify  for  example  zero- knowledge  proofs.  In  2004  Yoon,  Cheon  and  Kim 
proposed  a  new  ID-based  signature  scheme  with  batch  verification  [21],  but  their  security  proof  is 
for  aggregate  signatures  and  does  not  meet  the  definition  of  batch  verification  by  Bellare  et  al.  [4]; 
hence  their  title  is  somewhat  misleading.  Other  schemes  for  batch  verification  based  on  bilinear 
maps  were  proposed  [17,  54,  55,  56]  but  all  were  later  broken  by  Cao,  Lin  and  Xue  [15].  In  2006, 
a  method  was  proposed  for  identifying  invalid  signatures  in  RSA- type  batch  signatures  [42],  but 
Stanek  [52]  showed  that  this  method  is  flawed.  Shacham  and  Boneh  gave  a  practical  application 
of  batch  verification  by  using  a  modified  version  of  Fiat’s  batch  verifier  for  RSA  to  improve  the 
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efficiency  of  SSL  handshakes  on  a  busy  server  [51].  Ferrara,  Green,  Hohenberger,  and  Pedersen 
gave  performance  measurements  for  the  schemes  herein,  and  also  showed  how  to  batch  verify  other 
types  of  signatures,  such  as  group  and  ring  signatures  [25].  Law  and  Matt  pointed  out  some  IBS 
schemes  that  batch  well,  and  also  give  methods  for  identifying  invalid  signatures  in  a  batch  [41]. 

Bellare,  Garay  and  Rabin  Testing  Techniques.  Let  g  generate  a  group  of  prime  order. 
In  1998,  Bellare,  Garay  and  Rabin  described  some  tests  [4],  for  verifying  equations  of  the  form 
Hi  =  9Xi  for  i  =  1  to  n.  Obviously  if  one  just  multiplies  these  equations  together  and  checks 
if  nr=i  yi  =  g^i=tXi,  it  is  easy  to  produce  two  pairs  (xq ,  y\ )  and  (. X2,y2 )  such  that  the  product 
of  them  verifies  correctly,  but  each  individual  verification  does  not,  e.g.,  by  submitting  the  pairs 
( x\  —  a,  yi )  and  (x2  +  a,  j/2)  instead.  Let  us  review  three  fixes  to  this  broken  initial  proposal. 

Random  Subset  Test:  The  idea  here  is  to  pick  a  random  subset  of  these  pairs  (xq,  y-i)  and  mul¬ 
tiply  them  together,  hoping  to  split  up  the  pairs  that  were  specifically  crafted  to  cancel  each 
other  out.  Repeating  this  test  £  times,  picking  a  new  random  subset  every  time,  results  in 
the  probability  of  accepting  invalid  pairs  being 

Small  Exponents  Test:  Instead  of  picking  a  random  subset  every  time,  one  can  choose  exponents 
Si  of  (a  small  number  of)  £  bits  and  compute  nf=i  2/f‘  =  g^i=1  XiSi  ■  Bellare  et  al.  prove  that 
this  test  results  in  the  probability  of  accepting  a  bad  pair  being  .  The  size  of  £  is  a  tradeoff 
between  efficiency  and  security  and  hence  it  is  difficult  to  give  an  exact  recommendation  for 
it.  It  all  depends  on  the  application  and  how  critical  it  is  not  to  accept  even  a  single  invalid 
signature.  For  just  a  rough  check  that  all  signatures  are  correct  20  bits  seems  reasonable.  In 
a  higher  security  setting  we  should  probably  be  using  around  64  bits. 

Bucket  Test:  This  method  is  even  more  efficient  than  the  small  exponents  test  for  large  values 
of  n.  The  idea  is  to  repeat  a  test  called  the  atomic  bucket  test  m  times.  The  atomic  bucket 
test  works  by  first  putting  the  n  instances  one  wants  to  verify  into  M  buckets  at  random. 
This  results  in  M  new  instances  of  the  same  problem,  which  are  then  checked  using  the  small 
exponents  test  with  security  parameter  m.  After  repeating  the  atomic  bucket  test  m  times, 
the  probability  of  accepting  a  bad  pair  in  the  original  n  instances  is  at  most  2~m. 


1.3  Efficiency  of  Prior  Work  and  our  Contributions 

Efficiency  will  be  given  as  an  abstract  cost  for  computing  different  functions.  We  begin  by  discussing 
prior  work  on  RSA,  DSA,  and  BLS  signatures  mostly  for  single  signers,  and  then  discuss  our  new 
work  on  LLIBS,  LLSig  and  BLS  signatures  for  many  signers.  Note  that  Lim  [44]  provides  a  number  of 
efficient  methods  for  doing  m- term  exponentiations  and  Granger  and  Smart  [31]  give  improvements 
over  the  naive  method  for  computing  a  product  of  pairings,  which  is  why  we  state  them  explicitly. 


m-MultPairCost^jj 

m-  M  u  It  ExpCost^  ( k) 

PairCost^H 

ExpCost^O) 

GroupTestCostg 

HashCostjg 

MultCost6' 


s  m- term  pairings  n”=i  eG?i>  hi)  where  gi  £  G,  ht  £  H. 
s  TO-term  exponentiations  Hq=i  9<H  where  g  £  G,  | a* |  =  k. 
s  pairings  e(gq,  hi)  for  i  =  1 . . .  s,  where  gt  £  G,  hi  £  HI. 
s  exponentiations  gai  for  *  =  1 ...  s  where  g  £  G,  \ai\  =  k. 
Testing  whether  or  not  s  elements  are  in  the  group  G. 
Hashing  s  values  into  the  group  G. 
s  multiplications  in  one  or  more  groups. 
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If  s  =  1  we  will  omit  it.  Throughout  this  paper  we  assume  that  n  is  the  number  of  message/signature 
pairs  and  4  is  a  security  parameter  such  that  the  probability  of  accepting  a  batch  that  contains  an 
invalid  signature  is  at  most  2~^b. 

RSA*  is  a  modified  version  of  RSA  by  Boyd  and  Pavlovski  [10].  The  difference  to  normal  RSA  is 
that  the  verification  equation  accepts  a  signature  a  as  valid  if  aae  =  m  for  some  element  a  6  T,*rn  of 
order  no  more  than  2,  where  m  is  the  product  of  two  primes.  The  signatures  are  usually  between 
1024  —  2048  bits  and  the  same  for  the  public  key.  A  single  signer  batch  verifier  for  this  signature 
scheme  with  cost  n- M  u 1 1 Ex p C ost| m  (4)  +  ExpCostZm(A’),  where  k  is  the  number  of  bits  in  the  public 
exponent  e,  can  be  found  in  [10].  Note  that  verifying  n  signatures  by  verifying  each  signature 
individually  only  costs  ExpCost g  (&),  so  for  small  values  of  e  (|e|  <  2-4/3)  the  naive  method  is  a 
faster  way  to  verify  RSA  signatures  and  it  can  also  handle  signatures  from  multiple  signers.  Bellare 
et  al.  [4]  presents  a  screening  algorithm  for  RSA  that  assumes  distinct  messages  from  the  same 
signer  and  costs  2 n  +  ExpCost z  (A;). 

DSA**  is  a  modified  version  of  DSA  from  [48]  compatible  with  the  small  exponents  test  from  [10]. 
There  are  two  differences  to  normal  DSA.  First  there  is  no  reduction  modulo  q,  so  the  signatures 
are  672  bits  instead  of  320  bits  and  second,  individual  verification  should  check  both  a  signature  a 
and  —  o  and  accept  if  one  of  them  holds.  Messages  and  public  keys  are  both  160  bits  long.  Using  the 
small  exponents  test  the  cost  is  n-Mu ltExpCostG (4)  +  ExpCostG(160)  +  HashCostG  +  MultCost2n+1 
multiplications.  This  method  works  for  a  single  signer  only. 

n-iBS  is  an  IBS  scheme  derived  from  the  Chatterjee  and  Sarkar  HIBE  scheme  [19]  for  which  we 
provide  a  batch  verifier  without  random  oracles  in  Section  4.  An  interesting  property  of  this  scheme 
is  that  the  identity  does  not  need  to  be  verified  separately.  Identities  and  messages  are  k  bits  divided 
into  z  logical  chunks,  each  of  k/z  bits,  where  z  is  a  security  parameter,  and  a  signature  is  three 
bilinear  group  elements.  The  computational  effort  required  depends  on  the  number  of  messages 
and  the  security  parameters.  Let  M  =  ra-MultExpCost^j  (4)  +  n-MultExpCostG(4)  +  PairCostGG  + 
GroupTestCostGra  +  MultCost3  and  refer  to  the  table  below  for  efficiency  of  the  scheme. 

n<2z:  M  +2n-MultPairCostG  G  +  2-MultExpCostGn(|)  +  ExpCostGn(4) 

n  >  2z  :  M  +z-MultPairCostG;G  +  ExpCostGn(|  +  4)  +  MultCostzn 

The  naive  application  of  Il-IBS  to  verify  n  signatures  costs  PairCostGnG  +  2-MultExpCostGn(7)  + 
MultCost4n.  Also  note  that  in  many  security  applications  we  do  not  need  to  transmit  the  identity 
as  a  separate  parameter,  as  it  is  already  included  in  the  larger  protocol.  For  example,  the  identity 
may  be  the  hardware  address  of  the  network  interface  card. 

BLS  is  the  signature  scheme  by  Boneh,  Lynn  and  Shacham  [9] .  We  discuss  batch  verifiers  for  BLS 
signatures  based  on  the  small  exponents  test.  For  a  screening  algorithm,  aggregate  signatures  by 
Boneh,  Gentry,  Lynn  and  Shacham  [8]  can  be  used.  The  signature  is  only  one  group  element  in 
a  bilinear  group  and  the  same  for  the  public  key.  For  different  signers  the  cost  of  batch  verifica¬ 
tion  is  n-MultPairCostG G  +  n-MultExpCostG(4)  +  PairCostGG  +  ExpCostG  (4)  +  GroupTestCostG  + 
HashCostG,  but  for  single  signer  it  is  only  n- Mu  It  ExpCost,2  (4)  +  PairCostGG  +  GroupTestCostG  + 
HashCostG. 
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II-Sig  is  a  new  variant  of  Camenisch  and  Lysyanskaya  signatures  [13]  presented  in  Section  5  designed 
specifically  to  enable  efficient  batch  verification.  The  signature  is  only  one  bilinear  group  element 
and  the  same  for  the  public  key.  Batch  verification  costs  n-MultExpCost^(^)+n-MultExpCostG(|u;|  + 
4)  +  PairCostg  G  +  GroupTestCostg  +  HashCostg,  where  w  is  the  output  of  a  hash  function.  However, 
the  scheme  has  some  additional  restrictions. 

Small  Exponents  and  Bucket  Tests.  Recall  the  various  testing  techniques  covered  in  Sec¬ 
tion  1.2.  Our  batch  verifiers  in  this  paper  make  use  of  the  small  exponents  test,  but  since  the 
bucket  test  uses  the  small  exponents  test  as  a  subroutine,  we  note  that  we  can  also  use  the  bucket 
test  to  further  speed  up  verification  of  many  signatures. 

2  Definitions 

Recall  that  a  digital  signature  scheme  is  a  tuple  of  algorithms  (Gen,  Sign,  Verify)  that  also  is  cor¬ 
rect  and  secure.  The  correctness  property  states  that  for  all  Gen(l^)  — >  ( pk,sk ),  the  algorithm 
Verify(p/c,  m,  Sign(sfc,  m))  =  1. 

There  are  two  common  notions  of  security.  Goldwasser,  Micali  and  Rivest  [30]  defined  a  scheme 
to  be  unforgeable  as  follows:  Let  Gen(l£)  — >  ( pk ,  sk ).  Suppose  ( m,a )  is  output  by  a  p.p.t.  adversary 
A  with  access  to  a  signing  oracle  Os &(•)  and  input  pk.  Then  the  probability  that  m  was  not  queried 
to  Osk(-)  and  yet  Verify  [pk,  m,  cr)  =  1  is  negligible  in  t.  An,  Dodis  and  Rabin  [1]  proposed  the 
notion  of  strong  unforgeability ,  where  if  A  outputs  a  pair  (m,,a)  such  that  Verify  (pk,  m,  a)  =  1, 
then  except  with  negligible  probability  at  some  point  the  signing  oracle  Os &(•)  was  queried  on  m 
and  outputted  signature  a  exactly.  In  other  words,  an  adversary  cannot  create  a  new  signature 
even  for  a  previously  signed  message.  Our  batch  verification  definitions  work  with  either  notion. 
The  signatures  used  in  Section  4  meet  the  GMR  [30]  definition,  while  those  in  Section  5  meet  the 
stronger  ADR  [1]  definition. 

Now,  we  consider  the  case  where  we  want  to  quickly  verify  a  set  of  signatures  on  (possibly) 
different  messages  by  (possibly)  different  signers.  The  input  is  {(ti,  mi,  oq), . . . ,  ( tn ,  m.n ,  <rn)},  where 
ti  specifies  the  verification  key  against  which  cry  is  purported  to  be  a  signature  on  message  ruj.  We 
extend  the  definitions  of  Bellare,  Garay  and  Rabin  [4]  to  deal  with  multiple  signers.  And  this  is  an 
important  point  that  wasn’t  a  concern  with  only  a  single  signer:  one  or  more  of  the  signers  may 
be  maliciously  colluding. 

Definition  2.1  (Batch  Verification  of  Signatures)  Let  I  be  the  security  parameter.  Suppose 
(Gen,  Sign,  Verify)  is  a  signature  scheme,  k ,  n  G  poly(f),  and  ( pk1 ,  sk i), . . . ,  ( pkk ,  skk )  are  generated 
independently  according  to  Gen(l^).  Let  PK  =  {p/cl5 . . .  ,pkk}.  Then  we  call  probabilistic  Batch  a 
batch  verification  algorithm  when  the  following  conditions  hold: 

•  If  pkt.  G  PK  and  Verify(p/ct., m*, cr*)  =  1  for  all  i  G  [l,n],  then 
Batch((pktl ,  mi,  a\), . . . ,  ( pktn,mn,an ))  =  1. 

•  If  pkt.  G  PK  for  all  i  G  [l,n]  and  Verify (pkt.,mi,<Ji)  =  0  for  some  i  G  [l,n],  then 
Batch((p&tl,  mi,  <7i), . . . ,  ( pktn,mn,an ))  =  0  except  with  probability  negligible  in  I, 
taken  over  the  randomness  of  Batch. 
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Note  that  Definition  2.1  requires  that  signing  keys  be  generated  honestly,  but  then  they  can  be 
later  held  by  an  adversary.  In  practice,  users  could  register  their  keys  and  prove  some  necessary 
properties  of  the  keys  at  registration  time  [2], 

On  Differences  between  Batch  Verification,  Screening  and  Aggregate  Signatures.  As 

we  discussed  in  the  introduction,  when  doing  our  literature  search  on  batch  verification,  we  often 
came  across  works  (e.g.,  [21,  23])  which  confuse  the  goals  of  aggregate  signatures  and  batch  veri¬ 
fication  or  claim  to  do  batch  verification  when,  in  fact,  they  often  meet  a  weaker  guarantee  called 
screening  [4].  Let  us  clarify  these  distinct  notions. 

Informally,  in  both  batch  verification  and  screening,  the  goal  is  an  algorithm  that  takes  as  input 
n  distinct  signatures  and  verifies  them  quickly.  In  batch  verification,  the  batch  of  signatures  should 
verify  if  and  only  if  all  individual  signatures  are  valid.  In  the  screening  security  model,  an  honest 
signer  is  protected  in  the  sense  that  an  attacker  cannot  cause  her  to  become  bound  to  a  message 
that  she  did  not  sign,  even  if  the  attacker  controls  all  other  signers;  however,  honest  verifiers  are 
not  totally  protected  from  dishonest  signers  in  the  sense  that  a  dishonest  signer  might  be  able  to 
devise  a  batch  of  signatures  that  pass  the  screening  test,  but  do  not  all  individually  verify. 

The  goal  in  aggregate  signatures  is  an  algorithm  that  takes  as  input  n  distinct  signatures 
and  compresses  them  to  save  bandwidth.  It  happens  that  the  security  definition  of  aggregate 
signatures  [8]  implies  screening,  while  neither  definition  implies  batch  verification.  We  first  give  the 
formal  definitions  of  screening  and  aggregate  signatures,  and  then  discuss  a  scheme  which  satisfies 
these  notions,  but  not  batch  verification. 

Definition  2.2  (Screening  of  Signatures)  Let  £  be  the  security  parameter.  Suppose  (Gen,  Sign, 
Verify)  is  a  signature  scheme,  n  €  poly(f')  and  ( pk0,sko )  A-  Gen(l^).  Let  Osk0{-)  be  an  oracle  that 
on  input  m  outputs  a  =  Sign(sfco)  m)  ■  Then  for  all  p.p.t.  adversaries  A,  we  call  probabilistic  Screen 
a  screening  algorithm  when  n{£)  defined  as  follows  is  a  negligible  function: 

Pr[(pA;0,  sk0 )  A-  Gen(l^),  (pk±,  sk i)  A-  Gen(l^), . . . ,  ( pkn ,  skn)  A-  Gen(l£), 

D  A-  A°sko^(pk0,  (pk1,  skx), ...,  ( pkn ,  skn ))  : 

Screen(D)  =  1  A  ( pk0,m,a )  6  D  A  m  0  Q\  =  /i(£), 

where  Q  is  the  set  of  queries  that  A  made  to  Osk0(-)  and  for  all  ( pka ,  b,  c)  £  D,  a  £  {0, . . . ,  n}. 

The  above  definition  is  generalized  to  the  multiple-signer  case  from  the  single-signer  screening 
definition  of  Bellare,  Garay  and  Rabin  [4],  We  now  describe  the  security  notion  for  aggregate 
signatures;  the  correctness  property  should  be  obvious. 

Definition  2.3  (Aggregate  Signatures  Security  [8])  Let  £  be  the  security  parameter.  Suppose 
(Gen,  Sign,  Verify)  is  a  signature  scheme,  n  £  poly(f)  and  ( pk0,sko )  A-  Gen(lf).  Let  Osk0(-)  be  an 
oracle  that  on  input  m  outputs  a  =  S\gn(sko,m).  Then  for  all  p.p.t.  adversaries  A,  we  call  prob¬ 
abilistic  AggVerify  an  aggregate-verification  algorithm  when  /i(f)  defined  as  follows  is  a  negligible 
function: 

Pr[(pk0,sk0)  4-  Gen(l^);  (pkl, . . . ,  pkn,  m0,  •  •  • ,  mn,a)  <-  A°sko(''\pk0)  : 

AggVerify((p/c0, . . . ,  pkn),  (m0,  •  •  • ,  mn),  a)  =  1  A  m0^Q]  =  /a(£), 

where  Q  is  the  set  of  queries  that  A  made  to  Osk0(-). 
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As  mentioned  above,  screening  is  the  (maximum)  guarantee  that  some  aggregate  signatures 
offer  if  one  were  to  attempt  to  batch  verify  a  group  of  signatures  by  first  aggregating  them  together 
and  then  executing  the  aggregate- verification  algorithm.  We  now  give  an  example  of  a  construction 
which  can  satisfy  both  Definitions  2.2  and  2.3,  but  which  provably  does  not  satisfy  Definition  2.1. 
Consider  the  aggregate  signature  scheme  of  Boneh,  Gentry,  Lynn  and  Shacham  [8]  based  on  the 
BLS  signatures  [9].  First,  we  review  the  BLS  signatures.  Let  G  =  (g)  be  a  group  of  prime  order 
q  that  provided  for  a  bilinear  map  e  :  G  x  G  — >  G t-  To  generate  a  key  pair,  choose  a  random 
sk  e  Z9  and  set  pk  =  gsk .  A  signature  on  message  m  is  cr  =  H(m)sk ,  where  H  :  {0, 1}*  — >  G  is 
a  hash  function.  To  verify  a  signature  a  on  a  message  m,  one  checks  that  e(a,g)  =  e(H(m),pk). 
Given  a  group  of  message-signature  pairs  (mi,  <ti),  . . . ,  (mn,  an)  (all  purportedly  from  the  same 
signer)  where  each  message  is  distinct,  BGLS  aggregate  them  as  A  =  nT=i  Then  all  signatures 
can  be  verified  in  aggregate  (i.e.,  screened)  by  testing  that  e(A,g)  =  e(] ~Xi=i  H (mi) ,  pk) .  This 
scheme  is  not ,  however,  a  batch  verification  scheme  since,  for  any  a  ^  1  6  G,  the  two  invalid 
message-signature  pairs  P\  =  (mi,  a  ■  H(m.\)sk )  and  P2  =  (m2,  a-1  •  H(ni2)sk)  will  verify  under 
Definition  2.2  (as  BGLS  observe  [8]),  but  will  not  verify  under  Definition  2.1.  Indeed,  for  some 
pervasive  computing  applications  only  guaranteeing  screening  would  be  disastrous,  because  only 
P\  may  be  relevant  information  to  forward  to  the  next  entity  -  and  it  won’t  verify  once  it  arrives! 
Also  recall  the  e-mail  scenario  from  Section  1.  If  we  only  did  screening  on  the  server,  a  user  could 
send  n  messages  with  invalid  signatures  (to  different  receivers)  that  would  screen  correctly.  The 
sender  could  then  later  claim  that  he  did  not  send  one  of  the  messages  and  indeed  the  signature 
will  not  verify  unless  one  can  get  hold  of  all  n  messages!  To  be  fair,  batch  verification  is  not  what 
aggregate  schemes  were  designed  to  do. 

Let’s  make  one  final  observation  about  the  relationship  between  batch  verification  and  screening. 
Let  D  =  {(ti,  mi,  <ti), . . . ,  (tn,  mn,  an)}.  We  note  that  while  Screen(D)  =  1  does  not  guarantee  that 
Verify  (pkti,  m;,  <7j)  for  all  i;  it  does  guarantee  that  the  holder  of  sktt  authenticated  m*.  That  is,  for 
all  i ,  the  holder  of  sktt  helped  to  create  cr*,  which  may  or  may  not  be  a  valid  signature  for  m*.  Thus, 
a  screening  scheme  can  be  employed  to  hold  users  accountable  for  the  messages  they  “sign”  in  a  set 
D  such  that  Screen  (D)  =  1,  but  to  do  this  the  entire  set  D  must  be  recorded  or  retransmitted  to  a 
third  party.  In  the  authenticated  email  scenario,  where  the  mailserver  is  verifying  the  signatures  on 
emails  for  many  different  users,  releasing  D  (in  the  event  of  disputes)  raises  serious  privacy  issues. 
One  could  consider  releasing  a  non-interactive  zero-knowledge  proof  of  knowledge  of  D  such  that 
Screen(D)  =  1,  although  the  naive  approach  will  require  0(\D\)  space  and  0(\D\)  time  to  verify. 

3  Algebraic  Setting  and  Group  Membership 

Bilinear  Groups.  Let  BSetup  be  an  algorithm  that,  on  input  the  security  parameter  ]/,  outputs 
the  parameters  for  a  bilinear  map  as  (q,  g,  G,  Gt,  e),  where  G  and  G t  are  groups  of  prime  order 
q  €  0(2^).  The  efficient  mapping  e:GxG->  G  t  is  both:  ( bilinear )  for  all  g  €  G  and  a,b  <—  7Lq, 
e(ga,gb)  =  e(g,g)ab-,  and  (non- degenerate)  if  g  generates  G,  then  e(g,g)  /  1.  Following  prior  work, 
we  write  G  and  Gt  in  multiplicative  notation  (although  G  is  often  also  denoted  as  an  additive 
group).  This  bilinear  map  is  called  a  symmetric  bilinear  map.  A  more  general  version  of  the 
bilinear  map  is  the  asymmetric  bilinear  map  e  :  Gi  x  G2  — >  G t,  where  Gi  and  G2  are  distinct 
groups,  possibly  without  efficient  isomorphisms  between  them.  Getting  into  details  about  how 
these  bilinear  maps  are  constructed  is  not  the  purpose  of  this  paper,  so  we  just  give  a  very  brief 
overview  required  for  reasoning  about  the  efficiency  of  our  schemes. 
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Gi  and  O2  are  groups  of  points  on  some  curve  and  G t  is  a  subgroup  of  a  multiplicative  group 
over  a  related  finite  field.  All  groups  have  the  same  order  7.  Let  E  be  an  elliptic  curve.  We  denote 
the  group  of  points  on  E  defined  over  Fp  as  E(¥p).  Gi  (or  G  in  the  symmetric  setting)  is  a  subgroup 
of  E(¥p),  G2  is  usually  defined  as  a  subgroup  of  E(¥pk)  where  k  is  the  embedding  degree  and  G t 
is  usually  a  subgroup  of  E(¥*k).  Let’s  look  at  the  size  of  the  group  elements.  For  simplicity  we  will 
assume  that  we  are  aiming  for  security  comparable  to  1024  bit  RSA.  Note  that  although  a  point 
( x ,  y )  on  a  curve  consist  of  two  elements  x  and  y  in  the  underlying  field,  the  size  of  groups  elements 
are  equivalent  to  the  size  of  elements  in  the  underlying  field.  The  reason  is  that  we  only  need  to 
represent  the  x  coordinate  and  the  least  significant  bit  of  y  in  order  to  reconstruct  y  when  needed. 

So  what  is  the  minimum  size  the  group  elements  can  have?  First  of  all  the  group  order  q  must 
be  large  enough  to  resist  attacks  on  discrete  logarithms,  such  as  the  Pollard-p  attack,  which  means 
that  q  >  160.  Second,  the  MOV  attack  states  that  solving  the  discrete  logarithm  problem  on  a 
curve,  reduces  to  solving  it  over  the  corresponding  finite  field  [46],  which  means  that  the  bitlength 
of  pk  must  be  around  1024,  which  has  implications  for  the  size  of  G t-  The  best  known  curves  in 
the  symmetric  setting  works  with  \p\  =  512  and  k  =  2,  and  hence  elements  of  G  will  be  512  bits, 
while  elements  of  G t  will  be  1024  bits.  In  the  asymmetric  setting  one  can  choose  \p\  =  160  and 
k  =  6  which  results  in  elements  of  size  160  bits  in  Gi,  while  elements  of  G2  and  G t  will  be  960 
bits.  In  some  cases  elements  of  G2  can  be  represented  in  the  subfield  i?(F  *72)  instead,  resulting  in 
elements  of  480  bits  [38] . 

Our  constructions  from  Section  5  also  work  in  the  asymmetric  setting  which  allows  us  to  use  a 
short  representation  of  the  signatures.  The  LLIBS  scheme  from  Section  4  can  be  modified  to  work 
in  the  asymmetric  setting,  but  some  parts  of  the  signature  will  end  up  in  the  large  group.  We  refer 
to  the  efficiency  note  paragraphs  in  Section  4  and  5  for  a  more  detailed  discussion. 

Testing  Membership  in  G.  In  a  non-bilinear  setting,  Boyd  and  Pavlovski  [10]  observed  that 
the  proofs  of  security  for  many  previous  batch  verification  or  screening  schemes  assumed  that 
the  signatures  (potentially  submitted  by  a  malicious  adversary)  were  elements  of  an  appropriate 
subgroup.  For  example,  it  was  common  place  to  assume  that  signatures  submitted  for  batch  DSA 
verification  contained  an  element  in  a  subgroup  G  of  Z*  of  prime  order  q.  Boyd  and  Pavlovski  [10] 
pointed  out  efficient  attacks  on  many  batching  algorithms  via  exploiting  this  issue.  Of  course,  group 
membership  cannot  be  assumed ,  it  must  be  tested  and  the  work  required  by  this  test  might  well 
obliterate  all  batching  efficiency  gains.  E.g.,  verifying  that  an  element  y  is  in  G  by  testing  if  yq 
mod  (/=1;  easily  obliterates  the  gain  of  batching  DSA  signatures.  Boyd  and  Pavlovski  [10]  suggest 
methods  for  overcoming  this  problem  through  careful  choice  of  q. 

In  this  paper,  we  will  work  in  a  bilinear  setting,  and  we  must  be  careful  to  avoid  this  common 
mistake  in  batch  verification.  Our  proofs  will  require  that  elements  of  purported  signatures  are 
members  of  G  and  not  E(¥p)  \  G.  The  question  is:  how  efficiently  can  this  fact  be  verified? 
Determining  whether  some  data  represents  a  point  on  a  curve  is  easy.  The  question  is  whether  it 
is  in  the  correct  subgroup.  Assume  we  have  a  bilinear  map  e  :  Gi  x  G2  — >  G t-  In  all  the  schemes 
we  use,  signatures  are  in  Gi,  so  this  is  the  group  we  are  interested  in  testing  membership  of. 

If  the  order  of  Gi  is  7,  one  option  is  to  verify  that  an  element  y  is  in  Gi  by  checking  that 
yq  =  1.  While  this  might  seem  inefficient,  it  is  actually  not  a  problem  in  practice  when  working 
with  pairing  based  schemes,  since  the  time  required  for  a  single  exponentiation  is  considerably  less 
than  the  time  required  for  computing  a  pairing.  This  has  been  verified  experimentally  by  Ferrara 
et  al.  [25].  One  area  for  improvement  in  batching,  however,  is  to  devise  more  efficient  methods  for 
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membership  testing  in  bilinear  groups.  Chen,  Cheng  and  Smart  [20]  provide  more  details  on  this. 

Complexity  Assumptions.  In  the  coming  sections,  we  will  refer  to  the  following  complexity 
assumptions. 

Assumption  3.1  (Computational  DifRe-Hellman  [24])  Let  g  generate  a  group  G  of  prime 
order  q  £  0(2f).  For  all  p.p.t.  adversaries  A,  the  following  probability  is  negligible  in  t: 

Pr[a,  b,  4—  Zg;  z  •£-  A(g,ga,gb)  :  z  =  gab]. 

Assumption  3.2  (Decisional  Bilinear  DifRe-Hellman  [7])  Let  BSetup(l^)  — >  (q,  g,  G,  Gt,  e), 

where  g  generates  G.  For  all  p.p.t.  adversaries  A,  the  following  probability  is  at  most  1/2  plus  a 
negligible  function  in  i: 

Pr[a,  6,  c,  d  <—  Zg;  x0  <-  e(g,  g)abc;  X!<-e(g,g)d;  z  <-  {0, 1};  z'  £-  A(g,  ga,  gb,  gc,  xz)  :  z  =  z'\. 

Assumption  3.3  (LRSW  [45])  Let  BSetup(l£)  -»  (q,  g,  G,  Gt,  e).  Let  X,Y  £  G,  X  =  gx ,  and 
Y  =  gy .  Let  Ox.yi  )  be  an  oracle  that,  on  input  a  value  m  £  Z*,  outputs  a  triple  A  =  (a,  ay,  ax+mxy ) 
for  a  randomly  chosen  a  £  G.  For  all  p.p.t.  adversaries  A^'\  the  following  probability  is  negligible 
in  i: 


Pr[(<7,  g,  G,  Gt,  e)  £-  BSetup(l£);  x  £-  Zg;  y  £-  Zg;  X  =  gx\  Y  =  gy- 

(■ m ,  a,  b ,  c)  •£-  A°^(q,g,G,GT,e,X,Y)  :  m  ^  Q  A  m  £  Z*  A 

a  £  G  A  b  =  ay  A  c  =  ax+mxy] 


where  Q  is  the  set  of  queries  that  A  made  to  Ox,y(/- 

4  Batch  Verification  without  Random  Oracles 

In  this  section,  we  present  a  method  for  batch  verifying  an  identity-based  signature  scheme  II-IBS. 
This  batch  verification  method  can  be  executed  in  different  modes,  optimizing  for  the  lowest  run¬ 
time.  Let  n  be  the  number  of  certificate/signature  pairs,  let  2k  be  the  number  of  users  and  let  there 
be  k  bits  per  message.  Let  z  be  the  additional  security  parameter  required  by  the  II-IBS.  Further¬ 
more  assume  that  the  k  bits  are  divided  into  z  elements  of  k/z  bits  each.  Then  our  batch  verifier 
will  verify  n  certificate/signature  pairs  with  asymptotic  complexity  of  the  dominant  operations 
roughly  MIN{(2?r  +  3)  ,  (z  +  3)}. 

On  the  practical  side,  we  note  that  as  z  grows  there  is  a  corresponding  degradation  in  the 
concrete  security  of  the  IBS  scheme  (see  [19]  for  a  detailed  discussion  of  these  tradeoffs.)  Setting 
z  =  k/ 32,  however,  seems  a  reasonable  choice.  Suppose  we  use  SHA256  to  hash  all  the  messages 
( k  =  256)  and  we  choose  the  elements  to  be  32  bits  (k/z  =  32),  then  roughly  when  n  >  3  batch 
verification  becomes  faster  than  individual  verification. 
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4.1  Batch  Verification  for  II-IBS 


We  describe  a  batch  verification  algorithm  for  the  II-IBS  scheme  [19],  where  the  number  of  pairings 
depends  on  the  security  parameter  and  not  on  the  number  of  signatures  and  where  no  random 
oracles  are  necessary.  The  underlying  II-IBS  signature  scheme  appears  only  implicitly  in  prior 
work,  so  let  us  clearly  explain  its  origin.  We  begin  with  the  observation  by  Boyen  and  Waters 
that  an  IBS  scheme  is  realized  by  the  key  issuing  algorithm  of  any  (fully-secure)  2-level  hierarchical 
identity-based  encryption  (HIBE)  scheme  [11]. 

In  2004,  Boneh  and  Boyen  described  an  efficient  HIBE  in  the  selective-ID  security  model  [5].  In 
2005,  Waters  described  how  to  alter  this  scheme  to  make  it  fully-secure  [53].  The  IBS  scheme  that 
can  be  extracted  from  Waters  2-HIBE  was  proven  secure  under  CDH  in  the  standard  model  by 
Boyen  and  Waters  [11].  In  the  conference  version  of  this  paper  [12],  we  presented  a  batch  verifier 
for  this  IBS  scheme.  Let  n  be  the  number  of  certificate/signature  pairs,  let  2fcl  be  the  number  of 
users,  and  let  k 2  be  the  bits  per  message.  Then  our  batch  verifier  from  the  conference  version  can 
verify  n  certificate/signature  pairs  with  asymptotic  complexity  of  the  dominant  operations  roughly 
MIN{(2n  +  3)  ,  (k\  +  n  +  3)  ,  (n  +  k,2  +  3)  ,  (k\  +  +  3)}.  Suppose  there  are  one  billion  users 

(k\  =  30)  and  SHA256  is  used  to  hash  all  the  messages  (&2  =  256),  then  when  n  >  31  batching 
becomes  faster  than  individual  verification  and  at  most  289  dominant  operations  will  have  to  be 
performed  regardless  of  n. 

Fortunately,  we  are  able  to  significantly  improve  the  efficiency  of  these  prior  results.  We  begin 
by  recalling  that  in  2005  Naccache  [47]  and  Chatterjee  and  Sarkar  [18]  independently  showed  how 
to  generalize  the  Waters  IBE  to  optimize  it  for  efficiency.  In  2006  Chatterjee  and  Sarkar  extended 
these  ideas  to  Waters  HIBE  and  the  resulting  HIBE  was  proven  secure  under  DBDH  in  the  standard 
model  [19].  We  call  the  IBS  scheme  implicitly  defined  by  this  generalized  HIBE  as  n-IBS.  It  is 
known  to  be  secure  under  DBDH  [19]  and  we  conjecture  that  its  security  can  be  shown  under  CDH. 

The  n-IBS  scheme  and  its  batch  verification  algorithm  are  both  considerably  more  practical  than 
the  non-generalized  version  presented  in  our  conference  paper  [12].  Indeed,  the  structure  imposed 
by  the  generalization  [47,  19]  makes  the  n-IBS  scheme  particularly  well-suited  for  batch  verification. 
We  now  explicitly  describe  the  n-IBS  and  then  show  how  to  batch  verify  these  signatures. 

We  assume  that  the  identities  and  messages  are  both  bit-strings  of  length  k  represented  by  z 
blocks  of  k/z  bits  each.  (If  this  is  not  the  case,  then  let  k  be  the  larger  bit-length  and  then  pre-pad 
the  shorter  string  with  zeros.)  Let  BSetup(C)  — >•  (q,g,  G,  Gr,e). 

Setup:  First  choose  a  secret  a£Zg  and  h  £  G  and  calculate  A  =  e(g,  h)a.  Then  pick  two  random 
integers  y[ ,  y'2  £  Zg  and  a  random  vector  y  =  (yi,  ■  •  ■  ,yz)  £  Z*.  The  master  secret  key  is 
MK  =  ha  and  the  public  parameters  are  given  as:  PP  =  (g,  A.  u\  =  gyi,u'2  =  gy'2,  ui  = 
gyi,---,uz  =gVz). 

We  use  the  notation  of  Chatterjee  and  Sarkar  [19]  to  define  the  following  function.  Let 
v  =  (ui, . . .  ,vz),  where  each  u,  is  a  (k/z)- bit  string.  For  i  G  {1,2},  let: 

Ui(v)  =  u\  u/ . 

3= 1 

Extract:  To  create  a  private  key  for  a  user  with  identity  ID  =  (aci,  . . . ,  kz),  select  r  G  Z„  and 
return  KID  =  (ha  ■  U^IDY,  g~r) . 
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Sign:  To  sign  a  message  m  =  (mi, . . .  ,mz),  where  each  m;  is  a  (k/z)- bit  string,  using  private  key 
K  =  (K\ .  K2),  select  s£  T,q  and  return 

5  =  (Kx  •  U2(m)s ,  K2,  g~s )  . 

Verify:  To  verify  a  signature  S  =  (Si,  S2,  S3)  from  identity  ID  =  m, . . . ,  kz  on  message  m ,  parse 
m  =  (mi, . . . ,  mz),  where  each  rrit  is  a  (k/z)- bit  string,  and  check  that: 

A  =  e(Si,g)  ■  e(S2,Ui(ID))  ■  e(S3,  U2(m)). 

If  this  equation  holds,  output  accept ;  otherwise  output  reject. 


We  now  introduce  a  batch  verifier  for  this  signature  scheme.  The  basic  idea  is  to  adopt  the 
small  exponents  test  from  [4]  and  to  take  advantage  of  the  peculiarities  of  bilinear  maps. 

Batch  Verify:  Suppose  we  want  to  batch  verify  n  purported  signatures.  Let  «*■  and  m*  denote 
the  j 'th  (k/z)- bit  block  of  the  identity  of  the  z’th  signer  and  the  message  signed  by  the  i’th 
signer,  respectively.  Let  Sr  =  (S{,  S\,  SI)  denote  the  signature  from  the  i’th  signer.  First 
check  that  all  the  identities  have  the  correct  length  and  that  ,Sj' ,  S\ ,  S\  e  G  for  all  i.  If  not; 
output  reject.  Otherwise  generate  a  vector  A  =  (<5i, . . . ,  Sn)  where  each  5,  is  a  random  element 
of  £b  bits  from  7Lq  and  set 

n  n  n 

P  =  e(f]  S{S\g)  ■  e(H  sf\u\)  •  e(f]  sf,u'2). 

2—1  2—1  2—  1 

Depending  on  the  values  of  z  and  n  proceed  as  follows:  if  n  <  2z  check  whether 


n  a^ 


^  n 


e(sL.n 


u  ■ 


e(S: 


■Si 


3= 1 


n 

3= 1 


(1) 


holds,  otherwise  verify  the  equation 


f[A^  =  P  .f[e(ll(Sp  ■  SimhSi,nj)  .  (2) 

2—  1  j  =  1  2—1 

Output  accept  if  the  chosen  equation  holds;  otherwise  output  reject. 

Theorem  4.1  The  above  algorithm  is  a  batch  verifier  for  the  Il-IBS. 

Proof.  Let  IDi  =  (k\,  . . . ,  ).  The  requirement  that  all  public  keys  are  valid  is  trivially  sat¬ 

isfied  for  an  identity  based  scheme,  once  it  has  been  verified  that  all  identities  have  the  correct 
length.  First  we  show  that  Verify  (IDi,  Mi,  Si)  =  ■■■  =  Verify(/Dn,  Mn,  Sn)  =  1  implies  that 
Batch((/Di,  Mi,  Si), . . . ,  (IDn,  Mn,  Sn))  =  1.  This  follows  from  the  verification  equation  for  the 
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II-IBS  scheme: 


UaS  =  n  (e(5i’5)  •  e(S,2,  Ui(IDi))  ■  e(5l,C/1(MJ)))<5i 
i=  1  i=l 


i=  1  i= 1 


U 


ii 

2= 1 


U  ■ 


2=1 


a  n 

2=i 


n 


(3) 


(4) 


For  the  first  part  of  the  proof,  all  we  need  now  is  to  show  that  equation  1  is  equivalent  to 
equation  2.  Since  for  all  i,  Verify (IDi,  Mi,  Si)  =  1,  (iSf,  S2,  S3)  are  valid  signatures  and  hence  we 
can  write  Sl2  =  gbi  and  S 3  =  gCi  for  some  elements  bi,  Ci  6Zg.  Now  we  rewrite  the  part  inside  the 
parenthesis  of  equation  1  and  get  equation  2: 


n  e(52<5'  ’11'“?)  ■  n  >  n  ?? ) = n  ^ 


tt  _  m? 


A  nEj=i  'i  .  „(nCi  „EJ  1  X  i 


2=1  J  =  1  2=1 


j  =  l 


2=1 


II  (e^9) 


Ej=i(5i&iKi%+5iciml%) 


2=1 

Z 


n  ff)% 


E”=i  {SibiK)+SiCimli 


3= 1 
2:  n 


)Ie:][:.Sp -.Vr* 


2=1  *=1 


We  must  now  show  the  other  direction.  This  proof  is  an  application  of  the  technique  for  proving 
the  small  exponents  test  in  [4],  Batch  verification  accepts  so  we  know  that  S\,  S2,  S|  £  G  and  hence 
we  can  write  S\  =  gai ,  S2  =  gbi  and  S\  =  gCi  for  some  a*,  bi .  c,;  £  Z9.  Also  since  A  £  G  we  can  write 
h  =  gd  for  some  d  £  7Lq. 

Since  equation  3  is  just  an  (inefficient)  variant  of  the  batch  verification,  we  know  that  it  holds, 
and  we  can  rewrite  it  as: 


=  II  (e(9a\d)  -Big*, gtigZ^VM) 


2=1 


2=1 

n 


“Q  e(5,  g^i(o’i+biy'1+ciy!2+bi  Ej= 1  yj^j+a  E|=i  %"£•) 


2=1 


=  e(g,  h)^=1  Sid  1{ai+biyi+ciy,2+bi  EJ=1  •  r-  E)=1  %mi) 


^  ^  Sid  1  j  a{  +  biy'i  +  ciU 2  +  bi  ^  +  c;  ^  yffri)  =  0  (mod  q) 


2=1 


2=1 


2=1 


2=1 
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Setting  /3i  =  a  -  d  1  +  bit/ [  +  Ciy'2  +  h  J2j=i  VjK}  +  °i  J2j= 1 2 this  can  be  written  as: 

n 

^2  $iPi  =  0  (m°d  q)  ■  (5) 

i= 1 

Assume  that  Batch((/L>i,  Mi,  Si), . . . ,  ( IDn ,  Mn,  Sn ))  =  1,  but  for  at  least  one  i  it  is  the  case 
that  Verify (IDi,  Mi,  Si)  =  0.  Assume  wlog  that  this  is  true  for  i  =  1,  which  means  that  f5\  ^  0. 
Since  q  is  a  prime  then  f3\  has  an  inverse  71  such  that  =  1  (mod  q ).  This  and  equation  5  gives 
us: 

n 

hi  =  -71  ^2  (mod  <l)  •  (6) 

i=2 

Given  (TDj,  Mi,  Si),  where  i  =  1 . . .  n,  let  E  be  an  event  that  Verify (ID\,  Mi,  S\)  =  0  holds 
but  that  Batch((/T>i,  Mi,  Si), . . . ,  (IDn,  Mn,  Sn))  =  1,  or  in  other  words,  that  we  break  batch 
verification.  Note  that  we  do  not  make  any  assumptions  about  the  remaining  values.  Let  A'  = 
82,  ■  ■  ■  ,Sn  denote  the  last  n  —  1  values  of  A  and  let  |A'|  be  the  number  of  possible  values  for  this 
vector.  Equation  6  says  that  given  a  fixed  vector  A'  there  is  exactly  one  value  of  hi  that  will 
make  event  E  happen,  or  in  other  words  that  the  probability  of  E  given  a  randomly  chosen  hi  is 
PrfEjA7]  =  2_b>.  So  if  we  pick  <5j  af  random  and  sum  over  all  possible  choices  of  A'  we  get  Pr[E]  < 

Si:=i  (Pr[-E|A']  •  Pr[A']).  Plugging  in  the  values,  we  get:  PrfE1]  <  J2i=i  '  (2-^  •  2~h'(n_V)  = 
2~ib.  □ 


Efficiency  Note.  The  signature  for  MBS  consists  of  three  group  elements,  but  since  it  is 
identity-based  there  is  no  public  key,  and  we  assume  that  the  identity  is  given  ’’for  free”  e.g.,  it 
could  be  the  hardware  address  of  the  network  interface  card.  Hence  the  size  of  the  signature  that 
verifies  both  the  message  and  the  identity  depends  only  on  the  size  of  these  group  elements.  We 
have  described  the  scheme  in  the  symmetric  bilinear  setting  e:GxG->  G  t  because  the  original 
scheme  does  not  work  in  the  asymmetric  bilinear  setting  e  :  Gi  x  G2  — >  G t-  However,  by  switching 
the  order  of  the  elements  in  the  first  pairing  and  modifying  the  public  parameters  accordingly,  the 
scheme  also  works  in  the  asymmetric  bilinear  setting. 

In  the  symmetric  bilinear  setting,  elements  must  be  around  512  bits  for  security  comparable  to 
1024  bits  RSA,  which  gives  us  a  total  signature  size  of  1536  bits.  In  the  asymmetric  bilinear  setting 
the  elements  S2  and  S3  can  be  represented  using  160  bits,  whereas  S 1  needs  512  bits.  So  all  in  all 
we  can  represent  the  signature  on  the  message  and  the  identity  using  only  832  bits.  However,  it 
might  not  be  efficient  to  test  membership  of  the  group  G2,  which  is  needed  for  batch  verification. 

5  Faster  Batch  Verification  with  Restrictions 

In  this  section,  we  present  a  second  method  for  batch  verifying  signatures  together  with  their 
accompanying  certificates.  We  propose  using  the  BLS  signature  scheme  [9]  for  the  certificates  and 
a  modified  version  of  the  CL  signature  scheme  [13]  for  signing  messages.  This  method  requires 
only  two  pairings  to  verify  n  certificates  (from  the  same  authority)  and  three  pairings  to  verify 
n  signatures  (from  possibly  different  signers).  The  cost  for  this  significant  efficiency  gain  is  some 
usage  restrictions,  although  as  we  will  discuss,  these  restrictions  may  not  be  a  problem  for  some  of 
the  applications  we  have  in  mind. 
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Certificates:  We  use  a  batch  verifier  for  BLS  signatures  from  the  same  authority  as  described  in 
Section  5.1.  The  scheme  is  secure  under  CDH  in  the  random  oracle  model.  To  verify  n  BLS 
certificates  costs  n-MultExpCostG(4)  +  PairCostG  G  +  GroupTestCostG  +  HashCostG,  using  the 
Section  1.2  notation. 

Signatures:  We  describe  a  new  signature  scheme  II-Sig  with  a  batch  verifier  in  Section  5.2.  The 
scheme  is  secure  under  the  LRSW  assumption  in  the  plain  model  when  the  size  of  the  message 
space  is  a  polynomial  and  in  the  random  oracle  model  when  the  size  of  the  message  space 
is  super-polynomial.  We  assume  that  there  are  discrete  time  or  location  identifiers  G  T. 
A  user  can  issue  at  most  one  signature  per  f  (e.g.,  this  might  correspond  to  a  device  being 
allowed  to  broadcast  at  most  one  message  every  300nrs)  and  only  signatures  from  the  same 
(j>  can  be  batch  verified  together.  To  verify  n  II-Sig  signatures,  costs  n-MultExpCostG(4)  + 
n-MultExpCostG(|w;|  +  4)  +  PairCostG  G  +  GroupTestCostG  +  HashCostG,  where  w  is  the  output 
of  a  hash  function. 

5.1  Batch  Verification  of  BLS  Signatures 

We  describe  a  batch  verifier  for  many  signers  for  the  Boneh,  Lynn,  and  Shacham  signatures  [9] 
described  in  Section  2,  using  the  small  exponents  test  [4],  which  requires  distinct  messages. 

Batch  Verify:  Given  purported  signatures  ay  from  n  users  on  distinct  messages  Mt  for  i  =  1 . . .  n, 
first  check  that  all  public  keys  yki  where  i  G  [1,  n]  are  valid,  and  that  ay  G  G  for  all  i.  If  not;  output 
reject.  Otherwise  compute  hi  =  H(Mf)  and  generate  a  vector  S  =  (Si,... , 8n)  where  each  Si  is  a 
random  element  of  4  bits  from  Z9.  Check  that  e(nr=i  of ,  g)  =  n"=i  e(/q,  pkf)Si.  If  this  equation 
holds,  output  accept ;  otherwise  output  reject. 

Theorem  5.1  The  algorithm  above  is  a  batch  verifier  for  BLS  signatures. 

Proof.  First  we  show  that  Verify(pAq,  Mi,  Si)  =  ■■■  =  Verify  (pkn,Mn,Sn)  =  1  implies  that 
Batch((p/c1,  Mi,  Si), . . . ,  (pkn,  Mn,  Sn))  =  1.  This  follows  from  the  verification  equation  for  the 
BLS  scheme: 


n  n  n  n 

=  Y[e(hi,pki)Si  4*  e(JJof%5)  =  e(/q, pkf)5i  (7) 

i= 1  i= 1  i= 1  i= 1 

We  must  now  show  the  other  direction.  This  proof  is  again  an  application  of  the  technique  for 
proving  the  small  exponents  test  in  [4].  Batch  verification  accepts  so  we  know  that  ay  G  G  and 
hence  we  can  write  oy  =  gCi  for  some  cy  G  Zg.  We  also  know  that  hi  G  G  so  we  write  it  as  hi  =  gVi. 
Recall  that  pki  =  gXi.  We  know  that  equation  7  holds,  so  we  can  rewrite  it  as: 


IIe(^)*  =  JJ  e(hi,pki)Si  =  \\e(g,g)5iriXi 
i—  1  i=  1  i= 1 

=>  e(g,g)^SiCi  =  e(g,  g)^SiViXi 
n  n 

=>  ^  Sid  -  ^2  SidXi  =  0  (mod  q) 
1=1  1=1 
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Setting  f3i  =  Ci  —  riXi  this  is  equivalent  to: 


n 

y,  ^ /3i  =  0  (mod  q) 
i=l 

The  rest  of  the  proof  follows  from  the  last  part  of  the  proof  of  Theorem  4.1.  □ 


Single  Singer  for  BLS.  However,  BLS  [9]  previously  observed  that  if  we  have  a  single  signer 
with  public  key  v,  the  verification  equation  can  be  written  as  e(nti  ai^9)  =  e(n”=i  hi^v)  which 
reduces  the  load  to  only  two  pairings. 

Theorem  5.2  ([9])  The  algorithm  above  is  a  single-signer,  batch  verifier  for  BLS  signatures. 

5.2  A  New  Signature  Scheme  II-Sig 

In  this  section  we  introduce  a  new  signature  scheme  secure  under  the  LRSW  assumption  [45] ,  which 
is  based  on  the  Camenisch-Lysyanskaya  signature  scheme  [13]. 

The  Original  CL  Scheme.  Recall  the  Camenisch  and  Lysyanskaya  signature  scheme  [13].  Let 
BSetup(l^)  — >  (q,g,  G,  Gr,e).  Choose  the  secret  key  sk  =  (x,y)  £  T?q  at  random  and  set  X  =  gx 
and  Y  =  gy .  The  public  key  is  pk  =  (X,Y).  To  sign  a  message  m  £  Z*,  choose  a  random 
a  £  G  and  compute  b  =  ay ,  c  =  axbxm.  Output  the  signature  (a,  6,  c).  To  verify,  check  whether 
e(X,  a)  ■  e(X,  b)m  =  e(g,  c)  and  e(a,  Y)  =  e(g.  b)  holds. 

n~Sig:  A  version  of  the  CL  Scheme  Allowing  Batch  Verification.  Our  goal  is  to  batch- 
verify  CL  signatures  made  by  different  signers.  That  is,  we  need  to  consider  how  to  verify  equations 
of  the  form  e(X,  a)  ■  e(X,  b)m  =  e(g,  c)  and  e(a,  Y)  =  e(g,  b).  The  fact  that  the  values  X,  a ,  b,  and 
c  are  different  for  each  signature  seems  to  prevent  efficient  batch  verification.  Thus,  we  need  to  find 
a  way  such  that  many  different  signers  share  some  of  these  values.  Obviously,  X  and  c  need  to  be 
different.  Now,  depending  on  the  application,  all  the  signers  can  use  the  same  value  a  by  choosing 
a  as  the  output  of  some  hash  function  applied  to,  e.g.,  the  current  time  period  or  location.  We 
then  note  that  all  signers  can  use  the  same  b  in  principle,  i.e.,  have  all  of  them  share  the  same  Y  as 
it  is  sufficient  for  each  signer  to  hold  only  one  secret  value  (i.e.,  sk  =  x).  Indeed,  the  only  reason 
that  the  signer  needs  to  know  Y  is  to  compute  b.  However,  it  turns  out  that  if  we  define  b  such 
that  loga  b  is  not  known,  the  signature  scheme  is  still  secure.  So,  for  instance,  we  can  derive  b  in  a 
similar  way  to  a  using  a  second  hash  function.  Thus,  all  signers  will  virtually  sign  using  the  same 
Y  per  time  period  (but  a  different  one  for  each  period). 

We  note  that  the  idea  of  sharing  some  value  between  the  signers  in  order  to  efficiently  perform 
some  operation  on  the  signatures  is  not  new.  Gentry  and  Ramzan  present  an  identity  based 
aggregate  signature  scheme  [29]  in  which  signatures  can  only  be  aggregated  if  all  signers  agree  on 
some  dummy  message  that  none  of  them  have  used  before. 

Let  us  now  describe  the  resulting  scheme.  Let  BSetup(l^)  — >  (q,  g,  G,  Gt,  e).  Let  4>  £  denote 
the  current  time  period  or  location,  where  |4>|  is  polynomial.  Let  Xi  be  the  message  space,  for  now 
let  M.  =  {0, 1}*.  Let  H\  :  d>  — >  G,  H-2  :  4>  — >  G,  and  H3  :  Xi  x  4?  — y  7Lq  be  different  hash  functions. 

Key  Gen:  Choose  a  random  x  £  Z9  and  set  X  =  gx.  Set  sk  =  x  and  pk  =  X. 
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Sign:  If  this  is  the  first  call  to  Sign  during  period  (j)  £  then  on  input  message  m  £  M,  set 
w  =  H^{m\\fa),  a  =  H\ {fa),  b  =  H2 {fa)  and  output  the  signature  cr  =  axbxw.  Otherwise,  abort. 

Verify:  On  input  message-period  pair  ( m,q i>)  and  purported  signature  cr,  compute  w  =  #3(m||0), 
a  =  H\  {fa)  and  6  =  H2{fa),  and  check  that  e(a,g)  =  e{a,X)  ■  e{b,X)w.  If  true,  output  accept ; 
otherwise  output  reject. 


Theorem  5.3  Under  the  LRSW  assumption  in  G,  the  H-Sig  signature  scheme  is  existentially 
unforgeable  in  the  random  oracle  model  for  message  space  M  =  {0, 1}*. 


Proof.  We  show  that  if  there  exists  a  p.p.t.  adversary  A  that  succeeds  with  probability  e  in  forging 
II-Sig  signatures,  then  we  can  construct  a  p.p.t.  adversary  B  that  solves  the  LRSW  problem  with 
probability  e  ■  |^|_1  •  q  jj1  in  the  random  oracle  model,  where  qn  is  the  maximum  number  of  oracle 
queries  A  makes  to  H%  during  any  period  4>  £  $.  Recall  that  |<J>|  is  a  polynomial.  Adversary 
B°x,y(-)  against  LRSW  operates  as  follows  on  input  {q,  g,  G,  Gt,  e,  X,  Y).  Let  t  be  the  security 
parameter.  We  assume  that  $  is  pre-defined.  Let  qn  be  the  maximum  number  of  queries  A  makes 
to  L/3  during  any  period  cf  £  <3?. 


1.  Setup:  Send  the  bilinear  parameters  {q,g,  G,Gt,g)  to  A.  Choose  a  random  w'  £  JA  and 
query  Ox,y(w>)  1°  obtain  an  LRSW  instance  (w',  a',  b' ,  c').  Choose  a  random  fa  £  <h.  Treat 
Hi,  H-2,  H%  as  random  oracles.  Allow  A  access  to  the  hash  functions  Hi,  H2,  H%. 

2.  Key  Generation:  Set  pk*  =  X.  For  i  =  1  to  n,  choose  a  random  ski  £  Z q  and  set  pk{  =  gski. 
Output  to  A  the  keys  pk*  and  all  {pkt,  ski )  pairs. 


3.  Oracle  queries:  B  responds  to  A’s  hash  and  signing  queries  as  follows.  Choose  random  r*  and 
Si  in  Z q  for  each  time  period  (except  fa).  Set  up  Hi  and  H2  such  that: 


f  gTi  if  fa  A  4>,%i 

Hi{<t>i)  =  r, 

a  otherwise. 


(8) 


and 


}99i  if  ^  ^  ^ 

2  ^  I  b’  otherwise. 


(9) 


Pick  a  random  j  in  the  range  [l,qn\.  Choose  random  ti ^  £  Zg,  such  that  t^i  A  w’  1  for 
l  £  [1  ,qu\  and  i  £  [1,  |3>|].  Set  up  H3  such  that: 


HlimWAi)  = 


ti,i  if  fa  A  $  or  i  A  i; 

w'  otherwise. 


(10) 


B  records  m*  :=  mj.  Finally,  set  the  signing  query  oracle  such  that  on  the  Z t h  query  involving 
period  fa: 


Osk*{mi\\fa) 


abort  if  fa  =  fa  and  l  A  3\ 

<  d  else  if  fa  =  fa  and  l  =  j; 

XnxGJKi  otherwise. 


(11) 
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4.  Output:  At  some  point  A  stops  and  outputs  a  purported  forgery  a  G  G  for  some  (mi,  fa).  If 
fa  fa  fa,  B  did  not  guess  the  correct  period  and  thus  B  outputs  a  random  guess  for  the  LRSW 
game.  If  mi  =  rri* ,  or  the  II-Sig  signature  does  not  verify,  A’s  output  is  not  a  valid  forgery 
and  thus  B  outputs  a  random  guess  for  the  LRSW  game.  Otherwise,  B  outputs  (tiy,  a' ,h' ,  a) 
as  the  solution  to  the  LRSW  game. 

We  now  analyze  B’s  success.  If  B  is  not  forced  to  abort  or  issue  a  random  guess,  then  we  note 
that  a  =  Hi(cf>i)x H2((f>i)x'H3^miW^i'> ■  In  this  scenario  fa  =  fa  and  tn  fa  ufa .  We  can  substitute  as 
a  =  Thus,  we  see  that  ( titi,a' ,b',a )  is  indeed  a  valid  LRSW  instance.  Thus,  B 

succeeds  at  LRSW  whenever  A  succeeds  in  forging  II-Sig  signatures,  except  when  B  is  forced  to 
abort  or  issue  a  random  guess.  First,  when  simulating  the  signing  oracle,  B  is  forced  to  abort 
whenever  it  incorrectly  guesses  which  query  to  H$,  during  period  fa,  A  will  eventually  query  to 
Osk*( •,  •).  Since  all  outputs  of  H$  are  independently  random,  B  will  be  forced  to  abort  at  most  qfa1 
probability.  Next,  provided  that  A  issued  a  valid  forgery,  then  B  is  only  forced  to  issue  a  random 
guess  when  it  incorrectly  guesses  which  period  (j>  G  that  A  will  choose  to  issue  its  forgery.  Since, 
from  the  view  of  A  conditioned  on  the  event  that  B  has  not  yet  aborted,  all  outputs  of  the  oracles 
are  perfectly  distributed  as  either  random  oracles  (Hi,  H2,  Hfa)  or  as  a  valid  II-Sig  signer  (O^fa). 
Thus,  this  random  guess  is  forced  with  probability  at  most  l^?]^1.  Thus,  if  A  succeeds  with  e 
probability,  then  B  succeeds  with  probability  £  •  |4>|_1  •  qfa1.  □ 


On  Removing  the  Random  Oracles.  In  the  previous  proof,  notice  that  we  treated  hash 
functions  Hi ,  H2  and  H3  as  independent  random  oracles  which  were  (statically)  programmed  in 
|4>|,  |$|,  and  |<3?|  •  |A4 1  points,  respectively,  where  is  the  set  of  time  period  identifiers  and  AI 
is  the  signing  message  space.  Recall  that,  as  before,  |4>|  is  restricted  to  be  polynomial  in  the 
security  parameter.  Now,  for  sufficiently  short  message  spaces,  e.g.,  ISO  defined  error  messages, 
we  can  replace  all  three  random  oracles  in  the  security  proof  of  II-Sig  by  concrete  hash  functions. 
Suppose  that  given  a  set  of  pairs  (xi,  y\), . . . ,  (. Xk,yk ),  it  is  possible  to  efficiently  sample  a  function 
H  :  {0,1}*  — >  G  (where  k  <  21  +  1)  from  a  (2 £  +  1  (-independent  function  family  H  such  that  for 
each  H  G  H,  we  have  H(xfa)  =  yt  for  i  =  1  to  k.  If  such  types  of  hash  function  families  exist  then 
we  could  simply  constrain  them  exactly  as  we  programmed  our  random  oracles. 

Fortunately,  Canetti,  Halevi,  and  Katz  [14]  describe  a  method  of  efficiently  constructing  such 
a  hash  function  family  which  allows  to  map  strings  to  bilinear  map  elements  (or  to  map  strings  to 
elements  in  another  prime-order  algebraic  group  such  as  Z9).  Any  family  satisfying  the  constraints 
above  will  work  for  our  purposes,  where  H 1  and  H-2  map  into  bilinear  group  G  and  H3  maps  into 
7jq.  The  construction  remains  as  before  and  the  new  security  proof  simply  uses  concrete  functions 
with  constraints  mirroring  the  points  (statically)  programmed  in  the  oracles. 

Lemma  5.4  Under  the  LRSW  assumption  in  G,  the  Tl-Sig  signature  scheme  is  existentially  un- 
forgeable  in  the  plain  model  when  \M\  are  polynomial  in  the  security  parameter. 


Batch  Verification  of  n-Sig  Signatures.  Batch  verification  of  n  signatures  a±, . . . ,  crn  on  mes¬ 
sages  m±, . . . ,  mn  for  the  same  period  can  be  done  as  follows.  (Recall  that  each  signer  can  issue 
at  most  one  signature  per  time  period.  Thus,  these  n  signatures  are  all  from  different  signers.) 
Assume  that  user  i  with  public  key  Xt  signed  message  mt .  Set  wt  =  H(mi\\fa).  First  check  that  all 
public  keys  X{  where  i  G  [l,n]  are  valid,  and  that  a i  G  G  for  all  i.  If  not;  output  reject.  Otherwise 
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pick  a  vector  A  =  (Si,...  ,5n)  with  each  element  being  a  random  IV  bit  number  and  check  that 
e f II /=  i  of* ,9)  =  e(a,  n 1  xfl )  •  e(b,  f[™=1  If  this  equation  holds,  output  accept ;  otherwise 

output  reject. 

Theorem  5.5  The  algorithm  above  is  a  batch  verifier  for  II- Sig  signatures. 

Proof.  First  we  show  that  Verify(Xi,  Mi,  Si)  =  •  •  •  =  Verify(Xn,  Mn,  Sn)  =  1  implies  that  Batch((Xi, 
Mi,  Si), . . . ,  (. IDn ,  Mn,  Sn))  =  1.  This  follows  from  the  verification  equation  for  the  II-Sig  scheme 
if  we  keep  in  mind  that 


n  e(cr*’  9)&i = n  (e(°’ ■  e(^ 


\Wi\Si 


~[\e(a,Xi)Si-  Y[e(b,Xi 


1  Wi8i 


(12) 


2=1 


2= 1 


i=l 


2= 1 


^  e(II  °i >  9)  =  e(a,  X?)  •  e(6,  X 


WiSi 


2—1 


2—1 


2—  1 


We  must  now  show  the  other  direction.  This  proof  is  again  an  application  of  the  technique  for 
proving  the  small  exponents  test  in  [4].  Batch  verification  accepts  so  we  know  that  a,  £  G  and 
hence  we  can  write  a,  =  gCi  for  some  q  £  Zg.  We  also  know  that  a  and  b  are  in  G  so  we  write  them 
as  a  =  gr  and  b  =  gs.  Since  equation  12  is  just  an  (inefficient)  variant  of  the  batch  verification,  we 
know  that  it  holds,  and  we  can  rewrite  it  as: 


IIe(™)*  =  II  (e^X^-e^Xirf  =He(g,g)s^+sx^ 

2—1  2—1  2=1 

=►  e(g,g)^=^iCi  =  e(g,g)^= 

n  n 

=>  ^  SiCi  -  ^2  Si  ( TXi  +  sxiWi)  =  0  (mod  q)  . 

2=1  2=1 

Setting  fa  =  a  —  ( rxi  +  sx^Wi)  this  is  equivalent  to: 

n 

Y.  Sifii  =  0  (mod  q)  . 

2=1 

The  rest  of  the  proof  follows  from  the  last  part  of  the  proof  of  Theorem  4.1.  □ 


II-Sig  Without  Batch  Verification.  So  far  we  have  described  II-Sig  only  as  an  efficient  signa¬ 
ture  scheme  to  batch  verify,  but  for  completeness  we  note  that  if  we  are  not  interested  in  batch 
verification,  II-Sig  is  still  a  fairly  efficient  regular  signature  scheme  without  any  restrictions. 

Key  Gen:  Choose  a  random  x  £  7Lq  and  set  X  =  gx.  Set  sk  =  x  and  pk  =  X. 

Sign:  Generate  a  value  4>  £  <f>  that  has  never  been  used  by  the  signer  before.  Then  on  input 
message  m  £  A4,  set  w  =  H^(m\\fi),  a  =  Hi ((f),  b  =  H2((j>),  and  a  =  axbxw  and  output  the 
signature  (cr,(j>). 
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Verify:  On  input  message  m  and  purported  signature  (a,  </>),  compute  w  =  H^{m\\4>),  a  =  Hi((j>) 
and  b  =  i/2 (</>)>  and  check  that  e(cr,g)  =  e(abw,X).  If  true,  output  accept ;  otherwise  output 
reject. 

This  is  very  similar  to  the  original  scheme.  Note  that  the  only  change  is  that  4>  is  now  generated 
independently  from  all  other  signers  and  included  as  part  of  the  signature,  which  makes  the  scheme 
unsuitable  for  batch  verification  (since  the  probability  that  many  signers  will  share  the  same  value 
of  is  small).  However,  now  that  we  are  only  interested  in  individual  verification,  we  can  rewrite 
the  original  verification  equation  e(a,g )  =  e(a,X)  ■  e(b1X)w  as  e(<r,  g)  =  e(abw,X)  which  requires 
only  two  pairings  to  verify.  Finally  note  that  this  variant  of  the  verification  equation  does  not 
depend  on  how  <f>  was  generated,  and  can  always  be  used  for  individual  verification  if  needed. 

Efficiency  Note.  First,  we  observe  that  the  n-Sig  signatures  are  very  short,  requiring  only  one 
element  in  G.  Since  the  BLS  signatures  also  require  only  one  element  in  G,  and  since  a  public  key 
for  the  n-Sig  scheme  is  also  only  one  group  element,  the  entire  signature  plus  certificate  could  be 
transmitted  in  three  G  elements.  In  order  to  get  the  shortest  representation  for  these  elements,  we 
need  to  use  asymmetric  bilinear  maps  e  :  Gi  x  G2  — >  G t,  where  Gi  7^  G2,  which  will  allow  elements 
in  Gi  to  be  160  bits  and  elements  of  G2  to  be  512  bits  for  a  security  level  comparable  to  RSA-1024. 
For  n-Sig  signatures  we  need  to  hash  into  Gi  which  according  to  Galbraith,  Paterson  and  Smart 
can  be  done  efficiently  [27].  To  summarize;  using  BLS  and  n-Sig  we  can  represent  the  signature 
plus  certificate  using  approximately  832  bits  with  security  comparable  to  RSA-1024,  compared  to 
around  3072  bits  for  actually  using  RSA-1024. 

Second,  suppose  one  uses  the  universal  one-way  hash  functions  described  by  Canetti,  Halevi,  and 
Katz  [14]  to  remove  the  random  oracles  from  n-Sig.  These  hash  functions  require  one  exponentiation 
per  constraint.  In  our  case,  we  may  require  as  many  as  |4>|  •  |A4|  constraints.  Thus,  the  cost  to 
compute  the  hashes  may  dampen  the  efficiency  gains  of  batch  verification.  However,  our  scheme  will 
benefit  from  improvements  in  the  construction  of  universal  one-way  hash  functions  with  constraints. 

If  n-Sig  is  used  as  a  signatures  scheme  without  an  efficient  batch  verifier,  the  signature  require 
one  group  element  in  G  and  one  element  in  4>,  where  the  size  of  4>  only  needs  to  be  large  enough 
to  represent  the  number  of  times  a  user  might  want  to  sign  with  the  same  private  key.  Verification 
of  a  single  n-Sig  signature  requires  two  pairings. 

6  Conclusions  and  Open  Problems 

In  this  paper  we  focused  on  batch  verification  of  signatures.  We  overviewed  the  large  body  of 
existing  work,  almost  exclusively  dealing  with  single  signers  (Boneh,  Lynn  and  Shacham  [9]  provide 
a  batch  verification  scheme  for  multiple  signers  on  the  same  message).  We  extended  the  general 
batch  verification  definition  of  Bellare,  Garay  and  Rabin  [4]  to  the  case  of  multiple  signers.  We 
then  presented,  to  our  knowledge,  the  first  efficient  and  practical  batch  verification  scheme  for 
signatures  without  random  oracles.  We  focused  on  solutions  that  comprehended  the  time  to  verify 
the  signature  and  the  corresponding  certificate  for  the  verification  key.  First,  we  presented  a 
batch  verifier  for  the  n-IBS  that  can  verify  n  signatures  using  only  z  +  3  pairings  (the  dominant 
operation),  where  identities  are  k  bits  divided  into  z  elements,  each  oik/ z  bits.  This  is  a  significant 
improvement  over  the  3n  pairings  required  by  individual  verification.  Second,  we  presented  a 
solution  in  the  random  oracle  model  that  batch  verifies  n  BLS  certificates  and  n  n-Sig  signatures 
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using  only  5  pairings.  Here,  n~Sig  is  a  variant  of  the  Camenisch-Lysyanskaya  signatures  that  is 
much  shorter,  allows  for  efficient  batch  verification  from  many  signers,  but  where  only  one  signature 
can  be  safely  issued  per  period. 

It  is  an  open  problem  to  find  a  fast  batch  verification  scheme  for  short  signatures  without  the 
period  restrictions  from  Section  5.  Another  exciting  open  problem  is  to  develop  fast  batch  verifiers 
for  various  forms  of  anonymous  authentication  such  as  group  signatures,  e-cash,  and  anonymous 
credentials. 


Acknowledgments 

We  thank  Ivan  Damgard,  Anna  Lisa  Ferrara,  Jean-Pierre  Hubaux,  Panos  Papadimitratos  and  the 
anonymous  reviewers  for  their  helpful  input.  Susan  Hohenberger  and  Michael  0stergaard  Peder¬ 
sen  performed  part  of  this  research  while  at  IBM  Research,  Zurich  Research  Laboratory.  Also, 
Michael  0stergaard  Pedersen  performed  part  of  this  research  while  at  the  University  of  Aarhus. 
Susan  Hohenberger  is  sponsored  by  the  Defense  Advanced  Research  Projects  Agency  (DARPA) 
and  the  Air  Force  Research  Laboratory  (AFRL)  under  contract  FA8750-1 1-2-0211,  the  Office  of 
Naval  Research  under  contract  N00014-11-1-0470,  NSF  CAREER  CNS-1053886,  a  Microsoft  Fac¬ 
ulty  Fellowship  and  a  Google  Faculty  Research  Award.  The  views  and  conclusions  contained  in 
this  document  are  those  of  the  authors  and  should  not  be  interpreted  as  representing  the  official 
policies,  either  expressed  or  implied,  of  the  Defense  Advanced  Research  Projects  Agency  or  the  US 
government. 


References 

[1]  Jee  Hea  An,  Yevgeniy  Dodis,  and  Tal  Rabin.  On  the  security  of  joint  signature  and  encryption. 
In  Lars  R.  Knudsen,  editor,  Advances  in  Cryptology  -  EUROCRYPT  ’ 02 ,  volume  2332  of 
Lecture  Notes  in  Computer  Science,  pages  83-107.  Springer,  2002. 

[2]  Boaz  Barak,  Ran  Canetti,  Jesper  Buus  Nielsen,  and  Rafael  Pass.  Universally  composable 
protocols  with  relaxed  set-up  assumptions.  In  45th  Symposium  on  Foundations  of  Computer 
Science  (FOCS),  pages  186-195.  IEEE  Computer  Society,  2004. 

[3]  Kenneth  Barr  and  Krste  Asanovic.  Energy  aware  lossless  data  compression.  In  MobiSys. 
USENIX,  2003. 

[4]  Mihir  Bellare,  Juan  A.  Garay,  and  Tal  Rabin.  Fast  batch  verification  for  modular  exponentia¬ 
tion  and  digital  signatures.  In  Kaisa  Nyberg,  editor,  Advances  in  Cryptology  -  EUROCRYPT 
’98,  volume  1403  of  Lecture  Notes  in  Computer  Science,  pages  236-250.  Springer,  1998. 

[5]  Dan  Boneh  and  Xavier  Boyen.  Efficient  selective-ID  secure  identity-based  encryption  without 
random  oracles.  In  Christian  Cachin  and  Jan  Camenisch,  editors,  Advances  in  Cryptology 
-  EUROCRYPT  ’04,  volume  3027  of  Lecture  Notes  in  Computer  Science ,  pages  223-238. 
Springer,  2004. 

[6]  Dan  Boneh  and  Xavier  Boyen.  Short  signatures  without  random  oracles.  In  Christian  Cachin 
and  Jan  Camenisch,  editors,  Advances  in  Cryptology  -  EUROCRYPT  ’04,  volume  3027  of 
Lecture  Notes  in  Computer  Science,  pages  382-400.  Springer,  2004. 

21 

Approved  for  Public  Release;  Distribution  Unlimited. 

910 


[7]  Dan  Boneh  and  Matthew  K.  Franklin.  Identity-based  encryption  from  the  Weil  pairing.  In 
Joe  Kilian,  editor,  Advances  in  Cryptology  -  CRYPTO  '01,  volume  2139  of  Lecture  Notes  in 
Computer  Science ,  pages  213-229.  Springer,  2001. 

[8]  Dan  Boneh,  Craig  Gentry,  Ben  Lynn,  and  Hovav  Shacham.  Aggregate  and  verihably  encrypted 
signatures  from  bilinear  maps.  In  Eli  Biham,  editor,  Advances  in  Cryptology  -  EUROCRYPT 
'03,  volume  2656  of  Lecture  Notes  in  Computer  Science,  pages  416-432.  Springer,  2003. 

[9]  Dan  Boneh,  Ben  Lynn,  and  Hovav  Shacham.  Short  signatures  from  the  Weil  pairing.  Journal 
of  Cryptology,  17(4):297-319,  2004. 

[10]  Cohn  Boyd  and  Chris  Pavlovski.  Attacking  and  repairing  batch  verification  schemes.  In 
Tatsuaki  Okamoto,  editor,  Advances  in  Cryptology  -  ASIACRYPT  ’00,  volume  1976  of  Lecture 
Notes  in  Computer  Science,  pages  58-71.  Springer,  2000. 

[11]  Xavier  Boyen  and  Brent  Waters.  Compact  group  signatures  without  random  oracles.  In  Serge 
Vaudenay,  editor,  Advances  in  Cryptology  -  EUROCRYPT  '06,  volume  4004  of  Lecture  Notes 
in  Computer  Science,  pages  427-444.  Springer,  2006. 

[12]  Jan  Camenisch,  Susan  Hohenberger,  and  Michael  0stergaard  Pedersen.  Batch  verification  of 
short  signatures.  In  Moni  Naor,  editor,  Advances  in  Cryptology  -  EUROCRYPT  ’07,  volume 
4515  of  Lecture  Notes  in  Computer  Science,  pages  246-263.  Springer,  2007. 

[13]  Jan  Camenisch  and  Anna  Lysyanskaya.  Signature  schemes  and  anonymous  credentials  from 
bilinear  maps.  In  Matthew  K.  Franklin,  editor,  Advances  in  Cryptology  -  CRYPTO  ’Of,  volume 
3152  of  Lecture  Notes  in  Computer  Science,  pages  56-72.  Springer,  2004. 

[14]  Ran  Canetti,  Shai  Halevi,  and  Jonathan  Katz.  A  forward-secure  public-key  encryption  scheme. 
In  Eh  Biham,  editor,  Advances  in  Cryptology  -  EUROCRYPT  '03,  volume  2656  of  Lecture 
Notes  in  Computer  Science,  pages  255-271.  Springer,  2003. 

[15]  Tianjie  Cao,  Dongdai  Lin,  and  Rui  Xue.  Security  analysis  of  some  batch  verifying  signatures 
from  pairings.  International  Journal  of  Network  Security,  3(2):138-143,  2006. 

[16]  Car  2  Car.  Communication  consortium,  http://car-to-car.org. 

[17]  Jae  Choon  Cha  and  Jung  Hee  Cheon.  An  identity-based  signature  from  gap  Diffie-Hellman 
groups.  In  Yvo  Desmedt,  editor,  6th  Public  Key  Cryptography  (PKC),  volume  2567  of  Lecture 
Notes  in  Computer  Science,  pages  18-30.  Springer,  2003. 

[18]  Sanjit  Chatterjee  and  Palash  Sarkar.  Trading  time  for  space:  Towards  an  efficient  IBE  scheme 
with  short(er)  public  parameters  in  the  standard  model.  In  Dongho  Won  and  Seungjoo  Kim, 
editors,  8th  Information  Security  and  Cryptology  (ICISC),  volume  3935  of  Lecture  Notes  in 
Computer  Science,  pages  424-440.  Springer,  2005. 

[19]  Sanjit  Chatterjee  and  Palash  Sarkar.  HIBE  with  short  public  parameters  without  random 
oracle.  In  Xuejia  Lai,  editor,  Advances  in  Cryptology  -  ASIACRYPT  ’06,  volume  4284  of 
Lecture  Notes  in  Computer  Science,  pages  145-160.  Springer,  2006. 

[20]  L.  Chen,  Z.  Cheng,  and  N.P.  Smart.  Identity-based  key  agreement  protocols  from  pairings, 
2006.  Cryptology  ePrint  Archive:  Report  2006/199. 

22 

Approved  for  Public  Release;  Distribution  Unlimited. 

911 


[21]  Jung  Hee  Cheon,  Yongdae  Kim,  and  Hyo  Jin  Yoon.  A  new  ID-based  signature  with  batch 
verification,  2004.  Cryptology  ePrint  Archive:  Report  2004/131. 

[22]  Jung  Hee  Cheon  and  Dong  Hoon  Lee.  Use  of  sparse  and/or  complex  exponents  in  batch 
verification  of  exponentiations.  IEEE  Transactions  on  Computers ,  55(  12) :  1536— 1542,  January 
2006. 

[23]  Shi  Cui,  Pu  Duan,  and  Choong  Wah  Chan.  An  efficient  identity-based  signature  scheme  with 
batch  verifications.  In  Abdur  Chowdhury,  Francis  Lau,  and  Frank  Zhigang  Wang,  editors,  1st 
International  Conference  on  Scalable  Information  Systems  (InfoScale).  ACM  Press,  2006. 

[24]  Whitfield  Diffie  and  Martin  Heilman.  New  directions  in  cryptography.  IEEE  Transactions  on 
Information  Theory ,  22:644-654,  1976. 

[25]  Anna  Lisa  Ferrara,  Matthew  Green,  Susan  Hohenberger,  and  Michael  0stergaard  Peder¬ 
sen.  Practical  short  signature  batch  verification,  2008.  Cryptology  ePrint  Archive:  Report 
2008/015. 

[26]  Amos  Fiat.  Batch  RSA.  In  Gilles  Brassard,  editor,  Advances  in  Cryptology  -  CRYPTO  ’ 89 , 
volume  435  of  Lecture  Notes  in  Computer  Science ,  pages  175-185.  Springer,  1989. 

[27]  Steven  D.  Galbraith,  Kenneth  G.  Paterson,  and  Nigel  P.  Smart.  Pairings  for  cryptographers, 
2006.  Cryptology  ePrint  Archive:  Report  2006/165. 

[28]  Craig  Gentry.  How  to  compress  Rabin  ciphertexts  and  signatures  (and  more).  In  Matthew  K. 
Franklin,  editor,  Advances  in  Cryptology  -  CRYPTO  ’ 04 ,  volume  3152  of  Lecture  Notes  in 
Computer  Science ,  pages  179-200.  Springer,  2004. 

[29]  Craig  Gentry  and  Zulfikar  Ramzan.  Identity-based  aggregate  signatures.  In  Moti  Yung,  editor, 
9th  Public  Key  Cryptography  ( PKC ),  volume  3958  of  Lecture  Notes  in  Computer  Science ,  pages 
257-273.  Springer,  2006. 

[30]  Shafi  Goldwasser,  Silvio  Micali,  and  Ronald  L.  Rivest.  A  digital  signature  scheme  secure 
against  adaptive  chosen-message  attacks.  SIAM  J.  Computing ,  17(2),  1988. 

[31]  R.  Granger  and  N.P.  Smart.  On  computing  products  of  pairings,  2006.  Cryptology  ePrint 
Archive:  Report  2006/172. 

[32]  Lein  Harn.  Batch  verifying  multiple  DSA  digital  signatures.  Electronics  Letters,  34(9):870-871, 
1998. 

[33]  Lein  Harn.  Batch  verifying  multiple  RSA  digital  signatures.  Electronics  Letters,  34(12):1219- 
1220,  1998. 

[34]  Fumitaka  Hoshino,  Masayuki  Abe,  and  Tetsutaro  Kobayashi.  Lenient/strict  batch  verification 
in  several  groups.  In  George  I.  Davida  and  Yair  Frankel,  editors,  fth  Information  Security , 
volume  2200  of  Lecture  Notes  in  Computer  Science,  pages  81-94.  Springer,  2001. 

[35]  Min-Shiang  Hwang,  Cheng-Chi  Lee,  and  Yuan-Liang  Tang.  Two  simple  batch  verifying  mul¬ 
tiple  digital  signatures.  In  Sihan  Qing,  Tatsuaki  Okamoto,  and  Jianying  Zhou,  editors,  3rd 
Information  and  Communications  Security  ( ICICS ),  volume  2229  of  Lecture  Notes  in  Com¬ 
puter  Science,  pages  233-237.  Springer,  2001. 

23 

Approved  for  Public  Release;  Distribution  Unlimited. 

912 


[36]  Min-Shiang  Hwang,  Iuon-Chang  Lin,  and  Kuo-Feng  Hwang.  Cryptanalysis  of  the  batch  verify¬ 
ing  multiple  RSA  digital  signatures.  Informatica,  Lithuanian  Academy  of  Sciences,  11(1) :  15— 
19,  2000. 

[37]  IEEE.  5.9  GHz  Dedicated  Short  Range  Communications,  http://grouper.ieee.org/ 
groups/ scc32/dsrc. 

[38]  Neal  Koblitz  and  Alfred  Menezes.  Pairing-based  cryptography  at  high  security  levels,  2005. 
Cryptology  ePrint  Archive:  Report  2005/076. 

[39]  Chi-Sung  Laih  and  Sung-Ming  Yen.  Improved  digital  signature  suitable  for  batch  verification. 
IEEE  Transactions  on  Computers ,  44(7):957-959,  1995. 

[40]  Olaf  Landsiedel,  Klaus  Wehrle,  and  Stefan  Gotz.  Accurate  prediction  of  power  consumption 
in  sensor  networks.  In  IEEE  Workshop  on  Embedded  Networked  Sensors  ( EmNetS-Il ),  2005. 

[41]  Laurie  Law  and  Brian  J.  Matt.  Finding  invalid  signatures  in  pairing-based  batches.  In  Steven  D. 
Galbraith,  editor,  Cryptography  and  Coding,  11th  IMA  International  Conference,  volume  4887 
of  Lecture  Notes  in  Computer  Science,  pages  34-53.  Springer,  2007. 

[42]  Seungwon  Lee,  Seongje  Cho,  Jongmoo  Choi,  and  Yookun  Cho.  Efficient  identification  of  bad 
signatures  in  RSA-type  batch  signature.  IEICE  Transactions  on  Fundamentals  of  Electronics, 
Communications  and  Computer  Sciences,  E89-A(l):74-80,  2006. 

[43]  C.  Lim  and  P.  Lee.  Security  of  interactive  DSA  batch  verification.  In  Electronics  Letters, 
volume  30(19),  pages  1592-1593,  1994. 

[44]  Chae  Hoon  Lim.  Efficient  multi-exponentation  and  application  to  batch  verification  of  digital 
signatures,  2000.  http : //dasan . se j ong . ac . kr/~chlim/ english_pub . html. 

[45]  Anna  Lysyanskaya,  Ronald  L.  Rivest,  Amit  Sahai,  and  Stefan  Wolf.  Pseudonym  systems.  In 
Carlisle  Adams  and  Howard  Heys,  editors,  6th  Selected  Areas  in  Cryptography  (SAC),  volume 
1758  of  Lecture  Notes  in  Computer  Science,  pages  184-199.  Springer,  1999. 

[46]  Alfred  Menezes,  Scott  Vanstone,  and  Tatsuaki  Okamoto.  Reducing  elliptic  curve  logarithms 
to  logarithms  in  a  finite  field.  In  23rd  ACM  Symposium  on  Theory  of  Computing  (STOC), 
pages  80-89,  1991. 

[47]  D.  Naccache.  Secure  and  practical  identity-based  encryption,  2005.  Cryptology  ePrint  Archive: 
Report  2005/369. 

[48]  David  Naccache,  David  M’Rai'hi,  Serge  Vaudenay,  and  Dan  Raphaeli.  Can  DSA  be  improved? 
complexity  trade-offs  with  the  digital  signature  standard.  In  Alfredo  De  Santis,  editor,  Ad¬ 
vances  in  Cryptology  -  EUROCRYPT  ’94,  volume  950  of  Lecture  Notes  in  Computer  Science, 
pages  77-85.  Springer,  1994. 

[49]  Maxim  Raya  and  Jean-Pierre  Hubaux.  Securing  vehicular  ad  hoc  networks.  Journal  of  Com¬ 
puter  Security,  15:39-68,  2007. 

[50]  SeVeCom.  Security  on  the  road,  http://www.sevecom.org. 


24 

Approved  for  Public  Release;  Distribution  Unlimited. 

913 


[51]  Hovav  Shacham  and  Dan  Boneh.  Improving  SSL  handshake  performance  via  batching.  In  David 
Naccache,  editor,  Cryptographer’s  Track  at  RSA  Conference  ’01,  volume  2020  of  Lecture  Notes 
in  Computer  Science,  pages  28-43.  Springer,  2001. 

[52]  Martin  Stanek.  Attacking  LCCC  batch  verification  of  RSA  signatures,  2006.  Cryptology  ePrint 
Archive:  Report  2006/111. 

[53]  Brent  Waters.  Efficient  identity-based  encryption  without  random  oracles.  In  Ronald  Cramer, 
editor,  Advances  in  Cryptology  -  EUROCRYPT  '05,  volume  3494  of  Lecture  Notes  in  Computer 
Science ,  pages  320-329.  Springer,  2005. 

[54]  HyoJin  Yoon,  Jung  Hee  Cheon,  and  Yongdae  Kim.  Batch  verifications  with  ID-based  signa¬ 
tures.  In  Choonsik  Park  and  Seongtaek  Chee,  editors,  7th  Information  Security  and  Cryptology 
(ICISC),  volume  3506  of  Lecture  Notes  in  Computer  Science,  pages  233-248.  Springer,  2004. 

[55]  Fangguo  Zhang  and  Kwangjo  Kim.  Efficient  ID-based  blind  signature  and  proxy  signature  from 
bilinear  pairings.  In  Reihaneh  Safavi-Naini  and  Jennifer  Seberry,  editors,  8th  Information 
Security  and  Privacy,  Australasian  Conference  (ACISP),  volume  2727  of  Lecture  Notes  in 
Computer  Science ,  pages  312-323.  Springer,  2003. 

[56]  Fangguo  Zhang,  Reihaneh  Safavi-Naini,  and  Willy  Susilo.  Efficient  verifiably  encrypted  signa¬ 
ture  and  partially  blind  signature  from  bilinear  pairings.  In  Thomas  Johansson  and  Subhamoy 
Maitra,  editors,  Progress  in  Cryptology  -  INDOCRYPT  '03,  volume  2904  of  Lecture  Notes  in 
Computer  Science ,  pages  191-204.  Springer,  2003. 


25 

Approved  for  Public  Release;  Distribution  Unlimited. 

914 


Outsourcing  the  Decryption  of  ABE  Ciphertexts 


Matthew  Green  Susan  Hohenberger* 

Johns  Hopkins  University  Johns  Hopkins  University 


Brent  Waters  ' 

University  of  Texas  at  Austin 


Abstract 

Attribute-based  encryption  (ABE)  is  a  new  vision  for 
public  key  encryption  that  allows  users  to  encrypt  and 
decrypt  messages  based  on  user  attributes.  For  example, 
a  user  can  create  a  ciphertext  that  can  be  decrypted  only 
by  other  users  with  attributes  satisfying  (“Faculty”  OR 
(“PhD  Student”  AND  “Quals  Completed”)).  Given  its 
expressiveness,  ABE  is  currently  being  considered  for 
many  cloud  storage  and  computing  applications.  How¬ 
ever,  one  of  the  main  efficiency  drawbacks  of  ABE  is  that 
the  size  of  the  ciphertext  and  the  time  required  to  decrypt 
it  grows  with  the  complexity  of  the  access  formula. 

In  this  work,  we  propose  a  new  paradigm  for  ABE  that 
largely  eliminates  this  overhead  for  users.  Suppose  that 
ABE  ciphertexts  are  stored  in  the  cloud.  We  show  how 
a  user  can  provide  the  cloud  with  a  single  transformation 
key  that  allows  the  cloud  to  translate  any  ABE  ciphertext 
satisfied  by  that  user’s  attributes  into  a  (constant-size)  El 
Gamal-style  ciphertext,  without  the  cloud  being  able  to 
read  any  part  of  the  user’s  messages. 

To  precisely  define  and  demonstrate  the  advantages  of 
this  approach,  we  provide  new  security  definitions  for 
both  CPA  and  replayable  CCA  security  with  outsourc¬ 
ing,  several  new  constructions,  an  implementation  of  our 
algorithms  and  detailed  performance  measurements.  In  a 
typical  configuration,  the  user  saves  significantly  on  both 
bandwidth  and  decryption  time,  without  increasing  the 
number  of  transmissions. 
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1  Introduction 

Traditionally,  we  have  viewed  encryption  as  a  method 
for  one  user  to  encrypt  data  to  another  specific  targeted 
party,  such  that  only  the  target  recipient  can  decrypt  and 
read  the  message.  However,  in  many  applications  a  user 
might  often  wish  to  encrypt  data  according  to  some  pol¬ 
icy  as  opposed  to  specified  set  of  users.  Trying  to  realize 
such  applications  on  top  of  a  traditional  public  key  mech¬ 
anism  poses  a  number  of  difficulties.  For  instance,  a  user 
encrypting  data  will  need  to  have  a  mechanism  which 
allows  him  to  look  up  all  parties  that  have  access  creden¬ 
tials  or  attributes  that  match  his  policy.  These  difficul¬ 
ties  are  compounded  if  a  party’s  credentials  themselves 
might  be  sensitive  (e.g.,  the  set  of  users  with  a  Top  SE¬ 
CRET  clearance)  or  if  a  party  gains  credentials  well  after 
data  is  encrypted  and  stored. 

To  address  these  issues,  a  new  vision  of  encryption 
was  put  forth  by  Sahai  and  Waters  [38]  called  Attribute- 
Based  Encryption  (ABE).  In  an  ABE  system,  a  user  will 
associate  an  encryption  of  a  message  M  with  an  function 
/(•),  representing  an  access  policy  associated  with  the 
decryption.  A  user  with  a  secret  key  that  represents  their 
set  of  attributes  (e.g.,  credentials)  S  and  will  be  able  to 
decrypt  a  ciphertext  associated  with  function  /(•)  if  and 
only  if  f(S')  =  1.  Since  the  introduction  of  ABE  there 
have  been  several  other  works  proposing  different  vari¬ 
ants  [24,  7,  14,  36,  23,  42,  15,  28,  35]  extending  both 
functionality  and  refining  security  proof  techniques.  1 

One  property  that  all  of  these  ABE  systems  have  is 
that  both  the  ciphertext  size  and  time  for  decryption  grow 
with  the  size  of  the  access  formula  /.  Roughly,  cur¬ 
rent  efficient  ABE  realizations  are  set  in  pairing-based 
groups  where  the  ciphertexts  require  two  group  elements 
for  every  node  in  the  formula  and  decryption  will  require 

A  more  general  concept  of  functional  encryption  [11]  allows  for 
more  general  functions  to  be  computed  on  the  encrypted  data  and  en¬ 
compasses  work  such  as  searching  on  encrypted  data  and  predicate  en¬ 
cryption  [10,  2,  12,  39,  27], 
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Figure  1:  Summary  of  ABE  outsourcing  results.  Above  s  denotes  the  size  of  an  attribute  set,  l  refers  to  an  LSSS  access 
structure  with  an  l  x  n  matrix,  k  is  the  message  bit  length  in  RCCA  schemes,  and  P.  Eq .  Ej  stand  for  the  maximum  time 
to  compute  a  pairing,  exponentiation  in  G  and  exponentiation  in  G j  respectively.  We  ignore  non-dominant  operations. 
All  schemes  are  in  the  selective  security  setting.  We  discuss  methods  for  moving  to  adaptive  security  in  Section  5.1. 


a  pairing  for  each  node  in  the  satisfied  formula.  While 
conventional  desktop  computers  should  be  able  to  handle 
such  a  task  for  typical  formula  sizes,  this  presents  a  sig¬ 
nificant  challenge  for  users  that  manage  and  view  private 
data  on  mobile  devices  where  processors  are  often  one  to 
two  orders  of  magnitude  slower  than  their  desktop  coun¬ 
terparts  and  battery  life  is  a  persistent  problem.  Interest¬ 
ingly,  in  tandem  there  has  emerged  the  ability  for  users 
to  buy  on-demand  computing  from  cloud-based  services 
such  as  Amazon’s  EC2  and  Microsoft’s  Windows  Azure. 

Can  cloud  services  be  securely  used  to  outsource  de¬ 
cryption  in  Attribute-Based  Encryption  systems?  A 
naive  first  approach  would  be  for  a  user  to  simply  hand 
over  their  secret  key,  SK,  to  the  outsourcing  service. 
The  service  could  then  simply  decrypt  all  ciphertexts  re¬ 
quested  by  the  user  and  then  transmit  the  decrypted  data. 
However,  this  requires  complete  trust  of  the  outsourc¬ 
ing  service;  using  the  secret  key  the  outsourcing  service 
could  read  any  encrypted  message  intended  for  the  user. 

A  second  approach  might  be  to  leverage  recent  out¬ 
sourcing  techniques  [20,  17]  based  on  Gentry’s  [21]  fully 
homomorphic  encryption  system.  These  give  outsourc¬ 
ing  for  general  computations  and  importantly  preserve 
the  privacy  of  the  inputs  so  that  the  decryption  keys  and 
messages  can  remain  hidden.  Unfortunately,  the  over¬ 
head  for  these  systems  is  currently  impractical.  Gentry 
and  Halevi  [22]  showed  that  even  for  weak  security  pa¬ 
rameters  one  “bootstrapping”  operation  of  the  homomor¬ 
phic  operation  would  take  at  least  30  seconds  on  a  high 
performance  machine  (and  30  minutes  for  the  high  se¬ 
curity  parameter).  Since  one  such  operation  would  only 
count  for  a  small  constant  number  of  gates  in  the  overall 
computation,  this  would  need  to  be  repeated  many  times 
to  evaluate  an  ABE  decryption  using  the  methods  above. 

Closer  to  practice,  we  might  leverage  recent  tech¬ 
niques  on  secure  outsourcing  of  pairings  [16].  These 
techniques  allow  a  client  to  outsource  a  pairing  operation 
to  a  server.  However,  the  solutions  presented  in  [16]  still 
require  the  client  to  compute  multiple  exponentiations  in 
the  target  group  for  every  pairing  it  outsources.  These  ex¬ 


ponentiations  can  be  quite  expensive  and  the  work  of  the 
client  will  still  be  proportional  to  the  size  of  the  policy 
/.  Moreover,  every  pairing  operation  in  the  original  pro¬ 
tocol  will  trigger  four  pairings  do  be  done  by  the  proxy. 
Thus,  the  total  workload  is  increased  by  a  factor  of  at 
least  four  from  the  original  decryption  algorithm,  and  the 
client’s  bandwidth  requirements  may  actually  increase. 
Given  these  drawbacks,  we  aim  for  an  ABE  outsourcing 
system  that  is  secure  and  imposes  minimal  overhead. 

Our  Contributions.  We  give  new  methods  for  effi¬ 
ciently  and  securely  outsourcing  decryption  of  ABE  ci¬ 
phertexts.  The  core  change  to  outsourceable  ABE  sys¬ 
tems  is  a  modified  Key  Generation  algorithm  that  pro¬ 
duces  two  keys.  The  first  key  is  a  short  El  Gamal  [19] 
type  secret  key  that  must  be  kept  private  by  the  user.  The 
second  is  what  we  call  a  “transformation  key”,  TK,  that 
is  shared  with  a  proxy  (and  can  be  publicly  distributed). 
If  the  proxy  then  receives  a  ciphertext  CT  for  a  func¬ 
tion  /  for  which  the  user’s  credentials  satisfy,  it  is  then 
able  to  use  the  key  TK  to  transform  CT  into  a  simple  and 
short  El  Gamal  ciphertext  CT'  of  the  same  message  en¬ 
crypted  under  the  user’s  key  SK.  The  user  is  then  able  to 
decrypt  with  one  simple  exponentiation.  Our  system  is 
secure  against  any  malicious  proxy.  Moreover,  the  com¬ 
putational  effort  of  the  proxy  is  no  more  than  that  used  to 
decrypt  a  ciphertext  in  a  standard  ABE  system. 

To  achieve  our  results,  we  create  what  we  call  a  new 
key  blinding  technique.  At  a  high  level,  the  new  out¬ 
sourced  key  generation  algorithm  will  first  run  a  key  gen¬ 
eration  algorithm  from  an  existing  bilinear  map  based 
ABE  scheme  such  as  [24,  42],  Then  it  will  choose  a 
blinding  factor  exponent  z  C  Zp  (for  groups  of  prime  or¬ 
der  p)  and  raise  all  elements  to  z~  1  (mod  p).  This  will 
produce  the  transformation  key  TK,  while  the  blinding 
factor  z  can  serve  as  the  secret  key. 

We  show  that  we  are  able  to  adapt  our  outsourcing 
techniques  to  both  the  “Ciphertext-Policy”  (CP-ABE) 
and  “Key-Policy”  (KP-ABE)  types  of  ABE  systems.2  To 

“CP-ABE  systems  behave  as  we  outlined  above  where  a  ciphertext 
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Figure  2:  Illustration  of  how  ABE  ciphertexts  are  fetched 
today. 
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Figure  3:  Outsourcing  the  Decryption:  Illustration  of 
how  ABE  ciphertexts  could  be  transformed  by  a  proxy 
into  much  shorter  El  Gamal-style  ciphertexts. 


achieve  our  KP-ABE  and  CP-ABE  outsourcing  systems 
we  respectively  apply  our  methodology  to  the  construc¬ 
tions  of  Goyal  et  al.  [24]  and  Waters  [42].  To  prove  se¬ 
curity  of  the  systems  we  must  show  that  they  remain  se¬ 
cure  even  in  the  presence  of  an  attacker  that  acts  as  a 
user’s  proxy.  Our  first  systems  and  proofs  model  seman¬ 
tic  security  for  an  attacker  that  tries  to  eavesdrop  on  the 
user.  We  then  extend  our  systems  and  proofs  to  chosen 
ciphertext  attacks  where  the  attack  might  query  the  user’s 
decryption  routine  on  maliciously  formed  ciphertexts  to 
compromise  privacy.  Our  solutions  in  this  setting  apply 
the  random  oracle  heuristic  to  achieve  efficiency  near  the 
chosen  plaintext  versions. 

Typical  Usage  Scenarios.  We  envision  a  typical  usage 
scenario  in  Figures  2  and  3.  Here  a  client  sends  a  single 
transformation  key  once  to  the  proxy,  who  can  then  re¬ 
trieve  (potentially  large)  ABE  ciphertexts  that  the  user  is 
interested  in  and  forward  to  her  (small,  constant-size)  El 
Gamal-type  ciphertexts.  The  proxy  could  be  the  client’s 
mail  server,  or  the  ciphertext  server  and  the  proxy  could 
be  the  same  entity,  as  in  a  cloud  environment. 

The  savings  in  bandwidth  and  local  computation  time 
for  the  client  are  immediate:  a  transformed  ciphertext 
is  always  smaller  and  faster  to  decrypt  than  an  ABE  ci¬ 
phertext  of  [24,  42]  (for  any  policy  size).  'We  emphasize 
in  this  useage  scenario  that  the  number  of  transmissions 
will  be  the  same  as  in  the  prior  (non-outsourced)  solu¬ 
tions.  Thus,  the  power  consumption  can  only  improve 
with  faster  computations  and  smaller  transmissions. 

Implementation  and  Evaluation.  To  evaluate  our  out¬ 
sourcing  systems,  we  implemented  the  CP-ABE  version 

is  associated  with  a  boolean  access  formula  /  and  a  user’s  key  is  a  set  of 
attributes  x,  where  a  user  can  decrypt  if  f(x)  =  1.  KP-ABE  is  useful  in 
applications  where  we  want  to  have  the  mirror  image  semantics  where 
the  attributes  x  are  associated  with  a  ciphertext  and  an  access  formula 
/  with  the  key. 


and  tested  it  in  an  outsourcing  environment.  Our  imple¬ 
mentation  modified  part  of  the  libfenc  [25]  library,  which 
includes  a  current  CP-ABE  implementation.  We  con¬ 
ducted  our  experiments  on  both  an  ARM-based  mobile 
device  and  an  Intel  server  to  model  the  user  device  and 
proxy  respectively. 

Outsourcing  decryption  resulted  in  significant  practi¬ 
cal  benefits.  Decrypting  on  an  ABE  ciphertext  contain¬ 
ing  100  attributes,  we  found  that  without  the  use  of  a 
proxy  the  mobile  device  would  require  about  30  seconds 
of  computation  time  and  drain  a  significant  amount  of 
the  device’s  battery.  When  we  applied  our  outsourcing 
technique,  decrypting  the  ciphertext  took  2  seconds  on 
our  Intel  server  and  approximately  60  milliseconds  on 
the  mobile  device  itself. 

To  demonstrate  compatibility  with  existing  infrastruc¬ 
ture,  we  constructed  a  re-usable  platform  for  outsourcing 
decryption  using  the  Amazon  EC2  service.  Our  proxy  is 
deployed  as  a  public  Amazon  Machine  Image  that  can  be 
programmatically  instantiated  by  any  application  requir¬ 
ing  acceleration. 

In  addition  to  the  core  benefits  of  outsourcing,  we  dis¬ 
covered  other  collateral  advantages.  In  existing  ABE  im¬ 
plementations  [6,  25]  much  of  the  decryption  code  is 
dedicated  to  determining  how  a  policy  is  satisfied  by  a 
key  and  executing  the  corresponding  pairing  computa¬ 
tions  of  decryption.  In  our  outsourcing  solution,  most 
of  this  code  is  pushed  into  the  untrusted  transformation 
algorithm,  leaving  only  a  much  smaller  portion  on  the 
user’s  device.  This  has  two  advantages.  First,  the  amount 
of  decryption  code  that  needs  to  reside  on  a  resource  con¬ 
strained  user  device  will  be  smaller.  Actually,  all  bilinear 
map  operations  can  be  pushed  outside.  Second,  this  par¬ 
titioning  will  dramatically  decrease  the  size  of  the  trusted 
code  base,  removing  thousands  of  lines  of  complex  pars¬ 
ing  code.  Even  without  using  outsourcing,  this  partition¬ 
ing  of  code  is  useful. 

Related  Work:  Proxy  Re-Encryption.  In  this  work,  we 
show  how  to  delegate  (in  a  true  offline  sense)  the  ability 
to  transform  an  ABE  ciphertext  on  message  m  into  an 
El  Gamal-style  ciphertext  on  the  same  m,  without  learn¬ 
ing  anything  about  m.  This  is  similar  to  the  concept  of 
proxy  re-encryption  [8,  4]  where  an  untrusted  proxy  is 
given  a  re-encryption  key  that  allows  it  to  transform  an 
encryption  under  Alice’s  key  of  m  into  an  encryption  un¬ 
der  Bob’s  key  of  the  same  m,  without  allowing  the  proxy 
to  learn  anything  about  m. 

2  Background 

We  first  give  the  security  definitions  for  ABE  with  out¬ 
sourcing.  We  then  give  background  information  on  bi¬ 
linear  maps.  Finally,  we  provide  formal  definitions  for 
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access  structures  and  relevant  background  on  Linear  Se¬ 
cret  Sharing  Schemes  (LSSS),  as  taken  from  [42], 

Types  of  ABE.  We  consider  two  distinct  varieties 
of  Attribute-Based  Encryption:  Ciphertext-Policy  (CP- 
ABE)  and  Key-Policy  (KP-ABE).  In  CP-ABE  an  access 
structure  (policy)  is  embedded  into  the  ciphertext  during 
encryption,  and  each  decryption  key  is  based  an  some 
attribute  set  S.  KP-ABE  inverts  this  relationship,  embed¬ 
ding  S  into  the  ciphertext  and  a  policy  into  the  key.3  We 
capture  both  paradigms  in  a  generalized  ABE  definition. 

2.1  Access  Structures 

Definition  1  (Access  Structure  [5])  Let  {P\,  P2,  . . .,  P„} 

be  a  set  of  parties.  A  collection  A  C  2'Pi  / s  mono¬ 

tone  if\/B,C  :  if  B  £  A  and  B  C  C  then  C  £  A.  An  access 
structure  (respectively,  monotone  access  structure)  is  a 
collection  (resp.,  monotone  collection)  A  of  non-empty 
subsets  of  {Pi, Pi,..., Pn},  i.e.,  A  C  2'f/>1’/>2’  ’’/>"^\{0}. 
The  sets  in  A  are  called  the  authorized  sets,  and  the  sets 
not  in  A  are  called  the  unauthorized  sets. 

In  our  context,  the  role  of  the  parties  is  taken  by  the 
attributes.  Thus,  the  access  structure  A  will  contain  the 
authorized  sets  of  attributes.  We  restrict  our  attention  to 
monotone  access  structures.  However,  it  is  also  possible 
to  (inefficiently)  realize  general  access  structures  using 
our  techniques  by  defining  the  “not”  of  an  attribute  as 
a  separate  attribute  altogether.  Thus,  the  number  of  at¬ 
tributes  in  the  system  will  be  doubled.  From  now  on, 
unless  stated  otherwise,  by  an  access  structure  we  mean 
a  monotone  access  structure. 

2.2  ABE  with  Outsourcing 

Let  S  represent  a  set  of  attributes,  and  A  an  access  struc¬ 
ture.  For  generality,  we  will  define  ( hncfkey )  as  the  in¬ 
puts  to  the  encryption  and  key  generation  function  re¬ 
spectively.  In  a  CP-ABE  scheme  (Jencfkey)  =  (A, S), 
while  in  a  KP-ABE  scheme  we  will  have  (lencfkey)  - 
(5,  A).  A  CP-ABE  (resp.  KP-ABE)  scheme  with  out¬ 
sourcing  functionality  consists  of  five  algorithms: 

Setu  p(A ,  U).  The  setup  algorithm  takes  security  param¬ 
eter  and  attribute  universe  description  as  input.  It  outputs 
the  public  parameters  PK  and  a  master  key  MK. 

Encrypt(PK,  M .  Ienc).  The  encryption  algorithm  takes 
as  input  the  public  parameters  PK,  a  message  M.  and  an 

3More  intuitively,  CP-ABE  is  often  suggested  as  a  means  to  imple¬ 
ment  role-based  access  control,  where  the  user’s  key  attributes  corre¬ 
spond  the  long-term  roles  and  ciphertexts  carry  an  access  policy.  Key- 
Policy  ABE  is  more  appropriate  in  applications  where  ciphertexts  may 
be  tagged  with  attributes  {e.g.,  relating  to  message  content),  and  each 
user’s  access  to  these  ciphertexts  determined  by  a  policy  in  their  de¬ 
cryption  key.  For  more  on  applications,  see  e.g.,  [37], 


access  structure  (resp.  attribute  set)  Ienc.  It  outputs  the 
ciphertext  CT. 

KevGen„,(/ (MK .  4Y,V).  The  key  generation  algorithm 
takes  as  input  the  master  key  MK  and  an  attribute  set 
(resp.  access  structure)  fey  and  outputs  a  private  key  SK 
and  a  transformation  key  TK. 

TransformfTK,  CT).  The  ciphertext  transformation  al¬ 
gorithm  takes  as  input  a  transformation  key  TK  for  fey 
and  a  ciphertext  CT  that  was  encrypted  under  Ienc.  It  out¬ 
puts  the  partially  decrypted  ciphertext  CT'  if  S  £  A  and 
the  error  symbol  _L  otherwise. 

Decrypts,  (SK,  CT').  The  decryption  algorithm  takes  as 
input  a  private  key  SK  for  4ev  and  a  partially  decrypted 
ciphertext  CT'  that  was  originally  encrypted  under  Ienc. 
It  outputs  the  message  M  if  S  £  A  and  the  error  symbol 
_L  otherwise.4 

Why  RCCA  security?  We  describe  a  security  model  for 
ABE  that  support  outsourcing.  We  want  a  very  strong 
notion  of  security.  The  traditional  notion  of  security 
against  adaptive  chosen-ciphertext  attacks  (CCA)  is  a  bit 
too  strong  since  it  does  not  allow  any  bit  of  the  cipher- 
text  to  be  altered,  and  the  purpose  of  our  outsourcing  is 
to  compress  the  size  of  the  ciphertext.  We  thus  adopt 
a  relaxation  due  to  Canetti,  Krawczyk  and  Nielsen  [13] 
called  replayable  CCA  security,  which  allows  modifica¬ 
tions  to  the  ciphertext  provided  they  cannot  change  the 
underlying  message  in  a  meaningful  way. 

RCCA  Security  Model  for  ABE  with  Outsourcing.  Fig¬ 
ure  4  describes  a  generalized  RCCA  security  game  for 
both  KP-ABE  and  CP-ABE  schemes  with  outsourcing. 
We  define  the  advantage  of  an  adversary  srf  in  this  game 
asPr  [b'  =  b\-\. 

Definition  2  (RCCA-Secure  ABE  with  Outsourcing) 

A  CP-ABE  or  KP-ABE  scheme  with  outsourcing  is 
RCCA -secure  (or  secure  against  replayable  chosen- 
ciphertext  attacks)  if  all  polynomial  time  adversaries 
have  at  most  a  negligible  advantage  in  the  RCCA  game 
defined  above. 

CPA  Security.  We  say  that  a  system  is  CPA-secure  (or 
secure  against  chosen-plaintext  attacks)  if  we  remove  the 
Decrypt  oracle  in  both  Phase  1  and  2. 

Selective  Security.  We  say  that  a  CP-ABE  (resp.  KP- 
ABE)  system  is  selectively  secure  if  we  add  an  Init  stage 
before  Setup  where  the  adversary  commits  to  the  chal¬ 
lenge  value  I*nc. 


4Note  that  we  can  implement  the  standard  (non-outsourced)  ABE 
Decrypt  algorithm  by  combining  Transform  and  Decrypts . 
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Setup.  The  challenger  runs  the  Setup  algorithm  and  gives  the  public  parameters,  PK  to  the  adversary. 

Phase  1.  The  challenger  initializes  an  empty  table  T ,  an  empty  set  D  and  an  integer  j  =  0.  Proceeding  adaptively, 
the  adversary  can  repeatedly  make  any  of  the  following  queries: 

•  Create!/^):  The  challenger  sets  j  :=  j  +  1.  It  runs  the  outsourced  key  generation  algorithm  on  to  obtain  the 
pair  (SK,TK)  and  stores  in  table  T  the  entry  (j,4ey,SK,TK).  It  then  returns  to  the  adversary  the  transformation 
keyTK. 

Note:  Create  can  be  repeatedly  queried  with  the  same  input. 

•  Corrupt(i):  If  there  exists  an  i'h  entry  in  table  T,  then  the  challenger  obtains  the  entry  (i,  4cy.  SK.  TK)  and  sets 
D  :=  DU  {I key}-  It  then  returns  to  the  adversary  the  private  key  SK.  If  no  such  entry  exists,  then  it  returns  _L. 

•  Dccrypt(f.CT):  If  there  exists  an  ith  entry  in  table  T,  then  the  challenger  obtains  the  entry  (7.  4,.v,  SK.  TK  )  and 
returns  to  the  adversary  the  output  of  the  decryption  algorithm  on  input  (SK,CT).  If  no  such  entry  exists,  then 
it  returns  _L. 

Challenge.  The  adversary  submits  two  equal  length  messages  Mq  and  M\ .  In  addition  the  adversary  gives  a  value 
I*nc  such  that  for  all  I  key  G  D,  ffkey-f}nc)  7^  1-  The  challenger  flips  a  random  coin  b,  and  encrypts  Mi,  under  I*nc.  The 
resulting  ciphertext  CT*  is  given  to  the  adversary. 

Phase  2.  Phase  1  is  repeated  with  the  restrictions  that  the  adversary  cannot 

•  trivially  obtain  a  private  key  for  the  challenge  ciphertext.  That  is,  it  cannot  issue  a  Corrupt  query  that  would 
result  in  a  value  Ikey  which  satisfies  f  {l key  fine)  =  I  being  added  to  D. 

•  issue  a  trivial  decryption  query.  That  is.  Decrypt  queries  will  be  answered  as  in  Phase  1,  except  that  if  the 
response  would  be  either  Mq  or  M\,  then  the  challenger  responds  with  the  special  message  test  instead. 

Guess.  The  adversary  outputs  a  guess  b'  of  b. 


Figure  4:  Generalized  RCCA  Security  game  for  CP-  and  KP-ABE  with  outsourcing  functionality.  For  CP-ABE  we 
define  the  function  ffkeyfenc)  as  f(S.A)  and  for  KP-ABE  it  is  defined  as  /(A, S).  In  either  case  the  function  / 
evaluates  to  1  iff  S  €  A. 


2.3  Bilinear  Maps 

Let  G  and  Gt  be  two  multiplicative  cyclic  groups  of 
prime  order  p.  Let  g  be  a  generator  of  G  and  e:GxG-> 
Gj  be  a  bilinear  map  with  the  properties: 

1.  Bilinearity:  for  all  u,v  €  G  and  a.b  G  Zp,  we  have 
e(ua  ,vb)  =  e(u,v)ab . 

2.  Non-degeneracy:  e(g,g)  ^  1. 

We  say  that  G  is  a  bilinear  group  if  the  group  opera¬ 
tion  in  G  and  the  bilinear  map  e:GxG->  G  t  are  both 
efficiently  computable. 

The  schemes  we  present  in  this  work  are  provably 
secure  under  the  Decisional  Parallel  BDHE  Assump¬ 
tion  [42]  and  the  Decisional  Bilinear  Diffie-Hellman  as¬ 
sumption  (DBDH)  [9]  in  bilinear  groups.  For  reasons 
of  space  we  will  omit  a  definition  of  these  assumptions 
here,  and  refer  the  reader  to  the  cited  works. 


2.4  Linear  Secret  Sharing  Schemes 

We  will  make  essential  use  of  linear  secret-sharing 
schemes.  We  adapt  our  definitions  from  those  in  [5]: 

Definition  3  (Linear  Secret-Sharing  Schemes  (LSSS) ) 

A  secret-sharing  scheme  II  over  a  set  of  parties  S?  is 
called  linear  (over  Zp)  if 

1.  The  shares  of  the  parties  form  a  vector  over  Zp. 

2.  There  exists  a  matrix  M  with  £  rows  and  n  columns 
called  the  share-generating  matrix  for  II.  There  ex¬ 
ists  a  function  p  which  maps  each  row  of  the  matrix 
to  an  associated  party.  That  is  for  i  =  1 , . . . ,  £,  the 
value  p(i)  is  the  party  associated  with  row  i.  When 
we  consider  the  column  vector  v  =  [s,n, . . .  ,rn), 
where  s  £  Zp  is  the  secret  to  be  shared,  and 
ri,  ■  ■  ■ ,  rn  G  Zp  are  randomly  chosen,  then  Mv  is  the 
vector  of  i  shares  of  the  secret  s  according  to  II. 
The  share  (Mv),-  belongs  to  party  p(i). 

It  is  shown  in  [5]  that  every  linear  secret  sharing- 
scheme  according  to  the  above  definition  also  enjoys  the 
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linear  reconstruction  property,  defined  as  follows:  Sup¬ 
pose  that  II  is  an  LSSS  for  the  access  structure  A.  Let 
S  £  A  be  any  authorized  set,  and  let  IC{  1,2,...,*}  be 
defined  as  I  =  {i :  p (i)  £  5}.  Then,  there  exist  constants 
{ft);  €  1,p}iei  such  that,  if  {A;}  are  valid  shares  of  any  se¬ 
cret  s  according  to  n,  then  L;e/ft);A,  =  s.  It  is  shown 
in  [5]  that  these  constants  {ft),}  can  be  found  in  time 
polynomial  in  the  size  of  the  share-generating  matrix  M. 

Like  any  secret  sharing  scheme,  it  has  the  property  that 
for  any  unauthorized  set  S  A,  the  secret  s  should  be 
information  theoretically  hidden  from  the  parties  in  S. 

Note  on  Convention.  We  use  the  convention  that  vector 
(1,0,0, ...  ,0)  is  the  “target”  vector  for  any  linear  secret 
sharing  scheme.  For  any  satisfying  set  of  rows  7  in  M. 
we  will  have  that  the  target  vector  is  in  the  span  of  7. 

For  any  unauthorized  set  of  rows  7  the  target  vector  is 
not  in  the  span  of  the  rows  of  the  set  7.  Moreover,  there 
will  exist  a  vector  w  such  that  w •  (1,0,0. ..  ,0)  =  —  1  and 
w  ■  Mi  =  0  for  all  i  £  I. 

Using  Access  Trees.  Some  prior  ABE  works  (e.g.,  [24]) 
described  access  formulas  in  terms  of  binary  trees.  Using 
standard  techniques  [5]  one  can  convert  any  monotonic 
boolean  formula  into  an  LSSS  representation.  An  access 
tree  of  £  nodes  will  result  in  an  LSSS  matrix  of  i  rows. 

3  Outsourcing  Decryption  for  Ciphertext- 
Policy  ABE 

3.1  A  CPA-secure  Construction 

Our  CP-ABE  construction  is  based  on  the  “large  uni¬ 
verse”  construction  of  Waters  [42],  which  was  proven 
to  be  selectively  CPA-secure  under  the  Decisional  q- 
parallel  BDHE  assumption  for  a  challenge  matrix  of  size 
i*  x  n* ,  where  £* .  n*  <  q.5  The  Setup,  Encrypt  and  (non- 
outsourced)  Decrypt  algorithms  are  identical  to  [42],  To 
enable  outsourcing  we  modify  the  KeyGen  algorithm  to 
output  a  transformation  key.  We  also  define  a  new  Trans¬ 
form  algorithm,  and  modify  the  decryption  algorithm  to 
handle  outputs  of  Encrypt  as  well  as  Transform.  We 
present  the  full  construction  in  Figure  5. 

Discussion.  For  generality,  we  defined  the  transfor¬ 
mation  key  TK  as  being  created  by  the  master  author¬ 
ity.  However,  we  observe  that  our  outsourcing  approach 
above  is  actually  backwards  compatible  with  existing  de¬ 
ployments  of  the  Waters  system.  In  particular,  one  can 
see  that  any  existing  user  with  her  own  Waters  SK  can 
create  a  corresponding  outsourcing  pair  (SK',TK')  by 
rerandomizing  with  a  random  value  z. 


5  By  “large  universe”,  we  mean  a  system  that  allows  for  a  super¬ 
polynomial  number  of  attributes. 


Theorem  3.1  Suppose  the  large  universe  construction 
of  Waters  [42,  Appendix  C]  is  a  selectively  CPA-secure 
CP-ABE  scheme.  Then  the  CP-ABE  scheme  of  Figure  5 
is  a  selectively  CPA-secure  outsourcing  scheme. 

Note  that  the  Waters  scheme  of  [42]  was  proven  secure 
under  the  Decisional  ^-parallel  BDHE  assumption.  Due 
to  space  constraints,  we  omit  a  proof  of  Theorem  3.1. 
However,  we  observe  that  the  proof  techniques  are  quite 
similar  to  those  used  for  the  RCCA-secure  variant  we 
present  in  the  next  section. 

3.2  An  RCCA-secure  Construction 

We  now  extend  our  CPA-secure  system  to  achieve  the 
stronger  RCCA-security  guarantee.  To  do  so,  we  borrow 
some  techniques  from  Fujisaki  and  Okamoto  [18],  who 
(roughly)  showed  how  to  transform  a  CPA-secure  en¬ 
cryption  scheme  into  a  CCA-secure  encryption  scheme 
in  the  random  oracle  model.  Here  we  relax  to  RCCA- 
security  and  have  the  additional  challenge  of  preserving 
the  decryption  outsourcing  capability. 

The  Setup  and  KeyGen  algorithms  operate  exactly  as 
in  the  CPA-secure  scheme,  except  the  public  key  addi¬ 
tionally  includes  the  description  of  hash  functions  H\  : 
{0, 1  }*  -£Zp  and  H2  :  {0,1}*  {0, 1}*.  We  now  de¬ 

scribe  the  remaining  algorithms. 

Entry  pt,,,„ (PK, .,//  £  {0.  1  }k .  (M.p))  The  encryption 

algorithm  selects  a  random  R  £  Gy  and  then  com¬ 
putes  s  =  If  i  (R,./f/)  and  r  =  If(R).  It  then  computes 
(Ci,Di), . . . ,  (< C(,D( )  as  in  the  CPA-secure  construction 
of  Figure  5  (except  that  s  is  no  longer  chosen  randomly 
as  part  of  v).  The  ciphertext  is  published  as  CT  = 

C  =  R-e{g,g)as ,  C'=gs,  C"  =  © r, 

(Ci,Di),...,(Ce,De) 

along  with  a  description  of  access  structure  ( M,p ). 

Transform,,,,, (TK .  CT ).  The  transformation  algorithm 
recovers  the  value  e(g,g)sa/z  as  before.  It  outputs  the 
partially  decrypted  ciphertext  CT'  as  (C,C"  ,e(g,g)salz). 

Decrypt,,,,, (SK.  CT).  The  decryption  algorithm  takes 
as  input  a  private  key  SK  =  (z,TK)  and  a  ciphertext  CT. 
If  the  ciphertext  is  not  partially  decrypted,  then  the  algo¬ 
rithm  first  executes  T  ransform,,,,,  (TK.  CT).  If  the  output 
is  _L,  then  this  algorithm  outputs  _L  as  well.  Otherwise,  it 
takes  the  ciphertext  (7o,  T\,T2)  and  computes  R  =  To/Tf, 
Jf  =  Ti®H2 (R),  and .s  =  77, (R,  J?).lfTQ=R ■  e(g,g)as 
and  T2  =  e(g,g)as/z,  it  outputs  ;  otherwise,  it  outputs 
the  error  symbol  _L. 
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Setup(A, [/).  The  setup  algorithm  takes  as  input  a  security  parameter  and  a  universe  description  U.  To  cover  the  most  general 
case,  we  let  U  =  {0. 1}*.  It  then  chooses  a  group  G  of  prime  order  p,  a  generator  g  and  a  hash  function  F  that  maps  {0, 1}* 
to  G.a  In  addition,  it  chooses  random  exponents  a, a  6  Zp.  The  authority  sets  MSK  =  (g“,PK)  as  the  master  secret  key.  It 
publishes  the  public  parameters  as: 

PK  =  g,e(g,g)a,ga,F 

EncryptIPK,  (M,p))  The  encryption  algorithm  takes  as  input  the  public  parameters  PK  and  a  message  to  encrypt.  In 
addition,  it  takes  as  input  an  LSSS  access  structure  ( M.p ).  The  function  p  associates  rows  of  M  to  attributes.  Let  M  be  an 
£x  n  matrix.  The  algorithm  first  chooses  a  random  vector  v  =  (s,y2,--,yn)  £  Z£.  These  values  will  be  used  to  share  the 
encryption  exponent  For  i  =  1  to  l,  it  calculates  A;  =  v  ■  Mj,  where  M,  is  the  vector  corresponding  to  the  ith  row  of  M.  In 
addition,  the  algorithm  chooses  random  r\ , . . . ,  6  Zp.  The  ciphertext  is  published  as  CT  = 

C  =  y/-e(g,g)as,  C'  =  gs, 

(Q  =g^‘-F(p( l))-'\  D\  =gr>),-,(Q  =  ^'f(pWr'.  Dt  =gr>) 

along  with  a  description  of  ( M,p ). 

KeyGenOH,(MSK,5)  The  key  generation  algorithm  runs  KeyGen(MSK,  5)  to  obtain  SK'  =  (PKjA"'  =  gagat'  ,L!  =  g1'  ,{K[  = 
F(x)'  }xeS).  It  chooses  a  random  value  z  £  Z* .  It  sets  the  transformation  key  TK  as 

PK,  K  =  K'^  =  gWz)g°«lz)  =  gW*)gf*,  L  =  L'Vz  =  =  g',  {Kx}xes  =  {K^z}xeS 

and  the  private  key  SK  as  (z.TK). 

Transform,,^ (TK.CT)  The  transformation  algorithm  takes  as  input  a  transformation  key  TK  =  (PK,K,L,  for  a  set  S 

and  a  ciphertext  CT  =  (C,C',Ci , . . .  ,Q)  for  access  structure  ( M,p ).  If  S  does  not  satisfy  the  access  structure,  it  outputs  _L. 
Suppose  that  5  satisfies  the  access  structure  and  let  /  C  {1,2,. . .  ,1}  be  defined  as  /  =  {i :  p(i)  £  S}.  Then,  let  {to,  £  ^p}iel 
be  a  set  of  constants  such  that  if  {A/}  are  valid  shares  of  any  secret  ,v  according  to  M,  then  Y-ie-j  Ct»,A,  =  s.  The  transformation 
algorithm  computes 

e(C',K)/ (eOl-e/Cf'.L)  ■  A-p(0))  = 

e(g,gYa/ze(g,g)ast/  (n iae(g,g)ta^)  =  e{g,gya^ 

It  outputs  the  partially  decrypted  ciphertext  CT'  as  (C,  e(g,g)'!“/;:),  which  can  be  viewed  as  the  El  Gamal  ciphertext  (.-#  • 
Gzd,Gd)  where  G  =  e(g,g)l/z  e  G j  and  d  =  sa  G  Zp. 

Decrypts  (SK,  CT)  The  decryption  algorithm  takes  as  input  a  private  key  SK  =  (z.TK)  and  a  ciphertext  CT.  If  the  ciphertext  is 
not  partially  decrypted,  then  the  algorithm  first  executes  Transform^/  (TK,  CT).  If  the  output  is  T,  then  this  algorithm  outputs 
_L  as  well.  Otherwise,  it  takes  the  ciphertext  (7o,7i)  and  computes  Tq / Tf  =  ,J/,. 

Notice  that  if  the  ciphertext  is  already  partially  decrypted  for  the  user,  then  she  need  only  compute  one  exponentiation  and  no 
pairings  to  recover  the  message. 

“See  Waters  [42]  for  details  on  how  to  implement  this  hash  in  the  standard  model.  For  our  purposes,  one  can  think  of  F  as  a  random  oracle. 


Figure  5:  A  CPA-secure  CP- ABE  outsourcing  scheme  based  on  the  large-universe  construction  of  Waters  [42,  Ap¬ 
pendix  C], 
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Theorem  3.2  Suppose  the  large  universe  construction 
of  Waters  [42,  Appendix  C]  is  a  selectively  CPA-secure 
CP-ABE  scheme.  Then  the  outsourcing  scheme  above  is 
selectively  RCCA-secure  in  the  random  oracle  model  for 
large  message  spaces .6 7 

We  present  a  proof  of  Theorem  3.2  in  Appendix  A. 

4  Outsourcing  Decryption  for  Key-Policy 
ABE 

4.1  A  CPA-secure  Construction 

We  now  present  an  outsourcing  scheme  based  on  the 
large  universe  KP-ABE  construction  due  to  Goyal, 
Pandey,  Sahai  and  Waters  [24] .  The  Setup  and  Encrypt 
algorithms  are  identical  to  [24].  We  modify  KeyGen  to 
output  a  transformation  key,  introduce  a  Transform  algo¬ 
rithm,  and  then  modify  the  decryption  algorithm  to  han¬ 
dle  outputs  of  Encrypt  as  well  as  Transform.  The  full 
construction  is  presented  in  Figure  6. 

Theorem  4.1  Suppose  the  GPSW  KP-ABE  scheme  [24 ] 
is  selectively  CPA-secure.  Then  the  KP-ABE  scheme  of 
Figure  6  is  a  selectively  CPA-secure  outsourcing  scheme. 

Discussion.  As  in  the  previous  construction,  we  defined 
the  transformation  key  TK  as  being  created  by  the  master 
authority.  We  again  note  that  our  outsourcing  approach 
above  is  actually  backwards  compatible  with  existing  de¬ 
ployments  of  the  GPSW  system. 

Due  to  restrictions  on  space,  we  leave  the  proof  of  se¬ 
curity  to  the  full  version  of  this  work  [26]. 

4.2  An  RCCA-secure  construction 

We  now  extend  our  above  results,  which  only  hold  for 
CPA-security,  to  the  stronger  RCCA-security  guarantee. 
Once  again,  we  accomplish  this  using  the  techniques 
from  Fujisaki  and  Okamoto  [18].  The  Setup  and  Key- 
Gen  algorithms  operate  exactly  as  before,  except  the  pub¬ 
lic  key  additionally  includes  the  value  e(g,h)a  (which 
was  already  computable  from  existing  values)  and  the 
description  of  hash  functions  H\  :  {0,1}*  —y  hp  and 
H2  :  {0,1}*  ^{0,1}*. 

6 The  security  of  this  scheme  follows  for  large  message  spaces;  e.g., 
k- bit  spaces  where  k  >  A,  the  security  parameter.  To  obtain  a  secure 
scheme  for  smaller  message  spaces,  replace  C"  with  any  CPA-secure 
symmetric  encryption  of  ^  using  key  H2  (R)  and  let  the  range  of  H2  be 
the  key  space  of  this  symmetric  scheme.  Since  the  focus  of  this  work  is 
on  efficiency,  we’ll  typically  be  assuming  large  enough  message  spaces 
and  therefore  opting  for  the  quicker  XOR  operation. 

7 This  construction  was  originally  described  using  access  trees;  here 

we  generalize  it  to  LSSS  access  structures. 


Encrypt,rca(PK,„#  €  {0,1}*, S).  The  encryption  al¬ 
gorithm  chooses  a  random  R  £  Gt-  It  then  computes 
s  =  If  (R../f/)  and  r  =  H2(R).  For  each  x  £  S  it  gener¬ 
ates  Cx  as  in  the  CPA-secure  scheme.  The  ciphertext  is 
published  as  CT  = 

C  =  R  e(g,h)as,  C'  =  g\  C"  =r®Jf,  {Cx}xeS 

along  with  a  description  of  S. 

Transform«fa(TK,CT).  The  transformation  algorithm 
recovers  the  value  e(g,h)sa/z  as  before.  It  outputs  the 
partially  decrypted  ciphertext  CT'  as  (C,C"  ,e(g,h)salz). 

Decrypt,rca(SK,CT).  The  decryption  algorithm  takes 
as  input  a  private  key  SK  =  (z.  TK)  and  a  ciphertext  CT. 
If  the  ciphertext  is  not  partially  decrypted,  then  the  algo¬ 
rithm  first  executes  T  ransform,,,,,  (TK.  CT).  If  the  output 
is  _L,  then  this  algorithm  outputs  _L  as  well.  Otherwise,  it 
takes  the  ciphertext  (To,  T\,T2)  and  computes  R  =  Tq /Tf, 
.Jf  =  T\  ®H2 (R),  and  .?  =  //,  (R,  Jf).lfTQ=R  -e(g, h)as 
and  T2  =  e(g,h)aslz,  it  outputs  ;  otherwise,  it  outputs 
the  error  symbol  1. 

Theorem  4.2  Suppose  the  construction  of  GPSW  [24 ] 
is  a  selectively  CPA-secure  KP-ABE  scheme.  Then  the 
outsourcing  scheme  above  is  selectively  RCCA-secure  in 
the  random  oracle  model  for  large  message  spaces. 

See  the  footnote  on  Theorem  3.2  for  a  definition  and  dis¬ 
cussion  of  “large  message  spaces”.  We  present  a  proof 
of  Theorem  4.2  in  the  full  version  [26]  of  this  work. 

5  Discussion 

5.1  Achieving  Adaptive  Security 

The  systems  we  presented  were  proven  secure  in  the  se¬ 
lective  model  of  security.  We  briefly  sketch  how  we  can 
adapt  our  techniques  to  achieve  ABE  systems  that  are 
provably  secure  in  the  adaptive  model.8 

Recently,  the  first  ABE  systems  that  achieved  adap¬ 
tive  security  were  proposed  by  Lewko  el  al.  [28]  using 
the  techniques  of  Dual  System  Encryption  [41],  Since 
the  underlying  structure  of  the  KP-ABE  and  CP-ABE 
schemes  presented  by  Lewko  et  al.  is  almost  respectively 
identical  to  the  underlying  Goyal  et  al.  [24]  and  Wa¬ 
ters  [42]  systems  we  use,  it  is  possible  to  adapt  our  con¬ 
struction  techniques  to  these  underlying  constructions.9 

8We  briefly  note  that  it  is  simple  to  prove  adaptive  security  of  our 
schemes  in  the  generic  group  model  like  Bethencourt,  Sahai,  and  Wa¬ 
ters  [7],  Here  we  are  interested  in  proofs  under  non-interactive  assump¬ 
tions. 

''The  main  difference  in  terms  of  the  constructions  is  that  the  sys¬ 
tems  proposed  by  Lewko  et  al.  are  set  in  composite  order  groups  where 
the  “core  scheme”  sits  in  one  subgroup.  The  primary  novelty  of  their 
work  is  in  developing  adaptive  proofs  of  security  for  ABE  systems. 
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Setup(A,  [/).  The  setup  algorithm  takes  as  input  a  security  parameter  and  a  universe  description  U.  To  cover  the  most  general 
case,  we  let  U  =  {0, 1}*.  It  then  chooses  a  group  G  of  prime  order  p,  a  generator  g  and  a  hash  function  F  that  maps  {0, 1}* 
to  G.fl  In  addition,  it  chooses  random  values  a  £  Zp  and  h  £  G.  The  authority  sets  MSK  =  (a,PK)  as  the  master  secret  key. 
The  public  key  is  published  as 

PK  =  g,  ga ,  h,  F 

EncryptCPK,  ./Ft .  S).  The  encryption  algorithm  takes  as  input  the  public  parameters  PK,  a  message  ./Ft  to  encrypt,  and  a  set  of 
attributes  S.  It  chooses  a  random  s  £  Z p.  The  ciphertext  is  published  as  CT  =  (S.  C)  where 

C  =  J(-  e(g,h)as,  d  =  gs ,  {Cx  =  F(xY}xeS. 


KeyGen0„,  (MSK,  ( M,p )).  Parse  MSK  =  (a,PK).  The  key  generation  algorithm  runs  KeyGen((a,  PK),  (Af,p))  to  obtain  SK'  = 
(PK,)/))  =hYl  •  F(p(l))'Ji  ,R\  =  g'Ji ),...,  (/){,,  /?{)).  Next,  it  chooses  a  random  value  z  £  Zp,  computes  the  transformation  key 
TK  as  below,  and  outputs  the  private  key  as  (z,TK).  Denoting  FJz  as  r,-,  TK  is  computed  as: 

PK,  (D{  =  D'l/z  =  hX'/*  •  F(p(l))ri ,  Rt  =  R\l/z  (Dt  =  Rt  =  <A‘) 


Transform^, (TK,CT).  The  transformation  algorithm  takes  as  input  a  transformation  key  TK  =  (PK, (D\,R i ), . . . , (D(.R())  for 
access  structure  (M,p)  and  a  ciphertext  CT  =  (C,d ,  {C.r}xgs)  for  set  S.  If  5  does  not  satisfy  the  access  structure,  it  outputs 
_L.  Suppose  that  S  satisfies  the  access  structure  and  let  I  C  {1,2, ...,/}  be  defined  as  /  =  {/ :  p(i)  £  S}.  Then,  let  {co;  £  Z p},g/ 
be  a  set  of  constants  such  that  if  {A/}  are  valid  shares  of  any  secret  ,v  according  to  M,  then  Y.iel  The  transformation 

algorithm  computes 


yc.Y\d?)/{Y\^A 


iel 


iel 


-tCOj 

Mi 


=  e{g\X\h^,z.F{p(i)Y“*)/ 

iel 


II  e(gr‘,F(p(i)Y 

iel 


=  e(g,hYa/z-Ue(8S^(p(i)Y^)/  (x\e{gYF{p{i)Y<*) )  =  e(g,hYa/z 

iel  \iei  ) 

It  outputs  the  partially  decrypted  ciphertext  CT'  as  (C,e(g,h)sa/Z),  which  can  be  viewed  as  the  El  Gamal  ciphertext  Y//  ■ 
Gzd ,Gd)  where  G  =  e(g,hY^z  £  G j  and  d  =  sa  £  Zp. 


Decrypts  (SK,  CT).  The  decryption  algorithm  takes  as  input  a  private  key  SK  =  (z,  TK)  and  a  ciphertext  CT.  If  the  ciphertext  is 
not  partially  decrypted,  then  the  algorithm  first  executes  Transform,,,,,  (TK,  CT).  If  the  output  is  ±,  then  this  algorithm  outputs 
±  as  well.  Otherwise,  it  takes  the  ciphertext  (7o,7\)  and  computes  Tq/T {  =  .dt . 

"Goya I  et  al.  [24]  give  a  standard  model  instantiation  for  F  using  an  n-wise  independent  hash  function  (in  the  exponents)  with  the  restriction 
that  any  ciphertext  can  contain  at  most  n  attributes.  For  our  purposes,  one  can  think  of  F  as  a  random  oracle. 


Figure  6:  A  CPA-secure  KP-ABE  outsourcing  scheme  based  on  the  large-universe  construction  of  Goyal,  Pandey, 
Sahai  and  Waters  [24]. 
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Figure  7:  Architecture  and  data  flow  for  our  cloud-based  outsourcing  proxy.  An  application  programmatically  instan¬ 
tiates  one  or  more  instances  of  the  outsourcing  proxy,  which  is  loaded  from  a  public  Amazon  Machine  Image  (AMI) 
in  the  S3  storage  cloud.  Next  the  application  uploads  a  transform  key  TK  to  the  proxy,  and  subsequently  instructs 
the  proxy  to  obtain  ciphertexts  from  remote  web  servers  or  from  locations  within  the  S3  storage  cloud.  The  proxy 
transforms  the  ciphertexts  and  returns  the  partially-decrypted  result  to  the  application,  which  completes  decryption  to 
obtain  a  plaintext.  We  emphasize  that  the  setup  step  including  uploading  the  transformation  key  only  needs  to  be  done 
once;  subsequently,  many  decryption  steps  can  follow.  In  an  alternative  configuration  (not  shown)  the  application  can 
also  upload  ABE  ciphertexts  to  the  proxy  from  its  local  storage.  We  note  the  first  configuration  conflates  the  ciphertext 
delivery  and  partial  decryption  and  thus  requires  no  additional  transmissions  relative  to  non  outsourcing  solutions.  The 
alternative  will  require  an  round  trip  for  each  outsourcing  operation. 


One  might  hope  that  the  proof  of  adaptive  security 
could  be  a  black  box  reduction  to  the  adaptively  secure 
schemes  of  Lewko  et  al.  Unfortunately,  this  seems  in¬ 
feasible.  Consider  any  direct  black  box  reduction  to  the 
security  of  the  underlying  scheme.  When  the  attacker 
makes  a  query  to  some  transformation  key,  the  reduction 
algorithm  has  two  options.  First,  it  could  ask  the  security 
game  for  the  underlying  ABE  system  for  a  private  key. 
Yet,  it  might  turn  out  that  the  key  both  is  never  corrupted 
and  is  capable  of  decryption  for  the  eventual  challenge 
ciphertext.  In  this  case  the  simulator  will  have  to  abort. 
A  second  option  is  for  the  reduction  algorithm  not  to  ask 
for  such  a  key,  but  fill  in  the  transformation  key  itself. 
However,  if  that  user’s  key  is  later  corrupted  it  will  be 
difficult  for  the  reduction  to  both  ask  for  such  a  private 
key  and  match  it  to  the  published  transformation  key. 

Accordingly,  to  prove  security  one  needs  to  make  a 
direct  Dual-System  encryption  type  proof.  The  proof 
would  go  along  the  lines  of  Lewko  et  al.,  with  the  ex¬ 
ception  that  in  the  hybrid  stage  of  the  proof  all  private 
keys  and  transformational  keys  will  be  set  (one  by  one) 
to  be  semi-functional  including  those  that  could  decrypt 
the  eventual  challenge  ciphertext.  In  the  Lewko  et  al. 
proof  giving  a  private  key  that  could  decrypt  the  chal¬ 
lenge  ciphertext  would  undesirably  result  in  the  sim¬ 
ulator  producing  observably  incorrect  correlations  be¬ 
tween  the  challenge  ciphertext  and  keys.  However,  if 
we  only  give  out  the  transformation  part  of  such  a  key 
(and  keep  the  whole  private  key  hidden)  then  this  cor¬ 
relation  will  remain  hidden.  This  part  of  the  argument 
is  somewhat  similar  to  the  work  of  Lewko,  Rouselakis, 
and  Waters  [29],  who  show  that  in  their  leakage  resilient 
ABE  scheme  if  only  part  of  a  private  key  is  leaked  such 
a  correlation  will  be  hidden. 


5.2  Checking  the  Transformation 

In  the  description  of  our  systems  a  proxy  will  be  able 
to  transform  any  ABE  ciphertext  into  a  short  ciphertext 
for  the  user.  While  the  security  definitions  show  that  an 
attacker  will  not  be  able  to  learn  an  encrypted  message, 
there  is  no  guarantee  on  the  transformation’s  correctness. 
In  some  applications  a  user  might  want  to  request  the 
transformation  of  a  particular  ciphertext  and  (efficiently) 
check  that  the  transformation  was  indeed  done  correctly 
(assuming  the  original  ciphertext  was  valid).  It  is  easy  to 
adapt  our  RCCA  systems  to  such  a  setting.  Since  decryp¬ 
tion  results  in  recovery  of  the  ciphertext  randomness,  one 
can  simply  add  a  tag  to  the  ciphertext  as  H'(r),  where  H' 
is  a  different  hash  function  modeled  as  a  random  oracle 
and  r  is  the  ciphertext  randomness.  On  recovery  of  r  the 
user  can  compute  H'(r)  and  make  sure  it  matches  the  tag. 

6  Performance  in  Practice 

To  validate  our  results,  we  implemented  the  CPA-secure 
CP-ABE  of  Section  3  as  an  extension  to  the  libfenc  At¬ 
tribute  Based  Encryption  library  [25],  We  then  used  this 
as  a  building  block  for  a  platform  for  accelerating  ABE 
decryption  through  cloud-based  computing  resources. 

The  core  of  our  solution  is  a  virtualized  outsourcing 
“proxy”  that  runs  in  the  Amazon  Elastic  Compute  Cloud 
(EC2).  Our  proxy  exists  as  a  machine  image  that  can 
be  programmatically  instantiated  by  any  application  that 
requires  assistance  with  ABE  decryption.  As  we  demon¬ 
strate  below,  this  proxy  is  particularly  useful  for  accel¬ 
erating  decryption  on  constrained  devices  such  as  mo¬ 
bile  phones.  However,  the  system  can  be  used  in  any 
application  where  significant  numbers  of  ABE  decryp¬ 
tions  must  be  performed,  e.g.,  in  large-scale  search  op- 
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erations.10  The  use  of  on-demand  computing  is  particu¬ 
larly  well-suited  to  our  outsourcing  techniques,  since  we 
do  not  require  trusted  remote  servers  or  long-term  stor¬ 
age  of  secrets. 

System  Architecture.  Figure  7  illustrates  the  architec¬ 
ture  of  our  outsourcing  platform.  The  proxy  is  stored  in 
Amazon’s  S3  datastore  as  a  public  Amazon  Machine  Im¬ 
age  (AMI),  which  wraps  a  standard  Linux/ Apache  distri¬ 
bution  along  with  the  code  needed  to  execute  the  Trans¬ 
form  algorithm.  Applications  can  remotely  instantiate 
the  proxy  and  upload  a  TK  corresponding  to  a  particu¬ 
lar  ABE  decryption  key. 1 1  Depending  on  the  use  case, 
they  can  either  push  ciphertexts  to  the  proxy  for  transfor¬ 
mation,  or  direct  the  proxy  to  retrieve  ABE  ciphertexts 
from  remote  locations  such  as  the  web  or  the  Amazon  S3 
storage  cloud.  The  latter  technique  is  helpful  when  ac¬ 
cessing  remotely-held  records  on  a  mobile  device,  since 
the  proxy  transformation  dramatically  reduces  the  mo¬ 
bile  device’s  bandwidth  requirements  vs.  downloading 
and  decrypting  each  ABE  ciphertext  locally.  This  can 
significantly  enhance  device  battery  life. 

6.1  Performance:  Microbenchmarks 

To  evaluate  the  performance  of  our  CPA-secure  CP- ABE 
outsourcing  scheme  in  isolation  (without  confounding 
factors  such  as  network  lag,  file  I/O,  etc.)  we  conducted  a 
series  of  microbenchmarks  using  the  libfenc  implemen¬ 
tation.  For  consistency,  we  ran  these  tests  on  two  dedi¬ 
cated  hardware  platforms:  a  3GHz  Intel  Core  Duo  plat¬ 
form  with  4GB  of  RAM  running  32-bit  Linux  Kernel 
version  2.6.32,  and  a  412MHz  ARM-based  iPhone  3G 
with  128MB  of  RAM  running  iOS  4.0. 12  We  instantiated 
the  ABE  schemes  using  a  224-bit  MNT  elliptic  curve 
from  the  Stanford  Pairing-Based  Crypto  library  [30], 13 

The  existing  libfenc  implementation  implements  the 
Waters  scheme  using  a  Key  Encapsulation  variant.  For 
backwards  compatibility,  we  adopted  this  approach  in 
our  implementation  as  well.  Herein,  the  ciphertext  car¬ 
ries  a  symmetric  session  key  k  that  is  computed  at  en¬ 
cryption  time  as  k  =  H(e(g,g)as).  The  element  C  = 

10Indeed,  since  cloud  computing  platforms  support  the  creation  of 
multiple  proxy  instances,  servers  can  rapidly  scale  their  outsourcing 
capability  up  and  down  to  meet  demand. 

1 1  The  proxy  requires  only  one  TK  to  decrypt  an  unlimited  number 
of  ciphertexts.  However,  a  proxy  can  be  shared  by  multiple  users,  each 
with  their  own  TK. 

12Note  that  our  tests  were  single-threaded,  and  thus  used  resources 
from  only  a  single  core  of  the  Intel  processor.  In  all  cases  we  conducted 
our  timing  experiments  with  accessible  background  services  disabled, 
and  with  the  mobile  device  connected  to  a  power  source. 

13  Although  we  define  our  schemes  in  the  symmetric  bilinear  group 
setting,  the  MNT  curve  choice  required  that  we  implement  the  scheme 
in  asymmetric  groups  with  a  pairing  of  the  form  Gi  x  G2  — >  Gj.  As 
a  result  we  assigned  various  elements  of  the  ciphertext  and  key  to  the 
groups  Gi  and  G2  with  the  aim  of  minimizing  ciphertext  size. 


.///  ■  e(g,  g)as  is  omitted  from  the  ciphertext,  and  any  data 
payload  must  be  carried  via  a  separate  symmetric  encryp¬ 
tion  under  k.  The  practical  impact  of  this  approach  is 
that  the  ABE  ciphertexts  (and  partially-decrypted  cipher- 
texts)  are  shortened  by  one  element  of  Gt- 

Experimental  setup.  Both  decryption  time  and  cipher- 
text  size  in  the  CP-ABE  scheme  depend  on  the  com¬ 
plexity  of  the  ciphertext’s  policy.  To  capture  this  in  our 
experiments,  we  first  generated  a  collection  of  100  dis¬ 
tinct  ciphertext  policies  of  the  form  (A  |  AND  A2  AND 
. . .  AND  Ajv),  where  each  A,-  is  an  attribute,  for  values  of 
N  increasing  from  1  to  100.  In  each  case  we  constructed 
a  corresponding  decryption  key  that  contained  the  N  at¬ 
tributes  necessary  for  decryption.  This  approach  ensures 
that  the  decryption  procedure  depends  on  all  N  compo¬ 
nents  of  the  ciphertext  and  is  a  reasonable  sample  of  a 
complex  policy. 

To  obtain  our  baseline  results,  we  encapsulated  a  ran¬ 
dom  128-bit  symmetric  key  under  each  of  these  100  dif¬ 
ferent  policies,  then  decrypted  the  resulting  ABE  cipher- 
text  using  the  normal  (non-outsourced)  Decrypt  algo¬ 
rithm.14  To  smooth  any  experimental  variability,  we  re¬ 
peated  each  of  our  experiments  100  times  on  the  Intel 
device  (due  to  the  time  consuming  nature  of  the  experi¬ 
ments,  we  repeated  the  test  only  30  times  on  the  ARM 
device)  and  averaged  to  obtain  our  decryption  timings. 
Figure  8  shows  the  size  of  the  resulting  ciphertexts  as  a 
function  of  N ,  along  with  the  measured  decryption  times 
on  our  Intel  and  ARM  test  platforms. 

Next,  we  evaluated  the  algorithms  by  generating  a 
Transform  Key  (TK)  from  the  appropriate  /V-attribute 
ABE  decryption  key  and  applying  the  Transform  algo¬ 
rithm  to  the  ABE  ciphertext  using  this  key.15  Finally  we 
decrypted  the  resulting  transformed  ciphertext.  Figure  8 
shows  the  time  required  for  each  of  those  operations. 

Discussion.  As  expected,  the  ABE  ciphertext  size  and 
decryption/transform  time  were  linear  in  the  complexity 
of  the  ciphertext’s  policy  (A).  However,  our  results  illus¬ 
trate  the  surprisingly  high  constants.  Encrypting  under  a 
100-component  ciphertext  policy  produced  an  unwieldy 
25KB  of  ABE  ciphertext.  The  relatively  fast  Intel  proces¬ 
sor  required  nearly  2  full  seconds  to  decrypt  this  value. 
By  comparison,  the  same  machine  can  perform  a  1024- 
bit  RSA  decryption  in  1.7  milliseconds.16 

The  results  were  more  dramatic  on  the  mobile  device. 
Decrypting  a  100-component  ciphertext  policy  on  the 

l4Note  that  for  this  experiment  we  did  not  employ  any  symmetric 
encryption,  hence  all  times  and  ciphertext  sizes  refer  to  the  ABE  key 
encapsulation  ciphertext. 

15  We  used  the  “backwards-compatible”  key  generation  approach  de¬ 
scribed  in  Section  3.1  to  derive  a  TK  from  a  standard  ABE  decryption 
key,  rather  than  having  the  PKG  generate  the  TK  directly.  This  allowed 
us  to  retain  compatibility  with  the  existing  CP-ABE  implementation. 

16Measured  with  OpenSSL  1.0  [40]. 


Approved  for  Public  Release;  Distribution  Unlimited. 

925 


ABE  Ciphertext  Size 


Partially-decrypted  Ciphertext  Size 


ABE  Decryption  Time 


Outsourcing  Keygen  (Time) 


Transform  (Time) 


Final  Decryption  (Time) 


Figure  8:  Microbenchmark  results  for  our  CP-ABE  scheme  with  outsourcing.  Timing  results  are  provided  for  both 
Intel  and  ARM  platforms.  Key  generation  times  represent  the  time  to  convert  a  standard  ABE  decryption  key  into 
an  outsourcing  key,  using  the  “backwards-compatible”  approach  described  in  Section  3.1.  “Final  decryption”  refers 
to  the  decryption  of  a  partially-decrypted  ciphertext.  Note  that  we  present  the  Transform  timing  results  for  the  Intel 
platform  only,  since  we  view  this  as  the  more  likely  outsourcing  platform.  Intel  (resp.  ARM)  timings  represent  the 
average  of  100  (resp.  30)  test  iterations. 


ARM  processor  required  nearly  30  seconds  of  sustained 
computation.  Even  at  lower  policy  complexities,  our  re¬ 
sults  seem  problematic  for  implementers  looking  to  de¬ 
ploy  unassisted  ABE  on  limited  computing  devices. 

Outsourcing  substantially  reduced  both  ciphertext  size 
and  the  time  needed  to  decrypt  the  partially-decrypted  ci¬ 
phertext.  Each  partially-decrypted  ciphertext  was  a  fixed 
188  bytes  in  size,  regardless  of  the  original  ciphertext’s 
CP-ABE  policy.  Furthermore,  the  final  decryption  pro¬ 
cess  required  only  4ms  on  the  Intel  processor  and  a  man¬ 
ageable  60ms  on  ARM.17  Thus,  it  appears  that  outsourc¬ 
ing  can  provide  a  noticeable  decryption  time  advantage 
for  ciphertexts  with  10  or  more  attributes. 

Other  Implementation  Remarks.  There  are  several  opti¬ 
mizations  and  tradeoffs  one  might  explore  that  could  im¬ 
pact  both  the  performance  of  the  existing  ABE  scheme 
and  our  outsourced  scheme.  We  chose  to  use  the  PBC 
library  due  to  its  use  in  the  libfenc  system  and  its  simple 
API.  However,  PBC  does  not  include  all  of  the  latest  op¬ 
timizations  discussed  in  the  research  literature.  Other  fu¬ 
ture  optimizations  could  include  the  use  of  multi-pairings 
for  decryption.  We  emphasize  that  while  using  such  op- 


17We  conducted  our  experiments  on  the  CPA-secure  version  of  our 
scheme.  The  primary  performance  differences  in  the  RCCA  version 
are  an  extra  exponentiation  in  Gy  and  some  additional  bytes. 


timizations  to  the  existing  ABE  systems  could  give  some 
performance  improvements,  they  will  not  improve  the 
size  of  ABE  ciphertexts.  Furthermore,  decryption  time 
will  still  be  linear  in  the  size  of  the  satisfied  formula, 
whereas  our  outsourcing  technique  transforms  the  final 
decryption  step  to  a  short  El-Gamal-type  ciphertext. 


A  note  on  policy  complexity.  The  reader  might  assume 
that  50-  or  100-component  policies  are  rare  in  practice. 
In  fact,  we  observed  that  it  is  relatively  easy  to  arrive 
at  highly  complex  policies  in  typical  use  cases.  This  is 
particularly  true  when  using  policies  that  contain  integer 
comparison  operators,  e.g.,  “AGE  <  30”.  The  libfenc  li¬ 
brary  implements  integer  comparison  operators  using  the 
technique  of  Bethencourt  et  al.  [7]:  prior  to  encryption, 
each  comparison  operator  is  converted  into  a  boolean 
policy  circuit  composed  of  OR  and  AND  gates,  and  the 
resulting  policy  is  applied  to  the  ciphertext.  Comparing 
an  attribute  to  a  fixed  n-bit  integer  adds  approximately 
n  components  to  the  policy.  For  example,  without  spe¬ 
cial  optimizations,  a  restriction  window  involving  a  Unix 
time  value  (x  <  KEY_CREATI0N_TIME  <  y)  increases 
the  policy  size  by  approximately  64  components. 
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Figure  9:  Some  average  performance  results  for  the  proxy-enhanced  iHealthEHR  application  running  on  our  iPhone 
3G.  From  left  to  right,  “local-only”  indicates  device-local  decryption  and  storage  of  ciphertexts,  “local+web”  indicates 
that  ciphertexts  were  downloaded  from  a  web  server  and  decrypted  at  the  device,  “proxy”  indicates  local  ciphertext 
storage  with  proxy  outsourcing,  “proxy+web”  indicates  that  ciphertexts  were  obtained  from  the  web  via  the  proxy. 
Where  relevant  we  provide  both  timings  and  total  bandwidth  transferred  (up+down)  from  the  device.  Note  that  proxy 
launch  times  exhibit  some  variability  depending  on  factors  outside  of  our  control. 


6.2  Performance:  Mobile  Example 

To  validate  our  ideas  in  a  real  application,  we  incorpo¬ 
rated  outsourcing  into  the  iPhone  viewer  component  of 
iHealthEHR  [3],  an  experimental  system  for  distributing 
Electronic  Health  Records  (EHRs).  Since  EHRs  can  con¬ 
tain  highly  sensitive  data,  iHealthEHR  uses  CP-ABE  to 
perform  end-to-end  encryption  of  records  from  the  orig¬ 
ination  point  to  the  viewing  device.  Distinct  ciphertext 
policies  may  be  applied  to  each  node  in  an  individual’s 
health  record  fe.g.,  to  admit  special  permissions  for  psy¬ 
chiatric  records).  iHealthEHR  supports  both  local  and 
cloud-based  storage  of  records. 

We  modified  the  iPhone  application  to  remotely 
instantiate  our  outsourcing  proxy  on  startup,  using 
a  “small”  server  instance  within  Amazon’s  storage 
cloud.18  In  our  experiments  we  found  that  the  first  EC2 
instantiation  required  anywhere  from  1-3  minutes,  pre¬ 
sumably  depending  on  the  system’s  load.  However,  once 
the  proxy  was  launched,  it  could  be  left  running  indefi¬ 
nitely  and  shared  by  many  different  users  with  different 
TKs,  or  —  when  not  in  use  —  paused  and  brought  back 
to  full  operation  in  as  little  as  30  seconds  (with  an  av¬ 
erage  closer  to  45  seconds).  During  this  startup  interval 
we  set  the  application  to  locally  process  all  decryption 
operations.  Once  the  proxy  signaled  its  availability,  the 
application  pushed  a  TK  to  it  via  HTTP,  and  outsourced 
all  further  decryption  operations. 

To  evaluate  the  performance  implications,  we  con¬ 
ducted  experiments  on  the  system  with  outsourcing  en¬ 
abled  and  disabled,  considering  four  likely  usage  sce¬ 
narios.  In  the  first  scenario  (local-only),  we  conducted 
device-local  decryption  on  ciphertexts  stored  locally  in 
the  device’s  Flash  memory.  In  the  second  scenario  (lo¬ 
cal+web)  we  downloaded  ciphertexts  from  a  web  server, 

18According  to  Amazon's  documentation,  a  small  EC2  instance  pro¬ 
vides  “the  equivalent  CPU  capacity  of  a  1.0- 1.2  GHz  2007  Opteron  or 
2007  Xeon  processor”  and  1.7GB  of  RAM,  at  a  cost  of  USD  $0. 085/hr. 
[1]. 


then  decrypted  them  locally  at  the  device.  In  the  third 
scenario  (proxy),  we  stored  ciphertexts  locally  and  then 
uploaded  them  to  the  proxy  for  transformation.  In  the 
final  scenario  (proxy+web)  ciphertexts  were  retrieved 
from  a  web  server  by  the  proxy,  then  Transformed  be¬ 
fore  being  sent  to  the  device.  In  each  case  we  measured 
the  time  required  to  decrypt,  along  with  the  total  band¬ 
width  transmitted  and  received  by  the  device  (excepting 
the  local-only  case,  which  did  not  employ  the  network 
connection).  The  results  are  summarized  in  Figure  9. 

7  Hardening  ABE  Implementations 

Thus  far  we  described  outsourcing  solely  as  a  means  to 
improve  decryption  performance.  In  certain  cases  out¬ 
sourcing  can  also  be  used  to  enhance  security.  By  way 
of  motivation,  we  observe  that  ABE  implementations 
tend  to  be  relatively  complex  compared  to  implementa¬ 
tions  of  other  public-key  encryption  schemes.  For  ex¬ 
ample,  libfenc’s  policy  handling  components  alone  com¬ 
prise  nearly  3,000  lines  of  C  code,  excluding  library  de¬ 
pendencies.  It  has  been  observed  that  the  number  of  vul¬ 
nerabilities  in  a  software  product  tends  to  increase  in  pro¬ 
portion  to  the  code’s  complexity  [34]. 

It  is  common  for  designers  to  mitigate  software  issues 
by  sandboxing  vulnerable  processes  e.g.,  [33],  or  through 
techniques  that  isolate  security-sensitive  functions  within 
a  process  [32],  McCune  etal.  recently  proposed  TrustVi- 
sor  [31],  a  specialized  hypervisor  designed  to  protect  and 
isolate  security-sensitive  “Pieces  of  Application  Logic” 
(PALs)  from  less  sensitive  code. 

We  propose  outsourcing  as  a  tool  to  harden  ABE  im¬ 
plementations  in  platforms  with  code  isolation.  For  ex¬ 
ample,  in  a  system  equipped  with  TrustVisor,  imple- 
menters  can  embed  the  relatively  simple  key  generation 
and  Decrypt,,,,,  routines  in  security-sensitive  code  (e.g., 
a  TrustVisor  PAL)  and  use  outsourcing  to  push  the  re¬ 
maining  calculations  into  non-sensitive  code.  This  not 
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only  reduces  the  size  of  the  sensitive  code  base,  it  also 
simplifies  parameter  validation  for  the  PAL  (since  the 
partially-decrypted  ABE  ciphertext  is  substantially  less 
complex  than  the  original).  We  refer  to  this  technique 
as  “self-outsourcing”  and  note  that  it  can  also  be  used 
in  systems  containing  hardware  security  modules  ( e.g 
cryptographic  smart  cards).  Moreover,  based  on  our  ex¬ 
periments  of  Section  6,  we  estimate  that  this  approach 
will  have  a  minimal  impact  on  performance. 
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A  Proof  of  Theorem  3.2 

Proof  Suppose  there  exists  a  polynomial-time  adversary 
st/  that  can  attack  our  scheme  in  the  selective  RCCA- 
security  model  for  outsourcing  with  advantage  e.  We 
build  a  simulator  3$  that  can  attack  the  Waters  scheme 
of  [42,  Appendix  C]  in  the  selective  CPA-security  model 
with  advantage  e  minus  a  negligible  amount.  In  [42]  the 
Waters  scheme  is  proven  secure  under  the  decisional  q- 
parallel  BDHE  assumption. 

Init.  The  simulator  3$  runs  sY .  sY  chooses  the  chal¬ 
lenge  access  structure  ( M*  ,p *),  which  3$  passes  on  to 
the  Waters  challenger  as  the  structure  on  which  it  wishes 
to  be  challenged. 


Approved  for  Public  Release;  Distribution  Unlimited. 

929 


Setup.  The  simulator  28  obtains  the  Waters  public 
parameters  PK  =  g,e(g,g)a,ga  and  a  description  of  the 
hash  function  F.  It  sends  these  to  &'/  as  the  public  pa¬ 
rameters. 

Phase  1.  The  simulator  28  initializes  empty  tables 
T.  T\ ,  73,  an  empty  set  D  and  an  integer  j  =  0.  It  answers 
the  adversary’s  queries  as  follows: 

•  Random  Oracle  Hash  H\  (R..  //y.  If  there  is  an  en¬ 
try  (R,^8(,s)  in  T\ ,  return  s.  Otherwise,  choose  a 
random  .v  £  Zp,  record  (R..///.S)  in  1]  and  return  ,v. 

•  Random  Oracle  Hash  H2(R):  If  there  is  an  entry 
(R.  r)  in  73,  return  r.  Otherwise,  choose  a  random 
r  £  {0, 1  }k,  record  ( R ,  r )  in  73  and  return  r. 

•  Create((5)):  2%  sets  j  :=  j  +  1.  It  now  proceeds  one 
of  two  ways. 

-  If  S  satisfies  ( M * ,  p*),  then  it  chooses  a  “fake” 
transformation  key  as  follows:  choose  a  ran¬ 
dom  d  £  Zp  and  run  KeyGen((t/,PK),5)  to 
obtain  SK'.  Set  TK  =  SK'  and  set  SK  = 
(t/,TK).  Note  that  the  pair  (<7,TK)  is  not  well- 
formed,  but  that  TK  is  properly  distributed  if  d 
was  replaced  by  the  unknown  value  z  =  a/d. 

-  Otherwise,  it  calls  the  Waters  key  genera¬ 

tion  oracle  on  S  to  obtain  the  key  SK'  = 
(PKjK'jL',  (Recall  that  in  the 

non-outsourcing  CP-ABE  game,  the  Create 
and  Corrupt  functionalities  are  combined  in 
one  oracle.)  The  algorithm  chooses  a  ran¬ 
dom  value  z  £  Zip  and  sets  the  transfor¬ 
mation  key  TK  as  (PK,  K  =  Knlz,L  = 
Ln/Z,  {Kx}xeS  =  {Kx,z}xeS)  and  the  private 
key  as  (z,TK). 

Finally,  store  (j.  S ,  SK,  TK)  in  table  T  and  return  TK 
to  . 

•  Corrupt)/):  ,<//  cannot  ask  to  corrupt  any  key  cor¬ 
responding  to  the  challenge  structure  ( M*,p *).  If 
there  exists  an  ith  entry  in  table  T,  then  38  obtains 
the  entry  (/,S,SK,TK)  and  sets  D  :=  Z)U{5}.  It 
then  returns  SK  to  .<// ,  or  _L  if  no  such  entry  exists. 

•  Decrypt(/,CT):  Without  loss  of  generality,  we  as¬ 
sume  that  all  ciphertexts  input  to  this  oracle  are  al¬ 
ready  partially  decrypted.  Recall  that  both  2%  and 
.e/  have  access  to  the  TK  values  for  all  keys  created, 
so  either  can  execute  the  transformation  operation. 
Let  CT  =  (Co,Ci,C2)  be  associated  with  structure 
(M,p).  Obtain  the  record  (/..S'.SK.TK)  from  table 
T.  If  it  is  not  there  or  S  ^  (M,  p),  return  _L  to  . 

If  key  /  does  not  satisfy  the  challenge  structure 
(M*,p*),  proceed  as  follows: 

1.  Parse  SK  =  (z,TK).  Compute  R  =  Co/C 

2.  Obtain  the  records  (R,^/2j,Sj)  from  table  7).  If 
none  exist,  return  _L  to  . 


3.  If  in  this  set,  there  exists  indices  y  ^  x  such 
that  (R,^y,sy)  and  (R,^x,sx)  are  in  table  7), 

,£x  and  sy  =  sx ,  then  28  aborts  the  sim¬ 
ulation. 

4.  Otherwise,  obtain  the  record  (R,r)  from  table 
T).  If  it  does  not  exist,  28  outputs  _L. 

5.  For  each/,  testifCo=R-e(g,g)ai,,Ci  =  ® 

r  and  C2  =  e(g,g)aSi^z. 

6.  If  there  is  an  /  that  passes  the  above  test,  output 
the  message  otherwise,  output  _L.  (Note: 
at  most  one  value  of  ,v(-,  and  thereby  one  index 
/,  can  satisfy  the  third  check  of  the  above  test.) 

If  key  /  does  satisfy  the  challenge  structure 
(M*,p*),  proceed  as  follows: 

1.  Parse  SK  =  (<7,TK).  Compute  j3  =  c\/d . 

2.  For  each  record  (/?,-,  ^-,5,-)  in  table  7),  test  if 
P  =e(g,g)Si- 

3.  If  zero  matches  are  found,  28  outputs  _L  to  s2 . 

4.  If  more  than  one  matches  are  found,  £ 8  aborts 
the  simulation. 

5.  Otherwise,  let  (R,^,s)  be  the  sole  match. 
Obtain  the  record  (R. r)  from  table  73.  If  it 
does  not  exist,  28  outputs  J_. 

6.  Testif  Co  =R-e(g,g)as,  C\  =„#®randC2  = 

e{g,g)ds- 

7.  If  all  tests  pass,  output  .28 ;  else,  output  _L. 

Challenge.  Eventually,  submits  a  message  pair 
(./^g* ,./#/)  £  {0,  l}2xi'.  38  acts  as  follows: 

1.  2i8  chooses  random  “messages”  (3?o,3?i)  £  and 
passes  them  on  to  the  Waters  challenger  to  obtain  a 
ciphertext  CT  =  (C,C,  {C,}(€[x^)  under  (M*,p*). 

2.  28  chooses  a  random  value  C"  £  {0, 1}*. 

3.  28  sends  to  s2  the  challenge  ciphertext  CT*  = 
(C,C',C",{C,},.eM). 

Phase  2.  The  simulator  28  continues  to  answer  queries 
as  in  Phase  1,  except  that  if  the  response  to  a  Decrypt 
query  would  be  either  or  ,  then  82  responds  with 
the  message  test  instead. 

Guess.  Eventually,  ///  must  either  output  a  bit  or  abort, 
either  way  28  ignores  it.  Next,  28  searches  through  tables 
T\  and  T)  to  see  if  the  values  28- o  or  28\  appear  as  the 
first  element  of  any  entry  (i.e.,  that  issued  a  query  of 
the  form  H\[28i ,•)  or  7/2 (.5?,).)  If  neither  or  both  values 
appear,  28  outputs  a  random  bit  as  its  guess.  If  only  value 
28b  appears,  then  28  outputs  b  as  its  guess. 

This  ends  the  description  of  the  simulation.  Due  to  space 
limitations,  our  analysis  of  this  simulation  appears  in  the 
full  version  of  this  work  [26], 
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Glossary  of  Terms 


ABE 

AES 

AES-NI 

BLS 

CCA 

CHARM 

CLP  ORAM 

cNM-CCAl 

CPA 

CPU 

CS-Lite 

DAP  Schemes 

DARPA 

DCCA 

DDH 

DHK 

DRG 

EC2 

ECC 

ECDSA 

EDT 

FHE 

GPGPU 

GPU 

HBC 

IBE 

LWE 

MIMD 

MIRACL 

NAND 

NIZK 

NM-CCA1 

ORAM 

OT 

PCF 

PCP  Theorem 
PI 

POK 

p-Tampering 

RAM 

RELIC 

RLWE 

RSA 

SC 

SCO  RAM 

SFE 

SIMD 


Attribute  Based  Encryption 

Advanced  Encryption  Standard 

AES  Encryption  Instruction  Set  from  Intel 

Boneh-Lynn-Shachem  Signature 

Chosen  Ciphertext  Attack 

A  Toolkit  for  Protyping  Cryptossytems 

Circuit  Oblivious  Random  Access  Memory 

Chosen  Non-Malleable  Chosen  Ciphertext  Attack 

Chosen  Plaintext  Attack 

Central  Processing  Unit 

Cramer-Shoup  Lite  Scheme 

Decentralized  Anonymous  Payment  Scheme 

Defense  Advanced  Research  Projects  Agancy 

Detectable  Chosen  Ciphertext  Security 

Decisional  Diffe-Hellman  Assumption 

Diffe-Hellman  Knowledge 

Damgard  Elgamal  Scheme 

Amazon  Elastic  Compute  Cloud  Infrastructure 

Error  Correcting  Code 

Eliptic  Curve  Signature  Algorithm 

Encryption  Data  Table 

Fully  Homomorphic  Encryption 

General  Purpose  Graphics  Processing  Unit 

Graphical  Processing  Unit 

Honest  But  Curioous 

Identity  Based  Encryption  Scheme;  Boneh  -  Franklin 
Learning  With  Errors 

Multiple  Instruction,  Multiple  Data;  a  class  of  Parallel  Computers 

A  Pairing  Based  Encryption  Library 

Not  AND  Logical  Gate 

Non-Interactive  Zero  Knowledge  Proof 

Non-Maleable  Chosen  Ciphertext  Attack 

Oblivious  Randon  Access  Memory 

Oblivious  Transfer 

Portable  Circuit  Format 

Probabalistically  Checkable  Proof  Characterization  Theorem 
Principle  Investigator 
Proof  of  Knowledge 

Attack  where  each  bit  may  be  tampered  with  probabality  p 

Random  Access  Memory 

A  Pairing  Based  Encryption  Library 

Ring  Learning  With  Errors 

Rivest,  Shamir,  Adleman  Encryption  Scheme 

Secure  Computation 

Heuristic  Compact  Oblivious  Random  Access  Memory 
Secure  Function  Evaluation 

Single  Instruction,  Multiple  Data;  a  class  of  Parallel  Computers 
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SMC 

Secure  Multi-Party  Encryption 

SMT  Solvers 

Satisfyability  Modulo  Theories  Solvers 

SOA 

Selective  Opening  Attack 

SSE2 

Extension  of  SIMD  Instruction  Set 

TFHE 

Threshold  Fully  Homomorphic  Encryption 

UC 

Universal  Composition 

VSS 

Verifiable  Secret  Sharing  Scheme 

XEN  Hypervisor 

Hypervisor  Utilized  in  Amazon  EC2  Cloud 

XOR 

Exclusive  OR  Logical  Gate 

Yau 

Yau's  Garbled  Circuit  Protocol 

ZK  Proof 

Zero  Knowledge  Proof 

zk-SNARKs 

Zero  Knowledge  Succinct  Non-Interactive  Arguments  of  Knowledge 
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